It seems that privacy on the web has never been so widely discussed.
Thanks in part to the Facebook and Cambridge Analytica saga, as well as the abundance of data breaches in recent years, the world is waking up to the dangers of how modern technology can erode our privacy.
The response to this state of affairs seems to be an increasing amount of new laws and regulations around the world aimed at codifying how companies and organizations should handle Internet users’ data.
A breakthrough in privacy issues has come in the form of GDPR, considered by many to be the new gold standard among data privacy regulations.
Researchers compiling the Global Convergence Of Data Privacy Standards And Laws report mention among the most important principles introduced by the law:
- Enabling DPAs to make binding decisions and issue administrative sanctions including fines
- The right to object to processing based on controller or public interests
- Data breach notification to DPA and to data subjects
- Stronger consent requirements
- Including biometric and/or genetic data in the definition of sensitive data
- Introducing Data Protection Officers (DPOs) as a mandatory role in an organization in case of certain types of personal data processing
It’s possible that we will see a kind of GDPR domino effect – in fact, it may already be happening. As one country adopts a GDPR-type framework, so do others: countries are implementing European-style privacy frameworks one after the other.
According to the study mentioned above, a number of GDPR standards have already been enacted by at least 10 countries.
This means that companies with a global presence must keep their ear to the ground and prepare to adapt to a wide range of regulations, often with different requirements and restrictions. That’s quite a hassle.
In this post, we’ve gathered the most important initiatives both upcoming and already in effect. The list includes:
- Vermont Act 171 of 2018 Data Broker Regulation
- California Consumer Privacy Act
- Brazilian General Data Protection Law (LGPD)
- India Personal Data Protection Bill
- Chile Privacy Bill Initiative
- New Zealand Privacy Bill
We’ll also present the real consequences they have for companies processing hundreds of thousands of pieces of user data on a daily basis – using analytical platforms, CRMs, emailing lists, and a host of other tools.
So let’s get down to it!
Vermont Act 171 of 2018 Data Broker Regulation (effective date: January 1, 2019)
The new law from this New England state aims to regulate the activities of data brokerage companies. Beginning in 2019, data brokers – businesses that aggregate and sell data on individuals they don’t have a direct relationship with – must register with the Vermont Secretary of State on an annual basis, comply with a long list of security requirements, and provide consumers with a way to opt out of the sale of their personal information.
It’s the first law of its kind in the US, and it may inspire other states to introduce similar solutions.
Under this new law, data brokers deal with brokered personal information. This means one or more of such data types as name, address, date of birth, place of birth, mother’s maiden name, unique biometric data, name or address of a member of the consumer’s immediate family or household, SSN or government issued ID, or other information that, alone or in combination with other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.
Brokered personal information (BPI) is a broad definition intended to cover a wide range of data, similar to that in GDPR. But it has limits:
- BPI must be computerized – information solely in paper form is not BPI
- The information must be organized, categorized, or prepared for use by third parties
- BPI doesn’t include publicly available information, to the extent that such information relates to a consumer’s business or profession.
For the purposes of data broker regulations, a consumer is defined as an individual residing in the state of Vermont.
The law introduces several approaches to ensuring the protection of consumers, including:
- Prohibiting the acquisition and use of data for fraudulent purposes
- Increasing transparency through registration and disclosure
- Providing for minimum information security requirements
Additionally, upon filing, a data broker must provide consumers with:
- The name, email and internet addresses of the data broker
- Information on how to opt out of first-party and third-party data collection
- Notice whether the data broker has implemented a purchaser credentialing process and if the business has experienced any security breaches within the last year as well as the number of individuals affected by the breach
Data belonging to minors is subject to additional restrictions.
For data brokers:
- Evaluate if the act applies in your case. Although Vermont is the second least populous state in the US, it’s still home to more than 600,000 residents. There is a good chance that there is information about some of them in your databases. Be sure to check this before you decide to ignore the obligations arising from the new act.
- Register yourself! From February 1, 2019 brokers are faced with penalties for each day of delay. So register your database as soon as possible.
