The state of digital privacy in 2023 is vastly different compared to just a few years ago. With data breaches and online scams on the rise, governments around the world are taking action to protect the digital rights of their citizens. This article will take a look at how different countries are approaching the issue of data privacy, from the United States to the EU.
Data Privacy Laws 2023
U.S. Federal Data Privacy Laws
Despite calls for a single, broad piece of legislation that governs the issue of data privacy, the United States has yet to establish a comprehensive federal law on the matter. It instead takes a patchwork-like approach with several separate regulations that cover individual areas of information sharing. They’re virtually all enforced by the U.S. Federal Trade Commission (FTC), a national authority over American consumer protections. Below are some of the most prominent privacy acts in the United States that the FTC is involved in supporting.
Children’s Online Privacy Protection Act (COPPA)
Passed in 1998, the Children’s Online Privacy Protection Act (COPPA) is a national law that imposes specific requirements on websites targeted to children under 13 years of age. It was created in an effort to protect children’s personal information, mandating that all online services collect only the necessary data and obtain verifiable parental consent before doing so.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) governs the very important issue of patient data privacy. It was passed in 1996 and is specifically concerned with the security, storage and sharing of personal medical information among health care providers, insurers, and other related entities.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) of 1999 is a federal law designed to protect the privacy of individuals’ financial information. It requires financial institutions to provide adequate security to protect customer data and to inform customers of the privacy policies regarding that information.
Fair Credit Reporting Act (FCRA)
The Fair Credit Reporting Act (FCRA) is another federal privacy law that applies to the use of consumer credit reports. It sets out a comprehensive set of rules and regulations for how consumer credit reporting agencies, lenders, employers and other entities can collect, store and use personal credit information.
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) was first created in 1974 in an effort to protect the privacy of student educational records. It applies to all educational institutions that receive federal funds from the U.S. Department of Education and requires those institutions to have written policies governing the sharing of student records.
U.S. State-Level Data Privacy Laws
In addition to the above-mentioned federal regulations, which govern specific aspects of Americans’ data privacy, the U.S. also has several regional laws imposed by decision-makers at the state level. These pieces of legislation have been enacted as a sort of stop-gap measure by local governments that want the broader protections of data privacy laws without having to wait for federal action. While to date only a select number of states have actually gone as far as to pass and enforce their own regulations, each one of them holds relevance to local citizens and to both the national and international entities that serve their respective populations.
Below are a few of the most notable state data privacy laws in the United States.
California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA) is one of the most comprehensive data privacy laws in the United States. It was passed back in November 2020 as the result of a ballot initiative to replace the state’s previous privacy regulation, the California Privacy Protection Act (CPPA).
This cross-sector legislation introduces important definitions and broad individual consumer rights in the State of California. It imposes basic responsibilities upon those who collect personal information about or from a California resident, including:
- Informing data subjects when and how their personal information is collected
- Allowing individuals to opt-out of data collection
- Providing individuals with a means of accessing, correcting, and deleting collected information
- Restricting how businesses transfer individuals’ personal data to other entities
The CPRA has been in effect since January 1, 2023, and introduced a number of new and important amendments to its predecessor:
- The right to rectification: This gives consumers the right to correct inaccurate personal information.
- The right to restriction: Consumers are given the right to limit the disclosure and use of their sensitive personal data.
- Definition of sensitive personal information: The CPRA includes an amendment that updates the State’s definition of personal information.
Virginia Consumer Data Protection Act (CDPA)
The Virginia Consumer Data Protection Act (CDPA) is a state-level law designed to protect Virginians’ personal privacy. It was first passed on March 2, 2021 and grants consumers rights over the way companies collect and use their data.
The CDPA has several similarities to the EU General Data Protection Regulation (GDPR) and the CPRA in that it also applies to entities that do business in the state or sell products targeted to its residents. Entities are subject to the law’s provisions if they meet one or more of the following criteria:
- Processing or controlling the personal information of 100,000 citizens or more
- Processing or controlling the personal information of at least 25,000 consumers and earning 50% of revenue through the sale of personal data
The CDPA imposes a multitude of rules upon businesses that meet the above thresholds, including:
- A requirement to assist consumers in exercising their rights through opt-in consent
- Disclosing when consumers’ personal information will be sold
- Allowing consumers to opt-out of data collection practices
- A requirement to provide users with clear privacy notices
- A requirement for data brokers to honor consumers’ opt-out requests
Colorado Privacy Act (CPA)
Colorado became the third U.S. state to create its own privacy law in June 2020 with the passing of the Colorado Privacy Act (CPA). This regulation places obligations upon data controllers who do business in the state while also providing residents with distinct rights over their online privacy.
