When Europe’s General Data Protection Regulations (GDPR) came into force on the 25th of May 2018, many companies – large and small – had a rude awakening to data tracking legislation. Though the GDPR (as we are going to see) is arguably the strictest piece of data security and privacy legislation, there are also other laws that companies should be aware of. 

This might come as unwelcome news to those of you who are beginners at website analytics, and who have enough to worry about trying to avoid data overwhelm and glean clear insights from your new analytics system. You might be asking yourself whether you really need to worry about data tracking laws on top of all that. 

The answer is yes. 

Almost all of the data laws on this list apply to any company that collects data on citizens from the EU, or from California. That means that if you have a website, you need to be aware of them.

In this guide, we’ll take a quick look at the data tracking laws that (probably) apply to you, and explain some basic features of each.  


The Children’s Online Privacy Protection Act (COPPA) has been in place in the US for quite a few years now and has huge implications for how small businesses should store data. The law aims to protect the privacy of children under 13 years of age by detailing how and when online companies can collect personal information on children.

COPPA applies to any company (or individual) that collects data on people under the age of 13. Nowadays, that includes essentially any website that collects analytics data, as well as a range of online services like mobile apps, plugins, or IoT devices. COPPA defines “personal information” extremely broadly, to include contact information or even “persistent identifiers” that uniquely identify users.

In practice, complying with COPPA means that you need to be able to justify all of the information you are collecting on minors, and to provide them (and their parents) with the opportunity to give consent to this. You also need to provide parents with the capability to see exactly what data you have on their children.


The California Online Privacy Protection Act (CalOPPA) came into force in 2004 and was the first law of its kind. It applies to any business that collects personal information on any resident of California. Like the other laws on this list, that means that you have to comply with it even if you are based in another country.

The Consumer Federation of California Education Foundation defines what “personally identifiable information” is for purposes of CalOPPA. This includes almost any contact details you collect on your users.

CalOPPA is slightly different from other pieces of legislation on this list because it focuses mainly on the implementation of strong privacy policies that give your users details on which data you are collecting, how (and with whom) you share this, and how they can review and change this.

On the other hand, CalOPPA is very specific about how your privacy policy must be presented, even going as far as saying that this needs to be “conspicuous and easily identifiable, larger in size and different in design (such as the typeface and size) when compared to any text around it”. 

Big companies have scrambled to meet these requirements, in California and elsewhere. Apple, based in Cupertino, CA, was quick to comply with the new guidelines, while other businesses have lagged behind. Though the changes are small, everything from a website’s privacy policy to the company’s templates used for sending invoices must reflect the new CalOPPA data privacy requirements.


The EU’s General Data Privacy Regulation is arguably the strictest data tracking law in force at the moment. It came into force in 2018, and has already had a huge impact on how businesses collect and store data.  Article 4 of the GDPR defines the scope of the law: who it applies to, and what “personal information” means in the context of the legislation. In short, it applies to ALL citizens of the EU, and ANY piece of information that is linked to an identifiable individual.

In practice, working out whether you are collecting information on citizens of the EU is extremely difficult. European citizens are increasingly using proxy servers and VPNs to hide their true location. This can make ascertaining their true whereabouts essentially impossible.

The best approach for most businesses, therefore, is to comply with the GDPR as standard. This means getting explicit consent for any personal information you collect, allowing your users to access this, and deleting this information if they assert their “right to be forgotten”. If your company meets the criteria, you also have to appoint a “data protection officer”.

EU Cookies Directive

The EU Cookies Directive existed before the GDPR came into force, but it is now best thought of as an extension to the GDPR. 

At a basic level, the cookies directive states that every website that is based in the EU, owned by EU businesses or aimed towards EU citizens must let users know that they use cookies. This is the piece of legislation that has driven those annoying pop-ups on sites asking you if you consent for them to store cookies on your device.

Compliance with the Cookies Directive means informing all your users about which cookies you are collecting, and giving them the opportunity to decline this. It is particularly important for companies who want to use web analytics because these systems typically use cookies to track website visitors. 

Other Data Tracking Laws

Though the four laws above are the most far-reaching data privacy laws at the moment, if you are an online company with a global reach you also need to be aware of a number of smaller, geographically specific or industry-specific laws.

For English-language websites, the most important of these are PIPEDA, which applies to Canadian citizens, and HIPAA, which applies to companies who collect medical information in the US. Both of these laws implement strict guidelines on the way that data can be collected and stored, and non-compliance can risk you being fined.

The Bottom Line: Compliance Means The GDPR

With so many different (and sometimes contradictory) data tracking laws out there, it is almost impossible to separately assess whether you are compliant with each and every one. 

The best approach for most companies – i.e. those without huge legal teams devoted to ensuring compliance – is, therefore, to comply with the strictest set of regulations out there. That means that if you are compliant with the GDPR, you should be compliant with most other data collection rules. 

Complying with the GDPR, as we’ve said above, means implementing a system for ensuring that your users can exercise certain key rights. However, due to the close relationship between data privacy and data security, it also means ensuring that all aspects of your data collection and storage systems are secure. That, in turn, involves choosing a quality cloud storage provider who is able to protect your data, and hardening your backup systems against data intrusion.

In short, in order to take advantage of the huge benefits of data-driven marketing, you need to also ensure that you are taking the rights (and the security) of your users seriously. Not doing that risks huge fines – Google was recently fined €50 million for non-compliance with the GDPR – as well as significant damage to your reputation.