
Data Privacy Laws in 2024 (Updated!)

Osman Husain 4/11/24 6:35 PM


Data Privacy Laws

Data privacy laws around the world govern the use of customer information, such as their name, phone number, address, and other personally identifiable information. Such laws provide a data privacy framework, governing how businesses can go about processing personal data, outlining rights for individuals, requests for removals, and penalties for non-compliance.

While every region has its own privacy laws, the goal is the same: to protect consumers and prevent unfair data collection practices. Examples of data protection laws include the GDPR, PIPEDA, and the California Consumer Privacy Act (CCPA).

Interested in knowing more about business privacy laws? Read our guide to which privacy laws apply to your business.

In this article, we’ll discuss the major data privacy laws coming into effect in 2024 and the following years. We will cover data protection laws in the U.S., Europe, Canada, Australia, Brazil, India, Russia, and South Africa, as well as upcoming legislation in each jurisdiction.


New Data Privacy Laws in 2024 

The United States faces unique legislative challenges in managing data privacy, with the push for a universal federal privacy policy butting heads against state-level mandates. As of 2024, the closest the U.S. has come to a national privacy mandate was the American Data Privacy and Protection Act (ADPPA), which was introduced to the House Committee in 2022 but failed to pass.

As such, it’s up to each individual state to determine its own policies for protecting user privacy. Most states are adopting privacy legislation in some form, with many new laws taking effect in the coming years.

Continue reading for a full summary of each privacy mandate. 


The Role of the FTC

The Federal Trade Commission (FTC) is the chief regulatory body governing consumer protections and anticompetitive business practices. It has the authority to issue mandates, enforce regulations, and apply penalties to companies that fail to achieve compliance. For data privacy, the FTC is essential for enforcing laws related to the security of user information—such as the Federal Trade Commission Act, which prohibits unfair or deceptive acts in commerce.

Notably, the FTC’s authority allows it to address many practices that affect consumers, including those practices that develop alongside new technologies. Data privacy directives are a great example, with the FTC helping protect users in the wake of fast-moving technological shifts.

The FTC may apply enforcement actions to protect consumers and compel companies to take affirmative steps towards remediation. Some of the FTC’s enforcement mechanisms include:

  • Assessments of business practices by independent auditors
  • Implementation of comprehensive privacy programs
  • Requiring forfeiture of illicit funds
  • Monetary redress for affected consumers
  • Deletion of illegally-obtained information
  • Requiring robust transparency and choice mechanisms for consumers


Federal Data Privacy Laws in the U.S.

The FTC also has the ability to enforce privacy laws specific to different sectors, such as health, financial services, and credit reporting:

  • Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a federal law that governs the security and privacy of protected health information (PHI) in the U.S. It applies to various covered entities, including:
    • Health plans, such as company health plans, health insurance companies, and certain government programs that pay for healthcare, such as Medicaid and Medicare
    • Healthcare clearinghouses, which are entities that process non-standard health data they receive from another entity into a standard data content or electronic format
    • Healthcare providers that conduct tasks like billing over the internet, such as psychologists, most doctors, nursing homes, dentists, and clinics
  • Gramm-Leach-Bliley Act (GLBA): This requires companies that offer consumers financial services or products like investment advice, insurance, or loans to explain their data-sharing practices to their customers. It also requires them to protect sensitive data.
  • Fair Credit Reporting Act (FCRA): This federal law regulates who can access consumers' credit reports and for what purposes. It imposes certain obligations on companies that provide data to consumer reporting agencies, such as the duty to investigate disputed information. The FCRA also requires users of credit data to notify customers when an adverse action has been taken based on the information in the reports.
  • Children's Online Privacy Protection Act (COPPA): This law applies to operators of websites and online services directed to children under 13 and requires them to take steps such as:
    • Posting a privacy policy describing how they collect personal information from children under 13
    • Obtaining verifiable parental consent before collecting, using, and disclosing personal information from children under 13
    • Establishing and maintaining actionable procedures to protect the security, confidentiality, and integrity of personal information collected from children under 13
    • Retaining information collected from children under 13 for only as long as needed to fulfill the purpose for which it was collected
    • Providing notice to parents of the operator's practices concerning the use, collection, or disclosure of children's personal data, including notice of material changes to practices to which the parents had previously consented
    • Offering a reasonable way for parents to review the personal details collected from their child and to refuse to permit its further maintenance or use
  • Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003: This law establishes the U.S. national standards for sending commercial email:
    • Don't use deceptive subject lines.
    • Don't use misleading or false "from," "to," "reply-to," or routing information.
    • Tell recipients your location.
    • Identify the message as an advertisement.
    • Inform recipients how to opt out of receiving future email.
    • Monitor what others are doing in your name or on your behalf.
    • Honor opt-out requests within 10 business days.


U.S. State Data Privacy Laws

Besides federal laws like HIPAA and COPPA, the U.S. has several state data collection laws, such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). There are currently 12 U.S. states with data privacy regulations signed into law, with many others reviewing active bills in committee. You can track the status of emerging privacy legislation here.

Each act represents comprehensive data privacy legislation that applies both to in-state businesses and websites, as well as other businesses that collect, sell, or share the personal information of in-state consumers.

Let's take a closer look at each privacy and data protection regulation and understand how it deals with consumer consent, data security requirements, consumers' data, and international data transfers.


