A Complete Guide to International Data Privacy Law
Many businesses now operate online and serve customers in different parts of the world. Keeping up with every applicable regulation worldwide is both complicated and time-consuming.
That is why we have created this guide, with in-depth articles and infographics, to give you an overview of the main international data privacy laws, how they may affect you, and how your business can become compliant in the markets that matter to you.
Tracking users' data
Tracking users' data is treated as crucial for business success in a data-driven world; operations that are not data-driven may not produce the results your business needs.
However, your users' data belongs to them. They have a right to proper data protection, which brings us to today's data protection laws. Such laws have existed in parts of the world for quite some time and their importance has grown. They are here to stay, and you have to comply with them if you want to do business ethically, build relationships based on trust, and avoid penalties.
What Are Data Privacy Laws and Who Do They Apply To?
When tracking technologies first became available, data collection was not yet regulated. Website owners could freely collect visitors' data and use it for any purpose they wished.
That has changed. As the existing privacy laws proved insufficient for regulating data collection and use, governments began passing new laws or updating existing ones, and they continue to revise them as the technology changes.
When it comes to your duty to comply, remember that there is no single universal data protection law. Each government legislates for its own jurisdiction, so each law applies only within a certain territory or to a certain group of people.
Wherever you are based, you have to know which local data privacy law applies to you. Wherever a visitor comes from, your local privacy law and, in most cases, the visitor's local privacy law both apply to the collection and use of their data.
Imagine that you run a US-based website with visitors from different parts of the world. You have to comply with US federal law, as well as the laws of your state and your industry. When a visitor from Canada lands on your website, the collection and use of their data also has to comply with Canadian law. The same goes for a visitor from an EU country: both US and EU law apply to your relationship with that visitor. In short, US law applies to you, while Canadian and EU law apply to your interactions with Canadian and EU visitors respectively.
Overview of the Current Data Protection Laws from Around the World
As tracking technologies change, so do data protection laws. New ones are passed, and existing ones are updated, on a regular basis.
To give you an idea of what you have to do to stay compliant no matter where your visitors come from, we have compiled an overview of the most important data protection laws from around the world. It focuses specifically on the requirements for privacy policies and cookie banners.
When it comes to complying with data protection law in Europe, you have to be aware of both European Union (EU) law and the laws of the individual EU member states.
The EU is a union of European states, each of which is a sovereign country with its own laws. When an EU institution passes a law (a regulation or a directive), it applies across the EU, so in each member state both EU law and domestic law apply. Where the two conflict, EU law prevails, which is why member states regularly update their domestic laws in line with EU law.
That is also the case with the EU's General Data Protection Regulation (GDPR). Although every member state has its own data protection law, you have to comply with the GDPR as well to make sure you do everything right.
If you collect data from people in the EU, you need to comply with EU privacy law. There are two main instruments to take note of: the General Data Protection Regulation and the ePrivacy Directive.
The GDPR, which came into effect on 25 May 2018, is the most extensive personal data protection law to date. As you will see in the rest of this article, very few countries elsewhere impose as many requirements on the tools used for data collection and processing. The GDPR has, however, set the trend for 21st-century data protection law, and more and more countries are following its example.
Do I Have To Be GDPR Compliant?
If you are located in the EU or are collecting and processing personal data from EU residents, then the answer is yes.
How To Be GDPR Compliant?
- Inform your users that you collect and process their data, tell them how you do it and list the reasons why you collect and process their data.
- Get consent before collecting any data. Setting cookies on a visitor's device first and asking for consent afterwards puts you in breach of the GDPR. If you collect data from a child under 16, you need consent from a parent or guardian. The forthcoming ePrivacy Regulation is expected to exempt cookies that are not privacy-intrusive, but until it is in force, keep non-essential cookies off their devices until consent is given.
- Obtain consent separately for each purpose you collect data for, except for strictly necessary functions. Say you collect data for user preferences, analytics, and marketing. You have to obtain an active opt-in for each of them, which means a checkbox or similar control for each purpose, none of them ticked in advance. If the visitor ticks none of the boxes, you may not collect their data for any of those purposes.
- Only use the data for the purposes you communicated and received valid consent for.
- Give users access to their data, the possibility to correct it, and the possibility to have it transferred elsewhere (data portability).
- Provide a way to withdraw consent that has already been given. Opting out should be as easy as opting in.
- Document each consent you receive from your users (what was consented to, when, and how) and keep the record for as long as you rely on that consent, or until the user asks for it to be removed.
- Delete users’ data upon request.
The requirement for an active opt-in has been confirmed by the Court of Justice of the EU in the Planet49 case (C-673/17, October 2019), where the court held that a pre-ticked box does not amount to freely given, specific consent. You therefore need to present users with unticked boxes, and only once they tick a box may you place cookies for that purpose.
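The GDPR points above (no cookies before consent, one opt-in per purpose, no pre-ticked boxes, withdrawal as easy as opting in, a record of every consent) describe a control that is easy to get wrong when tag scripts fire on page load. The following is an added example written for this guide, not code from the original page or from any consent-management product. It assumes three purposes named "preferences", "analytics" and "marketing", and uses an in-memory Map in place of document.cookie so it runs under Node without a browser; those names and the stand-in are assumptions, not something the page prescribes.

```javascript
// Added example: a minimal consent gate for non-essential cookies.
// Not the page's own code. Assumed: the three purpose names below, and an
// in-memory Map standing in for document.cookie so this runs outside a browser.

const PURPOSES = ["preferences", "analytics", "marketing"];

class ConsentManager {
  // `now` is injectable so the consent record gets deterministic timestamps in tests.
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.consent = Object.fromEntries(PURPOSES.map((p) => [p, false]));
    this.log = [];         // every grant/withdraw event: the documented consent record
    this.jar = new Map();  // stands in for document.cookie: name -> { value, purpose }
  }

  // Initial banner state: no box pre-ticked. The only way a purpose becomes
  // true is through recordChoice(), i.e. an action by the user.
  bannerDefaults() {
    return PURPOSES.map((purpose) => ({ purpose, checked: false }));
  }

  // Store exactly the purposes the user ticked. Unknown purposes are rejected so a
  // form bug cannot grant something that was never offered on the banner.
  recordChoice(ticked) {
    for (const p of ticked) {
      if (!PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
    }
    for (const p of PURPOSES) this.consent[p] = ticked.includes(p);
    this.log.push({ at: this.now(), action: "grant", purposes: [...ticked] });
    this.purgeUnconsented();
  }

  // Withdrawal is one call with no re-confirmation: opting out must be as easy
  // as opting in. Cookies already set for that purpose are removed.
  withdraw(purpose) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    this.consent[purpose] = false;
    this.log.push({ at: this.now(), action: "withdraw", purposes: [purpose] });
    this.purgeUnconsented();
  }

  // Single choke point for writing cookies. Strictly necessary cookies (session,
  // CSRF token) never need consent; anything else is refused unless consent for
  // its purpose was recorded first. An unknown purpose is refused as well.
  setCookie(name, value, purpose = "necessary") {
    if (purpose !== "necessary" && this.consent[purpose] !== true) return false;
    this.jar.set(name, { value, purpose });
    return true;
  }

  // Same gate for loading third-party tags (analytics, ad pixels): the loader
  // callback only runs if the purpose is consented. Returns whether it ran.
  runIfConsented(purpose, loader) {
    if (this.consent[purpose] !== true) return false;
    loader();
    return true;
  }

  // Delete every non-essential cookie whose purpose is no longer consented.
  purgeUnconsented() {
    for (const [name, c] of this.jar) {
      if (c.purpose !== "necessary" && this.consent[c.purpose] !== true) {
        this.jar.delete(name);
      }
    }
  }
}

// Walk-through on constructed inputs: a visitor ticks analytics only, then withdraws.
function demo() {
  const cm = new ConsentManager(() => "2019-10-01T12:00:00Z");
  cm.setCookie("session_id", "s-1");            // necessary: allowed before any consent
  cm.setCookie("_ga", "GA1.2.1", "analytics");  // refused: no consent yet
  cm.recordChoice(["analytics"]);               // the user ticked analytics only
  cm.setCookie("_ga", "GA1.2.1", "analytics");  // now allowed
  cm.setCookie("_fbp", "fb.1", "marketing");    // still refused
  cm.withdraw("analytics");                     // _ga is purged, session_id stays
  return cm;
}
```

The design point is that every cookie write and every tag load goes through one gate keyed by purpose, so "consent first" is enforced by construction rather than by remembering to check in each script. The log is what you would export when asked to prove that a given consent existed at a given time.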
In another case (Google v CNIL, C-507/17), the same court clarified the territorial limits of the right to be forgotten: a search engine operator asked to de-list results does not have to do so on all its versions worldwide, only on the versions serving EU member states. Under the GDPR, a user can therefore be forgotten within the EU, but the regulation does not compel erasure outside of it.
What are the Consequences for Non-Compliance?
If you fail to comply with any of these requirements, you risk heavy penalties, which is one reason the GDPR matters. Fines are capped at 4% of annual global turnover or €20 million, whichever is higher. Supervisory authorities decide on penalties case by case, so do not take this lightly: make sure you are GDPR compliant to avoid trouble with the data protection authorities.
To give you an idea of what GDPR fines look like in practice, here are some examples:
- The Polish data protection authority fined Bisnode about €220,000 for failing to inform some 6 million people whose data it had scraped from public registers; only the roughly 90,000 for whom it held an email address were notified.
- A UK real estate company was fined £80,000 for failing to keep clients' data secure during and after transferring it to a partner organization.
- UniCredit Bank in Romania received a fine of about €130,000 for failing to implement sufficient technical and organizational measures when processing data, and for collecting more data than necessary.
- The Municipality of Bergen was fined about €170,000 by Datatilsynet, the Norwegian data protection authority, because a file with the login credentials of students and employees of public schools it operated was left in a storage area accessible to anyone.
- The Hungarian data protection authority fined a debt collector about €1,560 for refusing to comply with a data deletion request.
Quick research will show you that no one is spared from GDPR fines. Both large and small businesses can be fined at any moment if they breach the provisions of the regulation.
A GDPR violation will also usually violate the national data protection law of the member state whose residents' data you collect. That can mean additional proceedings and fines under national law on top of the GDPR penalty.
The ePrivacy Directive itself does not require separate consent for each purpose you collect data for; one general consent satisfies it.
However, the Directive relies on the GDPR's definition of consent, and its territorial reach overlaps with the GDPR's, so consent that meets the GDPR standard satisfies the Directive's cookie rule as well.
The ePrivacy Regulation is meant to replace the ePrivacy Directive. It has not been passed yet, but the EU institutions have published enough to give an idea of how it will affect data privacy across the continent. As of now, we know that it is to cover all electronic communications, including messaging services such as WhatsApp, Skype, and Facebook Messenger, and to clarify certain aspects of the cookie rules.
The ePrivacy Regulation was initially planned to take effect on 25 May 2018, the same day as the GDPR, but it has not been adopted yet. At the time of writing it is expected by the end of 2019, although that date has already slipped more than once.
The information available so far promises some changes to the EU data protection landscape, but nothing that changes the picture substantially: the regulation particularises the GDPR's rules for electronic communications.
For your website, the most important part of the regulation is the simpler cookie rules. The current rules have produced an endless stream of cookie banners; the new law is set to streamline the process. Most importantly, it states that:
- cookie consent is not needed for cookies that improve the user experience without collecting personal data
- you need consent for collecting metadata, such as the time and date the data was created, its creator, or file size, unless the metadata is needed for billing.
In addition, the regulation prescribes a strict ban on unsolicited emails, SMS messages, and automated phone calls. Each EU member state will be able to choose whether to protect consumers by default or via do-not-call lists.
Post-Brexit United Kingdom
The main thing you will need to take care of in the case of a no-deal Brexit is the legal basis for transferring personal data across the UK border. Some businesses will need to review their data transfer contracts and act as necessary to stay compliant.
Non-EU European Countries
Not all European countries are EU member states, which means the GDPR does not apply to them directly. However, most of them are part of the European Economic Area (EEA) or are preparing to become EU member states, so they are updating their national data protection laws in line with the GDPR.
EEA members such as Iceland and Norway have adopted the GDPR. Switzerland has not. It still relies on its own Federal Act on Data Protection of 1992 and the accompanying Ordinance of 1993, and every canton also has its own data protection law. As of now, none of these laws requires an active opt-in for cookie use, but they do require an opt-out option. To serve cookies to Swiss visitors it is enough to give them sufficient information about what you collect and what you do with it. Keep in mind, however, that the Swiss federal government is working on a full revision of the current law, which may introduce stricter consent requirements in future.
Many other non-EU European countries want to become EU member states, so they tend to harmonise their legal systems with the EU's. As a result, many of them already have privacy laws aligned with the GDPR. Those with no intention of joining the EU also align their laws, because of geographic proximity and market demand.
Albania has not passed a modern privacy law yet. Its law from 2008 nevertheless requires consent for using personal data.
The Law on Protection of Personal Data of Bosnia and Herzegovina is nowhere near the GDPR or any other modern data protection law. It came into force back in 2006 and does not address data collection and use as we know it today. However, it does require the user's consent for the use of data.
Ukraine's data protection law dates from 2010, with amendments from 2012. It is aligned with the ePrivacy Directive but not with the GDPR. You do, however, need to obtain consent before using the data.
All in all, non-EU European countries are either already close to the GDPR or are on their way there.
Despite the calls for federal privacy laws by the tech industry leaders in the US, there is no single federal data privacy law in the country yet. US privacy laws apply on a state level and on an industry sector level.
The sector-specific laws that impose data privacy obligations are not privacy laws as such. They regulate other matters but contain privacy provisions as well. There are many of them at the federal level and hundreds at the state level; they are very diverse and impossible to fit into one article. To give you an idea, here are a few examples:
FTC: Federal Trade Commission
Section 5 of the Federal Trade Commission Act prohibits unfair and deceptive practices in commerce, which the FTC has applied to companies that fail to keep the promises made in their privacy policies.
COPPA: Children's Online Privacy Protection Act
The Children's Online Privacy Protection Act of 1998 (COPPA) applies to websites and online services that knowingly collect, use, or disclose personal data of children under 13. It requires giving parents notice of the collection of their children's data, obtaining verifiable parental consent beforehand, and providing reasonable means for parents to review the collected data, withdraw consent, and refuse further use of that data.
HIPAA: Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) requires, among other things, giving a notice of privacy practices to people whose medical information you may collect or use; it applies to covered entities such as health plans and providers and to their business associates.
Each of these laws has its own requirements, but none is as extensive as the GDPR or the comprehensive national laws of other countries.
Every US state has its own laws, but California has the most extensive ones and is going even further with the changes planned for 2020. The current law is the California Online Privacy Protection Act (CalOPPA). The other is the California Consumer Privacy Act (CCPA), the most comprehensive US state privacy law to date. CalOPPA requires a conspicuously posted privacy policy that states:
- What type of data you collect from the users
- What third parties you share data with
- The way users can review the data you have collected from them
- The way users can change their data
- How the website responds to Do Not Track signals
You have to be compliant with the CalOPPA in any of the following two scenarios:
- If your company or your website is based in California
- If you have collected personal data from at least one user from California, no matter if the person is a citizen or only a resident
If you breach CalOPPA, you can face enforcement by the California Attorney General's Office (and, for deceptive privacy policies, the Federal Trade Commission). The penalty depends on the circumstances of your particular case.
The CCPA is the law that triggered a change in the data protection landscape across the USA. It is the first GDPR-like law passed in the country, and since it passed, many other states have started considering similar laws of their own.
The CCPA applies to your business if you:
- Collect personal data from California residents
- You, your parent company, or your subsidiary exceed at least one of the following three thresholds:
- Annual gross revenue of at least $25 million
- Obtain personal data of at least 50,000 California residents, households, and/or devices per year or
- At least 50% of your annual gross revenue comes from selling personal information
Employment-related personal information is, for now, largely exempt from the CCPA.
If you recognise your business in the criteria above, then comply with the CCPA by doing the following:
- Tell users how to request access to the data you have collected about them, and provide that access when they ask
- Tell them who you sell their data to if you sell it at all
- Let them opt-out from selling data by providing a “Do Not Sell My Personal Data” button or link
- Ask for explicit consent for selling children’s data (from the children if they are 13-15 years of age or from their parents if younger)
- Introduce a system for verification of the identity for the persons making these requests
- Do not discriminate against persons who practice their privacy rights in providing your services
Even before coming into force, the CCPA has been amended repeatedly. In the coming period we expect to see:
- Removing household from the definition of personal information, hence the consumer will be the only one linkable to personal information
- A requirement for verifiable parental consent for opening a social media account
- Disclosing the use of facial recognition technology on entrance doors.
Senate Bill 220 (SB 220) is the new privacy law of the State of Nevada. It has been in effect since 1 October 2019. The law looks very similar to the CCPA, but it has some significant differences that make it less comprehensive than its California counterpart.
SB220 applies to you if you:
- Own or operate a website or online service for commercial purposes
- Collect and keep personal information of Nevada residents and
- Engage in activity that constitutes a nexus with Nevada, meaning that you purposefully direct commercial activities at Nevada, such as online sales, advertising, and so on.
If the law applies to you, your privacy notice has to state:
- Categories of personal information you collect
- Whether you collect information about their online behavior
- Categories of third parties with whom you share such information
- How users can access and change the information
- How to opt out of the sale of their information
An opt-in for collecting information is not required, but you have to tell users how to opt out of the sale of their data. Unlike the CCPA, SB 220 does not require a "Do Not Sell My Personal Information" button or link; it is enough to give them a toll-free number or an email address through which they can request the opt-out.
The opt-out requirement is limited to certain types of personal data: first and last name, physical and email address, phone number, social security number, an identifier that allows the person to be contacted online or offline, and any other information you collect that can be linked to the user.
Moreover, SB 220 limits the definition of a data sale to the exchange of data for money. Exchanging your customers' data for a non-monetary benefit is outside the scope of the Nevada law.
Consumers have no private right of action under SB 220. However, if the Nevada Attorney General finds that you have violated the law, you may be ordered to pay civil penalties of up to $5,000 per violation.
Maine's Act to Protect the Privacy of Online Customer Information is also narrower in scope than the CCPA. It applies to you only if you are an internet service provider that collects data from internet users located in Maine and billed for services in Maine.
Chances are that you are not an ISP operating in Maine, so here is just a quick overview of a law that likely does not apply to your business:
- It goes into effect on 1 July 2020
- ISPs must obtain explicit consent from users before using, disclosing, selling, or permitting access to users’ data
- ISPs must provide clear notice about users’ rights
- It is not clear who enforces this law
All other US states
Beyond California and Nevada, several other states are in the process of passing comprehensive data protection rules. Most states, however, have not announced any intention of passing such laws yet, nor has the federal government. All states have some privacy laws covering personal data collected by businesses, but none is as extensive as CalOPPA, the CCPA, or the GDPR.
Like the US, Canada has several privacy laws - on the federal, province, and industry sector level.
There are two laws that regulate data collection and management on the federal level in Canada.
The first is the Privacy Act, which applies only to federal government institutions and what they do with citizens' data, so it does not affect you.
The second affects your business if you are based in Canada or collect data from Canadian visitors: the Personal Information Protection and Electronic Documents Act (PIPEDA). It does not apply to nonprofits, political parties, and associations that are not engaged in commercial activity. It applies across Canada, except that Quebec, Alberta, and British Columbia have their own substantially similar laws, which apply instead of PIPEDA to activity that stays entirely within the province. As soon as personal data crosses a provincial or national border, for example when your website serves visitors from outside the province, PIPEDA applies. Do not let that confuse you: the requirements of the provincial laws are almost the same as the federal law.
To comply with PIPEDA, you have to:
- Appoint someone to be in charge of the data you collect and use
- Identify the purposes you will collect and use data for and limit your actions to those purposes only.
- Understandably inform your users what data you collect, what you do with it, and for what purpose
- Get consent from each user before or at the time of collecting their data, as well as when you want to use their data for a purpose you haven’t got consent for already.
- Keep the data for a reasonable time and delete it as soon as you no longer need it for the purposes you obtained consent for.
- Safeguard the data
- Upon request, grant your users access to their data and inform them about the data you have collected about them, how it has been used, to whom it has been disclosed, or anything else you have done with their data.
Your privacy policy should state:
- What type of data you collect
- How you collect and hold it
- For what purpose you collect data
- How your users can access their collected data
- How users can complain about the breach of their privacy rights
To comply with the law, you have to:
- Collect the personal information directly from the individual concerned
- Let the users know that you are collecting data
- Inform them about what data you collect and for what purpose
- Inform them of the name and address of the entity that collects and holds the information
Not all Asian countries have enacted data privacy laws, but those that have set clear requirements that you need to follow if you operate from there or interact with visitors from those countries. Here is a short overview of what to note when collecting and using their data.
If you do business in China or collect and use Chinese visitors' data, there are two instruments to comply with: the Cybersecurity Law and the Information Security Technology - Personal Information Security Specification. The law was adopted in November 2016 and took effect on 1 June 2017; the Specification took effect on 1 May 2018.
The Cybersecurity Law sets the data protection standard in broad terms, while the Specification makes it concrete. To comply with both, make sure you:
- Tell users that you collect and use their data
- Inform them why and how you do it
- Obtain explicit consent before collecting and using their data for each purpose separately
- Store the data safely and keep it for the minimum period necessary
- Let them know how they can access, correct, and delete their data
- Inform them about the use of third-party data processors (Google Analytics, widgets, plugins, and others)
- Conduct a security assessment of the third-party data processors before letting them collect data for you
In addition, you have to ensure compliance with China’s Regulation on Network Protection of Children’s Personal Information. Aside from the requirements of the Cybersecurity Law, ensure to:
- Obtain parental consent for collecting and using children’s data
- Designate a person responsible for children’s information
- Safeguard children’s data by encryption or other means
- Have user agreements on children’s data
India's current rules under the Information Technology Act (the 2011 rules on sensitive personal data) require you to:
- Inform users that you collect data and why you collect it
- Use the data only for the purpose you have collected it for
- Get prior consent before collecting sensitive data (passwords, financial statements, credit card information, biometric data, etc.). Collecting any other data doesn’t require prior consent.
- Keep the data safely stored, but only for the minimum necessary period of time
At the time of writing, the Indian government is in the process of enacting the Personal Data Protection Bill. The proposed draft has many similarities with the GDPR; you will find more details at the end of this article, and we will keep you updated on any changes.
Other Asian countries
Not all Asian countries have personal data privacy laws in place. The more technologically advanced ones, however, have laws you should bear in mind when doing business with their residents or operating from those countries.
Japan's amended Act on the Protection of Personal Information does not require prior consent from users, except when you want to use the data for a purpose other than the one you collected it for, or when you disclose personal data to third parties.
Malaysia's Personal Data Protection Act 2010 requires explicit consent for the collection and use of personal data, on top of the usual information on why, how, and what you do with it.
Indonesia has no consolidated privacy law; the government is still preparing a bill planned for enactment in 2019. For now, a number of laws touch on personal data protection. Cookie-wise, the most important is the Law on Electronic Information and Transactions.
Unlike other privacy laws, this one applies to companies and persons who:
- Operate in Indonesia
- Collect personal data from Indonesian residents
- Operate outside of Indonesia, but their legal acts have legal consequences in the country
In Singapore, you also have to obtain prior consent from users before placing tracking mechanisms on their devices; see the Personal Data Protection Act 2012.
As long as you provide information about what you collect, how, and for what purpose, you are compliant with Hong Kong's Personal Data (Privacy) Ordinance.
Taiwan's Personal Data Protection Act also requires prior consent. You have to provide users with a notice that you collect their data, how you do it, and for what purpose, and let them know how they can access, change, or delete their data.
Personal data collected by cookies in Vietnam is regulated by the Law on Cyber Information Security, which requires prior consent before placing cookies on someone's device.
In the Philippines, the Data Privacy Act of 2012 and its Implementing Rules and Regulations require you to ask for your users' consent before collecting their data.
South America
As South America grows economically, privacy protection becomes a more pressing issue. Brazil was the first country in the region to introduce a new data protection law inspired by EU law; not all of Latin America has followed yet.
Brazil's General Data Protection Law (LGPD) is scheduled to come into effect on 15 August 2020, from which date you will have a few more rules to comply with. It applies to all businesses in Brazil and to the collection and use of data of Brazilian citizens and residents.
If you tell your users that you collect their data, why and how you do it, and they give voluntary consent to the collection and use, you are in compliance with Argentina's Personal Data Protection Act of 2000.
Rest of the World
Many other countries around the world regulate the processing of personal data in their territory or of their residents. To keep it concise, here are the most important of them.
Russia has many laws pertaining to personal data protection. The most important is the Federal Law on Personal Data (No. 152-FZ). Under this law, you have to register as a data operator with the state agency Roskomnadzor, and you have to store the data you collect from Russian citizens on servers located in Russia.
Prior consent is necessary before setting cookies.
Under the same law, users can demand erasure of their personal data only if it was obtained unlawfully, is incomplete, out of date, inaccurate, or no longer necessary for the purposes it was collected for. Unlike in some other countries, a user cannot request deletion without giving a reason.
Turkish law also tends to harmonise with EU law. It does not require separate consent for each purpose you collect data for, but you are prohibited from setting cookies before obtaining the user's consent.
Consent has to be given freely, and it is valid only if you have informed the user about why and how you collect and use data. Finally, you have to delete or anonymise the data upon a user's request.
South Africa's Protection of Personal Information Act (Act 4 of 2013, POPIA) obliges you to obtain voluntary consent from your users before collecting and processing their data.
Qatar was the first Gulf country to pass a data protection law, in 2016, and Bahrain followed with its Personal Data Protection Law in 2019. Both laws are heavily influenced by EU law and both require prior consent before collecting data. The United Arab Emirates (home to Dubai and Abu Dhabi) are preparing a GDPR-like law, while the Dubai International Financial Centre has had its own data protection law since 2007, which requires consent for processing users' personal information.
What does the future bring?
From this overview, the trend across all recently enacted data protection laws is obvious: prior consent is required before setting cookies. None of them lets you place tracking tools or technologies on your users' devices before getting their permission. The right to be forgotten, i.e. the right to have data deleted, is also gaining significant legal momentum.
Some of the countries listed above are drafting or passing new personal data protection legislation. Here is what the future brings:
On 1 January 2020, the California Consumer Privacy Act comes into force. It gives users more rights, such as the right to know what data has been or is being collected about them, and the right to ask for erasure. Compared to CalOPPA, the most important changes are the right to be forgotten and the right to prohibit the sale of one's data.
Only a year after the GDPR took effect, the EU is planning yet another privacy law, the ePrivacy Regulation, which among other things is expected to simplify the cookie rules. Legislators will likely remove the need for prior consent for cookies that are not privacy-intrusive and serve only to improve the user experience.
Post-Brexit United Kingdom
As long as the UK is an EU member state, both the GDPR and the Data Protection Act 2018 apply. After the UK leaves the Union, which at the time of writing is set for spring 2019, the GDPR may no longer apply directly; that will depend on the choices the UK government makes during the exit process. However, the Data Protection Act 2018 is fully harmonised with the Regulation, so in practice it makes little difference.
Compared to the current rules, India's proposed Personal Data Protection Bill introduces several significant changes, including a prior consent requirement for the collection and processing of any personal data (not just sensitive data), the rights to access, correct, and port one's data, and the right to be forgotten.
The current rules only require telling your users why and how you collect data and obtaining their consent. For cookies, the new law is expected to add the rights to be forgotten and to correct and port personal data.
There are many different laws around the world and complying with all of them may seem intimidating. But it is not as hard as it looks.
As you will have noticed, the legal requirements often overlap, so if you comply with one law, you are likely to comply with many others at the same time.
The GDPR is the one that stands out. It requires an active opt-in, which many other countries do not. So how do you stay compliant with the GDPR for cookies without asking every visitor worldwide for consent to each data collection purpose?
You can show the opt-in banner only to visitors from the EU (or EEA) and present visitors from other countries with a banner tailored to their own laws, for example an opt-out notice where that is what the local law requires.
That way, you always show the right cookie banner to the right people. Bear in mind that geolocation by IP address is not exact, so when in doubt, default to the stricter opt-in banner.
Disclaimer: This website contains general information about legal matters. This article is for informational purposes only. The information is not advice, and should not be treated as such.