
Data Privacy Laws in 2023: The Rules & Regulations You Need to Know

Osman Husain 12/1/22 4:30 PM


Data privacy laws around the world govern the use of customer information, such as their name, phone number, address, and other personally identifiable information. Such laws provide a data privacy framework, governing how businesses can go about processing personal data, outlining rights for individuals, requests for removals, and penalties for non-compliance.

While every region has its own privacy laws, the goal is the same: to protect consumers and prevent unfair data collection practices. Some examples of data protection laws include the GDPR, PIPEDA, California Consumer Privacy Act (CCPA), and more.

Interested in knowing more about business privacy laws? Read our guide to which privacy laws apply to your business.

In this article, we’ll discuss the major data privacy laws you should be aware of in 2023. We will cover data protection laws in the U.S., Europe, Canada, Australia, and Brazil as well as upcoming legislation in each jurisdiction.


Federal Data Privacy Laws in the U.S.

The U.S. is unique in that it still has no single comprehensive federal data privacy law covering all states. Instead, a handful of federal laws operate in niche areas such as health, financial services, credit reporting, children's data, and commercial email, and one comprehensive bill is pending. The main ones are:


  • American Data Privacy and Protection Act (ADPPA): This bill is still under consideration. However, it has gone further in the federal legislative process than any other comprehensive data privacy bill in the U.S. Like many modern privacy laws, it would protect children's privacy, grant individuals a private right of action against noncompliant businesses, and give consumers the right to opt out of having their data transferred to third parties.

  • Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a federal law that governs the security and privacy of protected health information (PHI) in the U.S. It applies to covered entities, including:

    • Health plans, such as company health plans, health insurance companies, and government programs that pay for healthcare, such as Medicaid and Medicare

    • Healthcare clearinghouses, which are entities that convert non-standard health data received from another entity into a standard data content or electronic format (or vice versa)

    • Healthcare providers that electronically transmit health information in connection with certain transactions, such as billing claims; this includes most doctors, psychologists, dentists, nursing homes, and clinics

    Business associates, the vendors that create, receive, maintain, or transmit PHI on a covered entity's behalf, are also directly subject to HIPAA's Security Rule.

  • Gramm-Leach-Bliley Act (GLBA): This requires companies that offer consumers financial services or products like investment advice, insurance, or loans to explain their data-sharing practices to their customers. It also requires them to protect sensitive data.

  • Fair Credit Reporting Act (FCRA): This federal law regulates who can access consumers' credit reports and for what purposes. It imposes certain obligations on companies that provide data to consumer reporting agencies, such as the duty to investigate disputed information. The fair credit reporting act also requires users of credit data to notify customers when an adverse action has been taken based on the information in the reports. 

  • Children's Online Privacy Protection Act (COPPA): This law applies to operators of websites and online services directed to children under 13, and to operators that knowingly collect personal information from children under 13. It requires them to meet several obligations, including:

    • Posting a privacy policy describing how they collect personal information from children under 13
    • Obtaining verifiable parental consent before collecting, using, and disclosing personal information from children under 13
    • Establishing and maintaining actionable procedures to protect the security, confidentiality, and integrity of personal information collected from children under 13
    • Retaining information collected from children under 13 for only as long as needed to fulfill the purpose for which it was collected
    • Providing notice to parents of the operator's practices concerning the use, collection, or disclosure of children's personal data, including notice of material changes to practices to which the parents had previously consented
    • Offering a reasonable way for parents to review the personal details collected from their child and to refuse to permit its further maintenance or use

  • Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003: This law establishes the U.S. national standards for sending commercial email:

    • Don't use deceptive subject lines.
    • Don't use misleading or false "from," "to," "reply-to," or routing information.
    • Tell recipients your location.
    • Identify the message as an advertisement.
    • Inform recipients how to opt out of receiving future email.
    • Monitor what others are doing in your name or on your behalf.
    • Honor opt-out requests within 10 business days.

Under the Federal Trade Commission Act, the U.S. Federal Trade Commission (FTC) has the power to protect consumers against deceptive and unfair practices, and it enforces several of the laws above, including COPPA, the GLBA privacy and safeguards rules, and CAN-SPAM. A privacy policy that misrepresents what a company actually does with data is treated as a deceptive practice under Section 5 of the FTC Act.


