A Complete Guide to GDPR, CCPA and International Privacy Laws
This article, with infographics, gives you a complete overview of the most important international privacy laws, including the GDPR, the CCPA, the ePrivacy Directive and CalOPPA.
Many businesses operate online and serve customers from different parts of the world. Trying to keep up with all the regulations worldwide is both complicated and highly time-consuming.
That is why we have created this complete guide, with in-depth articles and infographics, to help you get an overview of the different international data privacy laws, the consequences they may have for you, and how your business can become compliant in the relevant markets. See what to expect in 2023 in our world privacy law update.
Tracking users’ data is crucial for business success in this data-driven world. If your operations are not data-driven, you may not get the results your business needs.
However, your users’ data belongs to them. They have a right to proper data protection, which brings us to today’s data protection laws. These laws have existed in parts of the world for quite some time, and their importance has grown. Data protection laws are here to stay, and you have to comply with them if you want to do business ethically, build relationships based on trust and avoid penalties.
What Are Data Privacy Laws and Who Do They Apply To?
When tracking technologies first became available, data collection was not yet regulated. Website owners could freely collect visitors’ data and use it for any purpose they wished.
That has changed. As the existing privacy laws were not sufficient to regulate data collection and use, governments began passing new laws or updating existing ones. As technology changes, governments try to keep the requirements in their privacy laws up to date.
When it comes to your duty to comply with these laws, it is important to remember that there is no single universal data protection law. Each government passes laws within its own jurisdiction, which means that its laws apply only in a certain territory or to a certain group of people.
Wherever you are based, you have to know which local data privacy law applies to you. Wherever your visitors come from, your local privacy law and, most likely, their local privacy law both apply to the collection and use of their data.
Let’s imagine that you are a US business and your website has visitors from different parts of the world. You have to comply with US federal law, as well as the laws of your state and your industry. However, when a visitor from Canada lands on your website, the collection and use of their data have to comply with both US and Canadian law. The same goes for a visitor from an EU country: both US and EU law apply to the relationship between you and your EU visitor. US law applies to you, while Canadian and EU law apply to your interactions with Canadian and EU visitors respectively.
It may sound like a hassle to comply with all the laws from around the world, and it is true that you have to be careful and follow every applicable law when collecting users’ data. But as you will notice from the rest of this article, governments tend to pass similar laws, which makes life easier for businesses with an online presence. There are also tools that help you stay compliant with all of these laws without significant effort, such as the Secure Privacy online privacy policy generator and the cookie banner generator.
Overview of the Current Data Protection Laws from Around the World
As tracking technologies change, so do data protection laws. New ones are passed, and existing ones are updated, on a regular basis.
To give you an idea of what you have to do to stay fully compliant no matter where your visitors come from, we created an overview of the most important data protection laws from around the world. It focuses on the requirements specifically around privacy policies and cookie banners.
Europe
When it comes to complying with the data protection laws in Europe, you have to be aware of the European Union (EU) laws and the laws of the EU member states.
The EU is a union of European states, each of which is a sovereign country with its own laws. When an EU institution passes a law (a regulation or a directive), it applies at the EU level, so in each member state both EU law and domestic law apply. In case of conflict, EU law prevails, which is why member states regularly update their domestic laws in line with EU law.
That is also the case with the EU’s General Data Protection Regulation (GDPR). Every member state still has its own data protection law, but you have to comply with the GDPR as well to make sure you do everything right.
If you collect data from people in the EU, you need to comply with EU privacy law. There are two main laws you should take note of: the General Data Protection Regulation and the ePrivacy Directive.
GDPR
The GDPR, which came into effect on 25 May 2018, is the most extensive personal data protection law to date. As you’ll see from the rest of this article, very few countries elsewhere in the world impose as many requirements on tools for data collection and processing. However, the GDPR has set the trend for 21st-century data protection law, and more and more countries are following its example.
Do I Have To Be GDPR Compliant?
If you are established in the EU, or you offer goods or services to, or monitor the behaviour of, people in the EU, then the answer is yes: the GDPR applies regardless of where your business is located. With Secure Privacy you can become GDPR compliant in less than a week.
How To Be GDPR Compliant?
The GDPR’s requirements are clear. To make sure that you have a GDPR-compliant privacy policy and cookie banner, do the following:
- Inform your users that you collect and process their data, tell them how you do it, and list the purposes for which you collect and process it.
- Get prior consent before collecting any data. Setting cookies on users’ devices and asking for consent afterwards puts you in breach of the ePrivacy Directive’s cookie rule and, where the cookie carries personal data, of the GDPR. Only strictly necessary cookies (for example, a session cookie needed to deliver the service the user asked for) may be set without consent. If you offer services directly to children and rely on consent, a child under 16 cannot consent alone: you need consent from the holder of parental responsibility (member states may lower this age to 13). The proposed ePrivacy Regulation (ePrivacy Regulation vs GDPR) is expected to allow privacy-non-intrusive cookies without consent, but until it passes, keep non-essential cookies off users’ devices for full compliance. See more about ePrivacy Regulation Status and our 2022 ePrivacy Regulation update.
- Obtain consent separately for each purpose you collect data for, except for strictly necessary functions. Let’s say that you collect data for users’ preferences, analytics and marketing. You have to obtain an active opt-in for each of them, which means providing a checkbox or similar control per purpose. If they don’t tick any of the boxes, you are not allowed to collect their data for any of those purposes. Learn about the 11 GDPR Marketing Mistakes and How to Fix Them.
- Only use the data for the purposes you communicated and received valid consent for.
- Provide them with access to their data and the possibility to correct it and to transfer it elsewhere (data portability).
- Provide a possibility for withdrawing the already given consent. Opting out should be as easy as opting in.
- Document each consent you receive from your users and keep the record for as long as necessary, or until they ask for it to be removed.
- Delete users’ data upon request.
The requirement for an active opt-in has been confirmed by the Court of Justice of the EU in Planet49 (C-673/17), where the court held that a pre-ticked box does not amount to freely given, specific and informed consent. Therefore you need to show users unticked boxes, and only if they tick them are you free to place cookies.
In another case, Google v CNIL (C-507/17), the same court clarified the territorial limits of the right to be forgotten. It held that a search engine operator granting a de-referencing request must remove the results from all its EU member-state versions, but that EU law does not require it to do so on all versions worldwide. In practice, then, a user can insist on being forgotten under the GDPR within the EU, but not necessarily outside it.
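The consent mechanics described above (nothing pre-ticked, consent per purpose before any non-essential cookie is set, withdrawal as easy as opting in, and a record of every decision) are easier to get right when the gate sits in code rather than in the banner’s markup. The following JavaScript is an added example written for this guide, not code from the original article or from Secure Privacy. It runs under Node.js with an in-memory stand-in for `document.cookie`; the purpose names, the cookie-to-purpose table, the `ConsentManager` class and all sample values are this example’s own assumptions.

```javascript
// Added example for this guide (not code from the original article or from
// Secure Privacy): a consent-gated cookie layer for an opt-in regime.
// - nothing but "necessary" is ticked by default (the Planet49 rule)
// - a cookie is written only once its purpose has been opted in to
// - withdrawal is a single call and is logged exactly like consent
// Purpose names, the cookie classification table and all sample values are
// this example's own assumptions. A Map stands in for document.cookie so the
// logic can be exercised without a browser.

const PURPOSES = ["necessary", "preferences", "analytics", "marketing"];

// Constructed classification table: every cookie the site sets, by purpose.
// An unclassified cookie is treated as a bug, not as "necessary".
const COOKIE_PURPOSE = {
  session_id: "necessary",
  ui_theme: "preferences",
  _ga: "analytics",
  ad_id: "marketing",
};

class ConsentManager {
  // `now` is injectable so the consent record is reproducible in tests.
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.log = [];                          // append-only consent record
    this.granted = new Set(["necessary"]);  // strictly necessary: no consent needed
    this.jar = new Map();                   // stand-in for document.cookie
  }

  // Initial state of the banner: only "necessary" may appear ticked.
  bannerDefaults() {
    return Object.fromEntries(PURPOSES.map((p) => [p, p === "necessary"]));
  }

  // Persist the visitor's explicit choices (purpose -> true/false). Only boxes
  // the visitor actually interacted with should be passed in here.
  record(choices, { policyVersion = "privacy-policy-v1", evidence = "banner" } = {}) {
    for (const [purpose, on] of Object.entries(choices)) {
      if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
      if (purpose === "necessary") continue;  // cannot be declined, never logged as a choice
      if (on) this.granted.add(purpose); else this.granted.delete(purpose);
      this.log.push({ ts: this.now(), purpose, granted: on, policyVersion, evidence });
    }
    // Purge cookies whose purpose is not (or no longer) consented to.
    for (const [name, purpose] of Object.entries(COOKIE_PURPOSE)) {
      if (!this.granted.has(purpose)) this.jar.delete(name);
    }
  }

  // Opting out is as easy as opting in: one call, same audit trail.
  withdraw(purpose) {
    this.record({ [purpose]: false }, { evidence: "withdraw" });
  }

  // The gate: true if the cookie was written, false if consent is missing.
  setCookie(name, value) {
    const purpose = COOKIE_PURPOSE[name];
    if (!purpose) throw new Error(`unclassified cookie "${name}": classify it before use`);
    if (!this.granted.has(purpose)) return false;
    this.jar.set(name, value);
    return true;
  }

  has(name) {
    return this.jar.has(name);
  }

  consentRecord() {
    return this.log.slice();
  }
}

// Walk through one visitor session; returns the observable outcomes.
function demo() {
  const cm = new ConsentManager(() => "2024-01-01T00:00:00Z"); // fixed clock for the demo
  const gaBeforeConsent = cm.setCookie("_ga", "GA1.2.123");    // refused: analytics not opted in
  cm.setCookie("session_id", "s3ss10n");                        // allowed: strictly necessary
  cm.record({ analytics: true, marketing: false });             // visitor ticked analytics only
  const gaAfterConsent = cm.setCookie("_ga", "GA1.2.123");     // now allowed
  const adAfterConsent = cm.setCookie("ad_id", "ad-42");        // still refused
  cm.withdraw("analytics");                                     // _ga purged, withdrawal logged
  return {
    gaBeforeConsent,
    gaAfterConsent,
    adAfterConsent,
    gaAfterWithdraw: cm.has("_ga"),
    sessionKept: cm.has("session_id"),
    logEntries: cm.consentRecord().length,
    defaults: cm.bannerDefaults(),
  };
}
```

The property worth keeping is that `setCookie` refuses anything whose purpose is unset or withdrawn and throws on a cookie that has never been classified, which is how unclassified tags get caught before they reach production. On a real site the same gate would wrap the tag manager’s script loading, not just cookie writes, since a third-party script can set its own cookies once it runs.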
What are the Consequences for Non-Compliance?
If you don’t comply with these requirements, you risk heavy penalties; if you were wondering why the GDPR matters, this may be the answer. Fines are capped at 4% of annual global turnover or €20 million, whichever is higher, for the most serious infringements (2% or €10 million for the lower tier). The supervisory authorities have discretion to decide on penalties case by case. Don’t take this lightly: make sure you are GDPR compliant to avoid trouble with the authorities.
To give you an idea of what GDPR fines look like in reality, here are some examples:
- The Polish data protection agency issued a €220,000 fine to Bisnode for scraping personal data of 6 million Polish citizens while obtaining consent for only 90,000 of them.
- A UK real estate company was fined around €80,000 for failing to keep clients’ data safe during and after transferring it to a partner organisation.
- UniCredit Bank in Romania received a €130,000 fine for failing to implement sufficient technical and organisational measures when processing data, and for collecting more data than necessary.
- The Municipality of Bergen was fined €170,000 by Datatilsynet, the Norwegian data protection authority, because a file with the login credentials of students and employees of a public school it operated was left in a publicly accessible storage area.
- The Hungarian data protection authority issued a €1,560 fine to a debt collector who refused to comply with a request for data deletion.
Quick research will show you that no one is spared from GDPR fines. Both big and small businesses can be fined at any moment if they breach the regulation.
Note that the GDPR is enforced by the national supervisory authorities of the member states, and a violation of the GDPR will often also breach the member state’s own data protection act, which carries its own penalties and its own enforcement.
Our free GDPR e-book provides a simplified step-by-step breakdown of the GDPR and the ePrivacy Directive to help you understand what you need to become compliant.
ePrivacy Directive
The EU’s ePrivacy Directive is older than the GDPR and less extensive. For websites, its key rule is that you may store information on, or read information from, a user’s device (cookies and similar technologies) only with the user’s prior informed consent, unless doing so is strictly necessary to provide a service the user has requested. In practice that means a privacy policy, a cookie banner, and consent before any non-essential cookie is set.
Unlike the GDPR, the ePrivacy Directive does not itself require separate consent for each purpose you collect data for. Bear in mind, however, that since the GDPR took effect, “consent” in the Directive carries the GDPR’s definition, so a single blanket consent is rarely enough where the cookies process personal data.
The two laws also largely overlap in scope: the Directive’s cookie rule applies to anyone placing cookies on the devices of users in the EU, and a GDPR-grade consent flow generally satisfies it. Note that the Directive is the more specific law for cookies and electronic marketing, so it applies even where a cookie contains no personal data at all.
ePrivacy Regulation
The ePrivacy Regulation is intended to replace the ePrivacy Directive. It has not been passed yet, but the EU institutions have published proposals that give an idea of how it would affect data privacy across the continent. As of now, we know that it would cover all electronic communications, including messaging services like WhatsApp, Skype and Facebook Messenger, and would clarify certain aspects of the cookie rules.
The ePrivacy Regulation was initially planned to come into effect on 25 May 2018, the same day as the GDPR, but it was not passed in time. It was then planned for the end of 2019 and has been delayed repeatedly since (Update: ePrivacy Regulation 2021 Draft Update).
The information available promises some changes in the EU data protection landscape, but nothing that alters the fundamentals: the regulation mainly specifies how the GDPR’s principles apply to electronic communications.
For your website, the most important part of the proposal is the simpler cookie rules. The current rules produce endless clicking through cookie banners, and the proposal is meant to streamline that. Most importantly, the draft states that:
- cookie consent is not needed for cookies improving the user experience without collecting any data
- users can accept or refuse cookies through their browser settings, and
- you need consent to process communications metadata, such as the time and date of a message, its sender, or the size of a file, unless the metadata is needed for billing.
In addition, the proposal prescribes a strict ban on unsolicited emails, SMS messages and automated phone calls. Every EU member state would be able to choose whether to protect consumers by default (opt-in) or through do-not-call lists (opt-out).
Post-Brexit United Kingdom
The United Kingdom left the European Union on 31 January 2020, and the EU GDPR stopped applying directly in the UK at the end of the transition period on 31 December 2020. However, the UK retained the regulation’s text as the “UK GDPR”, which sits alongside the Data Protection Act 2018, so Brexit did not bring any significant changes to your duties regarding privacy policies and cookie banners: you have the same obligations under the UK GDPR and the Data Protection Act 2018 as under the EU GDPR. Note that a UK business offering goods or services to people in the EU remains subject to the EU GDPR as well.
The one thing to take care of is cross-border transfers of personal data between the UK and the EU. In June 2021 the European Commission adopted adequacy decisions for the UK, so EU-to-UK transfers can continue without additional safeguards for as long as those decisions remain in force. Some businesses still need to review their data transfer contracts, particularly for transfers from the UK to third countries.
Update: On 1 January 2021 the UK GDPR came into force, and UK organisations have had to align their data protection compliance with its requirements.
Non-EU European Countries
Not all European countries are EU member states, which means that the GDPR doesn’t apply to them directly. However, most of them are part of the European Economic Area (EEA), into which the GDPR has been incorporated, or are preparing to become EU member states and are updating their national data protection laws in line with the GDPR.
EEA member states such as Iceland and Norway have adopted the GDPR. Switzerland has not. It has relied on its own Federal Act on Data Protection of 1992 and the accompanying Ordinance of 1993 (you can read about the Swiss Federal Data Protection Act), and each canton has its own data protection law for cantonal bodies. None of these laws requires an active opt-in for cookie use, but they do require an opt-out option: for Swiss visitors it is enough to provide sufficient information on what you collect and what you do with it. Update: the fully revised Federal Act on Data Protection (revFADP) entered into force on 1 September 2023. It is modelled on the GDPR and strengthens the duty to inform, but it does not introduce a GDPR-style cookie opt-in, so review your privacy notice for Swiss users rather than your banner.
Many of the other non-EU European countries want to become EU member states and therefore tend to harmonise their legal systems with the EU’s. As a result, many of them already have privacy laws aligned with the GDPR. Those with no intention of joining the EU also align their laws, because of proximity and market demands.
The data protection laws of Serbia, Montenegro and North Macedonia are largely harmonised with EU law. You need a privacy policy for collecting and using data from users in each of them, in which you inform them about the purpose of data collection, how you collect data, and how they can access, change or delete their data. Neither cookie consent nor an active opt-in for data collection is explicitly addressed in these laws, but in general you need consent before using the data.
Albania hasn’t passed a modern privacy law yet. Its 2008 law nevertheless requires consent for using personal data.
The Law on Protection of Personal Data of Bosnia and Herzegovina is nowhere near the GDPR or any other modern data protection law. It came into force in 2006 and does not deal with data collection and use as we know it today. It does, however, require the user’s consent for the use of data.
Ukraine’s law on personal data protection dates from 2010, with amendments from 2012. It was modelled on the EU’s pre-GDPR data protection rules rather than on the GDPR, but you still need to obtain consent before using the data.
Belarus’s Law on Information, Informatisation and Information Protection of 2008 did not provide sufficient data protection to users, so the government set out to adopt a GDPR-like privacy law. Update: a standalone Law on Personal Data Protection was adopted in 2021 and has been in force since November 2021. It makes consent the main legal basis for processing and requires operators to publish a personal-data processing policy, so do not rely on the old position that no consent was required.
All in all, non-EU European countries are either very close to aligning with the GDPR or are about to reach that level.
United States
Despite calls for a federal privacy law from tech industry leaders, the US still has no single federal data privacy law. US privacy laws apply at the state level and at the industry sector level.
Take a look at our Complete Guide to the New US Federal Data Privacy Bill (ADPPA).
Federal level
The sectoral laws that impose data privacy requirements are not data privacy laws per se: they regulate other matters but include privacy provisions. There are many of them at the federal level and hundreds at the state level, far too many to fit into one article. Just to give you an idea, here are a few examples:
FTC: Federal Trade Commission
Section 5 of the Federal Trade Commission Act prohibits unfair and deceptive practices in commerce, which the FTC applies to companies that fail to keep the promises made in their privacy policies or misrepresent their security practices.
COPPA: Children's Online Privacy Protection Act
The Children’s Online Privacy Protection Act of 1998 (COPPA) applies to operators that knowingly collect personal data from children under 13, or whose services are directed at them. It requires giving parents notice of the collection, obtaining verifiable parental consent before collecting, using or disclosing the child’s personal data, and providing reasonable means for parents to review the collected data, withdraw consent and refuse further use of it.
HIPAA: Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities (health plans, healthcare clearinghouses and most healthcare providers) and their business associates. It requires them to safeguard protected health information and to give patients a notice of privacy practices describing how their medical information may be used and disclosed.
Each of these imposes requirements, but none is as extensive as the GDPR or the national data protection law of many other countries.
State-level
California
Every US state has its own laws, but California has the most extensive ones. The older law is the California Online Privacy Protection Act (CalOPPA). The newer one is the California Consumer Privacy Act (CCPA), the most comprehensive US state privacy law to date; it took effect on 1 January 2020 and was substantially amended by the California Privacy Rights Act (CPRA), whose changes became operative on 1 January 2023.
CalOPPA
Under CalOPPA, a link to the privacy policy has to be conspicuously posted on the website, so that a visitor landing on the homepage can find it. A regular cookie banner that links to the policy is enough to comply, as long as the privacy policy includes:
- What type of data you collect from the users
- What third parties you share data with
- The way users can review the data you have collected from them
- The way users can change their data
- The way you’ll inform your users about any changes in the privacy policy
- How the website responds to Do Not Track signals
- The effective date of the privacy policy
CalOPPA applies to you in either of the following scenarios:
- Your company or website is based in California (and therefore inevitably collects data from California residents)
- You have collected personal data from at least one user residing in California, wherever your business is located
Although extensive compared with other US privacy laws, CalOPPA doesn’t require prior consent from the user. It is enough to have a privacy policy in place and tell users about it.
If you breach CalOPPA, you can face action by the California Attorney General’s Office (or the Federal Trade Commission, where the breach also amounts to a deceptive practice). The penalty depends on the circumstances of your case.
CCPA
The CCPA is the law that initiated the change in the data protection landscape across the USA. It was the first GDPR-like law passed in the country, and after it passed, many other states started considering similar laws of their own.
The CCPA applies to your business if you:
- Collect personal data from California residents
- You, your parent company or your subsidiary exceed at least one of the following three thresholds:
- Annual gross revenue of at least $25 million
- Obtain personal data of at least 50,000 California residents, households, and/or devices per year or
- At least 50% of your annual gross revenue comes from selling personal information
Update: the CPRA amendments raised the second threshold to 100,000 consumers or households (devices no longer count) and extended the third to revenue from selling or sharing personal information; the revenue threshold is adjusted periodically for inflation.
Employment-related and business-to-business personal information was initially exempt from the CCPA, but both exemptions expired on 1 January 2023 under the CPRA, so employee and B2B contact data are now in scope.
If you recognised your business in the criteria above, comply with the CCPA requirements (read about CCPA penalties) by doing the following:
- Have a CCPA-compliant privacy policy (see more on the requirements for a CCPA privacy policy)
- Tell users in the privacy policy how to request access to the data you have collected about them, and provide that access when they ask
- Tell them which categories of third parties you sell their data to, if you sell it at all
- Let them opt out of the sale of their data by providing a “Do Not Sell My Personal Information” link (since the CPRA amendments, “Do Not Sell or Share My Personal Information”, which also covers sharing for cross-context behavioural advertising)
- Delete their data upon request and explain in the privacy policy how to make the request. You may refuse if the request interferes with your duty to “fulfill the terms of a written warranty or product recall conducted in accordance with federal law” (one of several statutory exceptions)
- Obtain affirmative opt-in consent before selling the data of consumers under 16 (from the consumer if they are 13 to 15, or from a parent or guardian if younger)
- Introduce a system for verifying the identity of the persons making these requests
- Do not discriminate against persons who exercise their privacy rights when providing your services
- Show users a notice at collection, a notice of the right to opt out of sale, and a notice of financial incentives, if applicable
Regarding cookies, the CCPA does not require consent for using any kind of cookie. What it requires is disclosing the use of cookies and letting the consumer opt out of the sale (and, since the CPRA, the sharing) of their data with third parties. Note that advertising and analytics cookies that pass data to third parties can constitute a sale or sharing, and the CCPA regulations require you to treat an opt-out preference signal sent by the browser, such as Global Privacy Control, as a valid opt-out request.
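The opt-out model described above is the mirror image of the GDPR’s opt-in: data flows to third parties unless the consumer has said no, so the decision point on the server has to check every way a consumer can say no. The JavaScript below is an added example for this guide, not code from the original article or from any CCPA tooling; the preference store, consumer ids, field names, the `maySellOrShare` and `recordOptOut` functions and all sample records are constructed for the demo. It also assumes the Global Privacy Control signal (the `Sec-GPC: 1` request header), which the CCPA regulations require businesses to honour as an opt-out request.

```javascript
// Added example for this guide (not code from the original article or from any
// CCPA tooling): the server-side decision "may this request's personal
// information be sold or shared?" under the CCPA's opt-out model.
// Every way a consumer can say no is checked: a stored opt-out made through the
// "Do Not Sell or Share My Personal Information" link, the Global Privacy
// Control header (Sec-GPC: 1), and the opt-in rule for consumers under 16.
// Store layout, consumer ids, field names and sample records are constructed
// for the demo. Runs under Node.js.

// Constructed preference store keyed by consumer id.
const prefStore = new Map([
  ["c-1001", { optedOut: false, age: 34, minorOptIn: null }],
  ["c-1002", { optedOut: true, age: 41, minorOptIn: null }],    // used the opt-out link
  ["c-1003", { optedOut: false, age: 14, minorOptIn: "self" }], // 13 to 15: opted in themselves
  ["c-1004", { optedOut: false, age: 11, minorOptIn: null }],   // under 13: no parental opt-in yet
]);

// Node's http module lowercases header names; callers passing raw headers
// from elsewhere should normalise them the same way.
function hasGpcSignal(headers) {
  const v = headers["sec-gpc"];
  return v !== undefined && String(v).trim() === "1";
}

// Decision for one request. Returns { allowed, reason }; the default is "no".
function maySellOrShare(consumerId, headers = {}) {
  const pref = prefStore.get(consumerId);
  if (!pref) return { allowed: false, reason: "unknown consumer: default deny" };

  if (pref.optedOut) return { allowed: false, reason: "opted out via link" };

  if (hasGpcSignal(headers)) {
    // The signal is an opt-out request. Persist it against the profile so a
    // later request from a client that omits the header is still honoured.
    pref.optedOut = true;
    return { allowed: false, reason: "opted out via GPC signal" };
  }

  // Under 16: no sale or sharing without an affirmative opt-in from the
  // consumer (13 to 15) or from a parent or guardian (under 13).
  if (pref.age < 13) {
    return { allowed: pref.minorOptIn === "parent", reason: "under 13: parent or guardian opt-in required" };
  }
  if (pref.age < 16) {
    const ok = pref.minorOptIn === "self" || pref.minorOptIn === "parent";
    return { allowed: ok, reason: "13 to 15: consumer opt-in required" };
  }
  return { allowed: true, reason: "no opt-out on file" };
}

// Handler behind the "Do Not Sell or Share" link: one click, no further steps.
function recordOptOut(consumerId) {
  const pref = prefStore.get(consumerId);
  if (!pref) return false;
  pref.optedOut = true;
  return true;
}

// Handler for an affirmative opt-in from a minor ("self") or a parent ("parent").
function recordMinorOptIn(consumerId, by) {
  const pref = prefStore.get(consumerId);
  if (!pref || pref.age >= 16 || !["self", "parent"].includes(by)) return false;
  if (pref.age < 13 && by !== "parent") return false; // a child under 13 cannot self-authorise
  pref.minorOptIn = by;
  return true;
}
```

Two design choices are worth copying: an unknown consumer defaults to no sale or sharing rather than to yes, and a GPC signal is persisted against the consumer’s profile so that later requests from a client that does not send the header are still covered. Minors are handled as the statute describes: no sale without an affirmative opt-in from the 13-to-15-year-old or, under 13, from a parent or guardian.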
The CCPA is continually amended. At the time of writing, proposed amendments included:
- Removing “household” from the definition of personal information, so that only a consumer can be linked to personal information
- A requirement for verifiable parental consent for opening a social media account
- Disclosing the use of facial recognition technology at entrance doors.
See CCPA 2.0 Update: Latest Changes to the CPRA
Learn how CCPA is different from GDPR and check out the Ultimate CCPA Guide.
Nevada
Senate Bill 220 (SB 220) is Nevada’s privacy law; it has been in effect since 1 October 2019. It looks very similar to the CCPA, but some significant differences make it less comprehensive than its California counterpart.
SB 220 applies to you if you:
- Own or operate a website or online service for commercial purposes
- Collect and keep personal information of Nevada residents and
- Engage in any activity that constitutes a nexus with Nevada, meaning that you purposefully direct commercial activities at Nevada, such as online sales or advertising
If the law applies to you, you are obliged to provide users with a privacy policy stating:
- Categories of personal information you collect
- Whether you collect information about their online behavior
- Categories of third parties with whom you share such information
- How users can access and change the information
- The process of notifying users about changes in the privacy policy
- How to opt out of the sale of their covered information
An opt-in for collecting information is not required, but you have to tell users how to opt out of the sale of their covered information. Unlike the CCPA, SB 220 does not require a “Do Not Sell My Personal Information” link. It is enough to designate a request address (a toll-free number, an email address or a web page) through which users can submit the opt-out request, and to honour verified requests within 60 days.
The opt-out right is limited to “covered information”: first and last name, home or other physical address, email address, telephone number, social security number, an identifier that allows the person to be contacted online or offline, and any other information collected through the website that is kept in a form that makes it personally identifiable.
Moreover, SB 220 defines a sale only as an exchange of covered information for monetary consideration. Exchanging your customers’ data for a non-monetary benefit is outside the scope of the Nevada law.
Consumers have no private right of action under SB 220. However, if the Attorney General finds that you violated the law, you may be required to pay a civil penalty of up to $5,000 per violation.
Maine
Maine’s Act to Protect the Privacy of Online Customer Information is also narrower in scope than the CCPA. It applies to you only if you are an internet service provider serving customers located in Maine and billed for service in Maine.
Chances are that you are not an internet service provider (ISP) operating in Maine, so here is just a quick overview of a law that likely does not apply to your business:
- It took effect on 1 July 2020
- ISPs must obtain explicit consent from users before using, disclosing, selling, or permitting access to users’ data
- ISPs must provide clear notice about users’ rights
- It is not clear who enforces this law
Virginia
Virginia’s Consumer Data Protection Act (VCDPA) took effect on 1 January 2023, the same date on which the CPRA amendments to the CCPA (“CCPA 2.0”) became operative in California. Colorado’s and Connecticut’s comprehensive privacy laws followed on 1 July 2023 and Utah’s on 31 December 2023, and more states have passed similar laws since. Unlike the CCPA, most of these laws require opt-in consent before you process sensitive data (such as health, biometric or precise geolocation data).
All other US states
Beyond California and Nevada, several states have now passed comprehensive data protection laws (see Virginia above) and others are considering them, while the federal government has not. Every state has some privacy law pertaining to personal data collected by businesses, but most are nowhere near as extensive as CalOPPA, the CCPA or the GDPR.
To cover all US states at once, a privacy policy drafted to the CalOPPA and CCPA standard and linked from your cookie banner is the most practical baseline, because California’s requirements are the most demanding. Check the newer state laws separately for their opt-in rules on sensitive data, which the CCPA does not impose.
Canada
Like the US, Canada has several privacy laws, at the federal, provincial and industry sector levels.
There are two laws that regulate data collection and management on the federal level in Canada.
The first is the Privacy Act, which applies only to federal government institutions and their handling of individuals’ data, so it doesn’t affect a private business.
The second, the Personal Information Protection and Electronic Documents Act (PIPEDA), affects your business if you are based in Canada or collect data from Canadian visitors in the course of commercial activity. It doesn’t apply to the non-commercial activities of nonprofits, political parties and associations. Quebec, Alberta and British Columbia have their own private-sector privacy laws that are deemed substantially similar to PIPEDA: within those provinces the provincial law governs businesses operating purely inside the province, while PIPEDA still governs federally regulated businesses and data that crosses provincial or national borders, which is the case as soon as a website operated elsewhere collects data from visitors in those provinces. Don’t let this confuse you: the provincial laws’ requirements are almost the same as the federal law’s, although Quebec’s, as amended by Law 25, is now the strictest of the three.
Organisations subject to PIPEDA must follow its ten fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance. In practice, to comply with PIPEDA you have to:
- Appoint someone to be accountable for the data you collect and use
- Identify the purposes you will collect and use data for and limit your actions to those purposes only.
- Tell your users in plain language what data you collect, what you do with it and for what purpose
- Get consent from each user before or at the time of collecting their data, and again when you want to use the data for a purpose you haven’t obtained consent for
- Keep the data only as long as reasonably necessary and delete it once it is no longer needed for the purposes you obtained consent for
- Safeguard the data
- Upon request, grant your users access to their data and inform them about the data you have collected about them, how it has been used, to whom it has been disclosed, or anything else you have done with their data.
Australia
If you operate in Australia or have website visitors from there, you have to comply with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988. The APPs bind “APP entities”: Australian government agencies and private organisations with an annual turnover above AUD 3 million, plus some smaller businesses such as health service providers and those that trade in personal information. APP 1 explicitly requires having a privacy policy, which must state:
- What type of data you collect
- How you collect and hold it
- For what purpose you collect data
- How your users can access their collected data
- How users can complain about the breach of their privacy rights
Prior consent is not generally required (except for collecting sensitive information), but to avoid trouble with the Office of the Australian Information Commissioner (OAIC), a privacy policy is a must.
New Zealand
New Zealand regulated personal data collection with the Privacy Act 1993, which has since been replaced by the Privacy Act 2020 (in force since 1 December 2020). The 2020 Act keeps the same information privacy principles and adds mandatory breach notification and an express extraterritorial reach. Neither Act requires a privacy policy per se, but the requirements mean that having one is a wise choice.
To comply with the law, you have to:
- Collect personal information directly from the individual concerned, where practicable
- Let users know that you are collecting data
- Inform them about what data you collect and for what purpose
- Give them the name and address of the agency that collects and holds the information
As you can see, the New Zealand Privacy Act has more or less the same requirements as the other laws. While a privacy policy is never mentioned in the Act, it is the most practical way to comply.
Asia
Not all Asian countries have enacted data privacy laws, but those that have done so have clear requirements that you need to follow if you operate from there or interact with website visitors from those countries. Here is a short overview of what to take note of when collecting and using data from them.
China
If you are doing business in China or collect and use Chinese visitors’ data, the two instruments this section covers are the Cybersecurity Law and the Information Security Technology - Personal Information Security Specification (GB/T 35273). The law was adopted in 2016 and came into force on 1 June 2017; the Specification took effect on 1 May 2018 (a revised edition took effect on 1 October 2020). Update: China has since enacted the Personal Information Protection Law (PIPL), in force from 1 November 2021, which is the country’s GDPR-style statute and now sets the binding consent, notice and cross-border transfer rules; the Specification remains the practical guide to implementing them.
The Cybersecurity Law sets the data protection standard in broad terms, while the Specification makes it concrete. To comply with both, make sure you:
- Tell users that you collect and use their data
- Inform them why and how you do it
- Obtain explicit consent before collecting and using their data for each purpose separately
- Store the data safely and keep it for the minimum period necessary
- Let them know how they can access, correct, and delete their data
- Inform them about the use of third-party data processors (Google Analytics, widgets, plugins and others)
- Conduct a security assessment of the third-party data processors before letting them collect data for you
The Specification is very similar to the GDPR, with one big difference: it is a recommended national standard rather than a law, so it carries no penalties of its own. Don’t let this mislead you. If you don’t comply with the Specification, you likely don’t comply with the Cybersecurity Law (and now the PIPL) either, which could get you in trouble with Chinese regulators. To avoid that, adopt a privacy policy that meets the standards set out in the Specification.
In addition, you have to ensure compliance with China’s Regulation on the Network Protection of Children’s Personal Information (in force since 1 October 2019), which applies to children under 14. On top of the Cybersecurity Law’s requirements, make sure you:
- Obtain parental consent for collecting and using children’s data
- Designate a person responsible for children’s information
- Safeguard children’s data by encryption or other means
- Have user agreements on children’s data
India
India’s Information Technology Act 2000, as amended in 2008, together with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the SPDI Rules), applies to body corporates located in India. The Rules require every such business that handles personal data to have a privacy policy and to comply with the following:
- Inform users that you collect data and why you collect it
- Use the data only for the purpose you have collected it for
- Get prior consent before collecting sensitive data (passwords, financial statements, credit card information, biometric data, etc.). Collecting any other data doesn’t require prior consent.
- Keep the data safely stored, but only for the minimum necessary period of time
At the time of writing, the Indian government was still working on the Personal Data Protection Bill, whose draft had many similarities with the GDPR; more on that at the end of this article. That bill was withdrawn in August 2022 and replaced by the Digital Personal Data Protection Act, enacted in August 2023.
Update: Discover the India Digital Personal Data Protection Act – India's first comprehensive data protection law and understand the differences between the GDPR and DPDPA.
Other Asian countries
Not all Asian countries have personal data privacy laws in place. The ones that are more technologically advanced, however, have laws that you should bear in mind when doing business with their residents or operating from these countries.
Most have similar laws in place. They all require some kind of written document, like a privacy policy, with information on why you collect data, how you collect it, for what purpose, and how you process it. There are just a few differences among them pertaining to giving prior consent or the jurisdiction. Here is a short overview of them.
Japan
Japan’s Act on the Protection of Personal Information (APPI), as amended, doesn’t require prior consent from users, except when you want to use the data for a purpose other than the one you collected it for, or when you disclose personal data to third parties.
South Korea
The Personal Information Protection Act requires obtaining prior consent from users before collecting their data. The consent will be valid only if you provide correct information about yourself through your privacy policy. The consent from children younger than 14 has to be given by their guardian.
Malaysia
The Malaysian Personal Data Protection Act 2010 requires getting explicit consent for the collection and use of personal data on top of providing the usual information on why, how, and what you do with the information.
Indonesia
At the time of writing, Indonesia didn’t have a consolidated law on privacy (Update on Indonesia Privacy Law 2023); the bill the government was preparing, then planned for 2019, was eventually passed in October 2022 as the Personal Data Protection Law (Law No. 27 of 2022), with a two-year transition period. Before that, many laws touched on personal data protection. Cookie-wise, the most important of them is the Law on Electronic Information and Transactions.
Unlike other privacy laws, this one applies to companies and persons who:
- Operate in Indonesia
- Collect personal data from Indonesian residents
- Operate outside of Indonesia, but their legal acts have legal consequences in the country
Besides a privacy policy and the usual information on why and how you collect data, this law also requires explicit consent for collecting and using a user’s personal data, whatever the purpose.
Singapore
In Singapore, you also have to obtain prior consent from your users before placing tracking mechanisms on their devices. Check out the Personal Data Protection Act 2012.
Hong Kong
As long as you provide information about what you collect, how, and for what purpose, you are compliant with the Hong Kong Personal Data (Privacy) Ordinance.
Taiwan
The Personal Data Protection Act of Taiwan also requires prior consent. You also have to provide users with a document informing them that you collect their data, how you do it, and for what purpose, as well as tell them how they can access, change, or delete their data.
Vietnam
Personal data collected by cookies is regulated by Vietnam’s Law on Cyber Information Security (2015), which requires prior consent before placing cookies on someone’s device. Since 1 July 2023, Decree No. 13/2023/ND-CP on personal data protection adds GDPR-style obligations on top of it.
Philippines
According to the Data Privacy Act of 2012 and the Implementing Rules and Regulations of the Data Privacy Act of 2012, you have to ask for consent from your users before collecting their data.
Thailand
Thailand’s PDPA, in full effect since 1 June 2022, shares certain features with the GDPR, such as the consumer’s right to be informed and the right to access the data collected about them, but the two laws also differ significantly. Secure Privacy offers a solution for PDPA compliance.
Latin America
As Latin America grows economically, privacy protection becomes a more relevant issue. Brazil was the first country in the region to introduce a new data protection law inspired by EU law; the rest of the region has not yet followed in full.
Brazil
Having an easy-to-understand privacy policy is a must to comply with the Brazilian Internet Act of 2014 (Marco Civil da Internet). You also have to get voluntary consent from your users before placing cookies on their devices. Don’t forget to ask your Brazilian users how old they are, because you can’t get consent from a person below 16 years of age, and those aged 16 to 18 can give consent only with a guardian’s assistance.
The General Data Protection Law (LGPD) adds a few more rules. It was originally scheduled for 15 August 2020, entered into force on 18 September 2020, and its administrative sanctions have applied since 1 August 2021. It applies to all businesses in Brazil and to the collection and use of data of Brazilian citizens and residents.
You still have to obtain consent for using cookies. You also have to provide a comprehensive privacy policy explaining to users why and how you collect and use their data, how to access, change, or delete it, the identity of the data controller and data processor, the purpose of data collection and use, the period for which the data is kept, and more.
In general, if your privacy policy complies with the GDPR, it will comply with the LGPD as well.
Argentina
If you tell your users that you collect their data, why and how you do it, and they give you a voluntary consent for collection and use, you are in compliance with the Argentina Personal Data Protection Act of 2000.
Chile
Processing personal data without explicit consent is forbidden in Chile. You have to let users know about their rights under Chile’s privacy laws, and a privacy policy is the most practical way to do so. In addition, you have to let them object to the use of their data for marketing purposes.
Mexico
According to the Federal Law on Protection of Personal Data Held by Private Parties of Mexico, you can collect and process personal data only if it is stated in your privacy policy and you have got prior consent.
Rest of the World
Many other countries around the world regulate the processing of personal data in their territory or of their residents. To keep it concise and simple, here are the most important of them.
Israel
The use of cookies and tracking mechanisms falls under the Protection of Privacy Law of 1981 and the Privacy Protection (Data Security) Regulations of 2017. Neither contains an explicit provision on cookies or privacy policies, but together they imply that you need a privacy policy and that you have to obtain prior consent before using cookies.
Russia
Russia has many laws pertaining to personal data protection. The most important of them is Federal Law No. 152-FZ “On Personal Data”. Under this law, you have to notify the state agency Roskomnadzor that you are a data operator. Under the data localisation amendments in force since 1 September 2015, you also have to store and process the personal data of Russian citizens in databases located in Russia.
You will also need a privacy policy with information on the data operator, i.e. you, why and how you collect and process data, information about how the user can access their data, how to correct or block the data usage, how to delete it, and other information.
Prior consent is necessary before sending out cookies.
Under the same law, users can ask for the erasure of their personal data only if the data was unlawfully obtained, is incomplete, out of date or inaccurate, or is no longer necessary for the purposes it was collected for. Unlike in some other jurisdictions, a user cannot demand deletion without giving such a reason.
Turkey
Turkey’s Law on the Protection of Personal Data (Law No. 6698 of 2016) also tends to harmonise with EU law. It doesn’t require explicit consent for each and every purpose you collect data for, but you are prohibited from sending out cookies before getting the user’s consent.
The consent has to be given freely. It is valid only if you have informed the user about the reasons and the ways you collect and use data. Finally, you have to delete or anonymize the data upon a user’s request.
The Turkish DPA published draft cookie guidelines on 11 January 2022 for public consultation.
South Africa
South Africa’s Protection of Personal Information Act (POPIA, Act 4 of 2013) obliges you to get voluntary consent from your users before collecting and processing their data.
Gulf Countries
Qatar was the first Gulf country to pass a data protection law, back in 2016, and Bahrain followed with its Personal Data Protection Law in 2019. Both laws are heavily influenced by EU law and both require prior consent before collecting data. The United Arab Emirates (where Dubai and Abu Dhabi are located) was preparing a GDPR-like law at the time of writing and has since enacted one, Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data. The Dubai International Financial Centre has had its own data protection law since 2007, replaced by the DIFC Data Protection Law No. 5 of 2020; it requires consent for the processing of users’ personal information.
What does the future bring?
From this overview, one trend is clear across all the recently enacted data protection laws: prior consent before cookies or other tracking technologies are placed on a user’s device. None of them lets you put tracking tools on your users’ devices before getting their permission. The right to be forgotten, i.e. deletion of data on request, is also gaining significant legal momentum.
Some of the countries listed above are in the process of drafting or passing new legislation on personal data protection. Here is what the future brings you:
California
The California Consumer Privacy Act came into force on 1 January 2020 and was amended by the CPRA with effect from 1 January 2023. It gives consumers more rights, such as the right to know what data has been or is being collected about them, and the right to ask for its erasure. Compared to CalOPPA, the most important changes are the right to be forgotten and the right to opt out of the sale of your data.
European Union
Only a year after the GDPR started to apply, the EU planned to enact yet another privacy law, the ePrivacy Regulation, which among other things was expected to simplify the cookie rules by removing the need for prior consent for non-intrusive cookies used only to improve the user experience. The proposal stalled for years and the Commission announced its withdrawal in 2025, so the ePrivacy Directive and its national implementations remain the cookie rules in force.
Post-Brexit United Kingdom
While the UK was an EU member state, the GDPR applied alongside the Data Protection Act 2018. The UK left the Union on 31 January 2020, and since the end of the transition period on 31 December 2020 the GDPR has been retained in domestic law as the “UK GDPR”, read together with the Data Protection Act 2018. In practice the requirements are the same as under the EU Regulation, so for cookie consent it doesn’t really make a difference.
India
Compared to the law described above, India’s proposed Personal Data Protection Bill (since withdrawn and replaced by the Digital Personal Data Protection Act 2023) introduced several significant changes: a prior consent requirement for the collection and processing of any personal data (not just sensitive data), the rights to access, correct, and port one’s data, and the right to be forgotten.
Indonesia
The older laws only required telling your users why and how you collect data and getting their consent. The Personal Data Protection Law adds the right to be forgotten and the rights to correct and port personal data, which also apply to data collected through cookies.
The Takeaways
There are many different laws all around the world and compliance with all of them may seem intimidating to you. But it is not as hard as it looks.
As you will have noticed, the legal requirements overlap a lot. If you comply with one law, you are likely to comply with many others at the same time.
The GDPR is the one that stands out: it requires an active opt-in, per purpose, which many other countries do not. So how do you stay GDPR-compliant cookie-wise without asking every visitor worldwide for consent for each single data collection purpose?
Online cookie banner generators provide a simple and straightforward solution. The one from Secure Privacy scans your website for the cookies you use; the cookie banner generator and the privacy policy generator then use that inventory to create a GDPR-compliant cookie banner and privacy policy tailored to your site.
Adding a privacy policy to your website with Secure Privacy is a breeze. Adding a privacy policy button on your website is equally easy. And if you use Magento and need Magento cookie compliance with a privacy policy, or you use Hubspot, we’ve got you covered.
You can choose to show this banner only to the visitors from the EU. For visitors from other countries, you can generate another cookie banner compliant with their respective laws.
That way, you’ll always show the right cookie banner to the right persons.
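The per-visitor approach above comes down to one mechanism: trackers are registered with the purpose they serve and are not executed until that purpose is allowed under the visitor’s regime, with a strict opt-in default for GDPR-style jurisdictions. The following is an added example written for this article, not code from the original page or from Secure Privacy’s product. The regime table, the purpose names, the ages and the policy version are illustrative assumptions, not a statement of any law; map real jurisdictions to regimes with legal advice, not from this snippet.

```javascript
// Added example: a DOM-free consent gate that refuses to run a tracker until
// the purpose it serves has been granted. Regimes, purposes, ages and the
// policy version below are assumptions for illustration only.

const STRICTLY_NECESSARY = "necessary"; // never gated (session cookie etc.)

// Assumed regimes modelled on the two broad families the article describes:
//   optIn  : nothing non-essential runs before an explicit, per-purpose opt-in
//   notice : informing the user suffices, except for the listed purposes
const REGIMES = {
  optIn:  { optInPurposes: "all",           minConsentAge: 16 },
  notice: { optInPurposes: ["marketing"],   minConsentAge: 14 },
};

class ConsentGate {
  constructor(regimeName, policyVersion, clock = () => Date.now()) {
    if (!REGIMES[regimeName]) throw new Error(`unknown regime: ${regimeName}`);
    this.regime = REGIMES[regimeName];
    this.policyVersion = policyVersion; // consent is tied to this version
    this.clock = clock;
    this.pending = [];   // trackers registered but not yet allowed to run
    this.ran = [];       // names of trackers that have executed
    this.record = null;  // stored consent record, if any
  }

  // Register a tracker instead of loading it directly. `run` is whatever
  // would set the cookie or inject the vendor script.
  register(name, purpose, run) {
    this.pending.push({ name, purpose, run });
  }

  needsOptIn(purpose) {
    if (purpose === STRICTLY_NECESSARY) return false;
    const p = this.regime.optInPurposes;
    return p === "all" || p.includes(purpose);
  }

  // A record given under an older privacy policy does not count: a policy
  // change means the user must be asked again.
  hasValidRecord() {
    return this.record !== null && this.record.policyVersion === this.policyVersion;
  }

  isAllowed(purpose) {
    if (!this.needsOptIn(purpose)) return true;
    return this.hasValidRecord() && this.record.granted.includes(purpose);
  }

  // Store a decision. Below the regime's age a guardian must have consented.
  recordConsent({ granted, age = null, guardianConsented = false }) {
    if (age !== null && age < this.regime.minConsentAge && !guardianConsented) {
      throw new Error("consent from a minor requires a guardian");
    }
    this.record = {
      granted: [...new Set(granted)],
      policyVersion: this.policyVersion,
      timestamp: this.clock(),
    };
    return this.record;
  }

  withdraw(purpose) {
    if (this.record) {
      this.record.granted = this.record.granted.filter((p) => p !== purpose);
    }
  }

  // Execute everything that is allowed now; gated trackers stay queued.
  flush() {
    const runNow = [];
    this.pending = this.pending.filter((t) => {
      if (!this.isAllowed(t.purpose)) return true; // keep waiting
      t.run();
      this.ran.push(t.name);
      runNow.push(t.name);
      return false;
    });
    return runNow;
  }
}

// Walk one constructed page load: three trackers, then a decision that
// grants analytics only. Returns what ran before and after the decision.
function demo(regimeName) {
  const gate = new ConsentGate(regimeName, "2024-01");
  const events = []; // constructed stand-ins for "cookie was set"
  gate.register("session-cookie", STRICTLY_NECESSARY, () => events.push("session"));
  gate.register("web-analytics",  "analytics",        () => events.push("analytics"));
  gate.register("ad-pixel",       "marketing",        () => events.push("ads"));
  const beforeConsent = gate.flush();
  gate.recordConsent({ granted: ["analytics"] });
  const afterConsent = gate.flush();
  return { beforeConsent, afterConsent, stillPending: gate.pending.map((t) => t.name) };
}

console.log(JSON.stringify(demo("optIn")), JSON.stringify(demo("notice")));
```

Under the opt-in regime only the session cookie runs on first load; analytics runs after the user grants it, and the ad pixel stays queued. Under the notice regime analytics runs immediately and only marketing waits for an opt-in. The two checks worth copying into any real deployment are that trackers go through `register` rather than being loaded directly (otherwise the banner is decoration), and that a consent record is invalidated when the policy version changes.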
Disclaimer: This website contains general information about legal matters. This article is for informational purposes only. The information is not advice, and should not be treated as such.