
Data Privacy Laws Explained

According to law firm Bond, Schoeneck & King, more than 38 states introduced 160 privacy bills in 2021 alone. More than 80 countries have their own national laws, rules and case law concerning the protection of privacy and personal data.

In this section, you’ll learn more about the different kinds of data privacy and consumer protection laws in effect today, and some recently enacted state laws that could impact you and your business.

Importance of Data Privacy Laws

The goal of modern privacy laws is to deter privacy harms and encourage compliance.

Cybercrimes are becoming more sophisticated year over year, and it seems like every company now participates in the so-called surveillance economy. Regulators are looking at how anticompetitive behavior by the largest tech giants incentivizes systemic privacy abuses, and lawmakers are wrestling with bleeding-edge biometric and algorithmic technologies.

All of these issues form the vast fabric of data privacy and consumer protection laws around the world. These laws and their regulations support the goals of privacy protection.

  • Personal data: Setting modernized standards for what is and isn’t “personal data,” and encouraging Privacy Enhancing Technologies like end-to-end encryption and anonymization.
  • Obligations on data controllers and processors: Defining obligations organizations must follow under the law and commit to contractually with one another when collecting, using, and sharing personal data. Data that is considered sensitive (or “special category” as it is called in Europe) carries added obligations.
  • Rights of the data subject: Called consumer privacy rights or just data rights, modern privacy laws empower individuals with rights to privacy information, to access, correct, and delete their data where appropriate, to object to and stop certain business uses, and to complain to a data protection authority at any time.
  • Oversight and enforcement: Specialized agencies are increasingly empowered to issue rules, provide guidance, and monitor organizations for non-compliance. The UK Information Commissioner’s Office, France’s Commission nationale de l’informatique et des libertés, California’s Privacy Protection Agency, and the US Federal Trade Commission are examples of data privacy regulators.

Key Privacy Laws and Regulations

Data privacy laws vary from country to country and state to state. But when it comes to enacting widespread, comprehensive laws focused on personal data protection, Europe’s General Data Protection Regulation (GDPR) has become the global standard.

In this section, you’ll learn the basics of not only the GDPR, but every other data privacy law that supports consumer protection and guards against data theft.

The General Data Protection Regulation

The GDPR is an evolution of decades’ worth of European efforts to protect the fundamental right to privacy. It repealed and replaced the older Data Protection Directive and advanced data privacy in a number of game changing ways:

  • Online identifiers: Expands “personal data” to include online and mobile identifiers, location data, statistical inferences, and other means by which an individual could be identified directly or indirectly.
  • International reach: Applies to organizations processing EU residents’ personal data regardless of physical presence or incorporation.
  • Stronger rights: Strengthens existing data subject rights and creates new ones like the Right to be Forgotten and the Right to Data Portability.
  • Beyond compliance: Enshrines Privacy by Design and Security by Default principles informing engineering and business decisions.
  • Opt-in consent: Requires businesses to collect specific, informed, freely-given and unambiguous consent from individuals where consent is required.
  • Data Protection Officer: Mandates certain organizations appoint an independent role charged with guiding and overseeing GDPR compliance.
  • Data Protection Impact Assessments: Requires organizations engaging in risky processing to assess and mitigate impacts to the rights and freedoms of individuals.

National authorities can fine organizations up to $20 million or 4% of global revenues for GDPR violations.

The General Law for the Protection of Personal Data

Two years after the GDPR went into effect, Brazil enacted its own nationwide data privacy law, the General Law for the Protection of Personal Data (LGPD). Similar to the GDPR, an important part of the LGPD is that it protects Brazilian consumers’ data no matter who collects it or where they’re located.

One difference is that the LGPD gives broad definitions to personal data, which can include almost any information about a person. In addition to standard sensitive data, like medical history or credit card information, the LGPD also covers race, ethnicity, sexual orientation, religious beliefs, and political stances.

Another difference is the LGPD makes some exceptions for when consumer consent is required for data collection or use. For example, if the consumer’s life is in danger or information is needed for other lawful purposes, consent may not be required.

U.S. Consumer Protection Laws

The United States has not yet passed a federal, comprehensive data privacy law. What the government has done is address data privacy and consumer issues in specific sectors with the following kinds of laws and regulations.

