The U.S. Constitution protects us from the evils of quartering Redcoats, but it doesn’t mention privacy. In fact, the United States is “light” on privacy laws. Free speech? Absolutely. Privacy? Meh, not so much. Which raises a question: Must websites have privacy policies?
Besides, national borders are easily (and regularly) crossed online — passports not required. However, if people in the United Kingdom or Canada (or any other country) can interact or purchase products or services through your site, then your site must comply with the UK and Canadian (or whichever countries) online privacy laws.
And guess what? Online privacy laws are a lot stricter in other countries.
(4) Access to Data;
(5) Transfer of Data.
Bear in mind: these five points constitute a bare minimum and don’t fully guarantee that issues and problems won’t arise. Should problems arise, particularly in Arizona, and consumer data be breached, you could face severe consequences. To wit, Arizona’s Revised Statutes say (Ariz. Rev. Stat. § 44-7501):
Arizona requires a person that owns or licenses computerized data that includes personal information to conduct an investigation when it becomes aware of unauthorized access to unencrypted personal information to determine if there has been a breach. If the investigation determines a breach has occurred, a person must notify the individuals affected. The disclosure is to be made without unreasonable delay, subject to law enforcement needs and internal investigations to restore the data integrity. Arizona further requires that a person that maintains computerized data that includes personal information that it does not own or license disclose any security breach to the owner or licensor immediately following the discovery.
Notice can be given (A) in writing, (B) by email, (C) by telephone or (D), in certain circumstances, by substitute notice that includes email, posting on the person’s website and notification by statewide media. Notification is not required if, after reasonable investigation, the person or law enforcement agency determines that a breach has not occurred or is not likely to occur. Personal information means a person’s first name or first initial and last name in combination with one or more of the following that is not encrypted or redacted: (A) social security number, (B) driver’s license number or identification card number, and (C) account number, credit card number, or debit card number in combination with security code, access codes or password. A person who complies with federal notification requirements or security breach rules, and a person who maintains notification procedures as part of an information security.
To ensure your website is in compliance with state and federal regulations, contact us today!