A Complete Guide to GDPR, CCPA and International Privacy Laws



A Complete Guide to International Data Privacy Law

Many businesses operate online, serving customers from different parts of the world. Keeping up with every regulation worldwide is both complicated and time consuming.

That is why we have created this complete guide, with an in-depth article and infographic, to help you get an overview of the different international data privacy laws, the consequences they may have for you and how your business can become compliant in the relevant markets.

Tracking users’ data

Tracking users’ data is crucial for business success in this data-driven world. If your operations are not data-driven, your chances of getting the results your business needs may suffer.

However, your users’ data belongs to them. They have a right to proper data protection, which brings us to today’s data protection laws. These laws have existed in parts of the world for quite some time and their importance has grown. Data protection laws are here to stay, and you have to comply with them if you want to do business ethically, build relationships based on trust and avoid penalties.

What Are Data Privacy Laws and Who Do They Apply To?

When tracking technologies first became available, data collection was not yet regulated. Website owners could freely collect visitors’ data and use it for any purpose they wished.

That has changed. As existing privacy laws were not sufficient to regulate data collection and use, governments began passing new laws or updating existing ones, and as technology changes they keep trying to update those laws to match.

When it comes to your duty to comply with these laws, remember that there is no single universal data protection law. Each government passes laws for its own jurisdiction, which means those laws apply only in a given territory or to a given group of people.

Wherever you are based, you have to know which local data privacy law applies to you. And wherever your visitors come from, your local privacy law and probably their local privacy law apply to the collection and use of their data.

Let’s imagine that your business is based in the US and your website has visitors from different parts of the world. You have to comply with US federal law, the law of your state and the rules of your industry. When a visitor from Canada lands on your website, the collection and use of their data may also fall under Canadian law. The same goes for a visitor from an EU country: the GDPR applies to the way you handle that visitor’s data regardless of where you are established. In short, your local laws apply to you, while Canadian and EU laws apply to your interactions with Canadian and EU visitors respectively.

It may sound like a hassle to comply with laws from all around the world, and it is true that you have to be careful and obey each one that applies when collecting users’ data. As you’ll notice from the rest of this article, governments tend to pass similar laws, which makes life easier for businesses with an online presence. There are also tools to help you stay compliant with little effort, like the Secure Privacy online privacy policy generator and cookie banner generator.

Overview of the Current Data Protection Laws from Around the World

As tracking technologies change, so do data protection laws. New ones are passed and existing ones updated on a regular basis.

To give you an idea of what you have to do to stay fully compliant no matter where you have visitors from, we created an overview of the most important data protection laws from around the world. It focuses on the requirements needed specifically around privacy policies and cookie banners.

Europe

When it comes to complying with data protection laws in Europe, you have to be aware of both European Union (EU) law and the laws of the EU member states.

The EU is a union of European states, each of them a sovereign country with its own laws. When an EU institution passes a law (a regulation or a directive), it applies at EU level, so in each country both EU law and domestic law apply. In case of conflict, EU law prevails, which is why member states regularly update their domestic laws in line with EU law.

That is also the case with the EU’s General Data Protection Regulation (GDPR). As a regulation it is directly applicable in every member state; the national data protection laws only supplement it (for example, by setting the age at which a child can consent). So even though every member state has its own data protection law, it is the GDPR you have to comply with to make sure you do everything right.

If you collect data from individuals in the EU, you need to comply with EU privacy law. There are two main laws you should take note of: the General Data Protection Regulation and the ePrivacy Directive.

GDPR

The GDPR, which has applied since 25 May 2018, is the most extensive personal data protection law to date. As you’ll see from the rest of this article, no other jurisdiction imposes as many requirements on the tools you use for data collection and processing.

Do I Have To Be GDPR Compliant?

If you are established in the EU, or if you offer goods or services to, or monitor the behaviour of, individuals in the EU (for instance by tracking EU visitors on your website), then the answer is yes.

How To Be GDPR Compliant?

The core GDPR requirements are straightforward. To make sure that you have a GDPR compliant privacy policy and cookie banner, make sure you do the following:

  • Inform your users that you collect and process their data, tell them how you do it and list the purposes for which you collect and process it.
  • Get consent before collecting any data. Setting cookies on a visitor’s device first and asking for consent afterwards puts you in breach of the GDPR. If you collect data from a child under 16, consent has to be given or authorised by a parent or guardian (member states may lower the age threshold, but not below 13).
  • Obtain consent for each purpose you collect data for, except for strictly necessary functions. Say you collect data for preferences, analytics and marketing: you have to obtain an active opt-in for each one, which means a separate checkbox or similar per purpose, unchecked by default. Pre-ticked boxes and continued browsing are not valid consent. If the visitor doesn’t check any of the boxes, you are not allowed to collect their data for any of those purposes.
  • Only use the data for the purposes you communicated and received valid consent for.
  • Give users access to their data and the ability to correct it and to transfer it elsewhere (the rights of access, rectification and portability).
  • Provide a way to withdraw consent already given. Opting out should be as easy as opting in.
  • Document each consent you receive, including what the user was told and when, and keep that record for as long as you rely on the consent or until they ask for removal.
  • Delete users’ data upon request (the right to erasure).
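As an added worked example (not Secure Privacy’s product code and not part of the original article), here is a small consent gate in JavaScript that models the requirements above: every non-essential purpose is denied by default, only an explicit per-purpose opt-in counts, withdrawal is a single call, and every decision is logged with a timestamp. The purpose names, the `sp_consent` cookie name and the loader functions are illustrative assumptions.

```javascript
// Added example: a minimal per-purpose consent gate (not Secure Privacy's code).
// Assumptions: three illustrative purposes, an illustrative cookie name, and
// loader callbacks standing in for real analytics/advertising tags.
"use strict";

const PURPOSES = ["preferences", "analytics", "marketing"]; // assumed purposes
const CONSENT_COOKIE = "sp_consent";                         // assumed cookie name

class ConsentStore {
  // `now` is injectable so the audit trail is reproducible in tests.
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.state = Object.fromEntries(PURPOSES.map((p) => [p, false])); // deny by default
    this.log = [];                                                     // every grant/withdrawal
  }

  // Record the visitor's choices. Only a literal `true` counts as an opt-in:
  // a missing key, `undefined`, "on" or a pre-ticked default is NOT consent.
  record(choices, source) {
    for (const p of PURPOSES) this.state[p] = choices[p] === true;
    this.log.push({ at: this.now(), event: "consent", source, choices: { ...this.state } });
    return { ...this.state };
  }

  // Withdrawal is one call per purpose (or for everything), so opting out
  // is no harder than opting in.
  withdraw(purpose) {
    const targets = purpose === undefined ? PURPOSES : PURPOSES.filter((p) => p === purpose);
    for (const p of targets) this.state[p] = false;
    this.log.push({ at: this.now(), event: "withdraw", purpose: purpose ?? "all" });
    return { ...this.state };
  }

  isAllowed(purpose) {
    if (purpose === "necessary") return true; // strictly necessary: no consent needed
    return this.state[purpose] === true;      // unknown purpose -> false
  }

  // The consent record itself lives in a strictly necessary cookie.
  consentCookie(maxAgeSeconds = 180 * 24 * 3600) {
    const value = encodeURIComponent(JSON.stringify({ v: 1, at: this.now(), s: this.state }));
    return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
  }
}

// Run only the loaders whose purpose has consent. Everything else stays
// un-executed, so no tag fires and no cookie is set before the opt-in.
function applyConsent(store, loaders) {
  const ran = [];
  for (const [purpose, load] of Object.entries(loaders)) {
    if (store.isAllowed(purpose)) { load(); ran.push(purpose); }
  }
  return ran;
}

// Stand-alone demo over constructed input.
function demo() {
  const store = new ConsentStore(() => "2024-01-01T00:00:00.000Z");
  const fired = [];
  const loaders = {
    necessary: () => fired.push("session"),   // e.g. session cookie
    analytics: () => fired.push("analytics"), // e.g. analytics tag
    marketing: () => fired.push("ads"),       // e.g. ad pixel
  };
  applyConsent(store, loaders);                                  // before any choice: only "session"
  store.record({ analytics: true, marketing: "on" }, "banner");  // "on" is not an opt-in
  applyConsent(store, loaders);                                  // now "session" and "analytics"
  store.withdraw("analytics");
  return { fired, state: { ...store.state }, events: store.log.length };
}

if (typeof module !== "undefined") {
  module.exports = { PURPOSES, ConsentStore, applyConsent, demo };
}
```

In a real page the loaders would inject the analytics or advertising tags, and `applyConsent` would run once on load (after reading the stored consent cookie) and again whenever the banner’s choices change. The point of the structure is that nothing outside `necessary` executes, and therefore no non-essential cookie is written, until `record` has stored a literal `true` for that purpose.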

 

What are the Consequences for Non-Compliance?

If you don’t comply with any of these requirements, you risk huge penalties. In case you were wondering why the GDPR matters, this may be the answer. Fines for the most serious infringements are capped at 4% of annual worldwide turnover or €20 million, whichever is higher (a lower tier of 2% or €10 million applies to the rest). The national supervisory authorities decide on penalties case by case and have discretion over the amount, but don’t take this lightly: make sure you are GDPR compliant to avoid any trouble with them.

Also, a violation of the GDPR will likely mean a violation of the national data protection law of the EU member state whose residents’ data you collect, which can bring additional enforcement and fines under that national law.

ePrivacy Directive

The ePrivacy Directive (2002/58/EC, amended in 2009) is older than the GDPR and not as extensive. For websites, its key rule is that you need the user’s consent before storing or reading anything on their device (cookies and similar tracking technologies) that is not strictly necessary, after giving them clear and comprehensive information, which in practice means a privacy policy and a cookie banner.

Unlike the GDPR, the directive does not itself spell out consent for each and every purpose you collect data for; one general consent to cookies is enough under its text. Note, however, that the directive relies on the GDPR’s definition of consent, so that consent still has to be freely given, specific and informed.

Since the two laws apply to the same websites and visitors, compliance with the GDPR means compliance with the ePrivacy Directive as well.

Non-EU European Countries

Not all European countries are EU member states, which means that the GDPR doesn’t apply to them directly. However, most of them are part of the European Economic Area (EEA) or are preparing to become EU member states, so they are updating their national data protection laws in line with the GDPR. EEA states such as Iceland, Norway and Liechtenstein have incorporated the GDPR into the EEA Agreement, so it applies there as in the EU, while EU candidate states such as Serbia and North Macedonia have modelled their laws on the GDPR. Check the law of every non-EU country your business deals with, but keep in mind that they all lean towards the GDPR.

United States

There is no single federal data privacy law in the United States. US privacy laws apply on a state level and on an industry sector level.

Federal level

The sector laws that require certain data privacy protections are not data privacy laws per se. They regulate other matters but contain data privacy provisions as well. There is a plethora of them at federal level and hundreds at state level. These laws are very diverse and it’s impossible to fit them all into one article. Just to give you an idea, here are a few examples:

FTC: Federal Trade Commission

Section 5 of the Federal Trade Commission Act prohibits unfair and deceptive practices in commerce. The FTC uses it against companies that fail to keep the promises made in their privacy policies, so whatever your policy says, your site has to actually do.

COPPA: Children's Online Privacy Protection Act

The Children’s Online Privacy Protection Act of 1998 (COPPA) applies to websites directed at children under 13, or that knowingly collect personal data from them. It requires notifying parents about the collection of their children’s data, obtaining verifiable parental consent before collecting, using or disclosing it, and giving parents reasonable means to review the collected data, withdraw consent and refuse further use.

HIPAA: Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities (health plans, healthcare providers and clearinghouses) and their business associates. It requires them to give individuals a notice of privacy practices describing how their health information is used and disclosed, and to safeguard that information.

Each has its own requirements, but none is as comprehensive as the GDPR.

State level

California

Every US state has its own laws, but California has the most extensive one and is going even further with the updates planned for 2020. The law is the California Online Privacy Protection Act (CalOPPA), and it is one of the few US laws that expressly require a privacy policy. The policy has to be conspicuously posted, which in practice means a clearly labelled link on the homepage and on every page that collects personal data. CalOPPA does not itself require a cookie banner; a regular banner linking to the policy is enough, as long as the policy includes:

  • What type of data you collect from the users
  • What third parties you share data with
  • The way users can review the data you have collected from them
  • The way users can change their data
  • The way you’ll inform your users about any changes in the privacy policy
  • How the website responds to Do Not Track signals
  • The effective date of the privacy policy

You have to be compliant with CalOPPA in either of the following two scenarios:

  • If your company or your website is based in California
  • If you collect personally identifiable information from consumers residing in California, even a single one

Although extensive compared to other US privacy laws, CalOPPA doesn’t require prior consent from the user. It is enough to have a privacy policy in place and let users know about it.

If you breach CalOPPA, you’ll get in trouble with the California Attorney General’s Office, which enforces it, or, for deceptive practices, with the Federal Trade Commission. The penalty will depend on the circumstances of your particular case.

All other US states

There are California’s privacy laws, and then there are the privacy laws of all the other states. So far, few states follow California’s example. All of them have some kind of privacy law pertaining to personal data collected by businesses, but none is as extensive as CalOPPA.

To stay compliant with the other states’ laws as well as California’s, a privacy policy drafted in accordance with CalOPPA and linked from your cookie banner will be enough.

Canada

Like the US, Canada has several privacy laws, at federal, provincial and industry sector level.

There are two laws that regulate data collection and management at federal level in Canada.

The first is the Privacy Act, which applies only to federal government institutions and what they do with individuals’ data, so it doesn’t affect a private business.

The second affects your business if you are based in Canada or collect data from Canadian visitors. This law is the Personal Information Protection and Electronic Documents Act (PIPEDA). It applies to organizations that collect, use or disclose personal information in the course of commercial activity, so purely non-commercial nonprofits, political parties and associations fall outside it. Quebec, Alberta and British Columbia have their own private-sector privacy laws that have been deemed substantially similar, so an organization operating entirely within one of those provinces follows the provincial law instead; PIPEDA still applies as soon as personal information crosses a provincial or national border, which is the case for any website serving visitors from elsewhere. Don’t let this confuse you: the provincial requirements closely track the federal ones.

To comply with PIPEDA, you have to:

  • Designate an individual who is accountable for the personal information you collect and use (a privacy officer)
  • Identify the purposes you will collect and use data for and limit your actions to those purposes only
  • Inform your users in an understandable way what data you collect, what you do with it, and for what purpose
  • Get consent from each user before or at the time of collecting their data, as well as whenever you want to use their data for a purpose you don’t already have consent for
  • Keep the data only for as long as reasonably needed and delete it as soon as it is no longer required for the purposes you have consent for
  • Safeguard the data with security appropriate to its sensitivity
  • Upon request, grant your users access to their data and tell them what you have collected about them, how it has been used, to whom it has been disclosed, and anything else you have done with it

Australia

If you operate in Australia, or carry on business there and collect personal information from Australian residents, you have to comply with the Australian Privacy Principles (APPs) in the Privacy Act 1988. Note that the Act generally exempts small businesses with an annual turnover under AUD 3 million, unless they trade in personal information or provide health services. APP 1 explicitly requires a privacy policy, and it must contain the following:

  • What type of data you collect
  • How you collect and hold it
  • For what purpose you collect data
  • How your users can access their collected data
  • How users can complain for breach of their privacy rights

Prior consent is not necessary, but to avoid trouble with the Office of the Australian Information Commissioner (OAIC), having a privacy policy is a must.

New Zealand

New Zealand regulates personal data collection with the Privacy Act 1993 (since replaced by the Privacy Act 2020, which carries the same information privacy principles forward). It doesn’t require a privacy policy as such, but its requirements mean that having one is a wise choice.

To comply with the law, you have to:

  • Collect the personal information directly from the individual concerned
  • Let the users know that you are collecting data
  • Inform them about what data you collect and for what purpose
  • Tell them the name and address of the agency that collects and holds the information

As you can see, the Privacy Act 1993 has more or less the same requirements as the other laws. While a privacy policy is never mentioned in the law, it is the most practical way to comply with it.

Asia

Not all Asian countries have enacted data privacy laws, but those that have set clear requirements that you need to follow if you operate from there or interact with website visitors from those countries. Here is a short overview of what to take note of when collecting and using their data.

China

If you do business in China or collect and use data from visitors in China, there were two instruments to comply with at the time of writing: the Cybersecurity Law, adopted in November 2016 and in force since 1 June 2017, and the national standard Information Security Technology - Personal Information Security Specification (GB/T 35273-2017), which took effect on 1 May 2018. China has since enacted the Personal Information Protection Law (in force since 1 November 2021), which turns most of the Specification’s requirements into binding law with real penalties, so treat the list below as a minimum.

The Cybersecurity Law provides the data protection standard in broader terms, while the Specification makes it more concrete. To make sure that you comply with both, you have to make sure you:

  • Tell users that you collect and use their data
  • Inform them why and how you do it
  • Obtain explicit consent before collecting and using their data for each purpose separately
  • Store the data safely and keep it for the minimum period necessary
  • Let them know how they can access, correct, and delete their data
  • Inform them about the use of third-party data processors (Google Analytics, widgets, plugins, and others)
  • Conduct a security assessment of the third-party data processors before letting them collect data for you

The Specification is very similar to the GDPR, with one big difference: as a recommended national standard it carries no penalties of its own. Don’t let this confuse you, though. If you don’t comply with the Specification, it is likely that you don’t comply with the Cybersecurity Law either, and that could get you in trouble with the Chinese authorities. To avoid that, publish a privacy policy that meets the standards set out in the Specification.

India

India’s Information Technology Act 2000 (Section 43A, added by the 2008 amendment) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 issued under it apply to businesses located in India. They require every such website to have a privacy policy in place and to comply with the following:

  • Inform users that you collect data and why you collect it
  • Use the data only for the purpose you have collected it for
  • Get prior consent before collecting sensitive data (passwords, financial statements, credit card information, biometric data, etc.). Collecting any other data doesn’t require prior consent.
  • Keep the data safely stored, but only for the minimum necessary period of time

At the time of writing, the Indian government is in the process of enacting the Personal Data Protection Bill, 2018, whose draft was released in July 2018. The proposed text has many similarities with the GDPR. You’ll find more details at the end of this article. We will keep you updated on any changes.

Other Asian countries

Not all Asian countries have personal data privacy laws in place. The ones that are more technologically advanced, however, have laws that you should bear in mind when doing business with their residents or operating from these countries.

Most have similar laws in place. They all require some kind of written document, like a privacy policy, with information on why you collect data, how you collect it, for what purpose, and how you process it. There are just a few differences among them pertaining to giving prior consent or the jurisdiction. Here is a short overview of them.

Japan

Japan’s Act on the Protection of Personal Information (APPI), as amended with effect from 30 May 2017, doesn’t require prior consent from users, except when you want to use the data for a purpose other than the one you collected it for, or when you disclose personal data to third parties.

South Korea

The Personal Information Protection Act requires obtaining prior consent from users before collecting their data. The consent will be valid only if you provide correct information about yourself through your privacy policy. The consent from children younger than 14 has to be given by their guardian.

Malaysia

The Malaysian Personal Data Protection Act 2010 requires getting explicit consent for collection and use of personal data on top of providing the usual information on why, how, and what you do with the information.

Indonesia

Indonesia didn’t have a consolidated privacy law at the time of writing; the government was still preparing the bill it planned to enact in 2019 (a Personal Data Protection Law was eventually passed in 2022). Until then, many laws touch on personal data protection. Cookie-wise, the most important of them is the Law on Electronic Information and Transactions.

Note that this law applies to companies and persons who:

  • Operate in Indonesia
  • Collect personal data from Indonesian residents
  • Operate outside of Indonesia, but their legal acts have legal consequences in the country

Besides a privacy policy and the usual information on why and how you collect data, this law also requires explicit consent for collecting and using a user’s personal data, whatever the purpose.

Singapore

In Singapore, the Personal Data Protection Act 2012 (PDPA) also requires you to obtain consent from users before setting tracking cookies on their devices.

Hong Kong

As long as you inform users about what personal data you collect, how, and for what purpose, you comply with Hong Kong’s Personal Data (Privacy) Ordinance (PDPO).

Taiwan

Taiwan’s Personal Data Protection Act (which replaced the earlier Computer-Processed Personal Data Protection Law in 2012) also doesn’t require a separate opt-in for cookies. You need to inform users that you collect their data, how you do it and for what purpose.

Vietnam

The collection of personal data by cookies falls under Vietnam’s Law on Cyber Information Security (2015). It requires prior consent before placing them on someone’s device.

Philippines

According to the Data Privacy Act of 2012 and the Implementing Rules and Regulations of the Data Privacy Act of 2012, you have to ask for consent from your users before collecting their data.

Rest of the World

There are many other countries around the world that regulate the processing of personal data in their territory or of their residents. To keep it concise and simple, here are the most important of them.

Israel

The use of cookies and tracking mechanisms falls under the Protection of Privacy Law, 5741-1981 and the Protection of Privacy (Data Security) Regulations, 5777-2017. Neither contains an explicit provision on cookies or privacy policies, but together they imply that you need a privacy policy and that you have to obtain consent before using cookies.

Russia

Russia has many laws pertaining to personal data protection. The most important is Federal Law No. 152-FZ “On Personal Data” (often called the Data Protection Act). Under it you have to notify Roskomnadzor, the state regulator, before processing personal data as a data operator, and since the 2015 data localization amendment the personal data of Russian citizens must be recorded, stored and updated in databases located in Russia.

You will also need a privacy policy with information on the data operator, i.e. you, why and how you collect and process data, information about how the user can access their data, how to correct or block the data usage, how to delete it, and other information.

Prior consent is necessary before sending out cookies.

According to the law, users can ask for erasure of their personal data only if the data was unlawfully obtained, is incomplete, out of date, inaccurate or no longer necessary for the purposes it was collected for. Unlike in many other countries, a user cannot request deletion without giving a reason.

Turkey

Turkey’s Law on the Protection of Personal Data (No. 6698 of 2016, the KVKK) is modelled on EU law. It doesn’t require explicit consent for each and every purpose you collect data for, but you are prohibited from setting cookies before getting the user’s consent.

The consent has to be given freely. It is valid only if you have informed the user about the reasons and the ways you collect and use data. Finally, you have to delete or anonymize the data upon a user’s request.

South Africa

South Africa’s Protection of Personal Information Act 4 of 2013 (POPIA, fully in force since 1 July 2020) requires a lawful basis for processing personal information; in the website context that usually means the voluntary consent of your users before collecting and processing their data.

Brazil

An easy-to-understand privacy policy is a must under the Brazilian Internet Act of 2014 (Marco Civil da Internet, Law 12.965/2014). You also have to get voluntary consent from your users before setting cookies on their devices. Don’t forget to ask your Brazilian users how old they are, because a person under 16 cannot give consent, and those aged 16 to 18 can give it only with a guardian’s assistance. Brazil’s General Data Protection Law (LGPD, Law 13.709/2018), in force since September 2020, now adds GDPR-style rights and obligations on top of this.

Argentina

If you tell your users that you collect their data, why and how you do it, and they give you voluntary consent for collection and use, you comply with Argentina’s Personal Data Protection Act of 2000 (Law 25,326).

Mexico

According to Mexico’s Federal Law on Protection of Personal Data Held by Private Parties (2010), you can collect and process personal data only if your privacy notice says so and you have obtained prior consent.

Gulf Countries

Qatar was the first Gulf country to pass a stand-alone data protection law, Law No. 13 of 2016, which requires prior consent before collecting data. Bahrain followed with its Personal Data Protection Law (Law No. 30 of 2018, in force since August 2019). The United Arab Emirates (where Dubai and Abu Dhabi are located) had no federal law at the time of writing; it enacted one in 2021 (Federal Decree-Law No. 45 of 2021). Before that, the Dubai International Financial Centre free zone already had its own data protection law, in place since 2007 and replaced by DIFC Law No. 5 of 2020, which requires a lawful basis, typically consent, for processing users’ personal information.

What the Future Brings

From this overview, it is obvious that the common trend among recently enacted data protection laws is a requirement for prior consent before setting cookies. None of them lets you place tracking tools or technologies on your users’ devices before getting their permission. The right to be forgotten, i.e. deletion of data on request, is also gaining significant legal momentum.

Some of the countries listed above are in the process of drafting or passing new legislation on personal data protection. Here is what the future brings you:

California

On 1 January 2020, the California Consumer Privacy Act (CCPA) came into force. It gives consumers more rights: the right to know what personal information has been or is being collected about them, the right to have it deleted, and the right to opt out of its sale. Compared to CalOPPA, the most important additions are the right to be forgotten and the right to prohibit the sale of your data.

European Union

Only a year after the GDPR took effect, the EU planned to adopt yet another privacy law: the proposed ePrivacy Regulation, first tabled in 2017 and intended to replace the ePrivacy Directive. Among other things, it was expected to simplify the cookie rules, removing the need for prior consent for non-intrusive cookies used to improve the user experience. The proposal stalled in negotiations and has not been adopted, so the ePrivacy Directive and the national cookie rules based on it remain in force.

Post-Brexit United Kingdom

While the UK was an EU member state, the GDPR applied alongside the Data Protection Act 2018. The UK left the Union on 31 January 2020 and, at the end of the transition period on 31 December 2020, retained the GDPR in domestic law as the “UK GDPR”. Because the Data Protection Act 2018 is fully harmonized with the Regulation, the practical requirements are unchanged: the EU GDPR continues to apply to your EU visitors and the UK GDPR to your UK visitors.

India

Compared to the current law, the proposed Personal Data Protection Bill of India introduces several significant changes, including prior consent requirement for collection and processing of any data (not just the sensitive one), as well as the right to access, correct, and move one’s data, and the right to be forgotten.

Indonesia

The current law only requires telling your users why and how you collect data and getting their consent. The new law is expected to introduce the right to be forgotten and the rights to correct and move personal data.

The Takeaways

There are many different laws all around the world and compliance with all of them may seem intimidating to you. But it is not as hard as it looks.

As you will have noticed from the article, the legal requirements often overlap. So, if you comply with one law, you are likely to comply with many others at the same time.

The GDPR is the one that stands out. It requires an active opt-in per purpose, which many other countries don’t demand. So how do you stay compliant with the GDPR cookie-wise without imposing that per-purpose consent request on every visitor worldwide?

The online cookie banner generators provide a simple and straightforward solution. The one from Secure Privacy will scan your website for the cookies you use. Then the cookie banner generator and the privacy policy generator will use that data to create a tailored-for-you GDPR compliant cookie banner and privacy policy.

You can choose to show this banner only to the visitors from the EU. For the visitors from other countries, you can generate another cookie banner compliant with their respective laws.

That way, you’ll always show the right cookie banner to the right people.

Disclaimer: This website contains general information about legal matters. This article is for informational purposes only. The information is not advice, and should not be treated as such.

Infographic showing GDPR, CCPA and International Privacy Laws