INTERNATIONAL

General Data Protection Regulation (GDPR)

The GDPR is an EU data privacy law that went into effect May 25, 2018. It is designed to give individuals more control over how their data are collected, used, and protected online. It also binds organizations to strict new rules about using and securing the personal data they collect from people, including the mandatory use of technical safeguards like encryption and higher legal thresholds to justify data collection. The law applies to organizations that handle such data whether they are EU-based organizations or not, known as “extra-territorial effect.”

Canada’s Consumer Privacy Protection Act (CPPA)

The CCPA, which went into effect June 2022, falls into two parts, which focus on the law and enforcement capabilities.

Part 1: Enacts the Consumer Privacy Protection Act to protect the personal information of individuals while recognizing the need of organizations to collect, use or disclose personal information in the course of commercial activities. Like GDPR, CPPA requires businesses to be transparent about the use of automated decision systems – such as algorithms and artificial intelligence – to make predictions, recommendations, or decisions about individuals that could impact them. Individuals also have the right to request an explanation as to how information about them was obtained as well as how any prediction, recommendation or decision was made by an automated decision-making system.

Part 2: Enacts the Personal Information and Data Protection Tribunal Act, which establishes an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner under the Consumer Privacy Protection Act and to impose penalties for the contravention of certain provisions of that Act.

China’s Personal Information Protection Law

The Personal Information Protection Law (PIPL) is China’s first comprehensive legislation on personal information and data privacy. While similar to the European Union’s General Data Protection Regulation in many ways, China’s PIPL notably contains a number of ambiguities that have yet to be interpreted, thereby generating regulatory uncertainty. It remains to be seen how stringent the PIPL will truly be and the extent of its impact.

China’s Data Security Law

Aimed at protecting national security interests in the usage, collection and protection of data, China’s Data Security Law came into effect on September 1 2021. Data protection experts said that there are a number of areas that remain murky in the new law, such as guidance on which regulatory bodies are in charge of the new law and what data processing activities may trigger national security review requirements.

India Personal Data Protection Bill — proposed; as of March 2020, the Bill was being analyzed by a Joint Parliamentary Committee; scrapped as of August 2022, with a promise to introduce new legislation soon.

India’s Personal Data Protection Bill is intended to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the fundamental rights of individuals whose personal data are processed, to create a framework for organizational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorized and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected there with or incidental thereto.

New Zealand Privacy Act

The Privacy Act 2020, which went into effect December 1, 2020, provides the rules in New Zealand for protecting personal information and puts responsibilities on agencies and organizations about how they must do that. While New Zealand’s new privacy legislation is not as comprehensive as some international privacy laws, such as the GDPR, it still introduced significant changes including:

• mandatory data breach notification;
• new investigative and regulatory powers for the New Zealand Privacy Commissioner; and
• new criminal offenses and penalties, including fines of up to $10,000.

Overseas businesses are required to comply with New Zealand’s privacy laws as the Privacy Act 2020 has extraterritorial effect.

UNITED STATES OF AMERICA

California (CCPA)

The California Consumer Privacy Act of 2018 (CCPA), which went into effect January 1, 2020, gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:

• The right to know about the personal information a business collects about them and how it is used and shared;
• The right to delete personal information collected from them (with some exceptions);
• The right to opt-out of the sale of their personal information; and
• The right to non-discrimination for exercising their CCPA rights.

Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

California (CPRA)

In November 2020, California passed the CPRA which amends and expands the California Consumer Privacy Act (CCPA). This California state privacy law, which is being phased in through July of 2023, clarifies existing provisions of the CCPA, creates new consumer rights, imposes additional obligations on businesses that collect personal information from California consumers, and creates a new enforcement agency called the California Privacy Protection Agency.

The CPRA will affect large businesses and organizations the most. Any company that engages in the data collection, analysis, and storage of any person located in California is subject to CPRA they fit under the following criteria:

• For-profit companies that do business in California
• Over $25 million in annual revenue
• Companies that buy, sell or share personal information (PI) of over 100,000 consumers or households
• Derives at least 50 percent of annual revenue from selling or sharing of consumer PI

Note that even if a business isn’t physically or legally located in California, that company is still subject to CPRA as long as they have users or conduct business in the state.

