Social scientists have observed that laws in the U.S. travel from east to west, while fashion and style travel from west to east. California upended that theory in 2018, when the California Consumer Privacy Act (CCPA) was passed, the first comprehensive consumer privacy law in the U.S., which has been followed by similar privacy laws in four other states east of the Golden State as of mid-2022.

While California’s law – and its extension, the California Privacy Rights Act (CPRA), effective on Jan. 1, 2023 – was the first of its kind in the U.S., privacy laws actually started long before. In 1970, the German state of Hesse enacted the world’s first data privacy law in response to what it perceived as the potential abuse of data by government agencies. The Data Protection Act¹ – almost 50 years before California’s law – established basic principles of data protection that form the basis of data privacy laws around the world today.

The principles of data privacy laws

Regardless of the jurisdiction, data privacy laws govern the way consumer data is collected, used, and shared. While data privacy and data security often are used interchangeably, data security focuses on the safeguards a company puts in place to protect the consumer data it holds. A company can have data security without data privacy, but it cannot have data privacy without data security.

By mid-year 2022, there were approximately 130 data privacy laws around the world, and no two laws are exactly the same. The laws may differ in their specific regulations, but they typically are built on some common underlying principles. Each law provides certain rights to consumers, which are balanced with certain obligations of companies to comply with those rights.

The basic principles woven through existing privacy laws include the rights for consumers to access and control their personal data, as well the obligation of companies holding data to protect the data. Specifically, most privacy laws include the following five requirements:

• Notification that data is collected, used and/or shared
• Parameters for how data can be used, and how sensitive data is treated
• Safeguards for data when it is stored and transmitted, and management of data breaches
• Consumer consent and choices, including options to access, delete and restrict the sale or sharing of data
• Documentation, typically including some type of Records of Processing Activities (ROPA)

Beyond the common principles, individual laws may define terms differently – such as what constitutes personal data or a data breach – and may have other requirements, such as data disposal or the right to correct misinformation. In addition, enforcement differs for each law.

In the EU, for example, the European Data Protection Board (EDPB²) was established as an independent body to ensure the General Data Protection Regulation (GDPR) – the continent’s data privacy and protection regulation – is applied consistently throughout the European Union. But while the GDPR applies equally to all EU member states, each country has its own enforcement mechanisms. In the U.S., each state with a data privacy law determines how it enforces the law within the state, and in the absence of a federal privacy law, the Federal Trade Commission (FTC³) regulates consumer protections under its authority to prevent unfair or deceptive trade practices.

While data privacy laws govern personal data, there are additional sectoral laws in the U.S. that regulate specific categories of data, including:

• Fair Credit Reporting Act (FCRA), enacted in 1970, which regulates the collection and use of credit information.
• Health Insurance Portability and Accounting Act (HIPAA), enacted in 1996, which governs the collection of health information.
• Children’s Online Privacy Protection Act (COPPA), enacted in 1998, which governs the collection of data about minors.
• Gramm Leach Bliley Act (GLBA), enacted in 1999, which governs personal information collected by financial institutions.

Two pioneering data privacy laws: GDPR and CCPA

Modern data privacy regulations generally can be traced to two benchmark laws: the EU’s General Data Protection Regulation (GDPR⁴), which took effect in 2018, and the California Consumer Privacy Act (CCPA), which took effect in 2020.

Often considered the most important data protection legislation enacted to date – due to its influence on other data privacy laws around the world that followed – the GDPR governs the collection, use, transmission and security of data collected from the residents of the 28 member countries of the European Union. The law applies to all EU residents, and – very importantly – any company that collects the personal data of those residents, regardless of where the data collector is located. And to ensure that a violation of the law would have a business impact on the offending organization, penalties include fines of up to €20 million or 4% of a company’s global revenues.