U.S. State Data Privacy Laws

Besides federal laws like HIPAA and COPPA, the U.S. has a growing set of comprehensive state privacy laws, such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Each applies both to in-state businesses and websites and to out-of-state businesses that collect, sell, or share the personal information of that state's residents.

Let's take a closer look at each privacy and data protection regulation and understand how it deals with consumer consent, data security requirements, consumers' data, and international data transfers.


California Consumer Privacy Act (CCPA)

The CCPA is a 2018 law that gives California residents more control over the details that businesses collect about them. It secures several privacy rights for consumers in California, including:

  • The right to know what personal information a business collects from them and how that information is used and shared
  • The right to opt out of the sale of their personal data
  • The right to delete personal information collected about and from them
  • The right to nondiscrimination for exercising their CCPA rights

The CCPA applies to for-profit businesses that meet one or more of the following thresholds:

  • Has annual gross revenues of over $25 million
  • Derives 50% or more of its annual revenue from selling consumers' personal information
  • Alone, or in combination, buys, sells, shares, or receives for commercial purposes the personal information of 50,000 or more California consumers, households, or devices

Note that the CCPA applies to any business that meets one or more of these thresholds, even if it doesn't have a physical presence or office in California.

The CCPA also grants consumers a limited private right of action for data breaches. If nonencrypted and nonredacted personal information is exposed because a business failed to implement and maintain reasonable security procedures, affected consumers can sue to recover statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief. This right applies only to breaches of the following types of personal information:

  • A person's first name or first initial along with their last name
  • One or more of the following:
    • A unique government-issued ID number, such as a tax ID number, driver's license number, military ID number, passport number, or California ID number
    • Social Security number
    • Credit or debit card number or account number, in combination with any required information that would permit access to the account, like a security code, access code, or password
    • Health insurance information
    • Medical information
    • Biometric information such as iris images, fingerprints, and retina images

Since July 1, 2020, the California Attorney General (AG) has been enforcing the CCPA, with civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation.


California Privacy Rights Act (CPRA)

The California Privacy Rights Act expands and amends the California Consumer Privacy Act by creating new privacy rights and requirements for applicable companies.

It also establishes the California Privacy Protection Agency — the state regulator for data compliance and privacy practices.

There are five major updates of CPRA as compared to the CCPA:

  • Updated criteria for qualifying businesses: The CPRA both expands and contracts the scope of applicability. It applies to for-profit legal entities that meet one or more of the following thresholds:

    • Has an annual gross revenue of over $25 million
    • Makes 50% or more of its annual revenue from selling or sharing consumers' personal information
    • Alone, or in combination, buys, sells, or shares the personal information of 100,000 or more households or consumers annually

  • A new category of personal information: The CPRA introduces sensitive personal information (SPI), a category that resembles the special categories of data in Article 9 of the General Data Protection Regulation (GDPR). SPI includes government identifiers such as Social Security, driver's license, state ID, and passport numbers; account login credentials; precise geolocation; racial or ethnic origin, religious beliefs, and union membership; the contents of a consumer's mail, email, and text messages; genetic data; biometric information processed to identify a consumer; and data about health, sex life, or sexual orientation. Consumers gain new rights to limit how SPI is used and disclosed.

  • New and expanded consumer privacy rights: The CPRA expands various existing CCPA rights, including the right to know personal information, the right to delete, the right to opt out of third-party sharing and sales, opt-in rights for minors, and the right to data portability. It also adds new consumer rights, including:

    • The right to correct information
    • The right to opt out of automated decision-making technology, including profiling
    • The right to limit disclosure and use of SPI
    • The right to access information about automated decision-making

  • Expanded legal rights in the event of a data breach: The CCPA gives consumers the right to sue if their nonencrypted and nonredacted personal information is exposed in a breach caused by inadequate security. The CPRA adds consumer login credentials to the list of data types that support such a lawsuit and makes it explicit that businesses must implement reasonable security procedures and practices appropriate to the nature of the information they hold.