California Consumer Privacy Act (CCPA)

The CCPA is a 2018 law that gives California residents more control over the details that businesses collect about them. It secures several privacy rights for consumers in California, including:

  • The right to know what personal information a business collects from them and how that information is used and shared
  • The right to opt out of the sale of their personal data
  • The right to delete personal information collected about and from them
  • The right to nondiscrimination for exercising their CCPA rights

The CCPA applies to for-profit businesses that meet one or more of the following thresholds:

  • Has annual gross revenues of over $25 million
  • Makes 50% or more of annual revenue from selling data
  • Alone, or in combination, buys, sells, shares, or receives the personal information of 50,000 or more California residents for a commercial purpose

Note that the CCPA applies to any business that meets one or more of these thresholds, even if it doesn't have a physical presence or office in California.

The CCPA grants consumers a private right of action, which means they can recover statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater, as well as declaratory or injunctive relief. However, consumers can only bring actions involving the following types of personal data:

  • A person's first name or first initial along with their last name
  • One or more of the following:
    • A unique government-issued ID number, such as a tax ID number, driver's license number, military ID number, passport number, or California ID number
    • Social Security number
    • Credit or debit card number or account number, in combination with any required information that would permit access to the account, like a security code, access code, or password
    • Health insurance information
    • Medical information
    • Biometric information such as iris images, fingerprints, and retina images

Since July 1, 2020, the California Attorney General (AG) has been enforcing the CCPA by issuing penalties of $2,500 for each violation and $7,500 for each intentional violation.


California Privacy Rights Act (CPRA)

The California Privacy Rights Act expands and amends the California Consumer Privacy Act by creating new privacy rights and requirements for applicable companies.

It also establishes the California Privacy Protection Agency — the state regulator for data compliance and privacy practices.

There are five major updates in the CPRA compared with the CCPA:

  • Updated criteria for qualifying businesses: The CPRA both expands and contracts the scope of applicability. It applies to for-profit legal entities that meet one or more of the following thresholds:
    • Has an annual gross revenue of over $25 million
    • Makes 50% or more of its annual revenue from selling or sharing consumers' personal information
    • Alone, or in combination, buys, sells, or shares the personal information of 100,000 or more households or consumers annually
  • A new category of protected personal information: The CPRA introduces a new category, sensitive personal information (SPI), which covers biometric data, information collected online, protected health information, and the privacy practices around them. This requirement resembles Article 9 of the General Data Protection Regulation (GDPR). Examples of SPI include driver's license numbers, personal identification numbers, passport numbers, and state ID numbers.
  • New and expanded consumer privacy rights: The CPRA expands various existing CCPA rights, including the right to know personal information, the right to delete, the right to opt out of third-party sharing and sales, opt-in rights for minors, and the right to data portability. It also adds new consumer rights, including:
    • The right to correct information
    • The right to opt out of automated decision-making technology, including profiling
    • The right to limit disclosure and use of SPI
    • The right to access information about automated decision-making
  • Expansion of legal rights in the event of a data breach: The CCPA gives consumers the right to take legal action if their non-redacted and non-encrypted information gets exposed. The CPRA adds consumer login credentials to the list of personal information data leaks that a California resident can file a lawsuit for and makes it mandatory for businesses to apply appropriate security measures.
  • Adopting certain GDPR principles: The CPRA has adopted several GDPR principles, including:
    • Data minimization: This requires businesses to limit the collection of personal information to what is directly necessary and relevant to accomplish a specified purpose.
    • Storage limitation: This requires businesses to only retain and store consumer information for a reasonable amount of time.
    • Purpose limitation: This requires businesses to only collect consumer personal information for explicit, specific, and legitimate disclosed purposes.

The CPRA will also expand the CCPA's private right of action by letting consumers bring lawsuits arising from data breaches involving additional types of personal information. Specifically, it adds email addresses in combination with security questions and answers or passwords to the list of actionable data types.

As for enforcement, the CPRA will be enforced by the California Privacy Protection Agency (CPPA), which was established soon after the CPRA was passed. The CPPA is also responsible for promoting awareness of the CPRA and issuing further regulations.

Penalties and fines under the CPRA are very similar to those of its predecessor. The CPPA can issue two levels of penalties depending on the violation: up to $2,500 per unintentional violation and up to $7,500 per intentional violation or violation involving minors. 


Virginia's Consumer Data Protection Act (CDPA)

Effective January 1, 2023, Virginia's Consumer Data Protection Act (CDPA) applies to companies that:

  • Conduct business in Virginia or market their services and goods to Virginia residents, and
  • Control or process the personal information of at least 100,000 Virginia residents or control or process data of at least 25,000 Virginia residents and make more than 50% of their gross income from selling personal information

Like California's CCPA and CPRA, Virginia's CDPA provides consumers with several personal data rights, including:

  1. The right to access, know, and confirm
  2. The right to fix inaccuracies
  3. The right to delete
  4. The right to data portability (i.e., easy access to all of one's data held by a company)
  5. The right to opt out of processing for targeted advertising purposes
  6. The right to opt out of profiling
  7. The right to opt out of the sale of one's data
  8. The right to not be discriminated against for exercising consumer rights under the CDPA

Virginia's CDPA does not have a private right of action — it will be solely enforced by the Attorney General of Virginia. Civil penalties can go up to $7,500 per violation, and all civil penalties, attorney fees, and expenses collected under the CDPA are paid into Virginia's state treasury and credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund.


Montana’s Consumer Data Privacy Act (MTCDPA)

The Montana Consumer Data Privacy Act (SB 384) was signed in May 2023 and takes effect on October 1, 2024, making it the 12th state to enact dedicated privacy legislation. The applicability of MTCDPA depends on how much data an organization processes and where its revenue comes from. Eligible entities include:

  • Organizations that reside in Montana or provide goods/services to Montana residents;
  • Those who manage personal data of at least 50,000 Montana residents;
  • Those who manage data of at least 25,000 residents and who earn more than 25% of annual revenue from personal data sales.