  • The Health Insurance Portability and Accountability Act (HIPAA) protects patients’ protected health information, also known as PHI. This set of regulations applies not just to medical providers but to the companies that conduct business with them as well.
  • The Fair Credit Reporting Act (FCRA) protects information in a consumer’s personal or business credit report. It regulates how financial information is collected by credit bureaus, which data they may obtain from consumers and businesses, and who can view a credit report.
  • The Family Educational Rights and Privacy Act (FERPA) determines who can request a student’s educational records by giving students, their parents, and other schools the right to request and view a student’s educational details.
  • The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to do two things: explain how they share a customer’s sensitive data and provide an option to opt out of sharing their information. As long as the institution discloses their usage, the GLBA doesn’t restrict how they can use the data.
  • The CAN-SPAM Act protects consumers and businesses from unwanted commercial email (spam). Marketers are required to provide advance notice of their marketing intent and to offer a clear and easy way for recipients to opt out of unwanted marketing.
  • The Electronic Communications Privacy Act (ECPA) restricts the government’s ability to wiretap phone calls and other communications. It also sets rules for how employers can monitor and view employee communications. Since this law was passed in 1986, it has become slightly outdated, with the Patriot Act redefining many ECPA protections.
  • The Children’s Online Privacy Protection Rule (COPPA) limits companies that collect data from and about children under the age of 13. Specifically, its rules are for websites or online services directed at users under 13 years of age and online entities that know they are collecting information from someone under 13.
  • The Video Privacy Protection Act (VPPA) protects consumers’ VHS rental records. We know — who’s renting VHS tapes anymore? Although outdated, it’s important to note this exists since nothing currently protects data associated with consumer streaming activity.
  • The Federal Trade Commission Act Section 5 lets the FTC investigate companies misleading or deceiving consumers about their security and privacy practices, including in privacy policies.

Although the U.S. does not (yet) have a comprehensive privacy law like the GDPR at the federal level, Colorado, Virginia, Utah and Connecticut successfully followed California with their own comprehensive consumer privacy laws. There are hundreds of other state consumer protection and security laws that intertwine with all the above.

California Consumer Privacy Act

The first comprehensive, statewide consumer privacy bill was signed in 2018 to protect California residents. Although it has other rights and protections outlined, the California Consumer Privacy Act (CCPA) is a data privacy law focused on two things:

  • Consumer rights: Under the CCPA, California consumers have the right to know what personal data is collected and shared with third parties. They also have the right to access their own data, delete their information, and opt out of sharing data entirely.
  • Unique business obligations: Unlike the GDPR, the CCPA takes special note of data brokers and how Californians’ data can be sold or otherwise monetized in the digital economy.

California Privacy Rights Act

Passed in late 2020, the California Privacy Rights Act (CPRA) is essentially the CCPA’s successor. It will take over as California’s primary data privacy regulation in 2023. The CPRA aligns more closely with the GDPR and adds more provisions to prevent data breaches, including:

  • Employee rights: The CPRA protects employee and business contact data with the same diligence as other consumer data.
  • Expanded business obligations: The CPRA creates new rights of data correction and to limit the use of sensitive personal information, expands opt-out obligations to include cross-context behavioral advertising, and introduces GDPR-style data minimization and impact assessment requirements.

Overall, the CPRA brings California closer to the European standard for data privacy and corporate accountability.

For both the CCPA and CPRA, it can be confusing to know whether or not your business is required to comply.

Colorado Privacy Act

Following California’s lead, Colorado passed the Colorado Privacy Act (CPA) in 2020. It includes many of the same provisions as similar acts, but it has some important restrictions to note. The CPA only applies to businesses that collect data on more than 100,000 consumers per calendar year, or that collect data on at least 25,000 consumers per calendar year if they earn profits from selling data.

In addition, the CPA notes 17 situations where data may not be subject to the regulation’s protections, including if the data was collected for Colorado health insurance law purposes, if the data is used for employment records, if the data is used by a consumer reporting agency, and more.

Virginia’s Consumer Data Protection Act

Like other privacy regulations, Virginia’s Consumer Data Protection Act protects Virginia residents no matter where their data is collected. Passed in 2021, it applies only to businesses collecting data on more than 100,000 consumers per calendar year, or on 25,000 or more consumers if they earn at least half of their revenue from selling data.