Every country has implemented some form of data privacy legislation to govern how information is gathered, how data subjects are informed, and what control a data subject has over his information once it is transmitted. Failure to adhere to appropriate data privacy laws may result in fines, lawsuits, and even the prohibition of a site’s usage in specific countries. These rules and regulations are complex, but all website owners should be aware of data privacy laws that impact their customers.
The rules and regulations you should be aware of for 2022, as well as any planned modifications, are listed below. As new legislation is passed, we’ll add it to this list.
US data privacy laws
Despite numerous attempts, no single comprehensive federal law governs data privacy in the United States. There’s a complex tangle of sector- and medium-specific laws, as well as rules that cover telecommunications, medical information, credit information, financial institutions, and marketing. The Federal Trade Commission (FTC) is a prominent enforcement body in the United States. Its power to protect consumer interests stems from the Federal Trade Commission Act (FTC Act), which gives it jurisdiction over commercial enterprises and the authority to combat “deceptive trade practices.” In 2021, an additional $500 million for the FTC was postponed, but it’s expected that the FTC will receive adequate funding, resources, and personnel to fulfill its de-facto privacy watchdog function.
Regardless, while the FTC does not have legislation dictating what information should be included in website privacy policies, it uses its power to enforce regulations and take enforcement actions to protect customers. The FTC can, for example, take action against businesses that:
- Fail to implement and maintain reasonable data security measures.
- Fail to abide by any applicable self-regulatory principles of the organization’s industry.
- Make inaccurate privacy and security representations (lying) to consumers and in privacy policies.
- Fail to provide sufficient security for personal data.
- Violate consumer data privacy rights by collecting, processing or sharing consumer information.
- Engage in misleading advertising practices.
The following are some of the other federal regulations that regulate internet data gathering:
- The Children’s Online Privacy Protection Act (COPPA), which governs the collection of information on minors.
- The Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, you may also recover damages if your information was stolen in violation of its privacy and security requirements.
- The Gramm-Leach-Bliley Act (GLBA), also known as the Gramm-Leach-Bliley Financial Modernization Act of 1999, which governs personal information gathered by banks and financial institutions.
- The Fair Credit Reporting Act (FCRA), together with the CFPB’s Privacy Rule (passed in May 2015 and approved by a federal court on July 25 of that year), which regulates the collection, use, and public disclosure of consumer credit information.
State data privacy laws
The United States has hundreds of sectoral data privacy and data security regulations in its states. The state attorneys general are responsible for data privacy rules that govern the collection, storage, protection, disposal, and use of personal information collected from their citizens, especially concerning data breach notifications and Social Security number security.
Only certain types of organizations are covered by each state’s specific privacy legislation. Some apply only to government agencies, while others apply only to businesses; some apply to both. In addition, there is a major movement toward passing privacy laws at the state level in the United States. That’s because the federal government hasn’t been able to find consensus on how to legislate broadly. Rather than wait, state lawmakers have felt pushes from consumers, consumer advocates, and even companies to set their own rules.
Of course, businesses would rather comply with a single federal regulation than hire an attorney to examine each of the numerous state laws that they must adhere to. However, state pushes are a stopgap measure. And if the states have to do it, they have to do it.
California started the chain reaction. Although only one other state has indeed been able to enact a comprehensive law thus far, many states are attempting. They provide a reference point for where Republicans and Democrats agree and what must be amended before any agreement can reach its ultimate destination: the governor’s desk.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is the most comprehensive state data privacy law to date. It came into force on January 1, 2020. The CCPA is a cross-sector bill that establishes important terminology and broad consumer rights while also placing significant obligations on organizations or individuals who acquire personal information from a resident of California. Among other things, the GDPR requires organizations to inform individuals when and how data is collected.
California Privacy Rights Act (CPRA)
Here’s a little background: When a real estate agent in California submitted the California Consumer Privacy Act to the ballot, businesses were not pleased. Alastair Mactaggart, on the other hand, was able to gather the required number of signatures to launch a citizen’s initiative. It didn’t have to go through the conventional legislative process, which includes votes from both the California Assembly and Senate. The people spoke when it became a law. Once corporations realized that they had to modify operations to comply with the country’s first comprehensive privacy law, it was obvious that the bill had been passed. Then, just two years later, Mactaggart returned with a new version of the CCPA. In November 2020, California’s Privacy Rights Act was voted into law, extending and amending sections of the CCPA that Mactaggart and his team wanted to include but could not get across the finish line at the time.
The following was added to the CCPA by the CPRA:
- The right to rectification is a consumer’s right to correct incorrect personal information.
- The right to restrict: This gives consumers the option of restricting how much and what information about them is used and disclosed.
- Sensitive personally identifiable information: This redefines personal information. Certain sorts of data, such as a customers’ Social Security number, require special safeguards.
- The CPRA also trebles fines for breaches involving children’s data.
- Breaches of unencrypted data are only part of the equation. Disclosures of credentials (like an email address or password) that might enable access to a consumer’s account may now be covered by this new law.