The CPA’s provisions are applicable to entities that collect the personal information of 100,000 or more Colorado residents, or a lower threshold of at least 25,000 Colorado residents if deriving profit from the sale of that data.
The law also gives citizens five core rights when it comes to protecting their data:
- The right to opt-out of the sale of personal data, being profiled, and targeted ads
- The right to access the personal data companies collect
- The right to correct personal data that has been collected by companies
- The right to request the deletion of personal data collected by companies
- The right to data portability
It is worth noting, however, that the CPA includes several exemptions to these rules that allow businesses to proceed with data collection under certain circumstances. Notable examples include:
- Personal data collected for Colorado health insurance law purposes
- Data or a data collecting entity covered by another law like COPPA or FERPA
- Data that has been pseudonymized or de-identified
- Data maintained and used by consumer reporting agencies
- Data used for employment records purposes
The law is set to take effect in the summer of 2023, leaving businesses a matter of months to prepare for its enforcement.
Utah Consumer Privacy Act
The Utah Consumer Privacy Act (UCPA) is another new state privacy law, drawing from the existing principles of the CPA, CDPA, and CPRA. It will take effect by the end of 2023 and apply to data processors and controllers that generate more than $25 million in yearly revenue in the state while also:
- Controlling or processing the personal data of 100,000 consumers a year or more
- Deriving over 50% of gross revenue from the sale of private information while controlling or processing the personal information of 25,000 or more individuals
With the UCPA, individuals have the right to:
- Confirm whether an entity is processing their private information, as well as access or delete the information they have provided
- Acquire a copy of their collected personal information in an accessible format
- Opt-out of personal data processing for the purpose of targeted advertising or sales
Connecticut’s Data Privacy Law
Connecticut is the fifth U.S. state to implement its own privacy law, with the recent passing of Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring (CTDPA).
It applies to entities that, during a preceding calendar year:
- Processed or controlled the personal data of 100,000 or more state residents
- Processed or controlled the personal information of at least 25,000 consumers while deriving 25% or more of gross revenue from the sale of personal information
This new law notably excludes payment transaction data from its scope, an exemption aimed at small businesses. It also provides a 60-day period to remedy violations, available through December 31, 2024.
New York SHIELD Act
The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act is an expansion of the state’s existing consumer data protection law. This new act, passed in July 2019, applies to all businesses that possess or access private data from New York residents. It went into full effect in March 2020.
This act requires businesses to implement reasonable safeguards to protect the security, confidentiality and integrity of private information. In addition, they must assess the sensitivity of the data they collect, notify consumers in the event of a breach and take necessary steps to mitigate similar events in the future.
European Data Privacy Laws
Europe is no stranger to data privacy laws, having implemented a broad range of regulations in recent years.
When it comes to European data privacy laws, the most important name worth noting is the EU GDPR. This law governs the collection, use, security and transmission of personal data of EU citizens. It applies to any business that collects or processes the personal data of European citizens and was established in 2018.
Digital Services Act (DSA)
The Digital Services Act (DSA) was created to protect EU citizens from harmful online content, such as hate speech and disinformation. It entered into force on November 16, 2022 and will come fully into effect on February 17, 2024. This new regulation will require platforms such as Google and Facebook to remove content that doesn’t meet certain standards. The primary principle of the DSA is “what is illegal offline must be illegal online.”
Other International Data Privacy Laws
Beyond the United States and European Union, other countries are catching up in the data privacy game. Below are some of the most prominent international data privacy laws.
The Digital Markets Act (DMA)
The Digital Markets Act (DMA), which was proposed in December 2020, is designed to regulate the activities of digital platforms such as Amazon, Apple, and Google. The DMA will require these companies to treat their competitors fairly and not impose unfair conditions on them.
China’s Personal Information Protection Law (PIPL)
China’s Personal Information Protection Law (PIPL) is a comprehensive data privacy law that entered into effect in November 2021. It puts restrictions on how companies may collect, use and transfer personal information. It also requires that organizations take reasonable measures to protect the data they hold, such as implementing encryption and robust authentication protocols.
Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD)
The Lei Geral de Proteção de Dados Pessoais (LGPD) was passed by the Brazilian Congress in 2020. It requires companies to protect the data of Brazilian residents and sets limits on how they can acquire, use, store and transfer this information.
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
Canada implemented the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000. It applies to organizations that collect, use or disclose personal information in the course of commercial activities, while also outlining principles that businesses must adhere to when handling private data, such as obtaining consent for the collection and use of personal data.
Data privacy laws are essential for the protection of individuals’ personal data and private information. Companies must ensure that they comply with all applicable laws and regulations in order to protect their customers’ data, while also being aware of other international data privacy laws that may affect their operations. By taking these steps, organizations can help safeguard the information of their customers and maintain their trust.