Consumer Data Laws Globally for Sales and Marketing

Mar 4, 2024

North America:

CCPA - California Consumer Privacy Act
The law has been in effect since January 1, 2020.
The intentions of the Act are to provide California residents with the right to:
  • Know what personal data is being collected about them.
  • Know whether their personal data is sold or disclosed and to whom.
  • Say no to the sale of personal data.
  • Access their personal data.
  • Request a business to delete any personal information about a consumer collected from that consumer.
  • Not be discriminated against for exercising their privacy rights.
The CCPA applies to for-profit businesses that collect California consumers' personal information, do business in California, and meet at least one of the following thresholds (as originally enacted; the CPRA later raised the second threshold to 100,000 consumers or households):
  • Annual gross revenue in excess of $25 million;
  • Buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices; or
  • Derive 50% or more of annual revenue from selling consumers' personal information.
CPA - Colorado Privacy Act
The law took effect on July 1, 2023.
The act creates personal data privacy rights and:
  • Applies to legal entities that conduct business in Colorado or produce commercial products or services intentionally targeted to Colorado residents, and that either:
    • Control or process the personal data of at least 100,000 consumers per calendar year; or
    • Derive revenue (or receive a discount on goods or services) from the sale of personal data and control or process the personal data of at least 25,000 consumers; and
  • Does not apply to certain specified entities and data, including state and local governments and state institutions of higher education, personal data already governed by listed state and federal laws, listed activities, and employment records.
PIPEDA - The Personal Information Protection and Electronic Documents Act (Canada)
The Act came into force in stages beginning January 1, 2001 and has applied fully since January 1, 2004.
PIPEDA regulates how private-sector organizations handle personal information in the course of commercial activity. According to the Office of the Privacy Commissioner of Canada (OPC), personal information is any factual or subjective information about an identifiable individual “in any form”, such as:
  • age, name, ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status, or disciplinary actions; and
  • employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).”
To be PIPEDA compliant, an organization must, with limited exceptions, obtain the individual's knowledge and consent before collecting their personal information, and may use that information only for the purposes for which it was collected. Fresh consent is required before the information is used or disclosed for any purpose other than the one the individual originally approved. Individuals are entitled to access their personal information and to challenge its accuracy.

EMEA

ePrivacy - European Union (EU)
The ePrivacy Directive (2002/58/EC) was adopted on July 12, 2002 and remains in force; the ePrivacy Regulation described below was proposed in January 2017 and has not been adopted.
The ePrivacy Regulation (ePR) is a proposed regulation covering various privacy-related topics, mostly in relation to electronic communications within the European Union. Its full name is "Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)." It would repeal the Privacy and Electronic Communications Directive 2002 (ePrivacy Directive) and would be lex specialis to the General Data Protection Regulation, particularizing and complementing the GDPR on privacy-related topics. Key fields of the proposed regulation are the confidentiality of communications, privacy controls through electronic consent and browser settings, and cookies. Until it is adopted, the Directive, as transposed into each member state's national law, continues to apply, including its consent requirement for cookies and similar tracking technologies.
PECR - Privacy and Electronic Communications Regulations (United Kingdom)
The regulations came into force on December 11, 2003 and implement the EU ePrivacy Directive in UK law; they apply alongside the UK GDPR and the Data Protection Act 2018.
A key rule of PECR is that sending electronic direct marketing (email, SMS, automated calls) to an individual who has not given prior opt-in consent is unlawful unless there is an existing customer relationship between the parties (the "soft opt-in"). Organizations cannot simply add people's details to a marketing database and offer an opt-out after they have started sending direct marketing. For this reason, the regulations give consumers stronger protection from direct marketing than general data protection law alone.
PECR applies to organizations sending marketing to UK recipients; each EU member state enforces its own law implementing the ePrivacy Directive. The Information Commissioner's Office (ICO) enforces PECR, considers complaints about unsolicited electronic marketing, and can issue a monetary penalty of up to £500,000 for serious breaches. Failure to comply with an ICO enforcement notice is a criminal offence.
Data Protection Act 2018 (United Kingdom):
The Act received Royal Assent on May 23, 2018 and came into force on May 25, 2018, the same day the GDPR became applicable.
The Act has seven Parts, summarised in the overview in Section 1:
  1. This Act makes provision about the processing of personal data.
  2. Most processing of personal data is subject to the GDPR (now the UK GDPR).
  3. Part 2 supplements the GDPR (see Chapter 2) and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply (see Chapter 3).
  4. Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive.
  5. Part 4 makes provision about the processing of personal data by the intelligence services.
  6. Part 5 makes provision about the Information Commissioner.
  7. Part 6 makes provision about the enforcement of the data protection legislation.
  8. Part 7 makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament.

