Rest of The World

The two pieces of regulation everyone wants to talk about are GDPR and CCPA, but data privacy laws are in various stages of development all over the world. That includes the United States. Maine, Rhode Island, and Nevada have already enacted privacy laws of their own (narrower than California's), and states from New York to Washington currently have bills under construction. There is also significant pressure from both citizens and businesses to enact sweeping federal-level legislation, something you can read more about here.

On the world stage, numerous other countries have, or will soon have, digital privacy laws. In Canada, the long-standing PIPEDA was strengthened by Bill S-4 (the Digital Privacy Act), which focuses on privacy in the digital sphere. In Australia, the Privacy Act 1988 has been strengthened by two digital-focused amendments, in 2013 and 2017. Other countries that have recently updated their legislation, or have legislation coming soon, include:

  • Brazil (LGPD)
  • South Africa (POPI)
  • India (PDPB)
  • Japan (APPI)

The company DLA Piper keeps a useful heat map of privacy regulation by region here.

CCPA (California Consumer Privacy Act)

In a nutshell, the CCPA is the state of California's comprehensive privacy law. It marks a milestone in US privacy regulation in the same way that GDPR did for Europe. The CCPA is not the first state privacy law in the country; Maine, Nevada, and Rhode Island have already enacted modern privacy reforms. It is, however, the most comprehensive. And given the size of California's economy, roughly one-seventh of the whole country's, it is the most far-reaching to date.

The CCPA is most often described in direct comparison to GDPR. While its spirit is similar, understanding the ways it deviates from its predecessor is a key business concern for many companies. There are lots of small but crucial distinctions. They range from who is protected ("data subjects" under GDPR vs "consumers" under CCPA) to the rights bestowed (for instance, the CCPA has no equivalent of GDPR's Right to Object, but it does mandate that businesses selling personal information place a "Do Not Sell My Personal Information" link on their consumer-facing sites).

Observers tend to agree that the CCPA is not quite as far-reaching as GDPR in most cases. However, it is impossible to know how that will look in practice until enforcement begins: the Act takes effect on January 1, 2020, and enforcement by the California Attorney General starts on July 1, 2020. If you want to dive into the details of what the CCPA covers and how it differs from GDPR, there is an excellent guide here.

GDPR (General Data Protection Regulation)

In a nutshell, the GDPR is a European Union regulation that outlines how companies, governments and other data controllers and processors must manage people's data. It probably applies to you if you are established in the EU, or if you offer goods or services to, or monitor the behaviour of, people located in the EU. Note that it hinges on where the data subject is, not on their citizenship.

The GDPR grants individuals (who it calls data subjects) the right to find out whether their data is being processed, obtain a copy of that data, and have any inaccuracies in it corrected. The process by which someone can request this information is called a Data Subject Access Request (DSAR), and businesses subject to GDPR need a system in place to handle these within the one-month deadline the regulation sets (extendable by a further two months for complex or numerous requests).

There are a couple of other important powers the GDPR bestows. It lets individuals have their data erased (the Right to Erasure, also known as the Right to be Forgotten), and it lets them restrict a controller from processing it (the Right to Restriction of Processing). It also requires controllers to have a lawful basis for every processing activity; consent is one such basis, and where it is relied on it must be freely given, specific, informed and unambiguous, with explicit consent required for sensitive categories such as health or biometric data. The last major pillar of GDPR concerns organizational practices. It sets out rules for how to collect and store data, and it contains rules for responding to a data breach, including notifying the supervisory authority within 72 hours of becoming aware of it. Violations of GDPR are serious business: EU regulators can fine rule-breaking controllers and processors up to 4% of global annual turnover or €20 million, whichever is higher. That's a lot! For a more detailed explainer of the GDPR and its implications for business, check out this lucid Wall Street Journal explainer.