INTERNATIONAL

General Data Protection Regulation (GDPR)

The GDPR is an EU data privacy law that went into effect May 25, 2018. It is designed to give individuals more control over how their data are collected, used, and protected online. It also binds organizations to strict new rules about using and securing the personal data they collect from people, including the mandatory use of technical safeguards like encryption and higher legal thresholds to justify data collection. The law applies to organizations that handle such data whether they are EU-based organizations or not, known as “extra-territorial effect.”

Canada’s Consumer Privacy Protection Act (CPPA)

The CCPA, which went into effect June 2022, falls into two parts, which focus on the law and enforcement capabilities.

Part 1: Enacts the Consumer Privacy Protection Act to protect the personal information of individuals while recognizing the need of organizations to collect, use or disclose personal information in the course of commercial activities. Like GDPR, CPPA requires businesses to be transparent about the use of automated decision systems – such as algorithms and artificial intelligence – to make predictions, recommendations, or decisions about individuals that could impact them. Individuals also have the right to request an explanation as to how information about them was obtained as well as how any prediction, recommendation or decision was made by an automated decision-making system.

Part 2: Enacts the Personal Information and Data Protection Tribunal Act, which establishes an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner under the Consumer Privacy Protection Act and to impose penalties for the contravention of certain provisions of that Act.

China’s Personal Information Protection Law

The Personal Information Protection Law (PIPL) is China’s first comprehensive legislation on personal information and data privacy. While similar to the European Union’s General Data Protection Regulation in many ways, China’s PIPL notably contains a number of ambiguities that have yet to be interpreted, thereby generating regulatory uncertainty. It remains to be seen how stringent the PIPL will truly be and the extent of its impact.

China’s Data Security Law

Aimed at protecting national security interests in the usage, collection and protection of data, China’s Data Security Law came into effect on September 1 2021. Data protection experts said that there are a number of areas that remain murky in the new law, such as guidance on which regulatory bodies are in charge of the new law and what data processing activities may trigger national security review requirements.

India Personal Data Protection Bill — proposed; as of March 2020, the Bill was being analyzed by a Joint Parliamentary Committee; scrapped as of August 2022, with a promise to introduce new legislation soon.

India’s Personal Data Protection Bill is intended to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the fundamental rights of individuals whose personal data are processed, to create a framework for organizational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorized and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected there with or incidental thereto.

New Zealand Privacy Act

The Privacy Act 2020, which went into effect December 1, 2020, provides the rules in New Zealand for protecting personal information and puts responsibilities on agencies and organizations about how they must do that. While New Zealand’s new privacy legislation is not as comprehensive as some international privacy laws, such as the GDPR, it still introduced significant changes including:

• mandatory data breach notification;
• new investigative and regulatory powers for the New Zealand Privacy Commissioner; and
• new criminal offenses and penalties, including fines of up to $10,000.

Overseas businesses are required to comply with New Zealand’s privacy laws as the Privacy Act 2020 has extraterritorial effect.

UNITED STATES OF AMERICA

California (CCPA)

The California Consumer Privacy Act of 2018 (CCPA), which went into effect January 1, 2020, gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:

• The right to know about the personal information a business collects about them and how it is used and shared;
• The right to delete personal information collected from them (with some exceptions);
• The right to opt-out of the sale of their personal information; and
• The right to non-discrimination for exercising their CCPA rights.

Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

California (CPRA)

In November 2020, California passed the CPRA which amends and expands the California Consumer Privacy Act (CCPA). This California state privacy law, which is being phased in through July of 2023, clarifies existing provisions of the CCPA, creates new consumer rights, imposes additional obligations on businesses that collect personal information from California consumers, and creates a new enforcement agency called the California Privacy Protection Agency.

The CPRA will affect large businesses and organizations the most. Any company that engages in the data collection, analysis, and storage of any person located in California is subject to CPRA they fit under the following criteria:

• For-profit companies that do business in California
• Over $25 million in annual revenue
• Companies that buy, sell or share personal information (PI) of over 100,000 consumers or households
• Derives at least 50 percent of annual revenue from selling or sharing of consumer PI

Note that even if a business isn’t physically or legally located in California, that company is still subject to CPRA as long as they have users or conduct business in the state.

Colorado Privacy Act — enacted July 7, 2021; goes into effect July 1, 2023

The Colorado Privacy Act creates personal data privacy rights and:

Applies to legal entities that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents and that either:

• Control or process personal data of more than 100,000 consumers per calendar year; or
• Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers; and
• Does not apply to certain specified entities, personal data governed by listed state and federal laws, listed activities, and employment records.

Under the bill, consumers have the right to opt out of the processing of their personal data; access, correct, or delete the data; or obtain a portable copy of the data. The bill defines a “controller” as a person that, alone or jointly with others, determines the purposes and means of processing personal data. A “processor” means a person that processes personal data on behalf of a controller.

The bill:

• Specifies how controllers must fulfill duties regarding consumers’ assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, care, avoiding unlawful discrimination, and sensitive data;
• Requires controllers to conduct a data protection assessment for each of their processing activities involving personal data that present a heightened risk of harm to consumers, such as processing for purposes of targeted advertising , profiling, selling personal data, or processing sensitive data; and
• Specifies that a violation of its requirements is a deceptive trade practice, but the bill may be enforced only by the attorney general or district attorneys.

Nevada Online Privacy Law

Nevada’s Online privacy Law is an ACT relating to Internet privacy that went into effect May 30, 2019; prohibiting an operator of an Internet website or online service which collects certain information from consumers in Nevada from making any sale of certain information about a consumer if so directed by the consumer; and providing other matters properly relating thereto. Under the law, sales are defined as exchanges of personal information for monetary consideration by the online operator to a person for the person to license or sell the personal information to additional persons.

Nevada’s bill does not add include new notice requirements for website operators but does require them to post certain items of information in their privacy policies, including the categories of information collected, the categories of third parties with which the data is shared, a description of the process consumers may use to review and request changes to their covered information, a disclosure that third parties may track consumers’ online activities and the effective date of these notices.

Virginia (CDPA) — Effective date of January 1, 2023

Passed March 2, 2021, Virginia’s Consumer Data Protection Act establishes a framework for controlling and processing personal data in the Commonwealth. The bill applies to all persons that conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.

The bill outlines responsibilities and privacy protection standards for data controllers and processors. The bill does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law.

The bill grants consumer rights to access, correct, delete, and obtain a copy of personal data and to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling of the consumer.

The bill provides that the Attorney General has exclusive authority to enforce violations of the law, and the Consumer Privacy Fund is created to support this effort.

The bill directs the Joint Commission on Technology and Science to establish a work group to review the provisions of this act and issues related to its implementation, and to report on its findings by November 1, 2021. The bill has a delayed effective date of January 1, 2023.

For more information, see:

• State Laws Related to Digital Privacy
• Privacy Laws of the United States
• US State Privacy Legislation Tracker
• Privacy Laws Around the Globe