17 new privacy laws around the world and how they’ll affect your analytics

It seems that privacy on the web has never been so widely discussed. The abundance of data breaches and controversies around Big Tech giants made us realize how modern technology can erode our privacy. The response to this is the growing number of new laws that regulate how companies and organizations should handle users’ data.

Read our recap to learn more about and prepare for 17 new and upcoming data privacy laws from around the world.

Chapters

Chapter 1

Introduction: GDPR – a ray of light in dark times

Chapter 2

California Privacy Rights Act (CPRA)

Chapter 3

Virginia Consumer Data Protection Act (CDPA)

Chapter 4

Canada’s Consumer Privacy Protection Act (CPPA)

Chapter 5

New Zealand Privacy Act

Chapter 6

Brazilian General Data Protection Law (LGPD)

Chapter 7

Singapore’s Personal Data Protection Act (PDPA)

Chapter 8

Thailand’s Personal Data Protection Act 2019 (PDPA)

Chapter 9

ePrivacy Regulation

Chapter 10

German Telecommunications and Telemedia Data Protection Act (TTDSG)

Chapter 11

China’s Personal Information Protection Law (PIPL)

Chapter 12

Switzerland’s new Federal Act on Data Protection (nFADP)

Chapter 13

South Korea’s Personal Information Protection Act (PIPA)

Chapter 14

Saudi Arabia’s Personal Data Protection Law (PDPL)

Chapter 15

India's Digital Personal Data Protection (DPDP) Act

Chapter 16

Colorado Privacy Act (CPA)

Chapter 17

Utah Consumer Privacy Act (UCPA)

Chapter 18

Connecticut Data Privacy Act (CTDPA)

Chapter 19

How to prepare for these regulations globally?

Chapter 1

Introduction: GDPR – a ray of light in dark times

Learn about the impact the EU's General Data Protection Regulation (GDPR) had on privacy frameworks all over the world

GDPR was a breakthrough in data privacy – the new golden standard among data protection regulations. Here are the most important principles GDPR introduced according to the report “Global convergence of data privacy standards and laws”:

  • Enabling data protection authorities (DPAs) to make binding decisions and issue administrative sanctions, including fines
  • The right to object to processing based on the controller’s or public interests
  • An obligation to notify DPAs and data subjects about data breach
  • Stronger consent requirements
  • Including biometric and/or genetic data in the definition of sensitive data
  • Introducing data protection officers (DPOs) as a mandatory role in organizations that process personal data

Learn more about GDPR requirements from our blog.

We’ve been seeing a “GDPR domino effect” – countries are implementing GDPR-style privacy frameworks one at a time. 

New data privacy laws are having an undeniable impact on business – both locally and globally. Companies with an international presence must now adapt to a wide range of regulations, often with different requirements and restrictions. 

To help you in this quest, we’ve gathered details about new privacy laws from around the world. We’ll present the practical effect they’ll have on companies that use analytics and marketing platforms, such as CRMs, customer data platforms, or web analytics.

Chapter 2

California Privacy Rights Act (CPRA)

The shift in California privacy legislation began with the passing of the California Consumer Privacy Act (CCPA) in June 2018. The CCPA went into effect on January 1, 2020, giving residents of California the right to know the types of personal information businesses collect about them and to object to the sale of their personal data to other parties. The California Privacy Rights Act (CPRA) is a ballot initiative that was approved by California voters on November 3, 2020. The CPRA significantly amends and expands the CCPA, updating, modifying, and extending certain rules and stipulations to expand the rights of California consumers.

Effective date: January 1, 2023

The first set of CPRA regulations was finalized on March 29, 2023, instead of the initial deadline of July 1, 2022. The regulations can only be enforced 12 months after the implementation date. As a result, enforcement of CPRA regulations was pushed back from July 1, 2023, to March 29, 2024.

The scope

The CPRA modifies the scope outlined by the CCPA. 

