What Privacy Laws Apply to Your Business?

While most places agree that information security is important, not every region handles privacy law in the same way. This can make it confusing when you’re trying to understand which laws apply to your business and your users. 

In this article, we take a look at some of the major privacy laws that exist around the world, and share our advice on how to determine which apply for your business. We’ll also share answers to key questions, along with a really useful way to help you stay compliant with privacy legislation.

Major Data Privacy Laws and Where They Apply

Privacy legislation around personal data and consumer protection isn’t universal, and separate countries and regions approach it differently. In some areas, there’s legislation that covers a cluster of countries, like the General Data Protection Regulation (GDPR) for the EU, and in others, there are state laws that apply — like the California Consumer Privacy Act (CCPA). 

These privacy laws cover the collection and use of multiple categories of information and personal data. This can include such information as contact details, IP addresses, and social security numbers. With many laws defining personal data in a broad way, it’s likely that at least one of these applies to how you operate your business. 

Each privacy law applies to a different territory, giving protection and rights to residents. Let’s take a look at some of the most well-known and relevant privacy laws, so you can start to get a feel for how they safeguard consumer information and whether they apply to you. 

 General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a privacy law that applies to any organization operating within the EU, plus any organization outside the EU that offers goods or services to those inside it. A similar law, the UK GDPR, now covers the United Kingdom. 

This EU-wide privacy law offers consumers robust protection and oversight over their personal data collection and use and is one of the most well-known. As part of it, consumers (or ‘data subjects’) are entitled to have their personal data processed lawfully, fairly, and in a transparent manner. This applies across multiple categories of personal data — including special categories, like biometric data and health information. 

In the EU, consumers now also have the opportunity to move their personal data at will, even to competitors — known as data portability. They also gain significant rights over their data, including the right of access, the right to be forgotten, and the right to the restriction of processing. 

A major part of the GDPR is that personal data should be collected for specific and legitimate reasons. This means you can’t send emails for marketing purposes to a service user for example unless they opt-in. Also, if you use third-party service providers to operate your business, you also need to make sure that your use of their services complies with the principles of the GDPR. 

For an easy-to-follow yet in-depth look at the GDPR, take a look at our simple guide to the GDPR. 

  Personal Information Protection and Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian data privacy law that applies to private sector businesses across Canada that collect and use personal information as part of commercial activity. For public sector organizations and government agencies, the Privacy Act applies instead. 

While this privacy law generally covers Canada, there are some exceptions where provinces have their own private sector privacy legislation. In Alberta, British Columbia, and Quebec, their own province-specific law applies — rather than PIPEDA. However, where personal information crosses borders, all relevant organizations must comply with PIPEDA. 

The PIPEDA introduces better protection for and oversight of consumer information. People need to provide consent to their personal data being collected and used, and it can only be used for the purposes under which it was collected. Consumers also have the right to access their data and request that it’s accurate. 

To understand the PIPEDA more fully and get to know the principles behind the legislation, read our simple guide to the PIPEDA.

 California Consumer Privacy Act (CCPA)

While Canada has a federal law that governs general personal data security and privacy, the United States does not. Some types of data are covered by federal law — like the Health Insurance Portability and Accountability Act (HIPAA) for health care or the Children's Online Privacy Protection Act (COPPA) for children’s data and parental consent. Outside of this, certain state laws apply — the most well-known of which is the California Consumer Privacy Act (CCPA). 

This state-level law applies to any for-profit organization that does business in California and meets any of the requirements. These requirements include buying, selling, or receiving the personal data of 50,000 or more California residents, households, or devices, having annual revenue of $25 million or higher, or where 50% or more of revenue comes from selling residents’ personal data. 

With such big numbers involved, it’s unlikely that many small businesses need to adhere to the CCPA. Still, it introduces valuable consumer rights and has similar themes to other privacy laws — so it’s good practice to meet this law’s requirements too. 

Like most privacy laws, the CCPA gives California residents the right to understand how their personal data is collected and used, and to request the deletion of this data. Uniquely, this law also covers the sale of personal information — giving residents the opportunity to opt-out of data selling. 

For a more in-depth look at the CCPA and how it applies to California residents and companies that do business in the state, see our simple guide to the CCPA.

 Lei Geral de Proteção de Dados (LGPD)

The Lei Geral de Proteção de Dados (LGPD) is a privacy rule that gives Brazilian residents greater control over their personal data. It’s closely linked to the GDPR, with many similar principles around data privacy. 

As with the GDPR, the LGPD applies to organizations that collect and process personal data from residents. That means that even if your company is based elsewhere, as soon as a user from Brazil lands on your website you need to be compliant. There are no restrictions on company size, so it’s safe to assume that even as a small business you should strive to comply with the LGPD.