MTCDPA provides protections for consumers by requiring data processors and controllers to adhere to certain obligations:

  • Provide a privacy notice with specific content
  • Process personal data only as reasonably necessary
  • Establish a secure way for consumers to exercise privacy rights
  • Obtain consent for processing sensitive data
  • Contract with processors
  • Conduct and document data protection assessments for high-risk processing activities

Like most privacy mandates, enforcement is handled by the state’s Office of the Attorney General. Notably, the MTCDPA does not specify a dollar amount for potential compliance violations, though it’s likely that civil penalties will be roughly in accordance with other state-level privacy acts.


Tennessee’s Information Protection Act (TIPA)

Tennessee’s Information Protection Act (TIPA, or SB 0073) was signed in May 2023 and takes effect on July 1, 2025. TIPA is considered one of the more business-friendly privacy mandates coming into effect, offering more lenient criteria for applicability. It applies to businesses that:

  • Exceed $25 million in annual revenue;
  • Conduct business within Tennessee or with residents of Tennessee;
  • Control or process personal data of at least 175,000 customers; or
  • Control or process data of at least 25,000 customers and derive over 50% of revenue from personal data sales

TIPA enacts protections for consumers akin to many other state-level privacy mandates. Common features include the ability to confirm, adjust, or delete personal data. It also requires controllers to adhere to data handling best practices. There is also a lengthy onboarding period for affected entities of two-plus years—giving businesses plenty of time to achieve their compliance goals. And for those businesses with established privacy programs that align with frameworks like NIST, TIPA offers an affirmative defense option that allows processors to protect themselves against potential violations.  

Enforcement is handled by the Tennessee Office of the Attorney General. Those who are not compliant may face civil penalties of $7,500 per violation.


Oregon’s Consumer Privacy Act (OCPA)

The OCPA (Senate Bill 619) is Oregon’s primary data privacy legislation, signed into law in July of 2023 and taking effect July 1, 2024. The legislation applies to the following organizations:

  • Entities who conduct business in Oregon or who provide products/services to Oregon residents;
  • Those who process personal data of 100,000 or more residents in a calendar year
  • Those who process personal data of 25,000 or more customers while earning 25% or more annual revenue from personal data sales

Like other privacy mandates, the OCPA provides essential protections for consumers with respect to how their data is handled and processed. OCPA allows consumers to:

  • Request information about personal data processing and disclosures
  • Obtain a copy of processed personal data
  • Request corrections or deletion of personal data
  • Opt out of certain data processing activities like targeting, sales, or profiling

Additional requirements for controllers include the need to safeguard collected data, provide user-friendly means to revoke consent, and obtain consent to process sensitive data. The OCPA has looser definitions for what is considered “sensitive” information than some other privacy mandates, including any data related to mental/physical condition, race, nationality, religion, citizenship, and more. Enforcement is handled by the Oregon Office of the Attorney General and may include fines up to $7,500 per violation. 


Texas’ Data Privacy and Security Act (TDPSA)

The Texas Data Privacy and Security Act was signed into law by Governor Greg Abbott on June 18, 2023, taking effect on July 1, 2024. However, entities will be given a grace period extending through January 1, 2025 to achieve compliance. Just like mandates imposed by California and other proactive regions, the TDPSA aims to bring Texas into the game by codifying data privacy requirements that are emerging as industry best practices.

Businesses conducting operations within Texas borders, or those offering products/services to Texas residents must comply with this law. However, the TDPSA offers an exemption for companies defined as “small businesses” by the Small Business Administration. And unlike other privacy laws, the TDPSA does not impose eligibility requirements based on annual revenue or volume of data processed.

Notably, the TDPSA has some distinct features, such as requirements for companies to disclose sales of sensitive information, and a universal opt-out mechanism that is consumer-friendly and easy to use. There are also specific mandates for controller obligations related to data minimization, opt-out rights, privacy notices, and more.

Like other state-based privacy mandates, enforcement falls to the Texas Office of the Attorney General. Those in violation will be given 30 days to remediate the issue, after which fines may be levied up to $7,500 per offense.


Iowa’s Consumer Data Protection Act (ICDPA)

Iowa’s Consumer Data Protection Act was signed into law on March 28, 2023 and is set to take effect January 1, 2025. This legislation makes Iowa the sixth U.S. state to enact dedicated data privacy legislation. Like similar mandates, the ICDPA establishes basic protections for Iowa residents, including the right to opt out of data sales, requirements for controller/processor agreements, and mandating that companies provide an opt-out option before processing sensitive data. The ICDPA applies to entities that:

  • Operate in Iowa or provide goods/services to Iowa residents;
  • Process personal data of at least 100,000 Iowa residents per calendar year; or
  • Process data of at least 25,000 residents and obtain more than 50% of gross revenue from the sale of personal data

While the ICDPA is quite similar to many comparable state privacy laws, it lacks mandates requiring entities to provide the right to correct personal data or to opt out of profiling. It also does not provide a private right of action.

Enforcement is managed by the Iowa Office of the Attorney General, which offers a substantial 90-day cure period for offenses. Those who fail to reach compliance are liable for fines of $7,500 per violation.