Namely, CPRA applies to a company that operates for profit and processes the personal information of California residents if it:

  • Has a gross annual revenue greater than or equal to $25 million
  • Obtains information of 100,000 or more California residents/households or devices annually
  • Generates at least 50% of its annual revenue from selling or sharing the information of California residents

Increasing the threshold from 50,000 California residents in the CCPA to 100,000 may reduce the number of businesses that fall under the law. But including “sharing” in the provision on generating 50% or more revenue from selling personal information can potentially increase the number of organizations that the law applies to.

How it defines personal information

The definition of personal data aligns with that in the CCPA and is quite broad. It covers:

“[I]nformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The definition of personal information includes unique identifiers – many of which are the fuel that powers marketing activities:

“Unique identifier” means a persistent identifier that can be used to recognize a consumer or a device over time and across different services, including but not limited to, a device identifier; Internet Protocol address(es); cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.

This means that, just as in the case of GDPR, tracking cookies and other types of online identifiers are also covered by the regulation!

How it defines sensitive personal information

The CPRA provides a new category of data – specifically, sensitive personal information (SPI). Such data requires appropriate security measures, and consumers have the right to request that organizations limit the use of their SPI.

Sensitive personal information can include:

  • Social Security Number
  • Driver’s license
  • State identification card
  • Passport number
  • Financial account information and log-in credentials
  • Debit card or credit card number and access codes
  • Precise geolocation data
  • Religious or philosophical beliefs
  • Ethnic origin
  • Contents of communication
  • Genetic data
  • Biometric information for the purposes of identification
  • Health information
  • Information about sex or sexual orientation

Key responsibilities under the CPRA

Take measures to protect the data of minors

There is a mandatory opt-in for selling the personal data of minors (under 16 years old). Businesses also must wait 12 months before asking a minor consumer for consent to sell or share their personal information after the minor has declined.

Map your data processes

Make sure you know what kinds of personal information you collect and that the data is prepared for access, deletion and portability requests from your clients. 

Consumers have the right to:

  • Obtain a record of the personal information companies have on them (from the last 12 months and, under certain circumstances, also from beyond the 12-month period)
  • Request that a business transfer specific personal information to another entity
  • Request to have their data deleted
  • Request the companies to stop the sale or sharing of their information
  • Be informed about the length of data retention

The CPRA introduces additional consumer privacy rights that didn’t appear in the CCPA, namely:

  • The right to request that a business correct any inaccurate personal information
  • The right to access information about automated decision-making (such as profiling) and opt out of it

Importantly, a business can’t discriminate against consumers who have decided to exercise their rights.

Check your third-party data sources

Under the CCPA, operating on stolen or breached data is an offense. Companies that buy customer data from third parties should always make sure that it comes from a legitimate source. 

On a consumer’s request, businesses need to send the deletion request to third parties that have bought or received the consumer’s personal information.

Come up with a way for handling consumer requests

Provide users with at least two methods for placing requests. A link to those forms should be placed prominently on your homepage, along with the text “Do Not Sell My Personal Information”.

Update your data privacy policy

The CCPA already required a granular, GDPR-like approach to the privacy policy.

Your privacy policy should include a description of consumers’ rights as described above, the types of personal data you gather, how you collect it, where you use it, and with what third parties you share it.

The CPRA expands on the disclosure requirements and obligates you to:

  • Disclose whether collected information will be sold or shared
  • Identify the sensitive personal information that you will collect
  • Either disclose the length of time you’ll retain information or the criteria used to determine it
  • Disclose if you don’t collect information by conspicuous notice

Take appropriate security measures to protect data

Under CPRA, any business that collects consumers’ personal information is obligated to:

“[…] implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.”

California residents have the right to sue companies that use their data if it was stolen or disclosed in a data breach. In addition, they can also sue companies that neglected the safety of their data (for instance, by failing to encrypt it).

The new law also introduces an exclusive agency for interpreting and regulating the law – the California Privacy Protection Agency (CPPA). It will provide guidance on the enforcement of the CPRA and have powers to investigate violations, conduct hearings and assign liability to covered entities for violations. Crucially, the CPPA will be the first US-based regulatory authority exclusively focused on data privacy issues.

