Data Privacy Laws: What You Need to Know in 2023

Posted by Mike Farrell


Today, over 5 billion people around the world use the internet, according to an article by datareportal.com.1 This means that a nearly unquantifiable amount of data is generated each day. Much of that data is sensitive and can leave businesses, and therefore consumers, vulnerable if leaked. Those who perpetrate cyber attacks have ample opportunity to ply their trade on unsuspecting consumers and companies. In fact, a University of Maryland study found that, on average, hackers attack internet-connected computers every 39 seconds.2

What can businesses do about this ever-growing problem to protect their own data as well as the data of consumers?

Data privacy policies and tools can be very powerful forces in combating data breaches and leaks. In this article, we will discuss what data privacy is, different types of data privacy, principles of data protection, and various topics regarding data privacy laws. Last, but certainly not least, this article will also cover consequences of not complying with data privacy laws.


What Is Data Privacy?

An article by the Storage Networking Industry Association defines data privacy as "the proper handling of sensitive data including...personal data but also other confidential data, such as certain financial data and intellectual property data, to meet regulatory requirements as well as protecting the confidentiality and immutability of the data."3

In short, data privacy is the set of standard data-management practices that businesses must follow to meet regulations or policies set by governments or organizations.

Types Of Data Privacy

Below we have listed a few types of data privacy to consider:

Information Privacy

Businesses and organizations often collect consumer data or information, such as a date of birth, insurance details, or an email address. Often this type of data helps drive a business process and/or makes life more convenient for the consumer.

Communication Privacy

Communication privacy refers to the standard practices involved in protecting communication-based information. For example, many consumers take advantage of telehealth options such as Teladoc for simple colds or sinus infections. During these visits, the patient must communicate with the doctor, and these communications should be protected under communication privacy regulations.

Individual Privacy

Individual privacy generally deals with information about a person's behavior, location, or circumstances. An example would be turning on a location service on your mobile device. Mobile location services require a company to access your location via the GPS in your device, which means the company is accessing your individual data and therefore storing it for use in its own processes.


Principles Of Data Protection

While data privacy typically deals with who has access to data, data protection defines the tools and policies that restrict access to it. In other words, data privacy is the "who" and data protection is the "how." There are several key principles of data protection that are important to understand.

Lawfulness, Fairness, And Transparency

This principle states that personal data should be handled lawfully, fairly, and in a transparent manner. Essentially, data processing should follow the regulations set out by governments while also giving the consumer transparency about what data is being collected and when.

Purpose Limitation

Purpose limitation limits undue collection of data. Businesses and organizations can only collect data from consumers for a clearly defined purpose under this data protection principle.

Data Minimization

Similar to purpose limitation, the principle of data minimization is about limiting exposure to attack by limiting the data an organization can and should collect. Data minimization states that only the smallest amount of data necessary should be collected: data that was never collected cannot be leaked.

Accuracy

Simply put, the data protection principle of accuracy states that organizations should ensure the data collected and stored in their systems is accurate and up to date. This means an organization should make every reasonable effort to correct or delete inaccurate information in its systems, in addition to ensuring the data is accurate when collected.

Storage Limitation

The principle of storage limitation states that information should not be stored longer than absolutely necessary. If an organization decides that information should be archived longer than its systems and processes are actively using it, it must document an acceptable reason and define a retention period.

Integrity And Confidentiality

This principle deals with companies setting up proper measures to protect consumer data and personal information. In other words, organizations must be proactive in putting safeguards in place for personal information.

Accountability

The principle of accountability establishes that an organization should take full ownership of safeguarding consumer data and personal information. In addition, this principle states that companies must be able to maintain proof of the steps they have taken to establish compliance with data protection regulations.


What Are Data Privacy Laws?

Data privacy laws are pieces of legislation set forth by governments to "regulate how information is collected, how data subjects are informed, and what control a data subject has over [their] information once it is transferred," according to an article by Osano.4

Who Regulates Them?

Data privacy laws are regulated by whichever governing body puts them in place. For instance, some states are moving faster than other states and the federal government to enact data privacy laws. The State of California is a good example of a government that has moved quickly on privacy laws, and privacy laws specific to California are regulated by that state.

Why Are Data Privacy Laws Important?

Data privacy laws are important because they seek to give some power back to the individual or consumer. These laws give consumers rights to control their data and also punish organizations that handle consumer data carelessly.

The Basics Of Data Privacy Laws In The U.S.

CCPA

  • What Does It Entail? - The California Consumer Privacy Act (CCPA) establishes essential definitions of individual rights for consumers. In addition, it defines the fines or duties that can be imposed on organizations that infringe on these rights. Topics covered include informing data subjects about when and how their data is used, as well as providing individuals access to their data.
  • Who Must Comply? - According to the California attorney general's website, "for-profit businesses that have a gross annual revenue of over $25 million and/or buy, receive, or sell personal information of 50,000 or more California residents, households, or devices."


CPRA

  • What Does It Entail? - The California Privacy Rights Act (CPRA) expanded on the rights laid out by the CCPA by adding the right to correct inaccurate personal information and the right to limit the use of personal information, and it also updated the definition of personal information.
  • Who Must Comply? - An organization must comply with the CPRA if it earned $25 million in gross revenue in the previous calendar year, processes the data of more than 100,000 consumers, and/or earns more than 50% of its revenue from the sale of personal information.

