Several domestic and international laws have been passed in recent years to give consumers data privacy rights. These laws govern how individuals’ data may be used and set management requirements for companies that handle personal data. The intent is to prevent unauthorized disclosure of personal information, and the resulting loss of consumer privacy, by businesses that collect identifying information.
In the United States specifically, there is currently no comprehensive nationwide data protection law; instead, a number of states have passed legislation covering their own residents. California’s CCPA is perhaps the most influential of these state laws, and other states have begun to model and build upon it in subsequent legislation. Taken together, this patchwork of overlapping federal sector-specific and state data protection and privacy laws is what protects the personal data and privacy of U.S. residents online.
Read below for a summary of major domestic and international regulations:
Under the CCPA, once a consumer’s personal information request has come in, a business must provide the information by mail or electronically, free of charge, within 45 days. A consumer can make up to two such requests to a given business within a 12-month period.
NOTE: Businesses can still sell information that has been de-identified, meaning all personally identifiable details have been removed before the sale.
The CCPA, like most domestic data privacy laws, is enforced by the state attorney general’s office. Consumers themselves can sue only for a data breach in which a business’s inadequate security measures allowed sensitive personal information, such as Social Security numbers, payment card numbers or health information, to be exposed. If a breach does not involve highly sensitive information, a suit is unlikely to be pursued, although legislators have considered amendments that would extend this private right of action to any violation, not just those with the potential to cause substantial harm. Civil penalties range from $2,500 per violation to $7,500 per intentional violation, and businesses are allowed up to 30 days to correct a violation after being notified of it.
Domestically, the passing of the CCPA is widely seen as just the first step in establishing stronger consumer privacy protection laws in the United States. There are already several stricter amendments to the law currently up for legislative consideration. The belief is that the law will lead to more comprehensive legislation in the future.
A growing handful of other states have enacted data privacy laws similar in scope to California’s, but with some important additions, including:
Germany was the first EU Member State to enact national privacy legislation supplementing the GDPR. The BDSG lays out additional rules for data processing in specific contexts (e.g. employment, video surveillance of public spaces). It also requires a Data Protection Officer whenever at least 10 people are regularly engaged in processing personal data, whether manually or by automated means.
PIPEDA is akin to both the CCPA in the U.S. and the GDPR in the EU, but with fewer teeth. Fines are much milder in comparison, capped at CAD$100,000 (approximately US$76,000) for the most serious offences. Those offences include retaliating against whistleblower employees, obstructing an investigation or audit by the federal Privacy Commissioner, and failing to retain personal data that an individual needs in order to exercise their rights.
With GDPR enforcement now in full swing, the UK’s Information Commissioner’s Office (ICO) is charged with investigating, enforcing and issuing financial penalties to ensure compliance. Personal data breaches that are likely to pose a risk to individuals must be reported to the ICO within 72 hours of the organisation becoming aware of them, and beyond financial penalties the ICO can impose corrective measures, such as limits or bans on processing, that considerably affect a business’s day-to-day operations. Nothing is off limits, although the ICO has confirmed that it will reserve top-end fines for the most serious breaches.
Within Germany, certain BDSG data protection infringements are also now criminal offences punishable by up to three years’ imprisonment or a fine. These cases are typically reserved for instances in which personal data is illegally transferred to third parties, made accessible for commercial purposes on a large scale, or obtained through intentional and harmful fraud.
The enactment of the GDPR prompted international interest in better understanding and complying with consumer data privacy and protection laws. Many companies are still working towards compliance, and some have been hit with major fines that have accelerated the process. The expectation is that the law will continue to lead to more comprehensive and transparent data processing legislation in the future. With Germany having taken the first step through the BDSG, other Member States are also poised to pass supplementary national legislation alongside the GDPR in their own countries.