Penalties

The California law also imposes sanctions on businesses that fail to comply with its provisions. The fines include:

  • In the case of a suit filed by consumers: $100-750 (or the cost of actual damages, whichever is higher) per resident and incident in the case of data breaches or data theft if data was not properly protected.
  • In the case of a suit by the State Attorney General: $2,500 per unintentional violation and up to $7,500 per intentional violation of privacy. In cases involving minors, the maximum fine is $7,500 for both intentional and unintentional violations.

With the CPRA, there is no 30-day period for businesses to remedy the violation once they’re informed of noncompliance, as is the case under CCPA.

pro tip

How Piwik PRO Analytics Suite helps you comply with CPRA:

  • Get full control over collected data
  • Quickly set up banners to inform visitors about the collection of their data and give them a way to opt out and send data requests
  • Collect and process user requests using Piwik PRO Consent Manager

Chapter 3

Virginia Consumer Data Protection Act (CDPA)

Virginia’s Consumer Data Protection Act (CDPA) was adopted on March 2, 2021, making Virginia the second state to enact a comprehensive data privacy law after California’s CPRA. It gives Virginia residents more control over how companies use and sell their data. CDPA is a so-called “opt-out law”, which means that under the act consumers need to take action to object to the collection of their data.

Effective date: January 1, 2023

Who is affected by the law?

The law applies to every company that does business in Virginia, offers products or services to Virginia residents and:

  • Controls or processes the personal data of at least 100,000 consumers during a calendar year
  • Controls or processes the personal data of at least 25,000 consumers and makes at least 50% of its gross revenue from the sale of personal data

What’s interesting is that even large businesses won’t be subject to the law if they don’t fall within one of these two categories. 

The law also doesn’t cover:

The key notions of CDPA also impact the scope of the law. According to the act:

  • “Consumer” – is “a natural person who is a resident of the Commonwealth acting only in an individual or household context”, which means that the law doesn’t cover, for example, employee data.
  • “Sale of personal information” – is “the exchange of personal data for monetary consideration by the controller to a third party”, which means that exchanging user data for non-monetary goods won’t qualify as a sale of data.

How does CDPA define personal data?

Personal data is “any information that is linked to or reasonably linkable to an identified or identifiable natural person”. The law doesn’t provide more guidelines on what’s “reasonably linkable” data. This indicates that the law covers all types of identifiable data about an individual, including online identifiers such as cookies or user IDs.

However, CDPA excludes from the scope of personal data:

  • Data about employees
  • De-identified data 
  • Publicly available information

What is publicly available data according to CDPA

CDPA defines publicly available data as any data that was lawfully published through media by the consumer or a person to whom they have disclosed this information. This could mean that the information disclosed e.g. via social media profiles will be considered publicly available under CDPA.

What is sensitive data

CDPA establishes a special category of personal data that qualifies as sensitive data. It includes but is not limited to:

  • Data about racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status
  • Genetic or biometric data that allows identifying an individual
  • Personal data of a child
  • Precise geolocation data

Processing this kind of information involves different privacy obligations, including the user’s active opt-in. We’ll talk about it later on.

Your key responsibilities under CDPA

Respect consumers’ rights

The CDPA provides consumers with six key rights:

  • Right to access – Upon consumers’ request, you must disclose what information you have collected on them.
  • Right to correct – Upon consumers’ request, you must rectify the information you have collected on them.
  • Right to delete – Upon consumers’ request, you must get rid of all the information you have collected on them.
  • Right to data portability – Upon consumers’ request, you must provide consumers with a copy of the data you have collected on them. The copy should be in a portable and readily usable format. This should allow consumers to e.g., easily transfer their data to different institutions and companies.
  • Right to appeal – Under CDPA, you have 45 days to process consumer requests. If necessary, you can prolong it by another 45 days, but you need to inform consumers about this fact within the initial response window. If you don’t meet these deadlines, consumers have a right to submit a complaint about your negligence to the attorney general.
  • Right to opt out – This means you need to respect consumers’ decision to object to the collection of their data for, e.g., targeted advertising, the sale of their data or profiling. You should provide them with an easy way to exercise this right, e.g., by placing an opt-out widget on your website.