VCDPA

  • What Does It Entail? - Virginia's Consumer Data Protection Act (VCDPA) requires organizations to obtain consent before processing sensitive data, to inform consumers when their data will be sold, and to allow them to decline or opt out. There is also a requirement to provide consumers with a clear privacy notice.
  • Who Must Comply? - Organizations that handle the personal data of 100,000 or more individuals, or that handle the personal data of 25,000 or more individuals and earn 50% of their revenue by selling personal information.


CPA

  • What Does It Entail? - The Colorado Privacy Act (CPA) covers 5 rights for Colorado residents:
    • The right to opt out of targeted ads
    • The right to access the data a company has collected about them
    • The right to correct the data that has been collected
    • The right to request that their data be deleted
    • The right to move their data to another company
  • Who Must Comply? - According to the Colorado Attorney General's site, "the law applies to entities, including nonprofits, that conduct business in Colorado or deliver commercial products or services targeted to residents of Colorado:
    • Process the personal data of more than 100,000 individuals in any calendar year
    • Derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals."

Data Broker Privacy Laws

  • What Does It Entail? - These laws define what a data broker is and lay out protections for consumer and individual data handled by data brokers. Most notably, data brokers typically have to register with a government body.
  • Who Must Comply? - A data broker operating within the jurisdiction of a government that has established data broker privacy laws must comply with those laws. A data broker is defined as a business that knowingly collects and sells data to third parties.

ISPs

  • What Does It Entail? - An ISP, or Internet Service Provider, is an organization that provides internet access to both personal and business customers. These companies are typically subject to their own set of regulations regarding data privacy and protection.
  • Who Must Comply? - Compliance requirements vary under the different ISP regulations and laws, but typically any company providing internet service within the jurisdiction of the regulating body must comply.

Children’s Online Privacy Data

  • What Does It Entail? - The Children's Online Privacy Protection Rule (COPPA) sets requirements for websites and online services that deal with children under the age of 13. The rule requires organizations to provide notice and obtain parental consent before collecting information from children, to have a clearly communicated privacy policy, and to keep children's information confidential.
  • Who Must Comply? - Any site or organization with an online presence that deals with children under the age of 13 or knowingly collects the data of children under the age of 13. This is a federal law, so it applies to organizations across the nation.

E-Reader Privacy

  • What Does It Entail? - These regulations protect the consumer data of e-reader users who purchase reading material from an online seller. They can also protect e-reader users who use online library services.
  • Who Must Comply? - Anyone who provides e-reading services that require collecting consumer data must comply with these regulations if they operate within the jurisdiction of the regulating body.

Data Privacy Laws In Other Countries

Data privacy issues are not something that only the United States is wrestling with. Other countries have enacted their own laws and regulations.


Europe

  • GDPR - The EU's General Data Protection Regulation imposes obligations on companies and organizations anywhere in the world that collect the data of individuals who are in the European Union.
  • DSA - The Digital Services Act covers a large category of online services, including online marketplaces, social networks, app stores, and more. This legislation seeks to create a safer digital space and establish a level playing field within the European digital market.
  • Digital Markets Act - This regulation does some heavy lifting to define roles within the digital space while also laying out obligations for those specific roles. For example, the act defines regulations that affect "gatekeepers." Gatekeepers are defined as "having a significant impact on the EU's internal marketplace, providing a core platform service which is an important gateway for business users to reach end users, and enjoying an entrenched and durable position in its operations," according to an article by JD Supra.5
  • AI Act - The Artificial Intelligence Act is the first major attempt at regulating AI. The law defines artificial intelligence and lays out categories of risk associated with the implementation of AI, and it bans or regulates each defined risk category. The categories are:
    • Unacceptable Risk
    • High-Risk
    • Unassigned


Brazil

  • LGPD - The Brazilian General Data Protection Law regulates the handling of data belonging to individuals residing in Brazil. It applies to companies that are not located in Brazil if they handle the data of consumers or individuals who live in the country, and it levies heavy fines against non-compliant organizations.

Is There Any Consequence For Not Complying With Data Privacy Laws?

Most of the laws, acts, and regulations mentioned in this article lay out clear consequences for non-compliance. Generally, the consequences are monetary and can range from a percentage of a company's annual revenue to a set rate based on an annual revenue tier.

In addition, some companies can be ordered to cease operation within a regulator's jurisdiction.

Data Privacy Pride

Although hackers and other ill-intentioned individuals are actively trying to access and misuse the sensitive data collected by businesses and organizations, governments are actively enacting regulations to protect that data. In addition, data breaches can massively damage public perception of a company and hurt its overall market share and revenue.

The issue of data privacy will only become more important as our society grows more reliant on online solutions, so it is essential for consumers to understand their rights.


Sources:

  1. Digital around the world. DataReportal – Global Digital Insights. (n.d.). Retrieved from https://datareportal.com/global-digital-overview
  2. Study: Hackers attack every 39 seconds. A. James Clark School of Engineering, University of Maryland. (n.d.). Retrieved from https://eng.umd.edu/news/story/study-hackers-attack-every-39-seconds
  3. What is data privacy? SNIA. (n.d.). Retrieved from https://www.snia.org/education/what-is-data-privacy
  4. Staff, O. (2022, September 20). Data privacy laws: What you need to know in 2022. Osano. Retrieved from https://www.osano.com/articles/data-privacy-laws
  5. The EU Digital Markets Act – the holy grail of big tech regulation? JD Supra. (n.d.). Retrieved from https://www.jdsupra.com/legalnews/the-eu-digital-markets-act-the-holy-5056954/