Indiana’s Consumer Data Protection Act (INCDPA)

The Indiana Consumer Data Protection Act was adopted on May 1, 2023 and is set to take effect on January 1, 2026, making Indiana the seventh U.S. state to enact consumer privacy legislation. Like other regulations, the INCDPA establishes guardrails for data processing and consumer privacy. The INCDPA applies to entities that:

  • Operate in Indiana or sell products/services to Indiana residents;
  • Process or control data of at least 100,000 residents; or
  • Process personal data of at least 25,000 residents and derive over 50% of gross revenue from personal data

Indiana’s INCDPA does not differ materially from similar consumer privacy mandates, requiring entities to fulfill a range of obligations that hold them accountable for how personal data is used:

  • Collect only necessary personal data for disclosed purposes
  • Implement reasonable data security practices
  • Obtain consent before processing sensitive data
  • Process data without discrimination
  • Provide a clear privacy policy with specified details
  • Disclose selling of personal data and provide opt-out options
  • Establish an appeal process for rights requests
  • Conduct data protection assessments for specific activities
  • Maintain de-identified data securely

The Indiana Office of the Attorney General is responsible for enforcing actions against violators. Offenders will be given a 30-day grace period to achieve compliance, at which point violators may receive civil penalties up to $7,500 per violation.


Delaware’s Personal Data Privacy Act (DPDPA)

Passed on September 11, 2023 and taking effect January 1, 2025, Delaware’s Personal Data Privacy Act (Bill No. 154) provides many of the same protections as comparable data protection laws. These regulations apply to any entity that:

  • Conducts business in Delaware or produces products/services that target Delaware residents;
  • Processes personal data of more than 35,000 Delaware residents;
  • Processes personal data of over 10,000 residents and derives more than 20% of gross revenue from personal data sales

Broadly, Delaware’s Personal Data Privacy Act requires entities to give consumers the right to opt out of data processing, establishes new regulations for how data is handled between processors and controllers, and allows consumers to delete or return personal data upon request.

The Delaware Department of Justice is the authority responsible for enforcing requirements, investigating issues, and prosecuting offenders. Under the law, offenders will be issued a notice of violation and given 60 days to correct the issue. Liable entities may be compelled to pay civil penalties of up to $10,000 for each violation.

Notably, Delaware’s Personal Data Privacy Act places strict requirements on processors, requiring processors to assist controllers in enforcing their obligations—such as consumer rights requests or data subject access requests. All processing must be set forth in a contract between the controller and processor that codifies these requirements.


Colorado Privacy Act (CPA)

On July 7, 2021, Colorado passed the Colorado Privacy Act, becoming the third state — after California and Virginia — to pass state consumer personal data privacy laws. The CPA came into effect on July 1, 2023.

The Colorado Privacy Act applies to businesses that:

  • Process or control the personal data of 100,000 or more consumers during a calendar year, or
  • Earn revenue or receive a discount on the price of services and goods from the sale of data and process or control the personal data of 25,000 or more local Coloradan consumers

Unlike the California and Virginia state data laws, the Colorado Privacy Act applies to nonprofits. However, the law does not apply to certain types of data sets and entities, such as financial institutions subject to the Gramm-Leach-Bliley Act, data governed by the Family Educational Rights and Privacy Act (FERPA), and certain types of healthcare-related data. Despite these subtle differences, the CPA is similar to other laws in the limits it places on the data collected by businesses.

The CPA grants Colorado residents the right to opt out of:

  • Targeted advertising
  • The sale of their data
  • Certain types of profiling

They also have the right to access, delete, and correct their personal data and the right to data portability. Businesses typically have 45 days to respond to consumer requests.

Unlike California's CCPA and CPRA, Colorado's CPA does not have a private right of action. The Colorado Attorney General and district attorneys have exclusive authority to enforce the CPA. Penalties can go up to $20,000 per violation, with the maximum penalty for a series of related violations being $500,000.


New York SHIELD Act

Signed into law on July 25, 2019, by Governor Andrew Cuomo, New York's Stop Hacks and Improve Electronic Data Security (SHIELD) Act amends New York's 2005 Information Security Breach and Notification Act. 

This act significantly strengthens the state's existing data security laws by expanding the kinds of private data for which companies must notify consumers if they are accessed in a breach, and by requiring companies to create, implement, and maintain reasonable safeguards to protect the confidentiality, security, and integrity of private information. In short, the act compels businesses to issue data breach notifications within a specific timeframe.

Specifically, the SHIELD Act expands the definition of "private information" to include usernames, biometric information, email addresses, and passwords. Additionally, it requires businesses and people maintaining private information to adopt physical, administrative, and technical safeguards, such as:

  • Training and managing employees in security procedures and practices
  • Designating one or more employees to manage and coordinate the security program
  • Identifying reasonably foreseeable external and internal risks
  • Selecting service providers capable of maintaining appropriate safeguards
  • Adjusting the security program in light of new circumstances and business changes
  • Detecting, preventing, and responding to intrusions
  • Disposing of private information within a reasonable amount of time after it's no longer needed for business purposes by destroying electronic media so that the data can't be reconstructed or read

Like Colorado's CPA, the SHIELD Act does not create a private right to action. As such, if a New York resident believes a company subject to the SHIELD Act failed to comply with SHIELD's data protection requirements, that individual won't be able to sue the business under the SHIELD Act.

Under the SHIELD Act, the New York Attorney General may seek restitution, injunctive relief, and penalties against any business entity for violating the law. Companies may be fined $20 per instance for failing to provide timely notification and $5,000 per violation for failing to maintain reasonable safeguards. 


Utah Consumer Privacy Act

On March 24, 2022, Utah enacted the Utah Consumer Privacy Act (UCPA), which came into effect on December 31, 2023. 