  • Adopting certain GDPR principles: The CPRA has adopted several GDPR principles, including:
    • Data minimization: This requires businesses to limit the collection of personal information to what is directly necessary and relevant to accomplish a specified purpose.
    • Storage limitation: This requires businesses to only retain and store consumer information for a reasonable amount of time.
    • Purpose limitation: This requires businesses to only collect consumer personal information for explicit, specific, and legitimate disclosed purposes.  

The CPRA also expands the CCPA's private right of action by letting consumers bring lawsuits arising from data breaches involving additional types of personal information. Specifically, it adds email addresses in combination with security questions and answers or passwords to the list of actionable data types, so a breach of a user database can be actionable even when no government ID or financial data is involved.

As for enforcement, the CPRA will be enforced by the California Privacy Protection Agency (CPPA), which was established soon after the CPRA was passed. The CPPA is also responsible for promoting awareness of the CPRA and issuing further regulations.

Penalties and fines under the CPRA are very similar to those of its predecessor. The CPPA can issue two levels of penalties depending on the violation: up to $2,500 per unintentional violation and up to $7,500 per intentional violation or violation involving minors. 


Virginia's Consumer Data Protection Act (CDPA)

Effective January 1, 2023, Virginia's Consumer Data Protection Act (CDPA) will apply to companies that:

  • Conduct business in Virginia or market their services and goods to Virginia residents, and
  • Control or process the personal information of at least 100,000 Virginia residents or control or process data of at least 25,000 Virginia residents and make more than 50% of their gross income from selling personal information

Like California's CCPA and CPRA, Virginia's CDPA provides consumers with several personal data rights, including:

  1. The right to access, know, and confirm 
  2. The right to fix inaccuracies
  3. The right to delete
  4. The right to data portability (i.e., to obtain a copy of one's personal data held by a company in a portable, readily usable format)
  5. The right to opt out of processing for targeted advertising purposes
  6. The right to opt out of profiling
  7. The right to opt out of the sale of one's data
  8. The right to not be discriminated against for exercising consumer rights under the CDPA

Virginia's CDPA does not have a private right of action; it is enforced solely by the Attorney General of Virginia. Civil penalties can go up to $7,500 per violation, and all civil penalties, attorney fees, and expenses collected under the CDPA are paid into Virginia's state treasury and credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund.


Colorado Privacy Act (CPA)

On July 7, 2021, Colorado passed the Colorado Privacy Act, becoming the third state — after California and Virginia — to pass state consumer personal data privacy laws. The CPA will come into effect on July 1, 2023.

The Colorado Privacy Act applies to businesses that:

  • Process or control the personal data of 100,000 or more consumers during a calendar year, or
  • Sell personal data, or receive revenue or a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 or more Colorado consumers

Unlike the California and Virginia state data laws, the Colorado Privacy Act applies to nonprofits. However, the law does not apply to certain types of data sets and entities, such as financial institutions subject to the Gramm-Leach-Bliley Act, data governed by the Family Educational Rights and Privacy Act (FERPA), and certain types of healthcare-related data. Despite these subtle differences, the CPA is similar to other laws in the limits it places on the data collected by businesses.

The CPA grants Colorado residents the right to opt out of:

  • Targeted advertising
  • The sale of their data
  • Certain types of profiling

They also have the right to access, delete, and correct their personal data and the right to data portability. Businesses typically have 45 days to respond to consumer requests.

Unlike California's CCPA and CPRA, Colorado's CPA does not have a private right of action. The Colorado Attorney General and district attorneys have exclusive authority to enforce the CPA. Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act, with penalties of up to $20,000 per violation and a maximum of $500,000 for a series of related violations.


New York SHIELD Act

Signed into law on July 25, 2019, by Governor Andrew Cuomo, New York's Stop Hacks and Improve Electronic Data Security (SHIELD) Act amends New York's 2005 Information Security Breach and Notification Act.

The act significantly strengthens the state's existing data security law in two ways: it expands the categories of private information whose breach triggers a consumer notification obligation, and it requires any business that holds New York residents' private information to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that information. Breach notification must be made in the most expedient time possible and without unreasonable delay.