Latin America

LGPD - Lei Geral de Proteção de Dados Pessoais (Brazil)
The law has been in effect since September 18, 2020; its administrative sanctions became enforceable on August 1, 2021.
The law's primary aim is to unify more than 40 sector-specific Brazilian laws that regulated the processing of personal data. The LGPD sets out provisions and requirements for processing personal data where the data subjects are located in Brazil, where the data is collected or processed in Brazil, or where the data is used to offer goods or services to individuals in Brazil.
The LGPD contains 65 articles and defines new legal concepts in Brazilian law, such as personal data and sensitive personal data. The law sets out the rights of the subjects of personal data, and under what conditions that data can be collected, processed, stored, and shared. It also specifies the obligations of the entity processing that data, and the exceptions to the law.
PDP - Ley de Protección de los Datos Personales, Law No. 25,326 (Argentina)
The law has been in effect since October 30, 2000.
The principles established by this law are the following:
  • All personal data files and databases must be registered with the Registry of the National Directorate for Personal Data Protection.
  • Personal data collected for processing must be accurate, adequate, relevant and not excessive in relation to the scope and purpose for which it was obtained.
  • Data may not be collected by unfair or fraudulent means, or in a manner contrary to the provisions of Law No. 25,326.
  • Data may not be used for purposes other than, or incompatible with, those for which it was obtained.
  • Data must be accurate and kept up to date where necessary.
  • Data that is wholly or partly inaccurate or incomplete must be deleted and replaced, or completed, by the controller of the file or database as soon as the controller becomes aware of the inaccuracy or incompleteness, without prejudice to the data subject's rights under article 16 of Law No. 25,326.
  • Data must be stored in a way that allows the data subject to exercise their right of access.
  • Data must be destroyed once it is no longer necessary or relevant to the purposes for which it was collected.

Asia & Pacific

PIPL - Personal Information Protection Law (China)
The law has been in effect since November 1, 2021.
The PIPL generally covers all organizations that process personal information within China.
Some provisions also apply extraterritorially, to organizations outside China that process the personal information of natural persons inside China, when:
  1. The purpose is to provide products or services to natural persons inside China;
  2. The processing analyzes or assesses the activities of natural persons inside China; or
  3. Other circumstances provided for by law or administrative regulation apply.
Consent is a major concern of the PIPL and a key legal basis on which handlers can process personal information.
If there is no other legal basis for processing data, handlers must get consent for data collection and processing, and this consent can be revoked by any individual at any time. Handlers are not allowed to refuse to provide products or services if an individual withholds or withdraws their consent for non-essential processing.

If you sell or browse online, you have almost certainly encountered a banner at the bottom of the screen that reads something like "this site uses cookies to improve your browsing experience", along with options to accept or decline cookies and an explanation of how the website uses them.
This consent banner is required under privacy laws like the EU ePrivacy Directive, read together with the consent standard of the General Data Protection Regulation (GDPR), to give consumers more control over how their data is collected and used.
While many countries have national data privacy laws, no single overarching privacy law covers the entirety of the US. State-by-state laws are becoming more common, however, protecting a wide range of privacy rights for their residents.
These laws limit how businesses collect, use, and share personal data, responding to increasing concerns about the ballooning presence of online data collection and the growing ecosystem of companies that buy and sell consumer data.
The more hands a person's information passes through, the larger the attack surface and the more likely it is to be exposed in a breach. From social media companies and hotels to healthcare providers and dating sites, data breaches happen with discouraging regularity, and they often cost companies millions of dollars.
Understanding the data privacy requirements of each country, EU member state, or US state in which you operate is imperative for businesses doing business globally, so that they don't unintentionally break the law and wind up with hefty fines.
At Demand, we're proactive in our approach to data privacy and security, and we want to help you to be as well. The following five states have put in place comprehensive consumer data privacy laws that you should be aware of.

US Privacy Laws by State

All five of these laws are now in effect, so it's important to familiarize yourself with what is expected of businesses. Even though these laws are specific to residents of their respective states, we recommend that your privacy policies adhere to the strictest measures, because it may not always be clear where consumers reside.
Note: All of the laws below, except California's, exclude from their scope consumers acting in a commercial or employment context, meaning compliance requirements primarily don't apply in a business-to-business context. California originally had a limited exemption for B2B and employee data, but it expired on January 1, 2023, so the CCPA now applies to that data as well.