Like other state privacy data laws, the UCPA imposes several obligations on businesses that process or control the personal data of Utah consumers. It also grants Utah consumers new rights over their personal data, including:

  • The right to know and confirm processing activity
  • The right to access personal data
  • The right to delete personal data
  • The right to obtain a copy of personal data in a readily usable and portable format
  • The right to opt out of sales of personal information and targeted advertising
  • The right to avoid discrimination as a result of exercising their UCPA consumer rights

Note that the UCPA does not create a private right of action for consumers. It is only enforceable by the Utah Attorney General, who may impose fines of up to $7,500 per violation.


Connecticut’s Data Subject & Privacy Law

On May 10, 2022, Connecticut became the fifth state to embrace comprehensive state consumer privacy legislation after Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring, was signed into law. Most provisions of this law took effect on July 1, 2023.

This new law includes many of the same obligations, rights, and exceptions as similar consumer data subject laws in California, Virginia, Colorado, and Utah. It also has a similar scope, applying to entities that manage sensitive data:

  • Produce services or products targeted to Connecticut residents or conduct business in Connecticut and do either of the following:
    • Control or process the personal data of at least 100,000 consumers, excluding personal information processed or controlled solely to complete payment transactions
    • Control or process the personal data of at least 25,000 consumers and make over 25% of their gross revenue from selling personal data

This law does not have a private right of action, and the Attorney General of Connecticut is solely responsible for enforcement. Violations of this act are enforceable under the Connecticut Unfair Trade Practices Act and may result in the following civil penalties: 

  • A maximum penalty of $5,000 for willful violations
  • A maximum penalty of $25,000 for violating restraining orders or injunctions


Maine's Data Privacy Law

In 2020, Maine created one of the strictest data privacy laws in the nation, causing a stir. This law prevents service providers from using, selling, disclosing, or providing access to consumers' personal information without permission. Under this law, customer personal information includes the customers':

  • Web browsing history
  • Precise geolocation information
  • Application usage history
  • Health information
  • Financial information
  • Information about their children
  • Device identifiers, such as internet protocol (IP) address, international mobile equipment identity, and media access control address
  • Communications content
  • Destination and origin IP addresses


Data Privacy Laws in Europe

Let's take a look at the most important data privacy laws in Europe, starting with the General Data Protection Regulation (GDPR) — the first example of a robust data privacy act that dealt with companies processing personal data by developing a comprehensive consumer privacy law framework.


The General Data Protection Regulation (GDPR)

The most important data privacy law in the European Union (EU) is the General Data Protection Regulation (GDPR), a set of laws that, among other things, imposes stiff penalties to companies that fail to correct inaccurate personal information such as a financial account number.

The GDPR treats all EU residents as data subjects, makes it illegal for any business to collect and sell their personal information, and applies to any organization that processes personal data inside the EU, including organizations regulated in countries that have a comprehensive data privacy law of their own, such as Canada.

The law aims to enhance EU citizens' rights and controls over their personal data, minimize the reach and influence of data brokers such as marketing aggregation companies and certain financial institutions, and limit the amount of data that a service provider can acquire.

The GDPR has a much broader scope than similar U.S. legislation such as the CCPA and CPRA, which are mostly state laws rather than federal laws. Businesses cannot request access to data at will and there are severe penalties for any firm aiming to act as a data broker.

The GDPR makes the role of a data protection officer even more important, since that officer is responsible for ensuring the correct processing of the personal data of individuals in the European Economic Area (EEA). Data controllers are organizations that collect data from EEA residents; processors, such as cloud service providers, are organizations that process data on behalf of data controllers.

The GDPR establishes eight data subject rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to data portability
  6. The right to limit processing
  7. The right to object
  8. Rights related to automated decision-making, including profiling

The law prohibits organizations from processing individuals' data unless it is explicitly allowed legally or the individual has consented to the processing. Under Article 7, consent must be "freely given, specific, informed, and unambiguous." It must also be given voluntarily. Consent is considered invalid if companies exert inappropriate influence or pressure that could affect the outcome of an individual's choice.

Additionally, the GDPR requires enterprises to appoint a Data Protection Officer (DPO) to oversee the application of the GDPR if:

  • The organization is a public body or authority
  • The organization's core activities consist of data processing operations that require systematic and regular monitoring of data subjects
  • The organization's core activities consist of large-scale processing of personal data relating to criminal offenses and convictions or special categories of data, such as sensitive information about health, sexual orientation, race, and religion

The GDPR is enforced by individual data protection authorities (DPAs) from the 27 EU member states. DPAs are independent of the government and investigate complaints, determine when the GDPR has been breached, and provide data protection advice. Fines are typically much higher than in U.S. state laws — they can go all the way to 4% of a company's global annual turnover or €20 million, whichever is higher.

 

The Data Protection Law Enforcement Directive

The EU's Data Protection Law Enforcement Directive is another set of data protection laws that guard EU citizens against unauthorized use of biometric data and other sensitive data collection.

It applies mostly to criminal law enforcement — where authorities use personal data like fingerprints for sleuthing and other purposes. Besides safeguarding the personal data of suspects, witnesses, and victims, it can also facilitate cross-border cooperation in the fight against terrorism and crime.

 

Recent Data Privacy Laws in Europe

The GDPR and the Data Protection Law Enforcement Directive aren't the only laws you need to be aware of. The following EU laws have taken effect and represent key mandates for a business's compliance strategy:

  • The Digital Services Act (DSA): This regulation modernizes the e-Commerce Directive regarding transparent advertising, illegal content, and disinformation. The purpose of the DSA is to update the EU's legal framework and harmonize different national EU laws that have been passed to address illegal content. This law became applicable across the EU on January 1, 2024.
  • The Digital Markets Act (DMA): Submitted as part of the same package as the DSA, the Digital Markets Act aims to ensure a higher degree of competition in European digital markets by preventing large organizations from abusing their market power and by encouraging new players to enter the market. This law entered into force in October 2022 and became applicable in February 2023.