This rule has one important exception. If you want to work on data that falls into the category of sensitive information, you need the user’s active consent for it. In that case, you need to apply consent mechanisms similar to the ones required by GDPR or LGPD. To read more about good practices for collecting consents, be sure to read this guide.

Describe your data processing methods in your privacy policy

The law requires you to be transparent about how you collect, process and disclose consumers’ data. In your privacy policy, you need to provide your website visitors with the details on:

  • The categories of personal data you process
  • The categories of personal data you share with third parties
  • The categories of the third parties you share personal data with
  • The purpose(s) for which you process personal data 
  • The ways you let consumers exercise their rights (e.g., to delete, access or correct their data)

Limit the use and collection of data

You need to limit the scope of collected data to what is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.” The ways in which you use consumer data must align with what you’ve included in your privacy policy unless you have active user consent for new purposes of using the data.

Apply technical safeguards to your data

You must implement a process for ensuring the confidentiality, integrity and accessibility of personal data. That said, the Act is not specific about the preferred methods.

Perform data protection assessments

You should run data protection assessments that help you evaluate the potential risks of data processing. You can find a comprehensive list of activities here.

Sign data processing agreements with every party processing data on your behalf

You need to sign a data processing agreement with every party that has access to the data you collect about consumers. The agreement must include the following elements:

  • Clear instructions for processing the data
  • The nature and purpose of processing
  • The type of data subject to processing
  • The duration of processing
  • The rights and obligations of the parties

pro tip

How Piwik PRO helps you comply with CDPA:

  • Get full control over collected data and rest assured we don’t use it for our own purposes
  • Quickly set up banners to inform visitors about the collection of their data and give them a way to opt out or send a data request
  • Adjust tracking methods to visitor privacy choices thanks to a built-in consent manager and tag manager

Penalties for non-compliance

CDPA doesn’t give consumers the power to bring a private action. Fines are imposed by the attorney general and are preceded by a 30-day cure period. If, after this time, the organization is still in breach of the law, it can face fines of up to $7,500 per violation.

Chapter 4

Canada’s Consumer Privacy Protection Act (CPPA)

On June 16, 2022, the much-anticipated Digital Charter Implementation Act, 2022, known as Bill C-27, was introduced by the Canadian federal government. It is a reintroduction of Bill C-11, which was first introduced in 2020 and then failed on the order paper as a result of the federal election in 2021. Notably, a significant portion of Bill C-11 has been transposed into Bill C-27.

If passed, Bill C-27 will create:

  • The Consumer Privacy Protection Act (CPPA), the main privacy law that will replace the Personal Information Protection and Electronic Documents Act (PIPEDA), as did Bill C-11.
  • The Personal Information and Data Protection Tribunal Act, creating a new tribunal to replace the current role of the Federal Court under PIPEDA and enabling the new penalty regime, as did Bill C-11.
  • The Artificial Intelligence and Data Act, which is a new addition to Bill C-27 compared to Bill C-11, and doesn’t exactly fit with the CPPA/Tribunal regulatory framework.

Effective date: Unknown. The act is currently in the draft stage.

What is personal information under CPPA?

The new law maintains the definition of personal information established in PIPEDA. Under CPPA, personal information is any information about an identifiable individual, living or deceased. It includes:

  • Age, name, ID numbers, income, ethnic origin, or blood type
  • Opinions, evaluations, comments, social status or disciplinary actions
  • Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs) [source]

Who is affected by CPPA?

CPPA requirements apply to any organization that:

  • Collects, uses and shares personal information for commercial purposes
  • Collects, uses and shares personal information about employees and job candidates

CPPA doesn’t apply to:

  • Government organizations covered by the Privacy Act
  • Personal information used for journalistic, artistic and literary purposes
  • Personal information used for personal purposes
  • Personal information about individuals used in relation to employment, business or profession

Your key responsibilities under CPPA

✓ Take on accountability for the collected data

CPPA makes your organization fully responsible for the safety of personal information whether it’s collected, used or disclosed by you or by someone else on your behalf.

