In the wild west of Web 3.0, user data is oil. Liquid gold! Unfortunately… there will be blood. But you don’t have to become Daniel Plainview. As a digital-first entrepreneur, you rely on user data. But if you treat it without the respect it deserves you could be finished. (Hopefully not with a bowling pin.)

Still scarred from abuses like the Nazis’ use of personal information to identify Jews and other minority groups, Europe has become a leader in privacy law. As far back as 1995, the EU enacted the EU Data Protection Directive to regulate the processing of personal data. This has since been superseded by the General Data Protection Regulation (or GDPR), which was enacted in 2018. Today, the GDPR is the gold standard of data protection around the world.

The GDPR requires that websites disclose their collection and processing of user information and creates rights that users can choose to exercise. The fundamental principle underlying the GDPR is the idea that personal data may only be processed lawfully, fairly, and transparently. From this principle has emerged a framework where proper notice and consent—or some equivalent—must be obtained before any substantial processing of user data may occur.

So, how do you give proper notice before collecting and processing user data? How do you tell a user—the “data subject”—about her rights (as required by the GDPR)? How do you get a user’s informed consent?

A privacy policy, of course!

But it’s not quite that easy.

Harkening back to the days of Oil!, the US has taken a more laissez faire approach to user data than the EU. The federal government has indicated an unwillingness to create a nationwide law requiring data privacy protection. Attempts have been made. But following Edward Snowden’s disclosure of the NSA’s privacy practices, the federal government perhaps hasn’t had the moral grounding to enact data legislation.

This has left data privacy in the hands of the states, acting with little coordination. The patchwork of limited-jurisdiction privacy laws has caused severe headaches for countless founders and CIOs. And no state has had nearly the impact of California. Since California is the 5th largest economy in the world, any business engaging in online commerce (that would be all of them) must abide by California’s laws. And California knows it.

Several other states have begun to propose and enact legislation seeking to protect their citizens the same way California protects its own. Because while California law affects every online business—everyone has to comply—it really only protects the citizens of California. To give rights such as the right to be informed, the right to access, the right to opt out, the right to correct information, and the right not to be discriminated against, each state must create legislation incorporating those rights and extending them to its own citizens. At this point there is a patchwork of privacy laws across the US, each with its own specific standards, rules, and requirements. But, still, most states don’t have any privacy laws at all. It’s a mess.

You might be wondering whether you need a privacy policy at all for users outside of those covered states.

The short answer is, it’s not clear. The longer and more circumspect answer is that depending on how you collect, use, and process user data, as well as the industry that you operate in, it’s a good business practice to at least identify the information you’re collecting and processing. Better safe than sorry. In our view, you’d be wise to be proactive about this stuff as most, if not all, states will surely have their own requirements for data protection and user rights before too long.

But—and here’s the critical takeaway—compliance is key! The federal government may not have its own data privacy laws, but the Federal Trade Commission has the power to enforce the terms of a privacy policy given to consumers. So when you put something in your privacy policy you create an obligation to follow through. If you can’t or you won’t, leave it out! Regardless of the applicable law, whether GDPR, California, or any other jurisdiction in the world, your privacy policy should say what you plan to do and you should do what your privacy policy says.

The expanding patchwork of privacy laws may seem daunting. But as long as you ask permission before drinking our milkshake (and follow a few other rules), you’ll be in good shape.

Website Audit Package

We hope that this series on website terms has been appropriately terrifying because, boy, do we have an offer for you!

But seriously. If you operate a commercial website of any kind, you really do need to ensure that your terms of service, privacy policy, cookie policy, affiliate disclosures, and other critical user agreements are up to date and accurately reflect your practices. This isn’t always the most exciting stuff or where you want to spend your time. So we’ve made this incredibly easy. Our Website Audit package includes a comprehensive review of your existing website terms and replacement of all as needed to ensure compliance.

If you’d like to learn more, reach out to or anyone else on the team. Pricing starts at $5,000 for new and existing websites.