Specifically, the SHIELD Act expands the definition of "private information" to include biometric information and a username or email address in combination with a password or security question and answer, and it broadens the definition of "breach" to cover unauthorized access to private information, not only its unauthorized acquisition. Additionally, it requires businesses and people maintaining private information to adopt administrative, technical, and physical safeguards, such as:

  • Training and managing employees in security procedures and practices
  • Designating one or more employees to manage and coordinate the security program
  • Identifying reasonably foreseeable external and internal risks
  • Selecting service providers capable of maintaining appropriate safeguards
  • Adjusting the security program in light of new circumstances and business changes
  • Detecting, preventing, and responding to intrusions
  • Disposing of private information within a reasonable amount of time after it's no longer needed for business purposes by destroying electronic media so that the data can't be reconstructed or read

Like Colorado's CPA, the SHIELD Act does not create a private right of action. As such, if a New York resident believes a company subject to the SHIELD Act failed to comply with its data protection requirements, that individual cannot sue the business under the SHIELD Act.

Under the SHIELD Act, the New York Attorney General may seek restitution, injunctive relief, and penalties against any business entity for violating the law. Companies may be fined up to $20 per instance of failed notification (capped at $250,000) for not notifying affected residents in time, and up to $5,000 per violation for failing to maintain reasonable safeguards.


Utah Consumer Privacy Act

On March 24, 2022, Utah enacted the Utah Consumer Privacy Act (UCPA), which will come into effect on December 31, 2023. 

Like other state privacy data laws, the UCPA imposes several obligations on businesses that process or control the personal data of Utah consumers. It also grants Utah consumers new rights over their personal data, including:

  • The right to know and confirm processing activity
  • The right to access personal data
  • The right to delete personal data
  • The right to obtain a copy of personal data in a readily usable and portable format
  • The right to opt out of sales of personal information and targeted advertising
  • The right to avoid discrimination as a result of exercising their UCPA consumer rights

Note that the UCPA does not create a private right of action for consumers. It is only enforceable by the Utah Attorney General, which may impose fines of up to $7,500 per violation. 


Connecticut’s Data Subject & Privacy Law

On May 10, 2022, Connecticut became the fifth state to embrace comprehensive state consumer privacy legislation after Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring, was signed into law. Most of this law will come into effect on July 1, 2023.

This new law includes many of the same obligations, rights, and exceptions as the consumer privacy laws in California, Virginia, Colorado, and Utah. It also has a similar scope, applying to entities that:

  • Produce services or products targeted to Connecticut residents or conduct business in Connecticut and do either of the following:
    • Control or process the personal data of at least 100,000 consumers, excluding personal information processed or controlled solely to complete payment transactions
    • Control or process the personal data of at least 25,000 consumers and make over 25% of their gross revenue from selling personal data

This law does not have a private right of action, and the Attorney General of Connecticut is solely responsible for enforcement. Violations of this act are enforceable under the Connecticut Unfair Trade Practices Act and may result in the following civil penalties: 

  • A maximum penalty of $5,000 for willful violations
  • A maximum penalty of $25,000 for violating restraining orders or injunctions


Maine's Data Privacy Law

Maine's broadband privacy law, which took effect on July 1, 2020, is one of the strictest data privacy laws in the nation and caused a stir when it passed. It prohibits broadband internet service providers from using, disclosing, selling, or providing access to customers' personal information without the customer's express, affirmative consent. Under this law, customer personal information includes the customer's:

  • Web browsing history
  • Precise geolocation information
  • Application usage history
  • Health information
  • Financial information
  • Information about their children
  • Device identifiers, such as internet protocol (IP) address, international mobile equipment identity, and media access control address
  • Communications content
  • Destination and origin IP addresses


Data Privacy Laws in Europe

Let's take a look at the most important data privacy laws in Europe, starting with the General Data Protection Regulation (GDPR), the comprehensive framework for processing personal data that most later consumer privacy laws, including the CPRA and Brazil's LGPD, have borrowed from.


The General Data Protection Regulation (GDPR)

The most important data privacy law in the European Union (EU) is the General Data Protection Regulation (GDPR), a single regulation that applies directly in every member state and governs how organizations collect, use, store, share, and protect personal data. It imposes stiff penalties for non-compliance.

The GDPR treats everyone in the EU as a data subject. It applies to any organization that processes personal data in the context of an establishment in the EU, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behavior, even if those organizations are based in a country with its own comprehensive privacy law, such as Canada.

