Global Privacy Frameworks: APEC CBPR
The APEC Cross-Border Privacy Rules (CBPR) system is a voluntary, enforceable privacy certification system designed to facilitate data flows among APEC economies while ensuring the protection of personal information. It aims to promote interoperability among privacy frameworks and enhance trust in cross-border data transfers.
Overview
Unlike laws such as the GDPR, the APEC CBPR is not a national or international law but a framework that covered organizations use to demonstrate compliance with internationally recognized privacy standards. The system is backed by the participating economies, with enforcement delegated to each economy's privacy enforcement authority, such as the Federal Trade Commission (FTC) in the United States. Individual organizations (companies, NGOs, etc.) must first self-assess to confirm that their privacy policies and practices meet the program requirements.
Once that self-assessment has been verified by an Accountability Agent, the organization is considered certified. US organizations functioning as Accountability Agents include TrustArc, NCC Group, BBB National Programs, HITRUST Services, and others.
Certified organizations in participating economies can then demonstrate that personal data remains appropriately protected when it moves across international borders.
Key Dates
- November 2011 - APEC CBPR system formally endorsed
- July 2012 - CBPR system opened to participation by APEC economies
- April 2022 - Global Cross-Border Privacy Rules Forum established to extend CBPR beyond APEC economies
- April 2024 - Start of the transition period in which participating economies migrate from the APEC-centric scheme to the global certification scheme, the Global CBPR
Thresholds
As a voluntary framework, any private-sector entity acting as a data controller or data processor is eligible to participate. An organization of any size and in any industry that sends or receives personal data across international borders (in particular between participating economies) may self-assess and seek certification. Participating economies include:
- United States
- Mexico
- Japan
- Canada
- Singapore
- Republic of Korea
- Australia
- Taiwan (Chinese Taipei)
- Philippines
Obligations and Individual Rights Under APEC CBPR
- Accountability - covered entities must take responsibility for data under their control, including when sharing with third parties. Covered entities are also responsible for ensuring any organization they share data with provides equivalent protection
- Governance - internal governance measures and privacy management programs must be put into place
- Notice - timely and comprehensive privacy notices must be provided, including what data is collected, why the data is collected, how the data is used, who the data is shared with, and how to contact the organization collecting the data
- Consent - data collection consent must be obtained when required, with data subjects given choice regarding data collection, use, and sharing with third parties
- Data and use limitation - data collection and data use should be limited to the personal data necessary for the stated collection and processing purposes. Any additional use of data requires new consent or appropriate legal basis
- Integrity of personal information - data must be accurate, complete, and timely for its intended use
- Safeguards - reasonable physical, technical, and administrative protections must be in place to prevent loss, misuse, improper access, disclosure, alteration, or destruction of data subjects’ information
- Access and correction - individuals must be able to access, correct, or complete their data, within reasonable limits
- Dispute resolution and enforcement - dispute resolution mechanisms must be put in place, typically via Accountability Agents, with appropriate penalties in place for non-compliance, including decertification
Personal Data
Personal data ("personal information") under the APEC CBPR is any data that can be used to directly or indirectly identify an individual. The definition is broad, but in line with global norms. Examples include:
- Identifiers such as name, address, phone number, email address, ID and Passport numbers
- Online identifiers such as IP addresses, device IDs, cookies, usernames, etc.
- Demographic data such as age, gender, marital status, nationality
- Employment info such as job title, employer, work email, and professional affiliations
- Financial data such as credit card numbers, bank account details, etc.
- Biometric data, including facial and voice recognition data, fingerprints, etc.
- Location data including GPS coordinates, travel history, etc.
- Consumer data including shopping/purchase history, user preferences and profiles, and more
Sensitive personal data is not recognized as a distinct category. The APEC CBPR does acknowledge that some data types, such as health and financial data, government IDs, biometric and genetic data, and data about minors, may require additional protection and special handling.
Penalties
Although a voluntary framework, certified entities may be subject to domestic regulatory enforcement (such as by the Federal Trade Commission in the USA). Such actions may include:
- Investigation and regulatory actions, including fines and penalties
- Decertification by Accountability Agents
- Commercial consequences, often in the form of lost business after decertification
Configure Your Consent Banner for APEC CBPR
Regions customize the banner's behavior and experience based on an individual user's location. For example, you can give users different experiences where regional laws differ (such as the LGPD in Brazil versus the CCPA in California). When a user visits your site, we automatically determine their location and match them to the most granular region rule you have set up in Concord. Rules can go down to the state/province level, which allows different experiences for different laws.
Recommended Consent Settings
Based on the current laws, we recommend the following regional settings:
- Consent Mode: Express
- Blocking Mode: Strict
- Google Consent Mode V2: Basic
- Consent Duration: 12 months
- Enable Limit Sensitive Information: Off
- Enable Do Not Sell Consent: Off
- Enable Global Privacy Control: Off
Current APEC CBPR requirements do not explicitly require Do Not Sell or Global Privacy Control, but you can enable these features if you choose to. This can be a good strategy if you want a single privacy-first configuration that you can use globally since other jurisdictions may require one or both.
For step-by-step instruction on how to configure your consent banner for different geographical regions within the Concord app, see our help document Configure Your Consent Banner for Different Geographical Regions.
While you can get as granular as you want, we typically recommend either a single global policy that meets the strictest guidelines across all regions, or a small number of splits (for example separate GDPR and United States regions, adding further regions only for stricter states like California if needed). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.
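The following is an added example, not Concord's code or API, that models the two behaviours described above: matching a visitor to the most granular region rule configured (state/province before country, then a global default) and deriving the single "strictest across regions" policy. The rule keys, setting names, the value names and their strictness ordering, and the US and US-CA rule contents are assumptions made for illustration.

```javascript
// Added example (not Concord's code or API): region-rule resolution for a
// consent banner. A visitor's location is matched to the most granular region
// rule configured, and the matched rule's settings are layered over a global
// default. Rule keys, setting names, value names and their strictness ordering
// are assumptions made for illustration only.

// Global default: the settings recommended on this page for APEC CBPR economies.
const GLOBAL_DEFAULT = {
  consentMode: 'express',
  blockingMode: 'strict',
  googleConsentModeV2: 'basic',
  consentDurationMonths: 12,
  limitSensitiveInformation: false,
  doNotSellConsent: false,
  globalPrivacyControl: false,
};

// Assumed strictness ordering for the non-boolean settings (higher = stricter).
// Basic Consent Mode withholds Google tags until consent; advanced loads them first.
const RANK = {
  consentMode: { implied: 0, express: 1 },
  blockingMode: { lenient: 0, strict: 1 },
  googleConsentModeV2: { advanced: 0, basic: 1 },
};

// Region rules keyed by ISO 3166-1 alpha-2 country code, optionally followed by
// "-" and an ISO 3166-2 subdivision code. Each value is a partial override of
// GLOBAL_DEFAULT. The US and US-CA values are hypothetical, chosen to show a
// state-level rule taking precedence over its country-level rule.
const REGION_RULES = {
  JP: {},                                                  // APEC CBPR economy, defaults apply
  SG: {},                                                  // APEC CBPR economy, defaults apply
  US: { consentMode: 'implied', blockingMode: 'lenient' }, // hypothetical country-level rule
  'US-CA': { doNotSellConsent: true, globalPrivacyControl: true }, // hypothetical CCPA rule
};

// Candidate rule keys from most to least granular: "US-CA", then "US".
function candidateKeys(location) {
  const keys = [];
  if (location.country && location.subdivision) {
    keys.push(`${location.country}-${location.subdivision}`);
  }
  if (location.country) keys.push(location.country);
  return keys;
}

// Apply the single most granular matching rule over the global default.
// Assumption: a subdivision rule does not inherit from its country rule; only
// the one matched rule is applied.
function resolveSettings(location, rules = REGION_RULES, base = GLOBAL_DEFAULT) {
  for (const key of candidateKeys(location)) {
    if (Object.prototype.hasOwnProperty.call(rules, key)) {
      return { matchedRule: key, settings: { ...base, ...rules[key] } };
    }
  }
  return { matchedRule: 'global', settings: { ...base } };
}

// Derive a single global policy meeting the strictest guideline across all
// rules: highest-ranked value for ranked settings, any opt-in protection that
// some rule enables, and the shortest consent duration.
function strictestPolicy(rules = REGION_RULES, base = GLOBAL_DEFAULT) {
  const resolved = [base, ...Object.values(rules).map((r) => ({ ...base, ...r }))];
  const stricter = (key) => (a, b) => (RANK[key][b] > RANK[key][a] ? b : a);
  const policy = {};
  for (const key of Object.keys(base)) {
    const values = resolved.map((s) => s[key]);
    if (RANK[key]) {
      policy[key] = values.reduce(stricter(key));
    } else if (typeof base[key] === 'boolean') {
      policy[key] = values.some(Boolean);
    } else {
      policy[key] = Math.min(...values); // consentDurationMonths
    }
  }
  return policy;
}

// Usage: settings for a visitor geolocated to California, and the global policy.
console.log(resolveSettings({ country: 'US', subdivision: 'CA' }));
console.log(strictestPolicy());
```

With these rules a Texas visitor falls through to the US rule, a California visitor gets the US-CA rule, a Japanese visitor gets the page's recommended defaults, and a visitor from an economy with no rule gets the global default. The strictest policy enables Do Not Sell and Global Privacy Control because one region needs them, which is exactly the "privacy-first single configuration" trade-off mentioned above.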