European Union & Canada’s Privacy Policy Laws and What They Mean for US Businesses

Did you know that if you do business with someone or sell to consumers in the European Union, you must comply with EU law, even if your business is located in the United States? This post reviews both EU and Canadian privacy policy laws and what they mean for US businesses.

In the EU, organizations that collect personal data must do so in accordance with the Data Protection Directive. The Directive also restricts transfers of personal data to countries outside the EU, so a US business that receives personal data from the EU must provide an “adequate level of protection” for it. Personal data can only be gathered under strict conditions and for a legitimate purpose. Further, the organization must manage this information in a way that protects certain rights of the individual and prevents misuse.

If you are a US company, you can meet the adequacy requirement by joining the US-EU Safe Harbor Program. (Note that this describes the framework in force when this post was written: the Court of Justice of the EU invalidated the Safe Harbor decision in October 2015, and the Directive itself was replaced by the General Data Protection Regulation in May 2018, so check the current EU-US transfer mechanism before relying on it.) To join Safe Harbor, you must adhere to the following seven Safe Harbor Privacy Principles:

  1. Notice-Organizations must notify individuals about the purposes for which they collect and use information about them, how to contact the organization, the means the organization provides for limiting the use and disclosure of that information, and the kinds of third parties, if any, to which the organization discloses it.
  2. Choice-Organizations must give individuals the opportunity to opt out of having their personal information disclosed to a third party or used for any purpose beyond that for which it was originally collected. If the information is sensitive (health information, for example), the choice must instead be an affirmative opt in.
  3. Onward Transfer-In order to disclose personal information to a third party, an organization must first comply with the Notice and Choice principles above.
  4. Access-Individuals must be able to view their personal information and correct, amend, or delete it where it is inaccurate, with some exceptions.
  5. Security-Organizations must take reasonable precautions to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
  6. Data Integrity-Personal information collected must be relevant to the purposes for which it will be used, and the organization should take reasonable steps to keep it reliable, accurate, complete, and current.
  7. Enforcement-Organizations must have readily available and affordable independent recourse mechanisms so that complaints can be investigated and resolved and damages awarded where applicable. They must also have procedures for verifying adherence to all of the principles and for correcting problems that arise from any failure to comply.

In Canada, the applicable law is the Personal Information Protection and Electronic Documents Act, or “PIPEDA.” It applies to any organization that collects, uses, or discloses personal information in the course of commercial activities. As a US company, you will fall within the scope of PIPEDA if you have operations in Canada. Even if you have no Canadian operations but collect the personal information of individuals in Canada, you may still be found to be within the scope of the law.

Under this law, any collection, use, or disclosure of personal information can only be for purposes that a reasonable person would consider appropriate under the circumstances. In addition, there are ten principles that must be followed to comply.

  1. Accountability-The organization must designate people who are responsible for its compliance with the ten principles, for protecting all personal information it holds, and for implementing its personal information policies and practices.
  2. Identifying Purposes-The organization must identify and document the reasons for collecting personal information, and inform the user of those reasons at or before the time of collection.
  3. Consent-The user must be meaningfully informed of the purposes for the collection, use, or disclosure of the personal information, and must consent to them.
  4. Limiting Collection-Collection must be limited to what is necessary for the identified purposes and carried out by fair and lawful means; an organization cannot deceive or mislead users about why it is collecting personal information, nor collect it indiscriminately.
  5. Limiting Use, Disclosure, and Retention-Personal information cannot be used for purposes beyond those for which it was collected, nor kept longer than is necessary. There must also be procedures in place for retention and destruction of the data and for the resolution of grievances relating to it.
  6. Accuracy-Personal information must be kept as accurate, complete, and up to date as needed, so as to minimize the possibility of disclosing incorrect information or making a decision based on it.
  7. Safeguards-Personal information must be protected from loss, theft, and unauthorized access, disclosure, copying, use, or modification, regardless of the form in which it is held.
  8. Openness-The organization must have understandable policies for the management of personal information, and those policies must be readily available to users.
  9. Individual Access-Users should generally be given the opportunity to access the personal information the organization holds about them and to challenge its accuracy and completeness.
  10. Challenging Compliance-The organization must provide simple and easily understandable complaint procedures that inform users of all avenues of recourse, investigate all complaints, and take appropriate corrective measures.

If you need help creating or updating the privacy policy for your business’s website, please contact the Law Office of E.C. Lewis PC, home of your Denver Business Lawyer, Elizabeth Lewis, at 720-258-6647 or email her at

Children’s Online Privacy Protection Act

COPPA became effective in April of 2000. It applies to commercial websites and online services directed to children under 13 years old, and to those that have actual knowledge they are collecting personal information from children under 13, whether the collection is mandatory or voluntary. Personal information is defined by the act as any information that is individually identifiable or that would allow someone to identify or contact the child. If your website collects such information, you must take certain measures in order to comply with this law.

Personal information includes:

  • First and last name
  • Home or other physical address, including street name and city or town
  • Online contact information
  • Username that functions as online contact information
  • Telephone number
  • Social Security Number
  • Persistent identifier (such as a cookie or device identifier) that can be used to recognize a user over time and across different websites or online services
  • A photo, video, or audio file, containing a child’s image or voice
  • Geolocation information sufficient to identify a street name and the name of a city or town
  • Any other information about the child or the parent that is collected from the child and combined with one of the identifiers above

If you collect personal information of the kinds described above, you must follow these steps to comply with COPPA:

1. You must post a clearly written and understandable online privacy policy that comprehensively describes your practices for collecting personal information from children. Certain elements must be included:

a. You must name each operator collecting or maintaining personal information through the site and provide its contact information.

b. You must describe what personal information is collected, how it is collected, how it is used, and whether it is disclosed to third parties. If you do disclose to third parties, you must also describe the categories of business those third parties are in and how they use the information.

c. You must describe the parents’ rights with regard to the personal information. Specifically, you must tell parents that you will not require a child to disclose more information than is reasonably necessary to participate in an activity; that they can review their child’s personal information and request its deletion; that they can refuse to allow any further collection or use of the child’s information; that they can agree to the collection and use of the child’s information while retaining the option to disallow further collection or use later; and the procedures for exercising these rights.

2. You must also give direct notice to parents and obtain verifiable parental consent before collecting personal information online from children, with some limited exceptions. Parents must be given the option to consent to the website’s collection and use of a child’s information while disallowing its disclosure to third parties, unless that disclosure is integral to the website or service, in which case this must be made clear to the parents.

3. You must maintain the confidentiality, security, and integrity of the information collected from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security.

4. You can only keep such information for as long as is necessary to fulfill the purpose for which it was collected, and you must take reasonable measures to protect it while it is held and to securely delete it afterward.

If you have any questions about whether your website falls under COPPA or how to comply with COPPA, do not hesitate to reach out to the Law Office of E.C. Lewis, PC, home of your Denver Business Lawyer, Elizabeth Lewis, at 720-258-6647 or email her at