 

EU Artificial Intelligence Act

On December 9, 2023, the EU Parliament reached a provisional agreement with the Council of Europe to codify and adopt the AI Act: the first EU regulatory framework for managing AI. This text aims to protect the fundamental rights, democracy, and sustainability of our society when faced with potentially high-risk AI systems.

The AI Act categorizes AI systems based on their perceived level of risk to users, with higher-risk tools requiring stricter regulation. The draft aims to establish guardrails around the use of AI, with the following top priorities:

  • Safeguards agreed on general-purpose artificial intelligence
  • Limitations on the use of biometric identification systems by law enforcement
  • Bans on social scoring and on AI used to manipulate or exploit user vulnerabilities
  • The right of consumers to lodge complaints and receive meaningful explanations

Specifically, the draft regulations classify AI systems into three groups based on their risk level: Limited, High, and Unacceptable.

 

Unacceptable Risk

AI systems with an unacceptable level of risk are deemed to be harmful to audiences and will be banned outright. These systems include:

  • Real-time and remote biometric identification systems like facial recognition
  • Biometric identification and categorization of people
  • Cognitive behavioral manipulation of people or vulnerable groups
  • Social scoring that classifies people on behavior, economic status, or other personal traits

Notably, the European Parliament states that exceptions may be allowed for law enforcement purposes.

 

High Risk

AI systems with a high level of risk are believed to pose risks to the safety or fundamental rights of users. While not banned outright, these systems must be assessed by regulators before being put into operation. High-risk systems are divided into two groups:

  1. AI systems used in products that fall under the EU's existing product safety legislation
    • E.g. cars, aviation, toys, and medical devices
  2. AI systems falling into specific use cases that will have to be registered in an EU database
    • E.g. those used in the management of critical infrastructure, or those used for assistance in legal interpretation

 

Limited Risk

AI systems with limited risk are not deemed harmful, yet they still must comply with minimum transparency requirements that allow users to make informed decisions. This includes a requirement to disclose to users that they are interacting with AI.

Non-compliance with the AI Act may result in fines ranging from 35 million euros or 7% of global turnover, down to 7.5 million euros or 1.5% of global turnover, depending on the violation.

 

Data Privacy Laws in Canada

Like the U.S. and the EU, Canada has several federal privacy laws. Let's discuss them below:

Quebec Law 25

Quebec Law 25, also known as Act 25, came into full force in September 2023. This law was part of the omnibus Bill 64, which was intended to modernize Quebec's Private Sector Act over three years with new regulatory and privacy mandates. Within this bill is Law 25, a mandate that allows Quebec's data protection authority, the Commission d'accès à l'information du Québec, to enforce new privacy requirements on data being transferred outside the province.

Law 25 was rolled out in phases, with several provisions taking effect in September 2022. These include requirements for the following:

  • Companies must designate a privacy officer

  • Companies must maintain confidentiality in incident reporting

  • Companies must establish a biometric database

  • Tightened requirements for disclosing personal information for research purposes

On the back of these provisions, Law 25 took full effect the following year, in September 2023. This law sets out clear regulations for how companies must handle their compliance programs, as well as new administrative penalties for failing to comply:

  • Adopt a privacy program according to prescribed requirements

  • Establish processes to perform privacy impact assessments before adoption of technology that processes/transfers personal information outside Quebec

  • Update privacy notices to meet enhanced transparency requirements

  • Review consent mechanisms according to more stringent conditions

  • Ensure data anonymization can demonstrate that it’s performed for legitimate reasons and is in accordance with generally accepted best practices

  • Organizations that disseminate information must prepare to respond to “right to be forgotten” deindexation requests

Notably, Law 25 enacts a new schedule of penalties for non-compliance. Organizations without adequate risk management practices may be liable for penalties ranging from 10 million Canadian dollars or 2% of global turnover, up to 25 million Canadian dollars or 4% of global turnover per violation.

Privacy experts believe that Quebec Law 25, as one of the more stringent privacy regulations in North America, will set a new standard for privacy mandates to come.

 

The Personal Information Protection and Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal law that applies to all businesses that operate in Canada and handle personal information that crosses national or provincial borders, a practice known as global data transfer.

Federally regulated organizations that conduct business in Canada, such as airports, banks, and telecommunications companies, are subject to PIPEDA, which means they must always strive to maintain correct data.

Under PIPEDA, personal information includes any subjective or factual information about an identifiable natural person. Examples include:

  • Name, age, income, ID numbers, blood type, or ethnic origin
  • Opinions, comments, evaluations, disciplinary actions, or social status
  • Employee files, loan records, credit records, intentions to change jobs or acquire goods, and the existence of disputes between consumers and merchants

Businesses subject to PIPEDA are required to follow the 10 fair information principles to protect personal data, namely:

  1. Accountability: This principle requires you to develop a privacy management program, conduct privacy impact assessments, regularly review your privacy management program, and make your privacy procedures and policies readily available to employees and customers.
  2. Identifying purposes: This requires you to identify and document your reasons for collecting personal information, tell customers why your company needs their personal information before or at the time of collection, and obtain customers' consent when and if you have a new purpose for collecting personal data.
  3. Consent: This principle requires you to obtain meaningful consent for the gathering, use, and disclosure of personal information. It also requires you to make consent meaningful by explaining what consumers are consenting to.
  4. Limiting collection: You should only collect the personal information you need to fulfill a legitimate identified purpose. 
  5. Limiting use, disclosure, and retention: Your organization should only use or disclose personal information for the identified purposes for which it was collected. 
  6. Accuracy: You should minimize the likelihood of using incorrect data when disclosing data to third parties or making a decision about an individual.
  7. Safeguards: You must protect personal information against theft, loss, and any unauthorized disclosure, access, use, copying, or modification. You must also safeguard personal data according to how sensitive it is. 
  8. Openness: Your company must have detailed, clear, and easy-to-understand personal information management practices. These practices must be readily available to consumers.
  9. Individual access: When asked, you must tell consumers about the personal information you obtained about them. You must also give people access to their information at little to no cost, or explain your reasons for not providing access. Additionally, you must amend or correct personal data for completeness and accuracy.
  10. Challenging compliance: Finally, you must investigate all complaints you receive and develop simple complaint investigation and handling procedures. 

