Not so long ago, on-premise data centers meant that data privacy compliance was reasonably straightforward. With data increasingly moving to the cloud, however, concerns about control, sovereignty, and privacy are coming to the forefront.
Today, it’s almost impossible to live online without disclosing personal information. Visiting most websites and using most apps leaves behind a goldmine for data analysis firms to sift through on behalf of their corporate clients. Tools like AI and machine learning can be leveraged to reveal a lot of sensitive information about a person: location, interests, health status, political views, and more. Such advancements have left people worried about the potential misuse of their personal data by corporations, governments, and malicious actors.
Because of these concerns, many nations are looking to improve or are in the process of creating data privacy laws. These laws are meant to protect and more effectively control the personal data of their citizens.
GDPR: a model for data privacy laws
Among the most significant international data privacy laws is the European Union’s GDPR (General Data Protection Regulation), which went into effect in 2018. Any organization — regardless of where it’s headquartered — that targets or collects data from people and businesses in EU member nations must comply with the law. The GDPR became the guiding light for many subsequent data privacy laws globally. Today, more than 100 countries worldwide have enacted their own data privacy laws that address the fundamental right to privacy for an individual.
The state of data privacy in the U.S.
The United States still does not have a national data privacy law. However, the American Data and Privacy Protection Act (ADPPA) could soon be codified into law to become the first federal data privacy law in the US that protects individual privacy rights.
Meanwhile, a growing number of states in the U.S. have enacted their own data privacy laws. California leads the pack with the California Consumer Privacy Act (CCPA) that went into effect in 2018. It’s arguably the strongest privacy law in the United States, with states like Virginia and Colorado close on its heels.
Here is a list of the new state data privacy statutes scheduled to go into effect in 2023:
- The California Privacy Rights Act (CPRA) expands upon the CCPA to include the right to restrict the use of personal data, the right to correction, the right to access, and the right to opt out. The CPRA established a new enforcement agency, the California Privacy Protection Agency (CPPA), as the primary body responsible for enforcing data privacy rights of Californians.
- The Virginia Consumer Data Privacy Act (VCDPA) was enacted on January 1, 2023. It affects both government and non-government organizations that control and process specific quantities of personal data.
- The Colorado Privacy Act (CPA) is scheduled to go into effect on July 1, 2023, providing Colorado residents the right to opt out of the processing of personal data for targeted advertising or the sale of such personal data.
- The Connecticut Data Privacy Act (CDPA) will go into effect on July 1, 2023. It gives Connecticut consumers choices regarding the personal data collected about them by companies that do business in the state.
- The Utah Consumer Privacy Act (UCPA) becomes effective on December 31, 2023. It takes a more business-friendly approach to consumer privacy and applies only to companies with annual revenue of at least $25 million. Its mandates are less stringent: for example, it does not require data protection assessments for certain types of processing activities.
Last year, legislators in nearly 30 other states contemplated bills offering varying degrees of consumer privacy protection. Some of them may be reintroduced in 2023 legislative sessions along with other new bills in the works.
Data privacy laws from around the world
- The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law of Canada that governs how private sector organizations collect, use, and disclose personal information in the course of commercial business.
- Bill C-27, the Digital Charter Implementation Act, was introduced by the Canadian federal government in June of 2022. It contains three proposed acts, which relate to consumer privacy, data protection, and AI systems. The proposed acts are The Consumer Privacy Protection Act (CPPA), The Personal Information and Data Protection Tribunal Act (PIDPTA), and The Artificial Intelligence and Data Act (AIDA).
- The Personal Information Protection Law (PIPL) is China’s first comprehensive law designed to regulate online data and protect the personal information of Chinese consumers. It went into effect in November of 2021. The PIPL requires consent as its principal basis for data collection and handling, restricts cross-border data transfers, and imposes strict revenue-based fines for non-compliance.
- The General Data Protection Law or the Lei Geral de Proteção de Dados Pessoais (LGPD) came into effect in August of 2020 in Brazil. It creates a legal framework for the use of the personal data of individuals in Brazil, regardless of where the data processor is located.
- The Protection of Personal Information Act (POPIA) is South Africa’s data privacy law aimed at safeguarding the personally identifiable information (PII) of South African citizens.
The future of data privacy
As the reality of hefty fines and penalties for violating data privacy legislation hits closer, companies will be investing more time and resources to establish robust internal compliance programs.
Governments and legislative bodies will press jointly for stronger enforcement of existing laws such as the GDPR and CCPA. In 2023, expect more emerging data privacy laws addressing privacy concerns arising from data collected by Internet of Things (IoT) devices and other connected devices. As individuals become more aware of the dangers of misuse of their personal data, how a business handles and processes that data will affect their trust in it and, in turn, its profits.
To win user confidence and to manage business reputation and compliance, companies will need to invest more in privacy-enhancing technologies (PETs) where user insights take precedence over user identity.
Google’s Privacy Sandbox initiative limits sharing of user data with third parties and operates without cross-app identifiers to create technologies that protect people’s privacy online while giving companies tools to build profitable businesses. Companies like DSpark aggregate and anonymize highly sensitive personal mobility data, converting it into insights on shoppers’ demographics and behaviors, the number of unique visitors, total footfalls, and more. DSpark markets this data without selling or transferring sensitive personal data.
All things considered, data privacy is a global concern. Since many companies operate across borders, we may see nations collaborating for over-arching data privacy legislation covering all nations, businesses, and people.
The protection of citizens’ personal data is a huge concern for governments around the globe. Laws are being formalized to control the kinds of personal data that can be collected, and how it can be used, stored, and shared. Compliance with global data privacy laws is obligatory for every business, not only because of the financial liabilities that non-compliance can bring, such as expensive lawsuits and hefty fines, but also because it is a matter of trust: consumers who share their personal data expect it to remain private.
Sophos solutions offer multiple ways to ensure that personal data remains safe, putting organizations a step ahead when it comes to meeting regulatory requirements. Take a look at our compliance solutions section to learn more.