The law aims to give individuals rights and control over their personal data, to rein in data brokers such as marketing aggregators and certain financial institutions, and to limit the data an organization collects to what is necessary for a stated purpose.

The GDPR has a much broader scope than U.S. legislation such as the CCPA and CPRA, which are state rather than federal laws: it covers every sector and every form of processing rather than particular industries or categories of data, and processing without a lawful basis is itself a violation, so a business cannot simply collect data first and decide what to do with it later.

The GDPR distinguishes data controllers, the organizations that decide why and how the personal data of individuals in the European Economic Area (EEA) is processed, from data processors, such as cloud service providers, which process data on a controller's behalf. Both carry obligations, and controllers must bind their processors by contract. Many organizations must also appoint a data protection officer (see below).

The GDPR establishes eight data subject rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to data portability
  6. The right to restrict processing
  7. The right to object
  8. Rights related to automated decision-making, including profiling

The law prohibits organizations from processing individuals' personal data unless one of the lawful bases in Article 6 applies, such as consent, performance of a contract, a legal obligation, or legitimate interests. Where consent is the basis, Article 4(11) requires that it be "freely given, specific, informed and unambiguous," and Article 7 sets the conditions for it: the controller must be able to demonstrate that consent was given, withdrawing consent must be as easy as giving it, and consent is not considered freely given if the organization exerts pressure or makes a service conditional on consent that is not necessary for that service.

Additionally, the GDPR requires enterprises to appoint a Data Protection Officer (DPO) to oversee the application of the GDPR if:

  • The organization is a public body or authority
  • The organization's core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale
  • The organization's core activities consist of large-scale processing of personal data relating to criminal convictions and offenses, or of special categories of data, such as health, sexual orientation, racial or ethnic origin, and religious beliefs

The GDPR is enforced by individual data protection authorities (DPAs) from the 27 EU member states. DPAs are independent of the government and investigate complaints, determine when the GDPR has been breached, and provide data protection advice. Fines are typically much higher than in U.S. state laws — they can go all the way to 4% of a company's global annual turnover or €20 million, whichever is higher.


The Data Protection Law Enforcement Directive

The EU's Data Protection Law Enforcement Directive is another set of data protection laws that guard EU citizens against unauthorized use of biometric data and other sensitive data collection.

It applies to criminal law enforcement, where authorities use personal data such as fingerprints for investigations and other purposes. Besides safeguarding the personal data of suspects, witnesses, and victims, it facilitates cross-border cooperation in the fight against terrorism and crime.


Upcoming Data Privacy Laws in Europe

The GDPR and the Data Protection Law Enforcement Directive aren't the only laws you need to be aware of. You should also be aware of the following EU laws for 2023: 

  • The Digital Services Act (DSA): This regulation modernizes the e-Commerce Directive with respect to transparent advertising, illegal content, and disinformation. Its purpose is to update the EU's legal framework and harmonize the national laws member states have passed to address illegal content. The DSA entered into force on November 16, 2022, and applies across the EU from February 17, 2024, with earlier obligations for very large online platforms and search engines.
  • The Digital Markets Act (DMA): Proposed as part of the same package as the DSA, the Digital Markets Act aims to ensure competition in European digital markets by preventing large "gatekeeper" platforms from abusing their market power and by making it easier for new players to enter the market. The DMA was published in October 2022, entered into force on November 1, 2022, and becomes applicable on May 2, 2023.
  • The Artificial Intelligence (AI) Act: This is a proposed European law on AI that bans systems that create unacceptable risks, such as government-run social scoring of the kind used in China, and regulates high-risk applications like resume-screening tools.


Data Privacy Laws in Canada

Like the U.S. and the EU, Canada has several federal privacy laws. Let's discuss them below.


The Personal Information Protection and Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal law that applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activity. In provinces with substantially similar privacy legislation (Alberta, British Columbia, and Quebec), the provincial law governs activity inside the province, but PIPEDA still applies to personal information that crosses provincial or national borders.

Federally regulated organizations that conduct business in Canada, such as airports, banks, and telecommunications companies, are subject to PIPEDA regardless of province, including with respect to their employees' personal information.

