Almost every country on Earth has passed data privacy laws regulating the collection of personal information, the ways in which data subjects are informed of collection activities, and the control those subjects have over the transfer of that information.
The penalties for failing to comply with these laws consist primarily of fines, although they can also include the blocking of websites and lawsuits. Website operators and other entities that collect personal information should therefore familiarize themselves with the data privacy laws that apply in their jurisdiction. The laws discussed in this blog post are current as of 2022 but are subject to frequent change.
United States
The United States doesn’t have a single federal law that regulates data privacy, despite repeated efforts to enact such legislation. It does, however, have many data privacy laws that apply to a particular jurisdiction or industry sector, including finance, healthcare, marketing and telecommunications. The only states that have passed comprehensive data privacy legislation so far are California, Virginia, Colorado and New York.
California
The California Consumer Privacy Act (CCPA), passed in 2018, is the most comprehensive data privacy legislation in the US at the state level. It provides consumers with broad rights and imposes a substantial duty of care on any entity that collects personal information on California residents. These duties include informing subjects about the collection process and allowing them to access, modify and delete this information. For example, website owners who collect personal data must disclose their privacy policy on their websites.
Virginia
Virginia passed its Consumer Data Protection Act (CDPA) in March 2021, which gives consumers certain rights over their data. Organizations covered by this law include those that do business in Virginia or sell products and services targeted at Virginia residents, provided they also control the personal data of at least 100,000 people, or control the personal data of at least 25,000 people and derive at least half of their revenue from selling personal information. Companies affected by the CDPA face restrictions on the data they can collect, how they must protect it and whom they can share it with.
Colorado
Colorado passed the Colorado Privacy Act in June 2020, which places obligations on the controllers and processors of personal data. It bears significant similarities to the data privacy laws in California and Virginia. The Colorado Privacy Act also borrows ideas from the General Data Protection Regulation (GDPR), which regulates data privacy for the European Union (EU).
New York
New York passed its Stop Hacks and Improve Electronic Data Security (SHIELD) Act in July 2019, and it has been fully enforceable since March 2020. This law amended the state’s existing data breach notification law to give residents better protection from data breaches involving personal information. The SHIELD Act also strengthens data security requirements for organizations that collect personal information on New York residents.
Europe
The GDPR regulates data privacy and protection in the EU and the European Economic Area (EEA). It is a critical component of EU privacy and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the EU. The GDPR also regulates the transfer of personal data outside the EU and EEA.
Fines
The largest fines related to data privacy have been imposed under the GDPR, including an $877 million fine against Amazon in 2021. Amazon disclosed the fine in its July earnings report for that year, although it didn’t provide further details on the specific reason for it. The fine was reported to relate to the way Amazon obtained consent from website visitors to use cookies. Amazon had previously been fined $41 million in France in late 2020 for allegedly failing to obtain cookie consent.
Ireland fined WhatsApp $255 million in late 2021 for violating the GDPR, almost five times its previous record for a GDPR fine. The basis for the fine was that WhatsApp’s messaging service failed to properly explain its data collection practices in its privacy notice. Authorities used the GDPR’s “one-stop-shop” mechanism to increase the size of the fine. This provision can greatly increase GDPR fines in cases where the entity controlling the data isn’t in the EU, allowing each Supervisory Authority (SA) to impose a separate fine.
Image: “Privacy – Privacy Online”, Flickr photo by perspec_photo88, shared under a Creative Commons (BY-SA) license