- Develop an opt-out mechanism for consumers. Under the new law, you should provide consumers with a means of opting out of the sale of their data. This means that, among other things, you’ll need to come up with a mechanism for reliably identifying them as well as removing their records from all of your databases.
- Design a process for informing consumers about the data you collect on them. After all, this is a legal obligation under the act!
- Map all the data you hold, both to find any data about minors and to be able to report reliably on any breaches.
This law is especially interesting from the marketer’s perspective as it imposes certain obligations on businesses that engage in third-party data selling across the web; in other words, companies that collect and store data in Data Management Platforms (DMPs). When choosing a vendor, ask about compliance first if you plan to target Vermont-based customers.
However, companies that have to adjust their practices to GDPR requirements won’t gain much from the act, since the Vermont bill doesn’t impose an obligation to collect active consents from users whose data is being collected by brokers (as is demanded under the European regulation).
A data broker will be subject to a penalty of $50 for each day they fail to register, beginning February 1, 2019 (up to a maximum of $10,000 per year). The data broker will also be required to pay the $100 registration fee.
The same penalty applies to foreign corporations that fail to register their business.
California Consumer Privacy Act (effective date: January 1, 2020)
In a nutshell, CCPA will empower residents of California to know the types of personal information businesses collect about them, and give them the right to opt out of the sale of their personal data to other parties.
Many people believe that GDPR is the spiritual progenitor of the CCPA. There’s some truth in that, because they do share some characteristics. However, unlike the European law, CCPA is largely concerned with the sale of data, not the collection and processing of data as such.
The law applies to any business that collects the personal information of California residents and that either:
- has a gross annual revenue greater than or equal to $25 million
- buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices annually
- derives 50% or more of its annual revenue from selling the personal information of California residents
Considering that California is now the fifth-largest economy in the world, it would be no exaggeration to say that the law will affect virtually every midsize to enterprise-class business with a global presence.
The definition of personal data given in CCPA is quite broad, and it includes:
[I]nformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
What’s particularly important from the marketer’s standpoint is that the definition of personal information includes unique identifiers – many of them are the fuel that powers marketing activities:
“Unique identifier” means a persistent identifier that can be used to recognize a consumer or a device over time and across different services, including but not limited to, a device identifier; Internet Protocol address(es); cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.
It turns out that, just as in the case of GDPR, tracking cookies and other types of online identifiers are also covered by the regulation!
Under the new California law:
- Consumers have the right to obtain a record of the personal information companies have on them (from the last 12 months).
- People can request to have their data deleted or to stop the sale of their information. Businesses will be required to have a clear and conspicuous link on their website’s homepage titled Do Not Sell My Personal Information. The link would take users to a page where they can opt out of having their data sold or shared.
- California residents have a private right of action against a business whose failure to implement reasonable security results in the unauthorized access, theft or disclosure of their nonencrypted or nonredacted personal information (for instance, data that was stored unencrypted).
- There is a mandatory opt-in with regards to selling the personal data of minors (under 16 years old).
The new California law continues to stir controversy and many of its provisions will have to be clarified. However, 11 months is really not a lot of time, so it’s worth taking some steps to comply with its provisions.
There are a number of things you can start doing today. For instance, you could:
- Map your data – You’ll have to map every piece of personal information about customers your tools gather and make sure that the data is prepared for access, deletion, and portability requests from your clients. That may include checking if your marketing software vendors are up to the task and will help you fulfill these obligations.
- Check your third-party data sources – Under the CCPA, businesses must disclose the categories of sources from which they collect personal information, and a consumer’s opt-out from sale follows the data downstream. That’s why companies that buy customer data from third parties should always make sure it comes from a legitimate source and that the seller was entitled to sell it.
- Come up with a way for handling consumer requests – Under the CCPA, businesses must provide at least two methods by which consumers can make their requests. The link to those forms should be placed somewhere on your homepage, along with the text: Do Not Sell My Personal Information.
