# Privacy Regulation Summary for E-Commerce

## GDPR (General Data Protection Regulation)

**Jurisdiction**: EU + EEA countries, UK (UK GDPR)
**Applies to**: Any business that offers goods/services to EU/UK residents or monitors their behavior, regardless of where the business is located.

### Key Requirements
| Requirement | Detail |
|---|---|
| **Lawful basis** | Must have one of 6 legal bases for each processing activity: consent, contract, legal obligation, vital interests, public task, legitimate interests. Document which basis covers each activity; for an e-commerce checkout that is usually contract, not consent |
| **Consent** | Must be freely given, specific, informed, unambiguous. Opt-in only (no pre-checked boxes). Easy to withdraw. |
| **Data minimization** | Collect only what's necessary for the stated purpose |
| **Purpose limitation** | Use data only for the purpose it was collected for |
| **Storage limitation** | Don't keep data longer than necessary |
| **Data subject rights** | Access, rectification, erasure, portability, restriction, objection. Respond without undue delay and within one month; extendable by two further months for complex or numerous requests, provided you tell the requester within the first month |
| **Privacy by design** | Build privacy into systems from the start |
| **DPIAs** | Required for high-risk processing activities |
| **DPO** | Required for public authorities, or if core activities involve large-scale regular and systematic monitoring or large-scale processing of special-category (sensitive) or criminal-offence data |
| **Breach notification** | 72 hours after becoming aware to notify the supervisory authority (unless the breach is unlikely to result in a risk to individuals); without undue delay to affected individuals if high risk. The clock starts when you become aware, so detection and triage capability matters |
| **Data processor agreements** | Required with all third parties processing data on your behalf |
| **International transfers** | Need adequacy decision, SCCs, or other safeguards for data leaving EEA/UK |

### Penalties
- Up to €20 million or 4% of global annual turnover (whichever is higher)
- Lower tier: Up to €10 million or 2% for less severe violations

## CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)

**Jurisdiction**: California, USA
**Applies to**: For-profit businesses that collect California residents' personal information AND meet one of: (a) >$25M annual gross revenue, (b) buy/sell/share PI of 100,000+ consumers/households, (c) >50% revenue from selling/sharing PI.

### Key Requirements
| Requirement | Detail |
|---|---|
| **Right to know** | Consumers can request what PI is collected, categories, sources, purposes, third parties |
| **Right to delete** | Consumers can request deletion of PI (with exceptions) |
| **Right to opt-out** | Must offer a "Do Not Sell or Share My Personal Information" link, and must treat an opt-out preference signal such as Global Privacy Control (the `Sec-GPC: 1` request header) as a valid opt-out request |
| **Right to correct** | Consumers can request correction of inaccurate PI |
| **Non-discrimination** | Can't penalize consumers for exercising privacy rights |
| **Privacy policy** | Must disclose categories of PI collected, purposes, third-party sharing, consumer rights |
| **Sensitive PI** | Must allow consumers to limit use and disclosure of sensitive PI, e.g. via a "Limit the Use of My Sensitive Personal Information" link |
| **Service provider contracts** | Required with all vendors processing PI on your behalf |

### Penalties
- $2,500 per unintentional violation (statutory base; the CPPA adjusts these amounts for inflation)
- $7,500 per intentional violation, or per violation involving a consumer under 16
- Private right of action for data breaches caused by a failure to maintain reasonable security: $100-$750 per consumer per incident or actual damages, whichever is greater

## CAN-SPAM Act

**Jurisdiction**: United States
**Applies to**: Any commercial electronic mail message sent to US recipients.

### Key Requirements
| Requirement | Detail |
|---|---|
| **Accurate headers** | "From," "To," "Reply-To" and routing info must be accurate |
| **Non-deceptive subject** | Subject line must accurately reflect message content |
| **Ad identification** | Message must be clearly identified as an ad (if applicable) |
| **Physical address** | Must include valid physical postal address |
| **Opt-out mechanism** | Must include a clear, conspicuous opt-out method that works for at least 30 days after the message is sent |
| **Opt-out honoring** | Must honor opt-out requests within 10 business days; cannot charge a fee or require more than an email address and a reply/visit to opt out |
| **No list selling** | Can't sell or transfer email addresses of people who opted out |
| **Monitor third parties** | You're responsible for compliance even if a third party sends on your behalf |

### Penalties
- Up to $50,120 per non-compliant email (2023 figure; the FTC adjusts the maximum annually for inflation)
- Criminal penalties possible for specific aggravated violations (address harvesting, dictionary attacks, relaying through hijacked systems)

## US State Privacy Laws (Beyond California)

### Virginia (VCDPA)
- **Threshold**: Process PI of 100K+ VA consumers, OR 25K+ consumers and >50% revenue from PI sales
- **Key rights**: Access, correction, deletion, portability, opt-out of targeted advertising and PI sales
- **Enforcement**: Attorney General only (no private right of action)

### Colorado (CPA)
- **Threshold**: Process PI of 100K+ CO consumers, OR 25K+ consumers with revenue from PI sales
- **Key rights**: Access, correction, deletion, portability, opt-out of targeted advertising, profiling, and PI sales
- **Universal opt-out**: Must recognize Global Privacy Control signals

### Connecticut (CTDPA)
- **Threshold**: Process PI of 100K+ CT consumers, OR 25K+ consumers with >25% revenue from PI sales
- **Key rights**: Similar to Virginia + must recognize universal opt-out mechanisms
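The universal opt-out requirement above (Colorado, Connecticut, and the CCPA regulations) is the one mechanism in this summary that has a concrete wire format: a browser sends `Sec-GPC: 1` and the site must treat it as an opt-out of sale/sharing and targeted advertising for that request. The following is an added example, not code from the original page or from any regulator or vendor. It assumes a Node-style request whose `headers` object has lowercase keys, a hypothetical stored-preference record with an `optOutSaleShare` boolean, and a constructed catalogue of third-party tags labelled with whether loading them constitutes a sale/share or targeted advertising.

```javascript
// Added example: honoring the Global Privacy Control (GPC) signal server-side.
// Assumptions (not from the page): Node-style lowercase header object, a
// hypothetical per-consumer preference record, and a constructed tag catalogue.

// The GPC specification defines exactly one valid value: "Sec-GPC: 1".
// Anything else ("0", "true", absent) is NOT an opt-out signal, and the
// absence of the header is NOT consent.
function hasGpcSignal(headers) {
  const raw = headers["sec-gpc"];
  return typeof raw === "string" && raw.trim() === "1";
}

// Resolve the effective opt-out state for one request.
// storedPrefs may be null (unknown consumer). A GPC signal or a stored opt-out
// each suffice; GPC can only turn the opt-out ON, never back off.
function resolveOptOut(headers, storedPrefs) {
  const gpc = hasGpcSignal(headers);
  const stored = Boolean(storedPrefs && storedPrefs.optOutSaleShare === true);
  const optOut = gpc || stored;
  return {
    gpcSignalPresent: gpc,
    optOutSaleShare: optOut,
    optOutTargetedAds: optOut,
    source: gpc ? "gpc-header" : stored ? "stored-preference" : "none",
  };
}

// Constructed catalogue of third-party tags. Each entry declares what loading
// it legally amounts to, so the gating logic does not depend on tag names.
const TAG_CATALOGUE = [
  { id: "first-party-analytics", saleOrShare: false, targetedAds: false },
  { id: "retargeting-pixel", saleOrShare: true, targetedAds: true },
  { id: "data-broker-sync", saleOrShare: true, targetedAds: false },
];

// Return the IDs of tags that may fire for this decision. Gating happens before
// the tags are emitted into the page; a client-side "do not track" flag that the
// tag itself is trusted to honor is not an opt-out.
function allowedTags(decision, catalogue = TAG_CATALOGUE) {
  return catalogue
    .filter((t) => !(decision.optOutSaleShare && t.saleOrShare))
    .filter((t) => !(decision.optOutTargetedAds && t.targetedAds))
    .map((t) => t.id);
}

// Persist a GPC-derived opt-out against the consumer's record so it applies to
// later requests from the same account even if a future browser omits the
// header. Pure function: returns a new record and never clears an existing
// opt-out. `observedAt` is an ISO timestamp kept for the audit trail.
function applyGpcToPrefs(headers, storedPrefs, observedAt) {
  const base = storedPrefs ? { ...storedPrefs } : {};
  if (!hasGpcSignal(headers)) return base;
  return { ...base, optOutSaleShare: true, gpcObservedAt: observedAt };
}

// Response headers for any page whose content depends on the signal: without
// Vary, a shared cache could serve an opted-in variant to an opted-out browser.
function responseHeadersFor(decision) {
  return {
    Vary: "Sec-GPC",
    "Cache-Control": decision.gpcSignalPresent ? "private, no-store" : "private",
  };
}

// Body for /.well-known/gpc.json, the support resource defined by the GPC spec,
// so user agents and auditors can see the site claims to honor the signal.
function gpcSupportResource(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Stand-alone demonstration on a constructed request.
if (typeof require !== "undefined" && require.main === module) {
  const req = { headers: { "sec-gpc": "1", "user-agent": "constructed/1.0" } };
  const decision = resolveOptOut(req.headers, null);
  console.log(decision, allowedTags(decision), responseHeadersFor(decision));
}
```

The point of labelling tags by legal effect rather than by vendor is that the gate stays correct when marketing swaps one pixel for another; the review question becomes "is this tag a sale/share?" instead of "did someone remember to add it to the blocklist?".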

### Other states with enacted privacy laws
Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Indiana (INPA), Tennessee (TIPA), Delaware (DPDPA), New Hampshire, New Jersey, Maryland, Minnesota, Nebraska, Rhode Island, and others — check current list as this area is rapidly evolving.

## COPPA (Children's Online Privacy Protection Act)

**Jurisdiction**: United States
**Applies to**: Websites/services directed at children under 13, or with actual knowledge of collecting data from children under 13.

### Key Requirements
- Verifiable parental consent before collecting PI from children under 13
- Clear, comprehensive privacy policy on data practices for children's data
- Parents can review, delete, and refuse further collection
- Reasonable data security measures
- Data retention limitations

### E-Commerce Relevance
- Selling children's products does not by itself make a site "directed at children"; the FTC weighs subject matter, visual and audio content, language, use of child-oriented characters or celebrities, and audience evidence. Assess this rather than assume either way
- Avoid collecting unnecessary data from users who may be minors, and treat actual knowledge (a stated age under 13, a support ticket from a child) as triggering the rule
- If you age-gate, use a neutral age screen: ask for birth date without hinting at the eligible age, do not collect PI before the screen, and do not let a user simply retry after a failed attempt

### Penalties
- Up to $50,120 per violation (2023 figure; the FTC adjusts the maximum annually for inflation)