The GDPR treats data privacy as a fundamental right, and is generally considered to provide seven specific rights to EU citizens:

• The right to be informed about the collection and use of their personal data.
• The right to access their data and see how it is being collected and shared.
• The right to correct inaccurate or incomplete data.
• The right to request the erasure (“right to be forgotten”) of personal data based on certain grounds, such as data that was unlawfully obtained.
• The right to restrict processing based on certain grounds, such as when the accuracy of the data is in question.
• The right to data portability, or the right to transfer data from one online service to another.
• The right to object, allowing consumers to request that companies stop processing their data in certain circumstances, such as for direct marketing purposes.

The same year that GDPR took effect, a group of privacy advocates in California pushing for a statewide ballot initiative to force a vote on data privacy legislation reached an agreement with legislators to pass the California Consumer Privacy Act (CCPA⁵). Taking effect two years after the implementation of GDPR, the CCPA shares with GDPR the goal of giving more control to consumers over their personal information.

In addition to now-standard obligations such as notification and consent, the CCPA gives California residents four data rights: the right to access their information, delete their information, opt out of selling or sharing their information, and the right to non-discrimination – in other words, a company can’t charge different prices to consumers who opt out of sharing their information. Organizations doing business in California must include a privacy policy on their website, as well as a “do not sell” button on their websites visible to California residents.

The same group that advocated for CCPA is responsible for the law’s extension, the California Privacy Rights Act (CPRA⁶), which will take effect at the beginning of 2023. The CPRA adds two new rights to CCPA: the right to correct inaccurate personal information, and the right to restrict the use and disclosure of sensitive personal information. Among other changes, it expands breach liability beyond breaches of unencrypted data to disclosures of personal credentials – such as email addresses or passwords – that could enable unauthorized access to a consumer’s account.

In addition, compliance with CPRA will require businesses processing consumers’ personal information to perform an annual cybersecurity audit, and submit a risk assessment on a regular basis to the state’s new enforcement agency: the California Privacy Protection Agency, established by the new regulation.

Many countries, many laws

While the U.S. has so far left it to states to enact privacy laws covering their citizens, other countries have taken a more national approach. In the U.S., in addition to California, only Virginia, Colorado, Utah and Connecticut have passed privacy laws, although more than 20 other states have privacy legislation pending⁷. And some states have narrow laws governing a specific aspect of privacy, such as New York’s SHIELD Act focused on data breach notification, and the Illinois Biometric Privacy Information Act (BIPA) that regulates the collection, use and handling of biometric identifiers.

Globally, the countries of Brazil, Canada and China have enacted perhaps the most high-profile laws outside of the EU and U.S. Brazil’s law – the Lei Geral de Proteção de Dados (LGPD) – was modeled on the GDPR and is nearly identical in its scope, but with less severe penalties for non-compliance. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is largely aligned with GDPR, while China’s Personal Information Protection Law (PIPL) also shares similarities with GDPR, including harsh fines for violations.

Operationalizing a privacy program for compliance

With the number of data privacy laws continuing to rise, smart companies will operationalize their privacy programs to ensure – and be able to prove to a regulatory authority – that they are in compliance.

A privacy program that provides full visibility for a company into how its data is flowing and is protected can help avoid fines for non-compliance. At the same time, a strong privacy program – bolstered by an equally strong data security function – will build a foundation of trust with key stakeholders, including consumers, customers and regulators.

How Relyance AI can help

Relyance AI’s data privacy platform provides the solid foundation needed to comply with the various privacy regulations worldwide. The platform automatically generates a live data inventory and map, which not only discovers applications that process personal and sensitive data, but also how it’s processed. On top of the live data inventory and map, Relyance AI also includes several additional modules for Universal ROPA generation, DPAs, and more. Want to learn more? Book a demo with us, or contact us here.

----------------------

1. https://thelawreviews.co.uk/title/the-privacy-data-protection-and-cybersecurity-law-review/germany
2. https://edpb.europa.eu/edpb_en
3. https://www.ftc.gov/business-guidance/privacy-security
4. https://gdpr.eu/what-is-gdpr/
5. https://www.oag.ca.gov/privacy/ccpa
6. https://www.caprivacy.org/introducing-the-california-privacy-rights-act-cpra-resource-center/
7. https://www.natlawreview.com/article/least-22-states-have-consumer-privacy-legislation-pending-will-2022-be-year-more