To make this task a bit easier, you might want to use some dedicated tool to automate things. There are a few solutions available on the market that simplify the process of collecting and handling GDPR data subject requests. Considering that those are almost identical to consumer requests under CCPA, these tools could be used for both purposes.
- Keep your ear to the ground – As we’ve said earlier, the California Consumer Privacy Act will probably evolve because of lobbying and some improvements to its current version. That’s why it’s extremely important to stay in the loop and see what the future will bring.
The new California law also imposes sanctions on businesses that fail to comply with its provisions. The fines include:
- in the case of a suit filed by consumers: $100 to $750 per consumer per incident (or actual damages, whichever is greater) in the case of data breaches or data theft if the data was not properly protected
- in the case of a suit by the State Attorney General: $2,500 per violation and up to $7,500 per intentional violation of privacy
Brazilian General Data Protection Law (LGPD) (effective date: Early 2020)
The Brazilian General Data Protection Law (LGPD) creates a new legal framework for the use of personal data in Brazil, both online and offline, in the private and public sectors. It’s important to note that the country already has more than 40 legal norms at the federal level that directly and indirectly deal with the protection of privacy and personal data.
The LGPD will replace and enhance these sectoral frameworks, which were sometimes in conflict with one another.
Like the European Union’s General Data Protection Regulation, the LGPD will have extraterritorial application. It means that the law will also affect every foreign company that offers services to the Brazilian market and collects and processes the personal data of data subjects located in Brazil.
Similarly to GDPR – the scope of personal data includes:
[A]ny data, isolated or aggregated to another, that may allow the identification of a natural person or subject them to a certain behavior (interpretation possible from an integrative reading of the text). In this time of big data, which allows the rapid correlation of large, structured and unstructured databases, virtually any data can eventually be considered personal, therefore subject to the law.
As we’ve mentioned before, LGPD shares many characteristics with GDPR. However, it approaches certain duties in a slightly different way. Let’s see the most important LGPD principles:
- 10 lawful grounds for processing data. Apart from GDPR’s six bases for lawful processing, the LGPD also lays out some additional, more specific bases. The Brazilian law introduces four new options, including the conducting of research studies, medical procedures, protection of credit and judicial proceedings.
- Consent. LGPD qualifies consent as a freely given, informed and unambiguous indication of the data subjects’ agreement for processing data as a general rule.
- Data subject rights and requests. LGPD introduces new rights for data subjects, such as right of access, right of data rectification, cancellation or exclusion, right to object to processing, right to revoke consent previously given, right of information and explanation regarding the use of data, and right of data portability. What’s particularly interesting is the fact that it establishes a relatively short timeframe for processing data subjects’ requests resulting from those rights (15 days vs one month under GDPR).
- Mandatory data breach notification. Data breach notifications to the data protection authority become mandatory, and must be made within a reasonable time frame (to be defined by the authority), rather than within the fixed 72 hours required under GDPR.
- DPO. Similarly to GDPR, LGPD also introduces the obligation to appoint a DPO (‘data protection officer’ as defined in Article 5). The present draft of the law indicates that any entity that processes data and falls under LGPD must appoint an officer to act as the channel of communication between the controller, the data subjects and the national data protection authority. However, it’s possible that the authority will establish complementary norms that shed more light on the matter.
- Privacy by design and by default. When designing services, products, and business models, you’ve got to adopt measures that guarantee privacy and data protection rights. The general principles of LGPD and safety standards should be observed from conception to execution of a product or service.
- 10 principles that should be observed in the processing of personal data, including:
- purpose limitation
- quality of data
- principle of accountability
If you already operate in compliance with GDPR, then you already meet the lion’s share of the obligations imposed by LGPD. However, there are important differences you’ll have to address, including a shorter time period for processing data subject requests and additional lawful bases for data processing. Nevertheless, it seems that in the case of LGPD, consent will also be the most suitable grounds for marketing and sales activities.
The sanctions include notices and fines that can go up to 2 percent of the company’s turnover in Brazil in the last fiscal year, limited in total to 50 million reals (approx. USD $13,305,657) per violation.