California

Specifics: The CCPA allows California residents to request that businesses disclose which types of personal data they’re collecting, along with the source and business reason for collecting that information. It gives consumers the right to request that a business delete previously collected personal information and to opt out of a business’ sale of their personal information. Businesses are prohibited from discriminating against consumers who exercise their CCPA rights.
Scope: Applies to for-profit businesses that do business in California, collect California residents’ personal information, and meet any of the following criteria:
  • Have gross annual revenue of more than $25 million
  • Buy, sell, or share personal information of 50,000 or more consumers, households, or devices
  • Derive 50% or more of revenue from selling or sharing consumers’ personal information
Effective Date: January 1, 2020
Specifics: The CPRA, effective January 1, 2023, expanded the CCPA for California residents. Under the amended law, consumers can:
  • Stop businesses from sharing their personal information
  • Correct inaccurate personal information
  • Limit businesses’ use of sensitive personal information
Businesses may retain personal information no longer than is reasonably necessary for the disclosed purpose, and penalties for violations involving the personal information of minors are increased. Additionally, the CPRA established the California Privacy Protection Agency to enforce and monitor compliance.
Scope: Applies to for-profit businesses that operate in California, collect California residents’ personal information, and meet one or more of the following thresholds:
  • Gross annual revenue of more than $25 million
  • Buy, sell, or share personal information of 100,000 or more consumers or households
  • Derive 50% or more of revenue from selling or sharing consumers’ personal information
Effective Date: January 1, 2023
Read More: CCPA: What the California Privacy Regulation Means for Your Business

Colorado

Specifics: The Colorado Privacy Act gives Colorado residents the right to know which businesses are collecting their personal data and to opt out of targeted advertising, the sale of their data, and certain profiling. It also gives consumers the ability to access, correct, and delete their personal information.
Scope: Businesses and individuals that conduct business in Colorado or produce or deliver products or services targeting Colorado residents, and:
  • Control or process the personal information of 100,000 or more consumers a year, or
  • Make money from or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 or more consumers
Effective Date: July 1, 2023

Connecticut

Specifics: The Connecticut Data Privacy Act gives Connecticut residents the right to know whether a business is processing their data, the right to opt out of targeted advertising, the sale of their data, and certain profiling, and the right to correct and delete data that has been collected. The act also requires businesses to limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes, to be transparent about which types of data they collect and how they use them, and to protect consumer data.
Scope: For-profit businesses and individuals that conduct business in Connecticut or have products or services targeting its residents, and during the preceding calendar year:
  • Controlled or processed the personal data of 100,000 or more consumers, excluding data processed solely to complete a payment transaction, or
  • Derived more than 25% of their gross revenue from the sale of personal data and controlled or processed the personal data of 25,000 or more consumers
Effective Date: July 1, 2023

Utah

Specifics: The Utah Consumer Privacy Act gives Utah residents the right to know what types of personal data a business is collecting and whether the business sells their personal data. It also allows consumers to opt out of targeted advertising and the sale of their data, and to delete data they have provided. The UCPA requires businesses to implement reasonable data security practices, not to discriminate against consumers who exercise their rights, and to provide a clear privacy notice stating how personal data is used and how consumers can opt out or request deletion.
Scope: For-profit businesses and individuals that conduct business in Utah, produce a product or service targeting Utah residents, have annual revenue of $25 million or more, and
  • Control or process the personal information of 100,000 or more consumers a year, or
  • Make over 50% of the company’s gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers
Effective Date: December 31, 2023

Virginia

Specifics: The Virginia Consumer Data Protection Act gives Virginia residents the right to access, correct, delete, and obtain a copy of their personal data. It also gives consumers the right to opt out of targeted advertising, the sale of their data, and certain profiling, and requires businesses to be transparent about their data collection practices, limit collection and use to what is reasonably necessary, and protect that data.
Scope: For-profit businesses and individuals that conduct business in Virginia or have a product or service targeting Virginia residents, and
  • Control or process the personal information of 100,000 or more consumers a year, or
  • Make over 50% of the company’s gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers
Effective Date: January 1, 2023
Knowing which states have current or pending data privacy laws is important to ensure that your business has a comprehensive compliance strategy. For more information, check out these tips about how to create a foolproof compliance strategy.