Colorado Privacy Act

The Colorado Privacy Act creates personal data privacy rights and:

Applies to legal entities that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents and that either:

• Control or process personal data of more than 100,000 consumers per calendar year; or
• Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers; and
• Does not apply to certain specified entities, personal data governed by listed state and federal laws, listed activities, and employment records.

Under the bill, consumers have the right to opt out of the processing of their personal data; access, correct, or delete the data; or obtain a portable copy of the data. The bill defines a “controller” as a person that, alone or jointly with others, determines the purposes and means of processing personal data. A “processor” means a person that processes personal data on behalf of a controller.

The bill:

• Specifies how controllers must fulfill duties regarding consumers’ assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, care, avoiding unlawful discrimination, and sensitive data;
• Requires controllers to conduct a data protection assessment for each of their processing activities involving personal data that present a heightened risk of harm to consumers, such as processing for purposes of targeted advertising , profiling, selling personal data, or processing sensitive data; and
• Specifies that a violation of its requirements is a deceptive trade practice, but the bill may be enforced only by the attorney general or district attorneys.

Connecticut Data Privacy Act

The Connecticut Data Privacy Act (CTDPA) protects the privacy and security of Connecticut residents’ personal data by requiring businesses and organizations to be accountable for safeguarding it. The CTDPA applies to entities that handle personal data, including sensitive data like genetic or biometric information. 

The CTDPA gives Connecticut residents the following rights:

• Access their personal data
• Correct inaccuracies in their personal data
• Delete their personal data
• Obtain a copy of their personal data in a portable format
• Opt-out of the sale of their personal data
• Opt-out of the processing of their personal data for targeted advertising 

The CTDPA also imposes strict requirements on data handling, security, breach notification, and consent. For example, controllers must limit the collection of personal data to what is relevant and necessary for the purpose it is processed for. They must also create and maintain security practices to protect the confidentiality, integrity, and accessibility of data.

Maryland Online Data Privacy Act of 2024

The Maryland Online Data Privacy Act of 2024 (MODPA) establishes a regulatory framework to protect Marylanders’ personal data. The law imposes requirements on businesses to protect personal information, such as:

Data security

Businesses must implement and maintain security procedures to protect personal information from unauthorized access, use, modification, or disclosure

Sensitive data

Businesses cannot collect, process, or share sensitive data unless it’s strictly necessary to provide or maintain a specific product or service

Data collection

Businesses cannot collect, process, or sell a consumer’s personal data for targeted advertising if they know or should know the consumer is under 18

Anti-discrimination

Businesses cannot collect, process, or transfer personal data in a discriminatory manner

Data subject requests

Businesses must respond to data subject requests within 45 days, with a 45-day extension if necessary

The Montana Consumer Data Privacy Act

The Montana Consumer Data Privacy Act (MTCDPA) establishes consumer rights and requirements for businesses that collect and process personal data. The law goes into effect on October 1, 2024. 

The MTCDPA applies to businesses that:

• Operate in Montana
• Produce products or services for Montana consumers
• Control or process personal data for at least 50,000 Montana consumers
• Control or process personal data for at least 25,000 Montana consumers and earn more than 25% of their gross revenue from selling personal data 

The MTCDPA requires businesses to:

• Provide consumers with a way to opt out of data collection and processing
• Implement reasonable security and protections to safeguard collected data
• Conduct and document a data protection assessment for each activity that presents a heightened risk of harm to a consumer
• Obtain prior consent from a parent or guardian before processing the personal data of any known child under 13
• Obtain consent from a known consumer who is at least 13 but under 16 before processing their personal data for targeted advertising or sale 

The MTCDPA also gives consumers several rights, including:

• Confirmation of whether a controller is processing their data
• Access to the data a controller has collected
• Correction of inaccuracies in personal data
• Deletion of collected data
• A copy of the data a controller has collected
• Opting out of the processing of personal data for targeted advertising, sale, or automated profiling

Nevada Online Privacy Law

Nevada’s Online privacy Law is an ACT relating to Internet privacy that went into effect May 30, 2019; prohibiting an operator of an Internet website or online service which collects certain information from consumers in Nevada from making any sale of certain information about a consumer if so directed by the consumer; and providing other matters properly relating thereto. Under the law, sales are defined as exchanges of personal information for monetary consideration by the online operator to a person for the person to license or sell the personal information to additional persons.