You need to protect personal information through physical, organizational and technological security safeguards, adjusting the level of protection to the sensitivity of the data. You also need to take “reasonable measures to authenticate the identity of the individual to whom the personal information relates.”

You should also assign one person to be in charge of compliance with privacy obligations and disclose their contact details, e.g. in your privacy policy or upon visitor’s request.

✓ Collect consents

You need to acquire meaningful consents for collecting, processing and disclosing users’ personal information. You also have to write your request in plain language to make sure visitors are properly informed about their options.

The consent request can take two forms:

  • Implicit – you need to inform users about the collection of their personal data and give them a way to opt out of it
  • Explicit – you need to obtain users’ active opt-in before you start tracking their data

Your choice of implicit or explicit consent should depend on the type of personal information at stake. While more sensitive data will require active consent, in the case of less sensitive data you will be able to rely on implied consent. Keep in mind that documenting consents, which is an obligation under CPPA, is a lot easier with explicit consents than with those based on inaction. 

There are some exceptions for which you don’t need to obtain consent. They include:

  • Transfers to service providers
  • Use of personal information for internal research, analysis and development, provided the information is de-identified
  • Defined business activities if a reasonable person would expect the collection or use for such an activity; and the personal information is not collected or used for the purpose of influencing the individual’s behavior or decisions
  • If there is a legitimate interest that outweighs any potential adverse effect on the individual

No matter which type of consent you choose, be sure your message to the visitor includes the following information:

  • The purposes and ways for which you want to collect, use and disclose personal information
  • The consequences of the collection, use or disclosure of the personal information
  • The types of personal information you collect, use and disclose
  • The names of any third parties you share users’ personal information with

Finally, remember about users’ right to withdraw consent. You should provide them with an easy way to change their mind, e.g. through a contact form or email address on your privacy page. After receiving a request to withdraw consent, you need to inform the user about the consequences of withdrawal and cease the collection, use and disclosure of data as soon as feasible.

If you want to read more about the grounds for processing data under CPPA, be sure to check out this guide by McCarthy.

✓ Respect user rights to data transfer and deletion

Under CPPA, users have the right to:

  • Transfer their personal information between organizations, e.g. banks or insurance providers
  • Request the deletion of their personal information

✓ Remember about privacy management programs and transparency

Companies have to come up with transparent processes for handling personal information. Every organization should prepare materials in which it describes:

  • How it protects personal information
  • How it manages requests for information and complaints
  • How it meets other obligations under the legislation
  • What training and information is provided to staff

You also need to update your privacy policy so it clearly describes what types of personal information you collect and how you process it. You should make sure that your privacy policy is written in plain and understandable language.

If you’d like to learn more about good practices around privacy policies, be sure to read this blog post.

✓ Keep records of consents and privacy policies

Your organization needs to keep records of consents and the purposes for which it collects, uses and discloses data. If you decide to use data for any new purpose, you need to obtain a separate consent, document it and add it to those records. 

You should keep this data in an easily accessible form. In case of an audit, you need to make readily available, in plain language, information that explains the organization’s privacy policies and practices, as well as the consent records.

✓ Consider working with de-identified data

CPPA doesn’t specify the definition of de-identified information. Instead, it provides a description of the process of de-identifying data:

De-identify means to modify personal information – or create information from personal information – by using technical processes to ensure that the information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual.

According to the law, you can collect de-identified data without visitors’ consent.

CPPA also incorporates the concept of anonymized data. Anonymizing means to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means. However, anonymized data is said to be outside the scope of CPPA.

✓ Take special precautions with personal data of minors

Bill C-27 considers minors’ personal data to be sensitive. Parents or guardians can exercise the rights (including consent) on behalf of their child, but the child can object to their authorization. Also, children have more rights to have their personal data deleted.

