What is the state of privacy laws on business websites?

Privacy laws have a significant impact on society. People are better protected against organizations misusing their personal information. And on the other hand, it has an impact on businesses and governments who are limited in how they work, and it comes with costs as they have to spend a lot of money on legal advice and build privacy-friendly systems.

Since the implementation of GDPR, many other countries have followed suit and implemented their own privacy laws to protect the privacy rights of their citizens. 

Here are a few examples of other countries that followed suit.

• China: China's Cybersecurity Law (CSL) is a comprehensive privacy law that regulates the collection, use and storage of personal data by both domestic and foreign companies operating in China.
• Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal privacy law that governs the collection, use and disclosure of personal information by private sector organizations.
• Japan: The Act on the Protection of Personal Information (APPI) is a comprehensive privacy law that regulates the handling of personal information by both public and private entities.
• South Korea: The Personal Information Protection Act (PIPA) governs the collection, use and disclosure of personal information by public and private entities.
• Brazil: The Brazilian General Data Protection Law (LGPD) governs the collection, use and processing of personal data by both public and private entities.

Companies and governments often communicate about these laws on their websites. In some countries, it is even mandatory to include a privacy policy on the website. Let’s have a look at some European countries and how many websites mention the GDPR or a national equivalent. We focus specifically on business and e-commerce websites as these more frequently collect personal identifiable information (PII) than, for example, a personal website or a blog. Figure 1 shows the percentage of business websites per country that mention a data protection law on their website. The country with the highest percentage of business websites that mention data protection laws is Germany. Here, 41% of business websites reference either the GDPR or the German Datenschutz-Grundverordnung (DSGVO). Austria follows suit after Germany with 37%, Spain comes third with 31% of business websites mentioning data protection. In our sample of thirteen countries, the Netherlands, Finland and Poland have the lowest share: less than 10% of business websites reference data protection regulation, despite all three countries implementing their own legislation.

According to the German data protection law, everyone who collects, transmits, uses or processes personal data through their websites must publish a data protection declaration. This would suggest that approximately 59% of German business and e-commerce sites don’t handle personal information, and therefore, don’t see a need to publish a privacy policy. We dug a little deeper into our data and looked at German business and e-commerce sites that have a feature on their website, such as “login”, “subscribe”, “book”, “register”, or have a shopping cart system and payment providers. These are all features that suggest PPI is being collected. Among these 610,162 websites, 86% have a data protection section on their website, mention data protection or the DSGVO. This indicates that around 14% of business websites that collect personal information may not comply with the law. Having said that, the absence of a published privacy policy on the website doesn't necessarily mean that any PII collected is treated irresponsibly.

Let’s have a look across the pond. The United States don’t have a federal law that designates countrywide rules regarding privacy policies. However, some states have regulations in place. The California Online Privacy Protection Act (CalOPPA) introduced in 2003 requires all commercial websites that collect PII of California residents to post a clearly visible privacy policy that complies with the regulatory requirements. CalOPPA applies as long as the website is accessible by California residents — in other words any website accessible from California, even if it’s not located there. The Act also has a section on rules regarding children. If products or services target children, the Children’s Online Privacy Protection Act (COPPA) comes into play. If a website is directed to, or collects PII from children under the age of 13, parental consent must be sought. Failing to comply with COPPA can be expensive, as was shown by the 5.7 million settlement paid by Musica.ly (now known as TikTok) in 2019 in response to violations.

In Figure 2, we show a map of all websites that mention the California Consumer Privacy Act. As you can see, many websites outside of California mention the Act on their website, likely because they are doing business with California residents. But let’s have a look at the proportion of websites in California that mention the CCPA. Only around 4% of websites mention the actual Act. In contrast, the number of Californian business sites that have a privacy policy is much larger (35%). However, overall the percentage is still surprisingly low. 

Companies that don’t publish privacy statements or legal disclaimers about how they protect their clients PII risk hefty fines and the loss of trust from consumers. The largest fine to date for GDPR violations was issued to Amazon. Inc for €746 million, not for failing to publish a privacy policy but for not being transparent about the collection of information from consumers. Nowadays, there are plenty of free sources where you can find prefabricated Privacy Statements. As a website owner, you can modify the statement  to comply with all the countries’ legislation that you are planning to do business with. Obviously, if you do have a statement, you should also ensure that you really do comply with what you state and protect your clients’ data.