The LGPD gives users rights over their personal data, including the right to access and correct data, and the right to deny consent for processing. There’s a strong focus on the right to be informed, including how data is collected, transferred, and when it will be deleted. 

For a closer look at the LGPD and how to comply, see our simple guide to the LGPD. 

Helpful Scenarios of When Different Privacy Laws Apply

Each privacy law has its own territorial scope — the area for which the law applies. In most cases, the legislation applies to the relationship between residents of that area and companies that collect, use, or disclose their personal data. 

You’ll always want to make sure you comply with any privacy legislation that governs your own country or territory. After that, consider where your users are based and whether your relationship with them means you need to be considerate of their own rights. 

Let’s take a look at some scenarios to get a feel for when each privacy law might apply, and why. 

Scenario 1 — San Diego Bakery

Dave runs a local bakery and coffee shop in San Diego, California that also has a web presence, where people can order cakes and pastries for collection or local delivery. His customers come from the local area and he doesn’t offer any national or international ordering or shipping options. 

Which Privacy Laws Apply

Seeing as Dave only operates in California and his customers are exclusively from California, only the CCPA applies — if he meets the requirements. 

With a small customer base, this local bakery is unlikely to meet the revenue targets or the number of residents or households required to comply. Even so, it’s worth Dave creating a CCPA compliant privacy policy for his website — especially if he intends to expand and offer cakes or cookies by mail across the US. 

Scenario 2 — Beauty Ecommerce Store in Germany

Hanna runs an online beauty supplies store from her hometown in Germany, with customers ordering from all over the world to get access to her unrivalled discounts on products for their salons. Hanna’s company ships products internationally, and never knows where her next customer might come from. 

Which Privacy Laws Apply

With a base in Germany, an EU country, Hanna needs to make sure that she complies with the GDPR. She also needs to be mindful of her international audience and the requirement to comply with her customers’ rights, wherever they’re located. 

In this case, it makes sense for Hanna to craft a privacy policy and have an approach to data privacy that complies with all major privacy laws. This means she’s not accidentally running into compliance issues if a customer orders from Brazil and she hasn’t considered the LGPD. 

Scenario 3 — Digital Nomad Social Media Consultant

Blake is a freelance social media consultant that doesn’t like staying still, and travels the world as a digital nomad. They can work from anywhere their travels take them, with clients that come from around the world, but their business is registered in the state of New York, US. 

Which Privacy Laws Apply

With most privacy laws applying to residents, Blake needs to consider whether their operations make them a resident of the location where they are currently based. They also need to stay compliant with the privacy laws that apply to their customers and their data — in this case, they could be from anywhere in the world. 

To help simplify Blake’s approach to data privacy and avoid any accidental non-compliance, it’s sensible to create a privacy policy that meets most major privacy laws. This way, they don’t need to worry about making changes as they move locations, and they’re confident that they’re catering to their customers’ privacy needs — wherever they are. 

 An Easier Way to Reach Compliance with Multiple Privacy Laws

With an online business, it’s impossible to know where your next customer might be based. This means it makes a lot of sense to be compliant with all of these major privacy laws. That might sound overwhelming, but we’ve built a tool to help you manage your data privacy compliance with ease. 

Create a user-friendly Privacy Policy

A major theme that runs through consumer data privacy laws is a user’s right to easily understand how their data is collected, how it’s used, and what their rights are over it. An easy way to meet these needs is with a user-friendly privacy policy, designed with your customers in mind. 

Our simple privacy policy generator tool helps you craft a policy page that makes it easy for your customers to understand exactly how you approach privacy security practices. It features a drop down design, so users can navigate easily to the section that’s most important to them.

Plus, with our paid plans, you can automatically translate your privacy policy into multiple languages. This helps you create a better customer experience and shows that you genuinely care about their data and helping them understand and exercise their rights around privacy issues. 

Maintain compliance using Enzuzo's Privacy Portal

Staying compliant with privacy laws doesn’t start and end with your privacy policy. You need to have a good understanding of your need to action data subject requests, the timescales involved, and your potential risks if you don’t meet them. 

Our simple privacy portal gives you the tools to stay compliant in one user-friendly space. From your dashboard you can view, action, and complete data subject requests. You’ll also see notifications when due dates approach, so there’s no more missing a key deadline again. You can also view and download reports that prove your business is compliant with privacy legislation. 

 Understand Which Privacy Laws Apply and Stay Compliant The Simple Way

Navigating international privacy law compliance isn’t always easy, but we aim to help make staying compliant simple. Our goal is to help you understand the various privacy laws, where they apply, and how to meet their requirements. 

With our privacy platform, your business can enjoy an easier way to create a privacy policy, manage data subject requests, and get a better overview of your overall compliance. If you’re ready to simplify your approach to data privacy compliance, start your journey with our privacy platform today.