Under the PIPEDA, personal information includes any subjective or factual information about an identifiable natural person. Examples include:

  • Name, age, income, ID numbers, blood type, or ethnic origin
  • Opinions, comments, evaluations, disciplinary actions, or social status
  • Employee files, loan records, credit records, intentions to change jobs or acquire goods, and the existence of disputes between consumers and merchants

Businesses subject to PIPEDA are required to follow the 10 fair information principles to protect personal data, namely:

  1. Accountability: This principle requires you to develop a privacy management program, conduct privacy impact assessments, regularly review your privacy management program, and make your privacy procedures and policies readily available to employees and customers.
  2. Identifying purposes: This requires you to identify and document your reasons for collecting personal information, tell customers why your company needs their personal information before or at the time of collection, and obtain customers' consent when and if you have a new purpose for collecting personal data.
  3. Consent: This principle requires you to obtain meaningful consent for the gathering, use, and disclosure of personal information. It also requires you to make consent meaningful by explaining what consumers are consenting to.
  4. Limiting collection: You should only collect the personal information you need to fulfill a legitimate identified purpose. 
  5. Limiting use, disclosure, and retention: Your organization should only use or disclose personal information for the identified purposes for which it was collected. 
  6. Accuracy: You should minimize the likelihood of using incorrect data when disclosing data to third parties or making a decision about an individual.
  7. Safeguards: You must protect personal information against theft, loss, and any unauthorized disclosure, access, use, copying, or modification. You must also safeguard personal data according to how sensitive it is. 
  8. Openness: Your company must have detailed, clear, and easy-to-understand personal information management practices. These practices must be readily available to consumers.
  9. Individual access: When asked, you must tell consumers about the personal information you obtained about them. You must also give people access to their information at little to no cost, or explain your reasons for not providing access. Additionally, you must amend or correct personal data for completeness and accuracy.
  10. Challenging compliance: Finally, you must investigate all complaints you receive and develop simple complaint investigation and handling procedures. 

The Office of the Privacy Commissioner of Canada (OPC) is responsible for overseeing compliance with PIPEDA. Organizations that commit offenses may be fined up to $100,000 Canadian.


The Privacy Act

The Privacy Act applies to the Canadian government's use, collection, retention, disclosure, or disposal of personal information when providing services like:

  • Border security
  • Old age security benefits
  • Employment insurance
  • Public safety and federal policing
  • Refunds and tax collection

This act only applies to federal government institutions and Crown corporations and does not apply to courts, private sector organizations, political parties, and political representatives.

The Privacy Act is overseen by the OPC. The OPC was created in 1983 after the Privacy Act was established.


Bill C-11: The Consumer Privacy Protection Act

In November 2020, the Canadian federal government introduced Bill C-11, which proposed repealing the personal information-related provisions of PIPEDA and replacing them with a new data and privacy legal framework. While Bill C-11 never made it into law, on June 16, 2022, the federal government resurrected it by introducing Bill C-27, the Digital Charter Implementation Act, 2022.

Bill C-27 retains Bill C-11's core elements, including its proposals to:

  • Enact the Consumer Privacy Protection Act, which would replace Part 1 of PIPEDA
  • Enact the Personal Information and Data Protection Tribunal Act (PIDPTA), which creates an administrative tribunal

However, there are some differences between the two bills. For one, Bill C-27 is much more concerned with artificial intelligence (AI). Specifically, it proposes enacting the Artificial Intelligence and Data Act (AIDA) to regulate AI systems. 

Under Bill C-27, noncompliant organizations are liable to a fine of up to 5% of their global revenue or $25 million Canadian, whichever is greater. There are also administrative monetary penalties of up to 3% of global revenue or $10 million Canadian for certain violations of the Consumer Privacy Protection Act.


