The Current State of Data Privacy Regulation
Online privacy violations, ranging from security breaches to the large-scale exposure of personal data, have become increasingly commonplace. While personal data used to mean a few data points like name, phone number, and address, the amount of personal data online has dramatically expanded, presenting vulnerability and liability issues for companies, as well as resulting in changing behaviors online due to an ever-increasing lack of trust.
To help counteract this problem, a wide array of data privacy regulations have been enacted, with many more being considered each year. Here we’ll present an overview of the state of data privacy today in the U.S. and around the globe.
In Europe, the General Data Protection Regulation (GDPR) represents one of the most robust data privacy laws in the world and is often viewed as the precursor to a number of U.S. data privacy regulations. Effective as of May 2018, GDPR is a series of laws spelling out the digital rights of citizens of the European Union. It builds on an earlier policy, called the Data Protection Directive, which Europe adopted in 1995. Many of the ideas outlined in GDPR came from the earlier regulation, and an even older set of principles called the Fair Information Practices, which covers the ways consumer information should be used.
The GDPR sets a high standard for data privacy. It gives people the right to ask companies how their personal data is collected and stored, how it's being used, and to request that personal data be deleted. It also requires that companies clearly explain how personal data is stored and used, and to get user consent before collecting it.
Unlike the European Union, the U.S. does not currently have comprehensive national data privacy legislation (though the American Data Privacy and Protection Act was taken up in Congress last year with bipartisan support and is still being debated). However, five states have stepped up on their own and enacted laws that protect the privacy of their residents’ personal data.
In the U.S., the most significant development in data privacy regulation is the implementation of the California Consumer Privacy Act (effective January 1, 2020) and its amendment, the California Privacy Rights Act (January 1, 2023). Most notably, this legislation gives California residents the right to know what personal information a business collects, the sources of that information, the purpose for collecting it, and the categories of third parties with whom it is shared; to request that a business delete their personal information; and to opt out of the sale of their personal information. CPRA also requires businesses to implement reasonable security measures to protect the personal information they collect, and to provide consumers with specific information about their data-sharing practices.
In addition to California, four other states have enacted comprehensive consumer privacy laws, all of which provide protections for the collection and use of personal data:
- The Virginia Consumer Data Protection Act went into effect on January 1, 2023. The act requires businesses to provide specific rights and protections to Virginia residents with respect to their personal data, including the right to access, control, and delete such data. The law also imposes obligations on businesses regarding the collection, use, and protection of personal data.
- The Colorado Privacy Act will take effect on July 1, 2023. This act provides Colorado residents with the right to opt out of targeted advertising, the sale of their personal data, and certain types of profiling.
- The Utah Consumer Privacy Act (UCPA) was signed into law in March 2022 and will go into effect on December 31, 2023. This law draws on a number of core concepts from the Virginia act, and will provide rights of deletion, access, portability, and opt-out of data sale to third parties, including use in targeted ads.
- Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring was signed into law in May 2022 and will go into effect on July 1, 2023. Similar to the other four U.S. privacy laws, Connecticut’s is primarily an opt-out law that requires consent for the processing of sensitive data. Connecticut borrowed an additional requirement from GDPR to provide a way to revoke consent in a manner that’s as easy as it is to provide consent.
Other Regulations of Note
- Canada Personal Information Protection and Electronic Documents Act (PIPEDA) applies to businesses that collect, use, and disclose personal information for commercial purposes. It grants individuals various rights over their personal data and imposes specific obligations on businesses that handle personal data.
- Brazil's General Data Protection Law (LGPD) covers all Brazilian organizations that process personal data, regardless of their location. It regulates the processing of personal data and grants individuals various rights over their data.
- Japan's Act on the Protection of Personal Information (APPI) applies to businesses that process personal data. It regulates the handling of personal data and grants individuals various rights over their data.
- China's Cybersecurity Law is important to all organizations that collect and use personal information in China. It regulates the handling of personal data and grants individuals various rights over their data.
With data privacy being top of mind for many states and consumers, we expect to see more privacy laws being introduced over the course of the year and beyond. For businesses, the most obvious takeaway is that they will need to figure out how to comply with these regulations or risk facing steep fines. For consumers, the obvious takeaway is that you will have more rights governing your personal data. However, the implications of data privacy laws are a bit more nuanced.
In an upcoming series of posts, we’ll take a look at those nuances by addressing what the state of data privacy means to different groups of people.