- Limits the amount of time a business may keep a consumer’s information to only what is essential and “proportional” to the original purpose for which it was gathered.
- Companies that outsource should require their third-party vendors to keep data shared with them in the same degree of privacy as the original party.
One of the more innovative elements of the CPRA is how it will be enforced. While state attorneys general usually handle privacy disputes unless the Federal Trade Commission gets involved, the CPRA establishes a new privacy regulator. The California Privacy Protection Agency will be able to impose fines, conduct hearings regarding privacy breaches, and clarify privacy standards. It’s a five-person board that starts applying the law six months after the CPRA takes effect on July 1, 2023.
Virginia’s Consumer Data Protection Act (CDPA)
On March 2, 2021, Virginia’s Consumer Data Protection Act (CDPA) went into force. It gives Virginians control over their data and requires businesses covered by the legislation to follow rules about how data is collected, stored, handled, and shared. The Virginia Data Practices Act is comparable in many ways to the European Union’s General Data Protection Regulation and California’s Consumer Privacy Act. It applies to businesses that operate in Virginia or provide goods and services targeted toward Virginians, as well as those who perform one of the following:
- Control or process the personal data of 100,000 or more consumers.
- Control or process the personal data of at least 25,000 consumers and earn 50% of their revenue by selling personal information.
The CDPA requires businesses that fall under the law to assist customers in exercising their data rights by obtaining opt-in consent before handling their sensitive data, disclosing when their data will be sold, and allowing them to opt-out. It also demands firms provide consumers with a clear privacy notice that includes a means for them to opt-out of personalized advertising.
The CDPA takes effect on the same day as California’s most recent privacy legislation, the CPRA, which replaces its prior version, the CCPA, on Jan. 1, 2023. Lawmakers will likely adjust the law before then; therefore it’s a good idea to keep an eye on this legislation as it develops.
Colorado Privacy Act (CPA)
Colorado became the third state in the United States to enact a privacy law in June 2020. The Colorado Privacy Act protects consumers’ information and places obligations on data controllers and processors. The GDPR is similar to California’s two privacy laws, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), as well as Virginia’s current Consumer Data Protection Act (CDPA).
The European Union’s General Data Protection Regulation, which went into force in May 2018, provides a framework that is quite similar to the GDPR. While there are some parallels, such as the existence of a right to opt-out and special protections for sensitive data, the key distinctions lie in the specifics.
The privacy act applies to firms that collect personal information from 100,000 residents of Colorado or 25,000 residents of Colorado and make money as a result of such data sales.
Once the law is implemented, Colorado residents will be granted five civil rights. They are as follows:
- The right to opt-out of targeted ads, the sale of their data or being profiled.
- The right to access the data a company has collected about them.
- The right to correct data that’s been collected about them.
- The right to request the data collected about them is deleted.
- The right to data portability (that is, the right to take your data and move it to another company).
Within the law, there are 17 blanket exceptions. They include:
- If the data was collected for Colorado health insurance law purposes.
- If the entity collecting the data or the data collected is already covered by certain sectoral laws, including the Children’s Online Privacy Protection Act or the Family Educational Rights and Privacy Act.
- If the data has been de-identified or pseudonymized.
- If the data is being maintained and used by a consumer reporting agency.
- If the data is being used for employment records purposes.
New York SHIELD Act
In July 2019, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act was enacted in New York. This legislation updates New York’s existing data breach notification law while also adding more data security standards for businesses that acquire information on residents of New York. As of March 2020, the legislation is fully effective. This legislation extends consumer privacy rights and improves data security for New York residents.
Other state-level data privacy laws
The first states to pass comprehensive legislation that has a national impact are California, New York, Virginia, and Colorado, but many additional states throughout the United States are considering data privacy laws.
Europe
The EU General Data Protection Regulation (GDPR) continues to be the law of the land. However, in 2022, there will be several suggestions to consider. Here’s a refresher on the GDPR and a list of other potential laws you should keep an eye on if your organization is concerned about data privacy.
The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the most significant data protection law to date. It covers the gathering, usage, transmission, and security of data gathered from EU citizens. This provision applies to all EU residents, regardless of the entity that holds their personal information. Organizations that do not comply with the GDPR face fines of up to €20 million or 4% of worldwide revenue. The following are some of the most significant requirements of the GDPR:
Consent
Individuals must be able to freely give informed, express consent before their data is collected. Cookies are a type of personal data that may be used by websites. According to the GDPR, certain information, such as the user’s computer IP address, is considered “personal data” in the European Union.
Data Breach Notification
Most organizations are obligated to notify authorities and data subjects within 72 hours of a data breach that affects users’ personal information.
Data Subjects’ Rights
- The right to access their data. A data subject can request a copy of his or her personal information by submitting a data subject request. Data collectors must provide information on how they gained the data, what they are doing with it, and with whom it is shared.
- The right of rectification. If a data subject’s data is incorrect or lacking, they have the right to request that it be corrected.
