Social scientists have observed that laws in the U.S. travel from east to west, while fashion and style travel from west to east. California upended that theory in 2018, when the California Consumer Privacy Act (CCPA) was passed, the first comprehensive consumer privacy law in the U.S., which has been followed by similar privacy laws in four other states east of the Golden State as of mid-2022.
While California’s law – and its extension, the California Privacy Rights Act (CPRA), effective on Jan. 1, 2023 – was the first of its kind in the U.S., privacy laws actually started long before. In 1970, the German state of Hesse enacted the world’s first data privacy law in response to what it perceived as the potential abuse of data by government agencies. The Data Protection Act – almost 50 years before California’s law – established basic principles of data protection that form the basis of data privacy laws around the world today.
Regardless of the jurisdiction, data privacy laws govern the way consumer data is collected, used, and shared. While data privacy and data security often are used interchangeably, data security focuses on the safeguards a company puts in place to protect the consumer data it holds. A company can have data security without data privacy, but it cannot have data privacy without data security.
By mid-year 2022, there were approximately 130 data privacy laws around the world, and no two laws are exactly the same. The laws may differ in their specific regulations, but they typically are built on some common underlying principles. Each law provides certain rights to consumers, which are balanced with certain obligations of companies to comply with those rights.
The basic principles woven through existing privacy laws include the rights of consumers to access and control their personal data, as well as the obligation of companies holding that data to protect it. Specifically, most privacy laws include the following five requirements:
Beyond the common principles, individual laws may define terms differently – such as what constitutes personal data or a data breach – and may have other requirements, such as data disposal or the right to correct misinformation. In addition, enforcement differs for each law.
In the EU, for example, the European Data Protection Board (EDPB) was established as an independent body to ensure the General Data Protection Regulation (GDPR) – the continent’s data privacy and protection regulation – is applied consistently throughout the European Union. But while the GDPR applies equally to all EU member states, each country has its own enforcement mechanisms. In the U.S., each state with a data privacy law determines how it enforces the law within the state, and in the absence of a federal privacy law, the Federal Trade Commission (FTC) regulates consumer protections under its authority to prevent unfair or deceptive trade practices.
While data privacy laws govern personal data, there are additional sectoral laws in the U.S. that regulate specific categories of data, including:
Modern data privacy regulations generally can be traced to two benchmark laws: the EU’s General Data Protection Regulation (GDPR), which took effect in 2018, and the California Consumer Privacy Act (CCPA), which took effect in 2020.
Often considered the most important data protection legislation enacted to date – due to its influence on other data privacy laws around the world that followed – the GDPR governs the collection, use, transmission and security of data collected from the residents of the 28 member countries of the European Union. The law applies to all EU residents, and – very importantly – any company that collects the personal data of those residents, regardless of where the data collector is located. And to ensure that a violation of the law would have a business impact on the offending organization, penalties include fines of up to €20 million or 4% of a company’s global revenues.
The GDPR treats data privacy as a fundamental right, and is generally considered to provide seven specific rights to EU citizens:
The same year that GDPR took effect, a group of privacy advocates in California pushing for a statewide ballot initiative to force a vote on data privacy legislation reached an agreement with legislators to pass the California Consumer Privacy Act (CCPA). Taking effect two years after the implementation of GDPR, the CCPA shares with GDPR the goal of giving consumers more control over their personal information.
In addition to now-standard obligations such as notification and consent, the CCPA gives California residents four data rights: the right to access their information, to delete it, to opt out of the sale or sharing of it, and the right to non-discrimination – in other words, a company can’t charge different prices to consumers who opt out of sharing their information. Organizations doing business in California must post a privacy policy on their website, along with a “do not sell” button visible to California residents.
The same group that advocated for CCPA is responsible for the law’s extension, the California Privacy Rights Act (CPRA), which will take effect at the beginning of 2023. The CPRA adds two new rights to CCPA: the right to correct inaccurate personal information, and the right to restrict the use and disclosure of sensitive personal information. Among other changes, it expands breach liability beyond breaches of unencrypted data to disclosures of personal credentials – such as email addresses or passwords – that could enable unauthorized access to a consumer’s account.
In addition, compliance with CPRA will require businesses processing consumers’ personal information to perform an annual cybersecurity audit, and submit a risk assessment on a regular basis to the state’s new enforcement agency: the California Privacy Protection Agency, established by the new regulation.
While the U.S. has so far left it to states to enact privacy laws covering their citizens, other countries have taken a more national approach. In the U.S., in addition to California, only Virginia, Colorado, Utah and Connecticut have passed privacy laws, although more than 20 other states have privacy legislation pending. And some states have narrow laws governing a specific aspect of privacy, such as New York’s SHIELD Act, focused on data breach notification, and the Illinois Biometric Information Privacy Act (BIPA), which regulates the collection, use and handling of biometric identifiers.
Globally, the countries of Brazil, Canada and China have enacted perhaps the most high-profile laws outside of the EU and U.S. Brazil’s law – the Lei Geral de Proteção de Dados (LGPD) – was modeled on the GDPR and is nearly identical in its scope, but with less severe penalties for non-compliance. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is largely aligned with GDPR, while China’s Personal Information Protection Law (PIPL) also shares similarities with GDPR, including harsh fines for violations.
With the number of data privacy laws continuing to rise, smart companies will operationalize their privacy programs to ensure – and be able to prove to a regulatory authority – that they are in compliance.
A privacy program that provides full visibility for a company into how its data is flowing and is protected can help avoid fines for non-compliance. At the same time, a strong privacy program – bolstered by an equally strong data security function – will build a foundation of trust with key stakeholders, including consumers, customers and regulators.
Relyance AI’s data privacy platform provides the solid foundation needed to comply with the various privacy regulations worldwide. The platform automatically generates a live data inventory and map, which not only discovers applications that process personal and sensitive data, but also how it’s processed. On top of the live data inventory and map, Relyance AI also includes several additional modules for Universal ROPA generation, DPAs, and more. Want to learn more? Book a demo with us, or contact us here.