A daily fine can also be imposed to compel those in breach of the law to cease violations.
India Personal Data Protection Bill (effective date: Early 2020)
India’s new privacy law is one of the more controversial ones. Experts accuse the draft of many shortcomings and disputable clauses. One of the most important among them is that the bill allows the processing of personal data in the interests of the security of the state, if authorized. Also, it permits the processing of personal data for prevention, detection, investigation and prosecution of any offence or any other contravention of law. It poses an enormous threat to the right to privacy, considering the weak safeguards that exist in India against state surveillance.
The proposed bill applies to both government and private entities, even those not present within the territory but which:
- conduct business in India
- offer goods and services to data principals (the bill’s term for data subjects) in India
- conduct activities such as profiling of data subjects within the territory of India
The law defines personal data as:
[D]ata about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic […] of the identity of such person.
- Data collection limitation. Organizations will need to limit data collection to the minimum required for the purpose of processing.
- Consent. Companies will have to obtain the consent of the data principal before they start processing personal data. They’ll need explicit consent before processing any sensitive personal data (e.g. financial data, health data, biometric data, passwords). Valid consent will have to be freely given, detailed, specific, clear and easy to withdraw.
- Data subject rights and requests. Data principals will be granted the right to confirmation and access, the right to correction, the right to data portability and the right to be forgotten.
- Data transfer. What’s extremely important is the fact that an organization will need to store at least one copy of the personal data on a server or at a data center located in India. Also, the bill forbids organizations from transferring or storing sensitive personal data and critical personal data overseas.
Sensitive/critical information can only be stored in India! That means personal data revealing, related to, or constituting, as may be applicable, passwords, financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, or religious or political belief or affiliation.
To transfer personal data (other than sensitive personal data or critical personal data) outside India, an organization will have to adopt standard contractual clauses approved by the authority.
- DPO. Organizations involved in high-risk processing activities will be required to appoint a data protection officer. Moreover, organizations not present in India but falling under the scope of the law will be required to appoint a DPO who is based in India.
- Find out if the law applies to you. It’s highly probable, considering that the obligations identified in the draft bill will be applicable not only to data controllers and processors established in India, but also everyone conducting systematic activities there. And also remember the fact that India has the second biggest population on the planet.
- Prepare your data for access, portability, rectification and erasure requests.
- Establish proper grounds for data collection and develop a mechanism for acquiring consents if necessary.
- Consider appointing a DPO.
- Consider hosting data on servers within Indian territory, especially if you’re processing information classified as critical or sensitive personal data.
The draft bill includes both civil and criminal penalties. It establishes two categories of civil penalties:
- The first category permits penalties up to five crore rupees (approx. $730,000 USD) or two percent of the company’s gross revenue from the last financial year, whichever is higher.
- The second category includes penalties up to fifteen crore rupees (approximately $2.2M USD) or four percent of the company’s total gross revenue from the last financial year, whichever is higher.
Chile Privacy Bill Initiative
A law amending the Chilean Constitution was published on June 16, 2018. It establishes the protection of personal data as an autonomous constitutional right. Separately, a bill regulating the processing of personal data is making its way through Congress; below are the most important facts about it.
The bill regulates the processing of personal data performed by individuals and organizations, both public and private.
The application of the law excludes some scenarios, such as:
- processing of data performed by the media only in regards to exercise of the freedom of press, and
- processing of data performed by individuals in regards to their personal activity
However, it’s debatable whether the law will apply to foreign organizations that process the data of Chileans pursuant to established contracts.
The new law specifies the scope of personal data. The bill establishes that an identifiable individual is any person whose identity can be determined, directly or indirectly, by information combined with other data, in particular by an identifier, such as an ID number.
- Consent. The bill defines consent as free, specific, unequivocal, and informed. Additionally, consent should be manifested in a clear form and in an oral or written statement.
- Basis for data processing. The law establishes a new basis of legal processing of personal data, apart from the sole consent of the data subject.
