While most places agree that information security is important, not every region handles privacy law in the same way. This can make it confusing when you’re trying to understand which laws apply to your business and your users.
In this article, we take a look at some of the major privacy laws that exist around the world, and share our advice on how to determine which apply for your business. We’ll also share answers to key questions, along with a really useful way to help you stay compliant with privacy legislation.
Privacy legislation around personal data and consumer protection isn’t universal, and separate countries and regions approach it differently. In some areas, there’s legislation that covers a cluster of countries, like the General Data Protection Regulation (GDPR) for the EU, and in others, there are state laws that apply — like the California Consumer Privacy Act (CCPA).
These privacy laws cover the collection and use of multiple categories of information and personal data. This can include such information as contact details, IP addresses, and social security numbers. With many laws defining personal data in a broad way, it’s likely that at least one of these applies to how you operate your business.
Each privacy law applies to a different territory, giving protection and rights to residents. Let’s take a look at some of the most well-known and relevant privacy laws, so you can start to get a feel for how they safeguard consumer information and whether they apply to you.
The General Data Protection Regulation (GDPR) is a privacy law that applies to any organization operating within the EU, plus any organization outside the EU that offers goods or services to those inside it. A similar law, the UK GDPR, now covers the United Kingdom.
This EU-wide privacy law is one of the most well-known, and it offers consumers robust protection and oversight over how their personal data is collected and used. As part of it, consumers (or ‘data subjects’) are entitled to have their personal data processed lawfully, fairly, and in a transparent manner. This applies across multiple categories of personal data — including special categories, like biometric data and health information.
In the EU, consumers now also have the opportunity to move their personal data at will, even to competitors — known as data portability. They also gain significant rights over their data, including the right of access, the right to be forgotten, and the right to the restriction of processing.
A major part of the GDPR is that personal data should be collected for specific and legitimate reasons. This means that, for example, you can’t send marketing emails to a service user unless they opt in. Also, if you use third-party service providers to operate your business, you need to make sure that your use of their services complies with the principles of the GDPR.
For an easy-to-follow yet in-depth look at the GDPR, take a look at our simple guide to the GDPR.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian data privacy law that applies to private sector businesses across Canada that collect and use personal information as part of commercial activity. For public sector organizations and government agencies, the Privacy Act applies instead.
While this privacy law generally covers Canada, there are some exceptions where provinces have their own private sector privacy legislation. In Alberta, British Columbia, and Quebec, their own province-specific law applies — rather than PIPEDA. However, where personal information crosses borders, all relevant organizations must comply with PIPEDA.
The PIPEDA introduces better protection for and oversight of consumer information. People need to consent to their personal data being collected and used, and it can only be used for the purposes for which it was collected. Consumers also have the right to access their data and to request that it be kept accurate.
To understand the PIPEDA more fully and get to know the principles behind the legislation, read our simple guide to the PIPEDA.
While Canada has a federal law that governs general personal data security and privacy, the United States does not. Some types of data are covered by federal law — like the Health Insurance Portability and Accountability Act (HIPAA) for health care or the Children's Online Privacy Protection Act (COPPA) for children’s data and parental consent. Outside of this, certain state laws apply — the most well-known of which is the California Consumer Privacy Act (CCPA).
This state-level law applies to any for-profit organization that does business in California and meets any of the following requirements: buying, selling, or receiving the personal data of 50,000 or more California residents, households, or devices; having annual revenue of $25 million or higher; or deriving 50% or more of revenue from selling residents’ personal data.
With such big numbers involved, it’s unlikely that many small businesses need to adhere to the CCPA. Still, it introduces valuable consumer rights and has similar themes to other privacy laws — so it’s good practice to meet this law’s requirements too.
Like most privacy laws, the CCPA gives California residents the right to understand how their personal data is collected and used, and to request the deletion of this data. Uniquely, this law also covers the sale of personal information — giving residents the opportunity to opt-out of data selling.
For a more in-depth look at the CCPA and how it applies to California residents and companies that do business in the state, see our simple guide to the CCPA.
The Lei Geral de Proteção de Dados (LGPD) is a privacy rule that gives Brazilian residents greater control over their personal data. It’s closely linked to the GDPR, with many similar principles around data privacy.
As with the GDPR, the LGPD applies to organizations that collect and process personal data from residents. That means that even if your company is based elsewhere, as soon as a user from Brazil lands on your website you need to be compliant. There are no restrictions on company size, so it’s safe to assume that even as a small business you should strive to comply with the LGPD.
The LGPD gives users rights over their personal data, including the right to access and correct data, and the right to deny consent for processing. There’s a strong focus on the right to be informed, including how data is collected, transferred, and when it will be deleted.
For a closer look at the LGPD and how to comply, see our simple guide to the LGPD.
Each privacy law has its own territorial scope — the area for which the law applies. In most cases, the legislation applies to the relationship between residents of that area and companies that collect, use, or disclose their personal data.
You’ll always want to make sure you comply with any privacy legislation that governs your own country or territory. After that, consider where your users are based and whether your relationship with them means you need to be considerate of their own rights.
Let’s take a look at some scenarios to get a feel for when each privacy law might apply, and why.
Dave runs a local bakery and coffee shop in San Diego, California that also has a web presence, where people can order cakes and pastries for collection or local delivery. His customers come from the local area and he doesn’t offer any national or international ordering or shipping options.
Seeing as Dave only operates in California and his customers are exclusively from California, only the CCPA applies — if he meets the requirements.
Hanna runs an online beauty supplies store from her hometown in Germany, with customers ordering from all over the world to get access to her unrivalled discounts on products for their salons. Hanna’s company ships products internationally, and never knows where her next customer might come from.
With a base in Germany, an EU country, Hanna needs to make sure that she complies with the GDPR. She also needs to be mindful of her international audience and the requirement to comply with her customers’ rights, wherever they’re located.
Blake is a freelance social media consultant who doesn’t like staying still, and travels the world as a digital nomad. They can work from anywhere their travels take them, with clients that come from around the world, but their business is registered in the state of New York, US.
With most privacy laws applying to residents, Blake needs to consider whether their operations make them a resident of the location where they are currently based. They also need to stay compliant with the privacy laws that apply to their customers and their data — in this case, they could be from anywhere in the world.
With an online business, it’s impossible to know where your next customer might be based. This means it makes a lot of sense to be compliant with all of these major privacy laws. That might sound overwhelming, but we’ve built a tool to help you manage your data privacy compliance with ease.
Our simple privacy portal gives you the tools to stay compliant in one user-friendly space. From your dashboard you can view, action, and complete data subject requests. You’ll also see notifications when due dates approach, so you never miss a key deadline again. You can also view and download reports that prove your business is compliant with privacy legislation.
Navigating international privacy law compliance isn’t always easy, but we aim to help make staying compliant simple. Our goal is to help you understand the various privacy laws, where they apply, and how to meet their requirements.