CPPA: What are the penalties for non-compliance?

Fines for non-compliance with CPPA are up to $10 million or up to 3% of global revenue. The law also includes higher penalties for more serious and deliberate violations, up to $25 million or 5% of global revenue. 

Importantly, under CPPA, consumers have a right of private action, which means they can sue companies that have used their data in a way that violates the obligations of the act.

pro tip

How Piwik PRO Analytics Suite helps you comply with CPPA:

Chapter 5

New Zealand Privacy Act

New Zealand’s new Privacy Bill has replaced the outdated Privacy Act. The new bill implements recommendations from the Law Commission issued in 2011. The amendments cover a broad range of topics, including the extraterritorial scope of the law, new mandatory data breach notification requirements, “compliance notices” as a key enforcement tool of the Office of the Privacy Commissioner, changes to data subject access requests, restrictions on cross-border transfers of personal information, and the general enforcement regime.

Effective date: December 1, 2020

The scope

The bill applies to every business dealing with data of New Zealand residents, even if they’re not physically present in the country. Almost every person or organization that holds personal information is an “agency” according to the law. This means that the legislation covers all government departments, companies as well as religious groups, schools and clubs.

How it defines personal information

Personal information is information about an identifiable, living individual. It includes names, email addresses and biometric data as well as:

  • IP addresses
  • Unique IDs 
  • Search and browser history
  • Data about the device, operating system, updates, etc.
  • Location data
  • Purchase and online shopping history
  • Settings and website preferences
  • Behavioral data, such as scrolling speed, mouse hovering and cursor movement

This means that marketing tools operating on unique identifiers and cookies (e.g. analytics platforms, customer data platforms or CRMs) are also affected by the law.

Key obligations and provisions

  • Inform individuals about collecting their data. You need to notify and inform users about the collection, use and sharing of their personal information. The notification can take many forms, e.g. a privacy disclaimer placed on the bottom bar of your website.
  • Respect individuals’ rights. Under the New Zealand Privacy Act, people have a right to access and rectify data companies collect about them.
  • Notify authorities about data breaches. If a breach of privacy reaches a defined threshold, an agency must notify both the affected individual and the privacy commissioner.
  • Be careful with cross-border data transfers. The Act introduces a new prohibition on disclosing personal information overseas. A business or organization may only disclose personal information to another organization outside New Zealand if they verify that the receiving organization:
    • is subject to the Privacy Act because they do business in New Zealand
    • will adequately protect the information
    • is subject to privacy laws that provide comparable safeguards to the Privacy Act
    • has obtained the permission of the person concerned for the disclosure

As you can see, although the law aims to regulate the flow of information about users between countries and companies, it lacks the strength of GDPR and other modern privacy laws. For one thing, it doesn’t establish a framework that would give internet users a way to opt in to or object to the tracking of their data. Also, it doesn’t give individuals the right to be forgotten or the right to data portability. Finally, unlike the GDPR or CCPA, it doesn’t give the privacy commissioner the ability to hand out fines for privacy breaches.

Penalties

The bill introduces new criminal offenses. It will be an offense for a person to:

  • Make or give any false or misleading statements
  • Falsely represent that a person has authority under the Privacy Act
  • Impersonate or falsely pretend to be an individual for the purposes of obtaining access to an individual’s personal information 
  • Knowingly destroy documents containing personal information that is the subject of a request

Any person that commits any of the above offenses will be liable for a fine of up to $10,000.

pro tip

How Piwik PRO Analytics Suite helps you comply with the New Zealand Act:

  • Collect and process user requests for data access and rectification through integrated consent manager
  • Store the collected data in a safe public cloud or private cloud

Chapter 6

Brazilian General Data Protection Law (LGPD)

The Brazilian General Data Protection Law (LGPD) creates a new legal framework for the use of personal data in Brazil, online and offline, in the private and public sector. The LGPD is Brazil’s first comprehensive data protection regulation, and it broadly aligns with the GDPR, as both are based on very similar concepts, including consent and robust data subject rights.

