Almost every country on Earth has passed data privacy laws regulating the collection of personal information, how data subjects are informed of collection activities, and the control those subjects have over the use and transfer of that information.
The penalties for failing to comply with these laws consist primarily of fines, although they can also include orders to block websites or halt processing, and private lawsuits. Website operators and other entities that collect personal information should therefore familiarize themselves with the relevant data privacy laws in every jurisdiction whose residents they serve, not only the one they are based in. The laws discussed in this blog post are current as of 2022 but are subject to frequent change.
The United States doesn’t have a single federal law that regulates data privacy, despite repeated efforts to enact such legislation. It does, however, have many data privacy laws specific to a particular jurisdiction or industry sector, including finance (GLBA), healthcare (HIPAA), marketing (CAN-SPAM, COPPA) and telecommunications (TCPA). At the state level, California, Virginia and Colorado are the states that have passed comprehensive consumer data privacy statutes so far; New York’s SHIELD Act, discussed below, is narrower, covering data security and breach notification rather than consumer privacy rights generally.
Virginia passed its Consumer Data Protection Act (CDPA) in March 2021, effective January 1, 2023, giving Virginia residents certain rights over their personal data. Organizations covered by this law include those that do business in Virginia or sell products and services targeted towards Virginia residents, provided they also control or process the personal data of at least 100,000 consumers in a calendar year, or control or process the personal data of at least 25,000 consumers and derive over half their gross revenue from the sale of personal data. Companies subject to the CDPA face restrictions on the data they can collect, obligations on how they must protect it, and limits on whom they can share it with.
Colorado passed the Colorado Privacy Act in June 2021 (signed into law the following month, with an effective date of July 1, 2023), which places obligations on the controllers and processors of personal data. It bears significant similarities to the data privacy laws in California and Virginia. The Colorado Privacy Act also borrows ideas from the General Data Protection Regulation (GDPR), which regulates data privacy for the European Union (EU).
New York passed its Stop Hacks and Improve Electronic Data Security (SHIELD) Act in July 2019, and it became fully enforceable as of March 2020. This law amended the state’s existing data breach notification law to give New York residents better protection from breaches involving personal information, including by treating unauthorized access to data, not only its acquisition, as a breach. The SHIELD Act also strengthens data security requirements for organizations that collect personal information on New York residents, regardless of where those organizations are located.
The GDPR regulates data privacy and protection in the EU and European Economic Area (EEA). It is a critical component of privacy and human rights law in Europe, giving effect to the right to the protection of personal data set out in Article 8(1) of the Charter of Fundamental Rights of the EU. The GDPR also regulates the transfer of personal data outside the EU and EEA.
Ireland’s Data Protection Commission (DPC) fined WhatsApp €225 million (roughly $255 million) in late 2021 for violating the GDPR, at the time the second-largest GDPR fine ever issued. The basis for the fine was that WhatsApp’s messaging service failed to properly explain its data collection practices in its privacy notice, breaching the GDPR’s transparency obligations (Articles 12 to 14) towards both users and non-users. The case also shows how the GDPR’s “one-stop-shop” mechanism works in practice: because WhatsApp’s EU establishment is in Ireland, the DPC acted as lead supervisory authority for the cross-border processing, but the other concerned supervisory authorities objected to the much smaller fine it first proposed, and a binding dispute-resolution decision by the European Data Protection Board required the DPC to raise it to the final amount. The mechanism therefore does not let each supervisory authority levy its own separate fine; it routes a cross-border case through a single lead authority, while the other authorities can still force the penalty upward.