- The right of erasure. Within 30 days after being informed of the violation, data subjects have the right to demand the erasure of their data in certain cases.
- The right to restrict processing. Individuals have the right to ask for the restriction or deletion of their data (which you can still store).
- The right to data portability. They can have their data transferred from one electronic system to another without interrupting its usefulness at any time.
- The right to object. Individuals can object to how their data is used for marketing, sales, or other non-service-related purposes. The right to object does not extend where legal or official authority is used, a task is carried out for the public benefit, or data must be processed for the organization to provide you with a service for which you signed up.
EU proposals to watch in 2022
Digital Services Act (DSA)
The European Commission aims to upgrade its rules on digital services in the EU. It is doing this through two proposed laws that would form a single set of rules across the EU. One is the Digital Services Act, which was introduced in Parliament by Minister for Communications and Information Helene Elinson. It’s designed to safeguard customers and create a “level playing field that promotes innovation, growth, and competitiveness.”
Consider any digital service when you think about internet services. That might be a music streaming service, an e-book, or even a website.
The Digital Services Act would apply to the following services:
- Intermediary services (Internet access providers, etc.)
- Hosting services.
- Online platforms.
The council’s responsibilities differ based on a firm’s size, but they may include monitoring of third-party providers, external risk auditing, and codes of conduct. The Internal Market Committee at the European Parliament has given its blessing to the bill, which will be voted on by all Members of the European Parliament in January 2022.
The Digital Markets Act
Under the bill, large digital platforms known as “gatekeepers” would be regulated. Companies like Facebook, Apple, Microsoft, and Google are examples of such businesses. It aims to level the playing field for digital firms of all sizes. The FTC would establish rules for major internet platforms to prevent them from placing “unfair terms on businesses and customers,” according to the preliminary text. For example, a firm like Amazon wouldn’t be allowed to rank items on its site in a manner that gives Amazon’s own items and services an edge.
It would also give the European Commissioner the authority to conduct investigations and impose penalties on offenders as needed, as well as update laws as required.
The European Parliament has given its approval to the Digital Markets Act, which will now be sent to the European Commission for negotiation.
The e-Privacy Regulation has been a long time in the making. It was designed to take effect at the same time as the EU’s General Data Protection Regulation, but it has been delayed for years. The e-Privacy Regulation would regulate traditional electronic communications services and entities that were not covered by the e-Privacy Directive, such as WhatsApp, Facebook Messenger, and Skype.
It would strengthen privacy rules for electronic communications and apply not just to communication content but also to “metadata,” which is data that describes other data. Under ePrivacy, service providers and electronic communications networks must get express consent from their customers before collecting or analyzing their electronic communications metadata.
It would also establish more simple cookie rules. It would allow customers to opt in or out of tracking cookies at the browser level, as well as define that websites do not require consent for “non-privacy intrusive” cookies. Cookies are programs installed on a website’s users’ computers that allow the site to function properly, such as “shopping carts.” It would also necessitate that businesses enable end-users to withdraw their previously authorized consent at least once a year.
Any firm doing business in the European Union that develops or adopts machine-learning-based software would be subject to the EU’s Artificial Intelligence Act. It would apply extraterritorially, which means the legislation will apply to businesses based outside of the EU if they have clients or users within it.
The AI Act would ban the following:
- Techniques used to change a person’s actions in a way that puts them at risk of mental or bodily harm.
- AI systems that exploit vulnerable groups, such as those defined by age or physical or mental infirmity.
- AI systems that collect real-time remote biometric data in public places and provide it to police.
Brazil’s General Law for the Protection of Personal Data (LGPD)
The Brazilian Data Protection Act (Lei Geral de Proteção de Dados Pessoais in Portuguese, or LGPD) went into effect in 2020. It contains provisions that are comparable to the GDPR and aim to govern the treatment of personal data from all people and natural persons in Brazil. As a result, even if your firm isn’t based in Brazil, if you process data of Brazilian citizens, you must comply with the new legislation. Companies and organizations that do not follow the law’s conditions and directives may be fined up to 50 million Brazilian reais (approximately USD 12 million) as a penalty.
Under the LGPD, personal data can be processed either with a data subject’s consent or when it is necessary:
- To comply with a legal obligation.
- For the public administration to carry out public policies.
- For research purposes.
- To protect the life or physical safety of the data subject.
Data breach notification
If there’s a potential for risk or damage to the data subjects involved following a data breach, data controllers must notify the National Data Protection Authority within a “reasonable time” after the breach occurs.
Data subjects’ rights
Under these rights, Brazilian nationals may:
- Confirm the existence of processing (“treatment”) of their data.
- Access their data.
- Correct incomplete, inaccurate, or outdated data.
- Take their data to another service provider or product (data portability).
- Delete their data.
- Know any public and private entities with whom the controller has shared their data.
- Receive information on what happens if they do not provide consent to the processing of their data.
- Revoke consent to the processing of their data.
These rights are comparable to those given under the GDPR. Privacy policies are crucial.