Data Privacy Laws in Australia

If you have Australian users, you must be aware of applicable Australian privacy laws, including:

The Privacy Act

The Privacy Act 1988 is the main piece of Australian privacy legislation. It establishes 13 Australian Privacy Principles (APPs) that apply to "APP entities": Australian government agencies and private sector organizations with an annual turnover of more than $3 million Australian, plus certain smaller businesses such as private health service providers and businesses that trade in personal information:

  1. Open and transparent management of personal data
  2. Pseudonymity and anonymity
  3. Collection of solicited personal information
  4. Dealing with unsolicited personal information
  5. Notification of the collection of personal information
  6. Use or disclosure of personal information
  7. Direct marketing
  8. Cross-border disclosure of personal data
  9. Adoption, disclosure, or use of government-related identifiers
  10. Quality of personal information
  11. Security of personal information
  12. Access to personal information
  13. Correction of personal information

The Office of the Australian Information Commissioner (OAIC) is responsible for investigating breaches of the APPs. Its other powers include accepting enforceable undertakings, conducting privacy performance assessments of businesses and Australian government agencies, and seeking civil penalties for serious or repeated interferences with privacy.

Beyond the Privacy Act as it currently stands, Australian legislators are moving to strengthen protections against data breaches.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will raise the maximum penalty for serious or repeated interferences with privacy under the Privacy Act 1988 from the current $2.22 million Australian to whichever is the greater of:

  • $50 million Australian
  • Three times the value of any benefit obtained by misusing information
  • 30% of a business's adjusted turnover in the relevant period

 

Data Privacy Laws in Brazil

The central data privacy law in Brazil is the Lei Geral de Proteção de Dados Pessoais (LGPD), usually translated as the General Data Protection Law.

 

Brazil's General Data Protection Law (LGPD)

The General Data Protection Law, or Lei Geral de Proteção de Dados Pessoais (LGPD), is Brazil's answer to the EU's GDPR. It entered into force in September 2020, with its administrative sanctions becoming enforceable in August 2021, and it affects how businesses track users in Brazil.

The LGPD grants data subjects nine rights, creates 10 legal bases for lawful data processing, and defines what constitutes personal data. It also establishes the Autoridade Nacional de Proteção de Dados (ANPD) to enforce the LGPD and requires controllers to appoint a data protection officer (DPO, or "encarregado").

Like the GDPR, the LGPD has extraterritorial application, meaning that companies, websites, and businesses that process personal data from Brazil must comply with the LGPD, regardless of where they are actually located or operated. Additionally, the LGPD doesn't just protect Brazilians, but everyone whose data is gathered or processed while in Brazil.

Compared to the GDPR, the LGPD imposes much less severe fines. The maximum fine under the LGPD is 2% of a business's revenue in Brazil in its last financial year, capped at 50 million Brazilian reais (around €11 million) per violation. Meanwhile, the maximum fine under the GDPR is 4% of a company's annual global turnover or €20 million, whichever is higher.

 

The Implications of Data Privacy Laws 

Failing to comply with data privacy laws can result in exorbitant fines, lawsuits, reputational loss, and more. And it’s rare for companies today to concentrate their efforts on a single market — you might be operating in jurisdictions with different data privacy laws and not have the necessary controls in place. 

That's why it’s imperative to create a comprehensive data privacy policy — a legal document on your site or app that details how you gather, process, and use visitors' personal data. A well-written privacy policy is a clear and succinct way to explain how your site or app gathers data, what data you collect, and what you plan to do with that information. It should also include:

  • Your DPO or privacy officer's contact information
  • A section disclosing how your website or app uses cookies to enhance functionality
  • How, why, and when you share consumers' personal information with third-party service providers

Once you've created your data privacy policy, you must display prominent links to it in your website and mobile app's footer, side menu, and newsletter signup forms. Otherwise, users will have difficulty finding your policy and learning about their rights. An easy-to-access privacy policy also builds customer trust by showing users that you take their privacy seriously.

Creating a comprehensive and clear data privacy policy can be daunting, especially since there are so many rules and regulations to stay compliant with. 

Enzuzo's privacy policy generator can help. It's built by real lawyers and helps develop customized privacy policies for your business. It enables the following:

  • Full compliance with CCPA, GDPR, CPRA, COPPA, PIPEDA, and other privacy laws around the world
  • The ability to translate your policy into over 25 languages, including French, EU Portuguese, Brazilian Portuguese, German, Dutch, and Spanish
  • A built-in data request (DSAR) button and form
  • Automatic updates so your privacy policy is always compliant


 

 

Osman Husain

Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.