It’s not mandatory to obtain the data subject’s consent if:
- data has been gathered from a source of public access
- processing of personal data includes data related to economic, financial, banking or commercial obligations
- processing of personal data is necessary for compliance with a legal obligation, or for the execution of an agreement which the data subject is a party to
- Confidentiality and mandatory notifications on data breaches. The law establishes the duties of information and transparency, the duty to report security breaches to the authorities and, in certain serious cases, to data subjects.
- The concept of sensitive data. The act regulates sensitive data and adds new categories to it, such as biometric data and data regarding biological human profiles. It also creates a new category of special data covering the data of children, data used for historical, statistical and scientific purposes, and geo-referencing data.
- Data subject rights. The new Chilean act grants data subjects the right of access, right of rectification, right of cancellation, right of portability, and a new right – the right to opposition. Under the new right, data subjects may object to a controller taking decisions that could negatively affect them.
- It regulates the sharing of data with third parties. The law distinguishes between the transfer of personal data and the disclosure of personal data. Transfer means the handing over of data from one controller to another, which needs special requirements to be met. Disclosure, in turn, involves making data known without transferring it over.
- New legal bodies dedicated to data privacy. The bill creates a Personal Data Protection Agency with the authority to monitor and punish violations of the law with fines, as well as a National Registry for Compliance and Penalties.
- Cross-border data transfer. For the first time, the bill regulates international transfers of personal data, specifying situations in which they are lawful, for example:
- whenever it’s performed to a person, entity or organization that is subject to a country’s legal order which provides an adequate level of data protection
- whenever it’s safeguarded by a contract or other legal instruments signed between the controller who transfers personal data and the one who receives it
- whenever the data subject grants written consent in order to perform a specific international data transfer
- Find out if the law applies to you
- Come up with a way to gather and process user consent in a lawful way
- Provide your visitors with an opportunity to exercise their new rights and make sure the marketing and analytics data you’re using will allow you to fetch their data from the databases
- Notify data protection authorities in case of any data breach
- In case you’re transferring user data to third parties – make sure that your arrangements fulfill the special requirements the law imposes on this kind of data processing
The bill classifies infringements as minor, serious, and gross. It determines penalties in the form of fines ranging from 1 to 5,000 UTM (between approximately USD $74 to USD $374,000 as of October 2017).
New Zealand Privacy Bill (effective date: July 2019)
New Zealand’s new Privacy Bill is set to replace the outdated Privacy Act passed 25 years ago, the New Zealand Herald reports. The new bill will implement recommendations issued by the Law Commission in 2011, and will also give more power to the Privacy Commissioner.
Unfortunately, the Bill doesn’t address its application to overseas businesses that collect data on New Zealanders. This may be something that the Select Committee will consider specifying.
Personal information is information about an identifiable, living person. Almost every person or organization that holds personal information is an agency. So, among other things the Privacy Act covers government departments, companies regardless of their size, and religious groups, as well as schools and clubs.
- Data breach notifications. If a breach of privacy reaches a defined threshold, an agency must notify both the affected individual and the Privacy Commissioner.
- More power in the hands of the Privacy Commissioner. The Commissioner’s investigative powers will be strengthened by:
- allowing them to shorten the timeframe in which an agency must comply with information requests
- enabling them to take any other action that they consider appropriate where a complaint is not resolved (including referring the matter for consideration by the Human Rights Tribunal)
- Compliance notices. The Privacy Commissioner will have the ability to issue compliance notices that require an agency to do something, or stop doing something, in order to comply with privacy laws.
- Sharing information with overseas enforcement agencies. The Commissioner will gain the power to share information with an overseas privacy enforcement authority to assist it with its functions, duties or powers, or to enable it to provide information to the Commissioner.
- Cross-border data flow protections. The Bill introduces a new prohibition on disclosing personal information overseas (to a person outside of New Zealand who is not subject to the regime), unless:
- the individual consents to the disclosure
- the overseas person is in a country with comparable privacy laws to New Zealand
- the agency believes the overseas person must protect the information in a comparable manner
- there is a permitted exception
The bill introduces new criminal offences. It will be an offence for a person to:
- make or give any false or misleading statements
- falsely represent that a person has authority under the Privacy Act
- impersonate or falsely pretend to be an individual for the purposes of obtaining access to an individual’s personal information
- knowingly destroy documents containing personal information that is the subject of a request
Any person that commits any of the above offences will be liable for a fine of up to $10,000.