The Office of the Privacy Commissioner of Canada (OPC) is responsible for overseeing compliance with PIPEDA. Organizations that commit offenses may be fined up to $100,000 Canadian.

 

The Privacy Act

The Privacy Act applies to the Canadian government's use, collection, retention, disclosure, or disposal of personal information when providing services like:

  • Border security
  • Old age security benefits
  • Employment insurance
  • Public safety and federal policing
  • Refunds and tax collection

This act only applies to federal government institutions and Crown corporations and does not apply to courts, private sector organizations, political parties, and political representatives.

The Privacy Act is overseen by the OPC. The OPC was created in 1983 after the Privacy Act was established.

 

Bill C-11: The Consumer Privacy Protection Act

In November 2020, the Canadian federal government introduced Bill C-11, which proposed repealing the personal information-related provisions of PIPEDA and replacing them with a new data and privacy legal framework. While Bill C-11 never made it into law, on June 16, 2022, the federal government resurrected it by introducing Bill C-27, the Digital Charter Implementation Act, 2022.

Bill C-27 retains Bill C-11's core elements, including its proposals to:

  • Enact the Consumer Privacy Protection Act, which would replace Part 1 of PIPEDA
  • Enact the Personal Information and Data Protection Tribunal Act (PIDPTA), which creates an administrative tribunal

However, there are some differences between the two bills. For one, Bill C-27 is much more concerned with artificial intelligence (AI). Specifically, it proposes enacting the Artificial Intelligence and Data Act (AIDA) to regulate AI systems. 

Under Bill C-27, noncompliant organizations are liable to a fine of up to 5% of their global revenue or $25 million Canadian, whichever is greater. There are also administrative monetary penalties of up to 3% of global revenue or $10 million Canadian for certain violations of the Consumer Privacy Protection Act.

 

Data Privacy Laws in Australia

If you have Australian users, you must be aware of applicable Australian privacy laws, including:

 

The Privacy Act

The Privacy Act 1988 is the main piece of Australian privacy legislation. It establishes 13 Australian Privacy Principles (APPs) that apply to private sector companies and government agencies with an annual turnover of $3 million Australian or more:

  1. Open and transparent management of personal data
  2. Pseudonymity and anonymity
  3. Collection of solicited personal information
  4. Dealing with unsolicited personal information
  5. Notification of the collection of personal information
  6. Use or disclosure of personal information
  7. Direct marketing
  8. Cross-border disclosure of personal data
  9. Adoption, disclosure, or use of government-related identifiers
  10. Quality of personal information
  11. Security of personal information
  12. Access to personal information
  13. Correction of personal information

The Office of the Australian Information Commissioner (OAIC) is responsible for investigating breaches of the APPs. Its other powers include accepting enforceable undertakings, conducting privacy performance assessments of businesses and Australian government agencies, and seeking civil penalties in the case of repeated and serious privacy breaches.

Other than the Privacy Act, Australian authorities are planning to boost protections to guard against data breaches. 

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum penalties of the Privacy Act 1988 from the current $2.22 million Australian penalty to whichever is the greater of:

  • $50 million Australian
  • Three times the value of any benefit obtained by misusing information
  • 30% of a business's adjusted turnover in the relevant period

 

Data Privacy Laws in Brazil

The central data privacy law in Brazil is called the General Law for the Protection of Personal Data (LGPD).

 

Brazil's General Law for the Protection of Personal Data (LGPD)

The General Data Protection Law or the Lei Geral de Proteção de Dados Pessoais (LGPD) is Brazil's answer to the EU's GDPR. It entered into force in August 2020 and affects how businesses track users in Brazil.

The LGPD provides data subjects with nine rights, creates 10 legal bases for lawful data processing, and defines what constitutes personal data. It also establishes the Autoridade Nacional de Proteção de Dados (ANPD) to enforce the LGPD and requires businesses to appoint a DPO.

Like the GDPR, the LGPD has extraterritorial application, meaning that companies, websites, and businesses that process personal data from Brazil must comply with the LGPD, regardless of where they are actually located or operated. Additionally, the LGPD doesn't just protect Brazilians, but everyone whose data is gathered or processed while in Brazil.

Compared to the GDPR, the LGPD imposes much less severe fines. Maximum fines for noncompliance in the LGPD are 50 million Brazilian reais (around €11 million) or 2% of a business's annual turnover in Brazil per violation. Meanwhile, the maximum fines for noncompliance under the GDPR are 4% of a company's annual global turnover or €20 million, whichever is higher.

 

India’s Digital Personal Data Protection Act (DPDP)

India recently passed the country’s first official legislation codifying a user’s right to privacy in the digital age: the Digital Personal Data Protection (DPDP) Act. The Government of India published this act on August 11, 2023 as an update to the outdated Information Technology Act of 2000.

