“Data is the new oil. It’s valuable, but if unrefined it cannot really be used. It has to be changed into gas, plastic, chemicals, etc to create a valuable entity that drives profitable activity; so must data be broken down, analyzed for it to have value.” — Clive Humby, British mathematician and Data Science Entrepreneur
Just as oil set off a revolution, data is the next big thing (arguably it already is). With the emergence of big data and data science, the value of data has multiplied. Organizations rely on data to make critical business decisions, and data-driven decision-making is in demand. As Humby put it, analysis of refined data is what brings the profit. Even governments see data as a valuable asset.
As data grows in importance, it also becomes more prone to misuse and theft. Many large companies holding vast volumes of personal data have committed data privacy violations. Every country therefore needs legislation to protect the data of its people, especially in the digital world, where most data breaches happen. That is why many countries have launched data privacy laws in recent years.
We will discuss data privacy and various laws enacted around the world.
Data, being one of the most valuable assets, is often subject to misuse. Many countries have passed data privacy laws to protect the data rights of their citizens.
Several data privacy laws have shaped the whole digital world. Among the major ones are the EU's GDPR and ePrivacy Directive, California's CCPA, and Brazil's more recent LGPD.
CookieYes strives to provide a cookie compliance solution for all of these data privacy laws.
What is data privacy?
Data privacy is the practice of protecting personal data by handling it properly and following the applicable rules and regulations. It covers how you collect, use, sell, store, transfer, and share data, including sharing it with third parties.
In recent years, data privacy has gained momentum. As data privacy violations have been unearthed, many countries have come forward with their own legislation. Data privacy laws aim to protect the rights and freedoms of their people and give them more control over their data.
Data privacy includes regulations, legislation, policies, and governance.
Let us take a quick look at some of the major enacted data privacy laws around the world and how they uphold the data rights of the people.
European Union (EU) data privacy laws
General Data Protection Regulation (GDPR)
The EU's General Data Protection Regulation (GDPR) is the most influential data privacy legislation to date, owing to its wide territorial scope and its comprehensive implementation guidelines. It has served as a model for many other data privacy laws around the world.
It regulates the handling of personal data of people within the EU and the EEA (European Economic Area) member states. The Regulation applies to any entity, regardless of where it is located, that processes the personal data of people in the EU/EEA.
The GDPR was adopted in 2016 and has applied since May 25, 2018.
The key highlights and requirements of the GDPR are:
- Personal data under the GDPR is any information relating to an identified or identifiable natural person, whether the person can be identified directly or indirectly (for example by combining it with other data). Examples include names, identification numbers, location data, and online identifiers.
- Special categories of data (sensitive data) are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data, health data, and data concerning sex life or sexual orientation. Processing sensitive data is prohibited unless a specific exception applies, and it requires a higher level of protection.
- Be transparent about what type of data you collect, how you collect it, its purpose, legal basis, how long it is being stored, and where it is being shared (international transfer and third parties).
- Sets out seven principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. In practice: limit collection to what the defined purpose requires, delete data once that purpose is fulfilled, do not keep it longer than needed, and keep the personal data you handle accurate and secure.
- Keep processing records to demonstrate proof of your compliance.
- Processing is lawful only if it rests on at least one of the six lawful bases: consent, performance of a contract, legal obligation, vital interests, a task carried out in the public interest, or legitimate interests.
- Consent must be freely given, informed, specific, and unambiguous to be valid. Withdrawing the consent must be as easy as it was to give it.
- People must be able to easily request and exercise their GDPR rights.
- Appoint a Data Protection Officer (DPO) if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if they involve large-scale processing of special categories of data. The DPO advises the organization on its GDPR obligations and monitors compliance.
- Carry out a Data Protection Impact Assessment (DPIA) where processing, in particular of sensitive data or with new technologies, is likely to result in a high risk to the rights and freedoms of individuals.
- A personal data breach must be reported to your supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where it is likely to result in a high risk, the affected individuals must also be informed without undue delay. The report must describe the nature of the breach and the data affected, its likely consequences, and the measures taken or proposed.
- Failing to comply with the GDPR results in fines of up to €20 million or 4% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher; a lower tier of €10 million or 2% applies to less severe infringements.
The Privacy and Electronic Communications Directive 2002/58/EC, or ePrivacy Directive (ePD), is an EU directive on data protection and privacy in the electronic communications sector.
It deals with the confidentiality of electronic communications, the processing of traffic and location data, and the storing of information such as cookies on users' devices. It lays out rules for data collection and processing and requires prior consent.
Because the 2009 amendments introduced the consent requirement for cookies, it came to be known as the EU Cookie Law.
Under Article 5(3), a website may not store cookies on, or read information already stored on, a user's device without the user's prior consent, the only exception being cookies strictly necessary to provide a service the user has explicitly requested. Users must be able to withdraw that consent at any time.
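The rule above translates into a concrete engineering requirement: deny every non-essential cookie until consent exists, and when consent is withdrawn, remove what it previously allowed. The following is an added example written for this page, not CookieYes code or any vendor's library. The cookie names, the three categories, and the in-memory cookie jar are assumptions chosen for illustration; a real deployment would read its declaration from the site's cookie policy and talk to the browser's cookie store.

```javascript
// Added illustration (not CookieYes code): a deny-by-default consent gate for
// cookies, modelling the ePrivacy Directive rule that only strictly necessary
// cookies may be set before consent, plus withdrawal, which must purge the
// cookies that consent previously allowed.

// Consent categories a site declares in its cookie policy (assumed for the example).
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Constructed cookie declaration: every cookie the site may set, with its category.
// Anything not listed here is treated as non-essential and refused.
const DECLARED_COOKIES = [
  { name: "session_id", category: "necessary" },
  { name: "_ga", category: "analytics" },
  { name: "ad_id", category: "marketing" },
];

// State before the user has made any choice: only necessary cookies are allowed.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, recordedAt: null };
}

// Record an explicit choice. Unknown categories are rejected so a typo cannot
// silently grant or deny anything; "necessary" can never be switched off.
function recordConsent(choices, now = Date.now()) {
  const consent = defaultConsent();
  for (const [category, granted] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown consent category: ${category}`);
    }
    if (category !== "necessary") consent[category] = granted === true;
  }
  consent.recordedAt = now; // when consent was given, kept as evidence
  return consent;
}

// Withdrawal is as easy as giving consent: a single call resets every optional category.
function withdrawConsent(now = Date.now()) {
  return { ...defaultConsent(), recordedAt: now };
}

// Minimal in-memory stand-in for the browser cookie jar so the logic runs offline.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  delete(name) { this.store.delete(name); }
  has(name) { return this.store.has(name); }
  names() { return [...this.store.keys()].sort(); }
}

function categoryOf(name, declared = DECLARED_COOKIES) {
  const entry = declared.find((c) => c.name === name);
  return entry ? entry.category : null;
}

// Gate a cookie write on the current consent state. Returns true if it was set.
function trySetCookie(jar, consent, name, value, declared = DECLARED_COOKIES) {
  const category = categoryOf(name, declared);
  if (category === null) return false;                               // undeclared: deny
  if (category !== "necessary" && consent[category] !== true) return false;
  jar.set(name, value);
  return true;
}

// Re-apply a (possibly changed) consent state: delete every declared cookie whose
// category is no longer permitted. Returns the names that were purged.
function enforceConsent(jar, consent, declared = DECLARED_COOKIES) {
  const purged = [];
  for (const { name, category } of declared) {
    if (category !== "necessary" && consent[category] !== true && jar.has(name)) {
      jar.delete(name);
      purged.push(name);
    }
  }
  return purged.sort();
}

// Walk through the lifecycle: first visit, consent given, consent withdrawn.
function demo() {
  const jar = new MemoryCookieJar();
  const beforeChoice = defaultConsent();
  const firstVisit = {
    session: trySetCookie(jar, beforeChoice, "session_id", "abc"),
    analytics: trySetCookie(jar, beforeChoice, "_ga", "GA1.1"),
  };
  const granted = recordConsent({ analytics: true, marketing: false }, 1700000000000);
  const afterConsent = {
    analytics: trySetCookie(jar, granted, "_ga", "GA1.1"),
    marketing: trySetCookie(jar, granted, "ad_id", "xyz"),
    undeclared: trySetCookie(jar, granted, "tracker", "1"),
  };
  const withdrawn = withdrawConsent(1700000100000);
  const purged = enforceConsent(jar, withdrawn);
  return { firstVisit, afterConsent, purged, remaining: jar.names() };
}
```

Two points the toy jar hides but a practitioner must handle: in a browser a cookie is only deleted by re-setting it with an expired date and the same Domain and Path it was originally set with, so the declaration should record those attributes too; and the check must run before any third-party script loads, since a tag that fires on page load sets its cookies regardless of what the banner later says.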
In January 2017, the European Commission proposed a new ePrivacy Regulation that would repeal and replace the Directive.
The proposed ePrivacy Regulation would cover all types of electronic communication within the EU and, once adopted, act as lex specialis to the GDPR, taking precedence over it on the matters it regulates. It was originally intended to apply from May 25, 2018, the same day as the GDPR, but prolonged negotiations have delayed it.
The Council's negotiating mandate, agreed on February 10, 2021, addresses elements such as the confidentiality of electronic communications, the possibility of cookie walls, the processing of metadata and Internet of Things services, and data collection for marketing purposes.
The text is now subject to final negotiations with the European Parliament. Once agreed, the Regulation is expected to apply two years after it enters into force.
US data privacy laws
The US has no comprehensive federal privacy law; instead, a growing number of state-specific laws address the digital privacy of residents, and many more bills are still awaiting final discussion in their respective committees. Here is a quick look at the main US privacy laws (update: Virginia has since passed its own data privacy law):
California Consumer Privacy Act (CCPA)
Widely regarded as the most robust data privacy law in the US, the California Consumer Privacy Act (CCPA) is a state-wide data privacy law. The California State Legislature passed the bill and the then Governor of California signed it into law on June 28, 2018. It took effect on January 1, 2020.
The CCPA applies to for-profit entities that do business in California and collect and process the personal information (PI) of California residents (consumers). Such an entity must also satisfy at least one of the following:
- More than $25 million in annual gross revenue
- Buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices
- Derives 50% or more of its annual revenue from selling consumers' personal information
Some highlights of the CCPA are:
- Personal information is any information that identifies or relates to, directly or indirectly, a consumer or household.
- The CCPA also grants consumers several rights:
- The right to know what type of personal information has been collected and processed and why
- The right to delete any personal information collected, with exceptions such as data necessary to complete transactions, detect security incidents, satisfy legal and functionality obligations, rectify errors, and conduct research for public interest
- The right to opt out of a business selling any personal information to third parties via a conspicuous link titled “Do Not Sell My Personal Information”
- The right to non-discrimination against consumers who exercise their rights, i.e. a business cannot deny or charge a different price or quality of goods or services to such consumers
- Civil penalties for non-compliance can reach $7,500 per intentional violation and $2,500 per unintentional violation.
- Businesses must notify affected California residents if a data breach occurs.
- If more than 500 Californians are affected, the business must also submit a copy of the breach notification to California's Attorney General.
- The CCPA gives consumers a private right of action when a breach results from a business's failure to implement reasonable security: they can sue in civil court for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
California Privacy Rights Act (CPRA)
In November 2020, California voters passed the California Privacy Rights Act (CPRA), which amends and expands the CCPA. It becomes operative on January 1, 2023; rather than replacing the CCPA, it amends the existing law in place.
Here is how the CPRA differs from the CCPA (only the major changes are listed):
- Introduced new Sensitive personal information category and its opt-out, opt-in, disclosure, and purpose limitation requirements.
- For businesses that will be subject to the CPRA:
- Increased the number of consumers or households (removed ‘devices’) from 50,000 or more to 100,000 or more.
- Deriving 50% of annual revenue also includes sharing the personal information of consumers and not just from selling it.
- Added new consumer rights and modified the existing CCPA rights.
- The additional new rights under the CPRA are:
- Right to Correct Inaccurate Personal Information and
- Right to Limit Use of Sensitive Personal Information.
- Extended opt-out for personal information used for cross-context behavioral advertising.
- Established the California Privacy Protection Agency (CPPA), which is responsible for monitoring and enforcing the Act.
- Removed the mandatory 30-day cure period before a business can be fined for a violation.
- Fines of up to $7,500 per violation involving the personal information of consumers the business knows to be under 16.
Other data privacy laws
Brazil's data privacy law, the Lei Geral de Proteção de Dados (LGPD), draws heavily on its European counterpart, the GDPR. The bill was passed in 2018 and came into force on September 18, 2020. It consolidates and replaces more than 40 existing statutes governing personal data, both online and offline.
Like other data privacy laws, it aims to protect the fundamental rights and data privacy of the people while encouraging innovation and economic and technological development.
Let us look at the main points stated in the LGPD:
- Personal data refers to any information related to an identified or identifiable natural person. It does not specify examples of personal data.
- Sensitive personal data is almost the same as defined in the GDPR.
- Any natural person or entity is subject to the LGPD if:
- it processes personal data in Brazil,
- it processes personal data in order to offer or supply goods or services to people located in Brazil, or
- the personal data was collected in Brazil, regardless of the data subject's nationality or current location.
- The LGPD does not apply where personal data is processed solely for private, non-economic, journalistic, artistic, or academic purposes, or for public safety, national defense, state security, or criminal investigation.
- A national data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD), supervises enforcement of the law.
- States 10 principles for processing: purpose; adequacy; need; free access; data quality; transparency; security; prevention; non-discrimination; and responsibility and accountability.
- There are lawful bases for processing, some of which are similar to the GDPR. Other bases include:
- study by research body,
- regular exercise of judicial, administrative, or arbitral proceeding rights,
- health protection, and
- credit protection.
- Consent under the LGPD must be "free," "informed," and "unequivocal."
- The GDPR's conditions for consent, such as being demonstrable and revocable at any time, apply under the LGPD as well.
- For children under the age of 12, parental consent is required.
- LGPD rights are similar to those under the GDPR. Two additional rights it provides are:
- anonymization of unnecessary or excessive data
- information on public and private entities with which the controller shares the personal data
- International data transfer is allowed under certain circumstances, like a legal requirement, contractual requirement, public policy, with the consent of the users, cooperation agreement, etc.
- The appointment of a DPO is mandatory.
- Record-keeping of data collection and handling is also mandatory.
- If a data breach occurs, organizations must submit a breach report to the ANPD and notify the affected users. The law does not specify an exact time limit; the ANPD may set one.
- The maximum fine for non-compliance is 2% of an organization's annual turnover in Brazil, capped at 50 million Brazilian reais (about US$9 million), per violation.
- Other sanctions include a warning with a deadline to adopt corrective measures, a daily fine, publication of the violation, blocking of the processing activity, and deletion of the personal data.
CookieYes and Data Privacy Laws
CookieYes believes that complying with data privacy laws does not have to be complicated or hard to achieve. We have continuously strived to provide our customers with the best cookie compliance solution for their websites. That is why over 1 million users trust CookieYes products.
The CookieYes cookie consent solution is a cloud-based service. You can install a cookie consent banner on your website that is fully customizable, down to the smallest detail.
CookieYes provides compliance support for all of the data privacy laws discussed above.