Data Privacy Legislation: What to Know
How often do you think about your personal data? How much time do you spend wondering what it contains, who has access to it, and who they might share it with?
Even if you aren’t thinking about your data, there’s a good chance another entity is. Data is a valuable asset, and companies everywhere are scrambling to acquire yours. Every time you click “accept cookies” or buy something online, you’re putting your personal information—not to mention your trust—into the hands of companies.
That’s what makes data privacy laws so important for consumer data privacy. All over the world, from Europe to South America and Virginia to Utah, lawmakers are recognizing how vital it is to take measures to protect sensitive data. In response, they’re implementing historic privacy regulations for personal data protection.
From the CCPA to the CPRA to the GDPR, privacy regulation is changing fast. In this guide, we’ll cover the importance of data privacy laws and everything you need to know to make sense of the complicated world of data privacy.
Europe is Leading the Way in Data Privacy Laws
When it comes to enacting widespread, comprehensive updates to data privacy law that put personal data protection first, the 28 nations of the European Union (E.U.) are leading the charge.
In 2018, the E.U. enacted its now-historic data privacy protection law, the General Data Protection Regulation (GDPR). But what is GDPR, exactly? This first-of-its-kind data security law is in place to manage and protect any and all sensitive data collected from any resident of an E.U.-member country. Specifically, this data privacy legislation regulates how consumer data is used, transmitted, and secured and ensures greater consumer protection through any covered entity.
The GDPR is known as the strictest personal data protection act in the world. This data security law is built upon three elements that are crucial to data privacy. They are:
- Consent – The GDPR stipulates that consumers must willingly give up their data. This means no data can be collected unless the consumer has given their explicit consent. This includes consumer IP addresses and information collected by website cookies.
- Data breach handling – How a business or agency responds to any sensitive data breach is a primary concern of the GDPR and other data privacy regulations. In general, consumers have the right to be notified if their data is made vulnerable to unauthorized parties or any unauthorized entity. According to the GDPR, data holders must notify consumers within 72 hours of any exposure.
- Consumer rights – The GDPR ensures certain rights to consumers regarding their data, including the right to know how and when their data is collected and used, to access their own data, and to restrict or suppress their data, among a host of other provisions.
Importantly, the GDPR protects the data of E.U. citizens no matter where the collecting organization is located. This stipulation has international ramifications, as it applies to businesses outside the European Commission and E.U.-member countries, including those in the United States.
Failure to comply with the GDPR can result in fines of up to $20 million.
Brazil’s E.U.-Inspired Laws Protect Additional Data
In 2020, Brazil took a page from the E.U.’s playbook and passed its own set of nationwide data privacy legislation and regulations, known as the General Law for the Protection of Personal Data (LGPD).
Like the GDPR, a central tenet of the LGPD is the protection of Brazilian consumers’ data regardless of who collects it or where they are in the world. However, LGPD applies broad definitions to personal data. It includes virtually any information about a person. In addition to standard data, like health history or credit information from a medical or financial institution, this covers a person’s:
- Race and ethnicity
- Sexual orientation
- Religious and political beliefs
Unlike the GDPR, however, the LGPD makes certain exceptions to when consumer consent is required for data collection or use, such as when the data subject’s life is in danger or the information is needed for other lawful purposes.
Privacy Laws in the United States Vary by State
Compared to the European Union and Brazil, the United States offers far fewer protections for consumer data. In fact, at the federal law level, most of the data that consumers surrender every day is only marginally regulated, if at all.
This leaves the data of American consumers vulnerable. As American citizens continue to grow increasingly reliant on a range of gadgets and devices that are connected to the Internet, how that data is protected is an even greater concern.
That said, the United States isn’t exactly the Wild West when it comes to data privacy legislation. Here’s what to know about federal and state regulations.
U.S. Federal Privacy Laws
To date, the United States hasn’t passed a comprehensive, all-encompassing data privacy law at the federal level. Instead, the government has made a practice of addressing data privacy issues by enacting various laws and regulations for managing consumer data within specific industries. These regulations address personal data like:
- Health information
- Credit information
- Information collected by financial institutions
For example, the Healthcare Insurance Portability and Accountability Act (HIPAA), passed in 1996, regulates how sensitive healthcare information is managed by and transmitted between healthcare providers, insurance companies, and government programs like Medicare and Medicaid.
The Fair Credit Reporting Act of 1970 and the Children’s Online Privacy Act of 1998 are further examples of the federal government’s attempts to implement enforceable data privacy protections.
State Privacy Laws
In the face of the federal government’s failure to enact far-reaching data privacy laws, states all over the country are taking matters into their own hands. Prompted by calls from consumers, consumer advocates, and business owners alike, individual states have taken steps to protect consumer data. Today, hundreds of laws exist across states that regulate how consumer data is collected, used, stored, secured, and disposed of.
That said, only three states have so far passed comprehensive state privacy laws of their own. These include:
- California – A citizen’s initiative is responsible for the California Consumer Privacy Act (CCPA) of 2018. Together with the California Privacy Rights Act (CPRA) of 2020, the CCPA protects the data of California’s consumers, ensures various rights to data subjects, and mandates fees and other penalties for compliance failures.
- Virginia – Like the GDPR and the CPRA, Virginia’s Consumer Data Protection Act, passed in 2021, protects Virginia residents no matter where their data is collected. It also expects compliance from any company that collects data on 100,000 subjects or more. Businesses that collect data on 25,000 or more must also comply if they earn half of their revenue from selling data.
- Colorado – In 2020, Colorado passed the Colorado Privacy Act (CPA), which includes many of the same provisions as other similar acts. However, the CPA only applies to businesses that collect data on 100,000 subjects or more, or that collect data on at least 25,000 subjects and earn profits from selling data. Notably, the CPA lists 17 situations in which data may not be subject to its protections.
Another notable state data privacy law is New York’s Stop Hacks and Improve Electronic Data Security Act, also known as the SHIELD Act. Although the SHIELD Act lacks the broad scope and reach of laws in California, Virginia, and Colorado, it is nevertheless an improvement on the state’s prior regulations.
One key facet of the SHIELD Act is its expansion of what is considered private information. Specifically, the bill adds to the list of data types that businesses must inform consumers about in the event of a data breach.
In order to remain compliant with SHIELD, companies must enforce “reasonable safeguards” to ensure the protection of consumer data with regard to its:
At the state level, the state Attorney General is responsible for managing and enforcing data privacy laws.
The Future of Data Privacy
As the need for data privacy laws increases, lawmakers all over the world are devising regulations for addressing the issues and strategies for turning those regulations into law.
In Europe, plans are already underway to enhance the provisions of the GDPR with two additional acts, the Digital Services Act (DSA) and the Digital Markets Act (DMA). These acts are poised to expand existing regulations to include:
- Internet and cellular service providers
- Internet platforms and hosting services
- Large platforms such as Facebook and Google
In the U.S., individual states continue to take action to protect consumer data and keep companies accountable.
In March of 2022, the Utah Consumer Privacy Act (UCPA) was signed into law. Like other state laws, UCPA provides consumers with the right to access their own data and opt out of sharing their data. It also requires some businesses to take precautions to keep consumer data safe. More states are expected to follow suit in the coming years.
With data privacy regulations changing and evolving at such a fast rate, it can be difficult to keep up with your rights and responsibilities as a business owner.
That’s why DataGrail’s data privacy platform is working to help businesses everywhere understand the data privacy laws that apply to them—whether those come in the form of state action or international mandate. Our easy-to-use platform has everything businesses need for managing, automating, and scaling data processing, all with an eye on keeping you compliant.
Getting started is easy. Request a demo today.