Data privacy laws vary greatly around the world, but that’s rapidly changing. The United States is increasingly alone in not having a single overarching data privacy law as more countries adopt new statutes that have much in common with the European Union’s General Data Privacy Regulation (GDPR). Most countries that have GDPR-esque laws are excluded from this list, with only a few exceptions in cases of pre-GDPR laws being updated to bring them in line with modern data privacy considerations. Organizations that do business outside of their home country should research data privacy laws wherever they interact with consumers to ensure legal compliance.
SEE: Identity theft protection policy (TechRepublic Premium)
Act on the Protection of Personal Information (APPI) – Japan
This Japanese privacy law took effect in 2003, but was amended in 2015 to include a second category of personal identifying information (PII) called special care required personal data. This second category includes any data that can be used to discriminate against an individual, such as race, criminal history, religion, etc. The APPI applies to any organization handling the data of Japanese citizens.
California Consumer Privacy Act (CCPA)
California’s CCPA is thorough; it affects any for-profit organization that does business in California and earns at least $25 million, has data on over 50,000 California residents, or derives 50% or more of their revenue from selling the data of California residents. The law only protects California residents, but has been held up as a standard for other US states to draft their own data privacy laws.
Children’s Online Privacy Protection Act (COPPA) – United States
This US law controls data collection on children aged 13 or younger and affects any business that collects such data on US citizens. Its aim is to put parents in control of their childrens’ data and requires businesses that collect such data to require parental permission that clearly details the kind of data collected and for what purposes, and allows parents to rescind that permission at any time.
California Privacy Rights Act (CPRA)
The CPRA, passed in November 2020, adds to and supersedes the CCPA by adding several new data privacy rights for California citizens, such as: The right to correct incorrect data, the right to be notified of a company’s intent to use data, and the right to have businesses minimize the use of what is stored, how long it’s stored, and what stored data is used for. Rights from the CCPA are also expanded on and clarified. This act will take effect in 2023, and the CCPA stands as-is until that time.
Fair Credit Reporting Act (FCRA) – United States
The FCRA controls what kind of personal information credit agencies can collect, how they can use it, who they can share it with, and the rights individuals have over their data. Specifically, US residents with credit histories are allowed a free credit report once a year, and can dispute information, verify accuracy when credit report data is used for employment purposes, and it also requires agencies who use credit history to decline an applicant to provide justification in writing.
General Data Protection Regulation (GDPR) – European Union
The EU’s GDPR affects any organization that does business with citizens of any of the 27 EU countries. The rule requires any requests for personal data to be stated clearly in writing, eliminates blanket consent to access of private data, requires companies to notify customers of data breaches within 72 hours of discovery, gives individuals the right to see what data is being collected, and requires “right to be forgotten” provisions. Penalties for non-compliance are steep, and can be as high as 4% of annual global turnover or 20 million Euros–whichever is greater.
Health Insurance Portability and Accountability Act (HIPAA) – United States
HIPAA is a wide ranging US law that governs how insurance companies, health care providers, and anyone else that potentially has access to healthcare-related PII must treat that data, what must be protected, and penalties for non-compliance. It also gives individual patients rights like being able to see and correct data, be notified when, how, with whom, and why HIPAA data is shared, control access to HIPAA data (i.e., spouse, parent, child, etc.), and so on.
Brazilian General Data Protection Law (LGPD)
Brazil’s Lei Geral de Proteção de Dados unified more than 40 competing and often contradictory privacy laws into a single document that bears many similarities to the EU’s GDPR. Basic protections include rights to be forgotten, portability, notification of access, revocation of consent, notification of sharing/selling, and others. Like other laws, the LGPD applies to any businesses who interact with data of Brazilian citizens.
Personal Data Protection Act (PDPA) – Singapore
The PDPA of Singapore, like other national data privacy acts, protects consumers from having their data collected and used without their expressed consent, and applies to any business transacting with citizens of Singapore. The PDPA classifies personal data as anything that can be used to identify an individual, but makes careful distinction between certain bits of data (gender, address, age, etc.) that alone cannot identify an individual and how those bits of data are used–when combined with other data those non-personal points become personal, making its definition of PII somewhat flexible. It also established Singapore’s do-not-call list to block telemarketing calls.
Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada
PIPEDA covers any private-sector organization that collects data on Canadian citizens in the course of commercial activities, so companies located outside of Canada are affected. Originally enacted in 2000, PIPEDA was updated in 2019 to bring it in line with more modern privacy acts, like GDPR, adding more robust requirements on meaningful consent for the collection of personal data.
Telephone Consumer Protection Act (TCPA) – United States
Designed to eliminate robocall spam, the TCPA was enacted in 1991, has been updated several times, and as of 2020, requires companies to maintain their own do-not-call lists, obtain prior written consent from consumers before robocalling them, requires opt-out mechanisms in robocalls, and established the US do-not-call registry.