Nevada’s bill does not add include new notice requirements for website operators but does require them to post certain items of information in their privacy policies, including the categories of information collected, the categories of third parties with which the data is shared, a description of the process consumers may use to review and request changes to their covered information, a disclosure that third parties may track consumers’ online activities and the effective date of these notices.

Utah Consumer Privacy Act

The Utah Consumer Privacy Act (UCPA) is a law that went into effect on December 31, 2023, that protects Utah residents’ personal information and gives them control over it. The UCPA grants consumers rights and imposes obligations on businesses. 

The UCPA gives consumers the right to:

• Know if their personal data is being processed
• Access their personal data
• Delete their personal data
• Obtain a copy of their personal data in a usable format
• Opt out of the sale of their personal data
• Opt out of targeted advertising 

The UCPA also requires businesses to:

• Protect personal data
• Provide consumers with information about how to exercise their rights
• Disclose how consumers can opt out of the sale of their data and targeted advertising 

The UCPA applies to businesses that process data of a certain scale or target Utah and have more than $25 million in annual revenue. Government entities and non-profits are exempt from the UCPA. 

Tennessee Information Protection Act

The Tennessee Information Protection Act (TIPA) is a privacy law that gives Tennessee residents rights over how businesses collect, use, and sell their personal information. It was passed in April 2023 and will take effect on July 1, 2025. 

TIPA imposes obligations on businesses and penalties for violations. It requires controllers to:

• Limit data collection to what is necessary for the disclosed purpose
• Get consumer consent before processing data for other purposes
• Establish reasonable data security practices
• Conduct and document data protection impact assessments before certain processing activities 

TIPA also requires processors to cooperate with controllers to comply with the act, including consumer rights requests and data security. Processors must also be governed by a contract with the controller that outlines relevant consumer privacy provisions

Vermont Data Privacy Act

The Vermont Data Privacy Act is considered to be one of the strongest data privacy laws in the country. The bill includes:

• Data minimization: Limits the amount of personal data companies can collect and use
• Sensitive data: Prohibits the sale of sensitive data, such as social security numbers, financial information, and health records
• Civil rights protections: Prohibits digital discrimination
• Private right of action: Allows consumers to hold businesses accountable for violations of sensitive data rules
• Consumer rights: Includes the right to opt out of targeted advertising, profiling, and the sale of personal data
• Data security: Requires controllers to establish, implement, and maintain reasonable data security practices
• Data breach notification: Requires data collectors to provide preliminary notice to the AG or DFR within 14 days of discovering a breach 

Virginia Consumer Data Protection Act

Virginia’s Consumer Data Protection Act (CDPA) establishes a framework for controlling and processing personal data in the Commonwealth. The bill applies to all persons that conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.

The bill outlines responsibilities and privacy protection standards for data controllers and processors. The bill does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law.

The bill grants consumer rights to access, correct, delete, and obtain a copy of personal data and to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling of the consumer.

The bill provides that the Attorney General has exclusive authority to enforce violations of the law, and the Consumer Privacy Fund is created to support this effort.

The bill directs the Joint Commission on Technology and Science to establish a work group to review the provisions of this act and issues related to its implementation, and to report on its findings by November 1, 2021. The bill has a delayed effective date of January 1, 2023.

For more information, see:

• State Laws Related to Digital Privacy
• Privacy Laws of the United States
• US State Privacy Legislation Tracker
• Privacy Laws Around the Globe