As you can see, the new data privacy laws are a complex collection of quite different guidelines for the processing of your users’ information. It’s difficult to determine one single framework that would allow you to prepare for all of them.
However, there are several issues that come up in all of them. Perhaps, therefore, applying these principles in your marketing activities can make working in harmony with any subsequent regulation much easier. Below we list the most important common points of the rights in question:
Under many of the new laws, data breaches become very expensive. At the same time, websites now embed dozens, if not hundreds, of third-party elements in their code. The recent breaches at British Airways, Feedify and Ticketmaster show the real danger of this, especially for websites processing sensitive data like payment card details: in each case the attackers modified a script that the site loaded from somewhere else.
Since these components are hosted on external servers, you have no control over them and only limited means of detecting a breach that results from a malicious modification of their code.
If you work with SaaS vendors that rely on third-party scripts, your website’s security becomes as strong as the weakest link in your vendors’ ecosystem. To remove that potential weak link, it’s better to steer away from third-party scripts and move towards products hosted on your own infrastructure or in a private cloud.
One of the most frequently recurring demands of the new laws is that every website owner should collect informed, active, unambiguous, and granular consents before they start tracking personal data. And considering that online identifiers are included in the scope of personal data, this means that every company using cookies should adapt to those obligations. The wording from law to law may differ, but the sense behind it is almost the same.
In this situation, you should think of employing a mechanism to acquire, store, and manage records of consents and all possible data subject requests resulting from the fact that you process personal data.
One of the most popular ways to tackle these kinds of issues are consent managers.
In order to comply with such requests, your software vendor must meet certain technical requirements. Your users’ data should be stored in a way that ensures full accessibility and portability. This will let your visitors easily obtain, move, rectify, and transmit all the relevant information collected by your marketing tools.
And also, let’s not forget about the right to erasure. For these types of requests, the biggest challenge is to remove the user’s data from backups. Unfortunately, this type of data is usually stored in a compressed form, so restoring it can be an extremely time-consuming and resource-intensive procedure. Nonetheless, your vendor should aid you in following the law.
The most crucial upcoming change under many of the new laws is that consumers will be asked for consent for the use of their personal data by third parties. Considering that users will be under no obligation to do so, it’s rather unlikely that anyone would be interested in ticking that kind of box.
This statement is not only based on common sense, but it’s backed up by facts. In a 2017 survey conducted by PageFair, the vast majority (81%) of respondents said they would not consent to having their behavior tracked by companies other than the website they were visiting. Sounds pretty serious, right?
All that will make gathering and using third-party data extremely troublesome. So you might start thinking that it’s a good idea to modify your marketing strategy to use primarily first-party data.
If you want to use data about your visitors without collecting consents, you need to make sure that the data is REALLY anonymized, which won’t be the case with Google Analytics. Otherwise, you expose yourself to severe fines and penalties – you know the drill.
Fortunately, there are some tools on the market that are up to the task. Analytics platforms featuring anonymous data collection, such as Piwik PRO, offer a middle way instead of an all-or-nothing choice based on consent.
Also, don’t forget that the regulations discussed here are only part of the bigger data privacy law ecosystem. Some countries – for example Australia – have had their regulations in place for more than 30 years! If your company has a global presence, you must keep all of them in mind.
We hope that you have gained a better idea of what’s happening in the field of privacy around the world. However, we’re aware that we haven’t managed to describe all the existing regulations on personal data. Certainly we’ll come back to this topic in future blog posts.
We can assure you that as a conscientious software provider we make sure that our solutions help our clients adapt to laws around the globe. If you want to know how our products address the requirements of the new regulations we’ve described in this article – don’t hesitate to write to us. Our specialists will gladly answer all of your questions.