Effective date: September 18, 2020

The scope

Like the EU’s GDPR, the LGPD has extraterritorial application. It means that the law applies to:

  • Processing of data within the territory of Brazil
  • Processing of the data of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located
  • Processing of data collected in Brazil

How it defines personal information

Similarly to GDPR, the scope of personal data includes:

“[A]ny data, isolated or aggregated to another, that may allow the identification of a natural person or subject them to a certain behavior (interpretation possible from an integrative reading of the text). In this time of big data, which allows the rapid correlation of large, structured and unstructured databases, virtually any data can eventually be considered personal, therefore subject to the law.”

Key obligations

LGPD shares many characteristics with GDPR, but is not identical. Let’s look at the most important principles of LGPD and how they compare to GDPR:

  • Choose between 10 lawful grounds for processing data. In addition to GDPR’s six bases for lawful processing, the LGPD lays out some additional, more specific bases. The Brazilian law introduces four new options: conducting research studies, medical procedures, protection of credit and judicial proceedings.
  • Collect consents. LGPD treats consent as a freely given, informed and unambiguous indication of the data subjects’ agreement to processing data. The law uses an opt-in model of consent, meaning that data can’t be collected or processed until the user consents to it.
  • Respect data subject rights. LGPD introduces new rights for data subjects, such as the right of access, right of data rectification, cancellation or exclusion, right to object to processing, right to revoke consent previously given, right of information and explanation regarding the use of data, and right of data portability. It also establishes a relatively short timeframe for processing data subjects’ requests resulting from those rights (15 days vs. one month under GDPR). 
  • Notify authorities about data breaches. Data breach notifications to the data protection authority become mandatory and must take place within a “reasonable time frame”, not within 72 hours as under GDPR.
  • Assign a Data Protection Officer (DPO). Similarly to GDPR, LGPD introduces the obligation to appoint a DPO. An entity that processes data and falls under LGPD must appoint an officer to conduct communication between lawmakers and data subjects.
  • Respect the principles of privacy by design and by default. When designing services, products and business models, you have to do so with respect for privacy and data protection rights. The general principles of LGPD and its safety standards should be taken into consideration from the conception to the execution of a product or service.
  • Respect 10 principles of processing personal data, which include:
    • Purpose limitation
    • Adequacy
    • Necessity
    • Quality of data
    • Transparency
    • Security
    • Non-discrimination 
    • Accuracy
    • Prevention
    • Principle of accountability

Actionable steps

If you already operate in compliance with GDPR, you already meet the lion’s share of the obligations imposed by LGPD. However, there are important differences you’ll have to address. They include a shorter time period for processing data subject requests and additional lawful bases for data processing. Nevertheless, it seems that in the case of LGPD, consent will also be the most suitable ground for marketing and sales activities.

Penalties

The sanctions include notices and fines. Fines can go up to 2% of the company’s turnover in Brazil in the last fiscal year, limited in total to 50 million reais (around $13,305,657) per violation. A daily fine can also be imposed to compel those in breach of the law to cease violations.

On July 6, 2023, the Brazilian National Data Protection Authority (ANPD) issued its first sanction for non-compliance with LGPD, against a small business entity that was fined 2% of its revenue. This decision indicates how ANPD will handle similar cases in the future, including with regard to companies of different sizes.

pro tip

How Piwik PRO Analytics Suite helps you comply with LGPD:

Chapter 7

Singapore’s Personal Data Protection Act (PDPA)

Singapore’s Personal Data Protection Act (PDPA) came into force in 2014. Over time, amendments were made to the law, most recently in 2021. The law now includes a more robust consent framework and more defined rules around off-shore data transfers. These changes made it one of the strictest data protection acts in Southeast Asia.

Effective date: February 1, 2021

The scope

PDPA regulates the collection, use and disclosure of personal data in Singapore. It makes website owners, companies and organizations responsible for establishing a lawful data collection process. 

The law has an extraterritorial effect, meaning that it applies to every company dealing with data of Singapore’s residents. 