Under DPDP, entities will face more scrutiny over how they process user data. The act was designed with specific principles in mind:

  • Entities must use personal data in a manner that is lawful, fair, and transparent to the individuals in question

  • Usage of personal data is limited to the purpose for which it was collected

  • Only those items of personal data that are required for achieving a specific purpose are to be collected

  • Reasonable efforts should be made to ensure that personal data is accurate and kept up-to-date

  • Storage of personal data must be limited to the duration as is necessary for the stated purpose of collection

  • Reasonable safeguards must be put in place to ensure there is no unauthorized collection or processing of personal data

  • A data fiduciary must be appointed to determine the purpose and means of processing personal data

DPDP applies only to data collected in digital form and to data collected through non-digital means that is later converted to digital form. Personal data processed only through non-digital channels is not subject to DPDP.

Note that DPDP also extends to foreign entities that offer goods and services to protected individuals located within Indian territory. These entities must comply with the data storage and processing mandates defined by the DPDP.

 

South Africa’s Protection of Personal Information Act (POPIA)

South Africa’s privacy mandate, the Protection of Personal Information Act (POPIA), entered full effect on June 30, 2021. Like similar regulations, POPIA is designed to protect South African residents’ personal data from misuse, theft, and negligence.

POPIA applies to all organizations and individuals that handle personal data in South Africa and establishes minimum standards for protecting personal information.

Specifically, POPIA outlines eight conditions for “lawful processing” of personal information:

  1. Accountability: Organizations have a responsibility to comply with provisions and ensure personal data is protected.  

  2. Processing limitation: Data must be processed lawfully, in a manner that does not infringe on the subject’s rights, and is aligned with the reason for which it was collected.

  3. Purpose specification: Organizations must explicitly define the purpose of data collection and ensure the subject is aware of that purpose.

  4. Further processing limitation: Further processing of personal data must be compatible with the purpose for which it was collected.

  5. Information quality: Responsible parties must take reasonably practicable steps to ensure that personal data is complete, accurate, and up-to-date.

  6. Openness: An organization must maintain documentation of all processing operations and ensure data subjects are informed of the company’s data collection practices.

  7. Security safeguards: Parties responsible for sensitive data must ensure its integrity and confidentiality by taking appropriate and reasonable measures.

  8. Data subject participation: Data subjects have the right to confirm what data is stored, request descriptions of data, and object to data processing.

Failure to comply with POPIA puts an organization at risk of various administrative fines and penalties. For more serious offenses, the maximum penalties are 10 million rand and/or a period of imprisonment not exceeding 10 years. 

 

Russia’s Law on Personal Data

Recently, Russia has passed several amendments to its existing and outdated privacy legislation (Federal Law No. 152-FZ on Personal Data). Coming into full effect on March 1, 2023, the amended law marks a major reform of Russia's personal data legislation.

The amendments establish new rules for data processing, cross-border data transfers, and the requirements that data processors and controllers must follow. Compliance regulations for data management in Russia include the following provisions:

  • Personal data must be processed on a lawful and fair basis

  • Processing of personal data must be limited to the specific purpose or scope of data collection

  • Organizations may not combine databases containing personal information when data is collected and processed for incompatible purposes

  • The content and scope of processing must align with the stated purpose of processing and should not include excessive personal data relative to the stated purpose

  • Organizations must make efforts to ensure the accuracy, sufficiency, and relevance of data in relation to processing activities

  • Personal data should not be stored for longer periods than is required for the purposes of processing and agreed-upon uses.

  • Upon completion of the stated goal, personal data must be destroyed or depersonalized.

The recent amendments to the Russian privacy law add several new provisions as well. They extend the maximum period after an offense within which a fine may be imposed, from three months to one year. Accordingly, the Russian Data Protection Authority (DPA, or Roskomnadzor) may extend its supervisory checks so that offenders cannot benefit from excessive delays.

Additionally, the amendment increased the administrative fines associated with repeat violations. It also adds a mandate for cross-border data transfers that requires companies to secure adequate consent and documentation when sending information to certain non-approved countries. And as of September 2022, data controllers must notify the DPA of security breaches concerning personal protected information, provided the event results in illegal or accidental transfer of personal data.

 

The Implications of Data Privacy Laws 

Failing to comply with data privacy laws can result in exorbitant fines, lawsuits, reputational loss, and more. And it’s rare for companies today to concentrate their efforts on a single market — you might be operating in jurisdictions with different data privacy laws and not have the necessary controls in place. 

That's why it’s imperative to create a comprehensive data privacy policy — a legal document on your site or app that details how you gather, process, and use visitors' personal data. A well-written privacy policy is a clear and succinct way to explain how your site or app gathers data, what data you collect, and what you plan to do with that information. It should also include:

  • Your DPO or privacy officer's contact information
  • A section disclosing how your website or app uses cookies to enhance functionality
  • How, why, and when you share consumers' personal information with third-party service providers

Once you've created your data privacy policy, you must display prominent links to your privacy policy on your website and mobile app's footer, side menu, and newsletter signup forms. Otherwise, users will have difficulty finding your policy and learning about their rights. Having an easy-to-access privacy policy will also increase customer trust by showing customers that you care about their user experience.

Creating a comprehensive and clear data privacy policy can be daunting, especially since there are so many rules and regulations to stay compliant with. 

Enzuzo's privacy policy generator can help. It develops customized privacy policies for your business, enabling the following:

  • Full compliance with CCPA, GDPR, CPRA, COPPA, PIPEDA, and other privacy laws around the world
  • The ability to translate your policy into over 25 languages, including French, EU Portuguese, Brazilian Portuguese, German, Dutch, and Spanish
  • A built-in data request (DSAR) button and form
  • Automatic updates so your privacy policy is always compliant

Osman Husain

Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.