The PDPA covers private organizations that collect, use and/or disclose personal data. But there are some exceptions, such as:

  • Individuals using data for their personal purposes
  • Employees in the course of their employment with an organization
  • Public and government agencies, as they have their own set of privacy rules

How PDPA defines personal data

Personal data in PDPA is a very broad notion. It covers “data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access”. This includes:

  • Names, addresses, email addresses, telephone numbers
  • IP addresses, cookie identifiers, unique IDs, search history, browser history, device data, location data
  • Information about age, gender, race, health, sexual orientation, appearance, political and religious convictions

Marketing tools operating on unique IDs and cookies such as analytics platforms are also subject to the law. Using them to track the activity of Singapore residents requires prior consent, with an exception for cookies necessary for the website to function properly.

Your key obligations under PDPA

✓ Obtain consent to process individuals’ personal data

One of the crucial obligations under PDPA is acquiring a visitor’s consent to collect their data. The consent can be affirmative or deemed. Deemed consent means users are informed about data collection and provided with a way to opt out, but do not opt out. Affirmative consent is similar to GDPR – it requires the visitors’ active opt-in.

Deemed consent may seem a handier way to deal with the obligations imposed by PDPA. However, according to the Advisory guidelines on key concepts in the PDPA, this approach involves more risk and liability:

The Commission would recommend that organizations obtain consent from an individual through a positive action of the individual to consent to the collection, use and disclosure of his personal data for the stated purposes. If an organization intends to adopt the opt-out approach in seeking consent, the organization should consider the risks that it may not have satisfied the Notification Obligation and Consent Obligation.

The scope of “deemed consent” has been expanded to include circumstances where:

  • The collection, use or disclosure of personal data is reasonably necessary to perform or conclude a contract or transaction
  • Users have been notified about the purpose of the intended collection, use or disclosure of their personal data and have a reasonable opportunity to opt out and haven’t opted out

The other rules around collecting lawful consents include informing users about:

  • Your intention to process their data, before you begin collecting it
  • The purposes of processing
  • Their right to withdraw consent anytime

Finally, you’re not allowed to force users into consent by limiting access to a product or service.

Organizations are now also permitted, in certain cases, to collect, use or disclose personal data without having to obtain consent from users. These exceptions include:

  • Legitimate interest
  • Business improvement purposes

Learn more about them from Singapore’s Personal Data Protection Commission’s advisory guidelines.

✓ Respect visitor’s rights

At a user’s request, you must:

  • Inform them what personal data you collected on them
  • Disclose how you’ve used their personal data within one year before the request took place
  • Provide them with a portable and transferable copy of their personal data
  • Rectify any error or omission in their personal data

Under PDPA, if you can’t respond to a customer’s access request within 30 days, you’ll be granted 30 more days to fulfill your obligation. After that, you may face fines for PDPA violation.

✓ Limit your data collection

Your organization may collect, use and disclose personal data only for the purposes visitors have consented to. What’s more, the data should be kept only for the time it’s used for a given purpose and deleted right after that.

✓ Limit data transfers

Under PDPA, you can transfer users’ personal data offshore. But the country you want to keep it in needs to provide a standard of protection comparable to the one afforded by Singapore law. This makes it virtually impossible to send the data to countries such as the US, where user data can become subject to surveillance by national security agencies. That calls into question the lawfulness of using, e.g., Google Analytics, which stores user data in many locations, including the US.

✓ Be transparent

Designate a data protection officer and remember to publish their contact information on your website. Update your privacy policy so it properly describes your data collection, processing and disclosure processes.

✓ Respect Do-not-call (DNC) requirement

Respect the will of people who have registered in the national do-not-call (DNC) registry, unless you obtained their clear and unambiguous consent or have an ongoing business relationship with them. 

What is the national do-not-call (DNC) registry?

The national DNC registry is a registry that lets you opt out of marketing messages and calls addressed to your Singapore telephone.

✓ Keep your data collection relevant and up-to-date

Make sure that the personal data you work with is accurate and complete.

✓ Protect the security of your collected data

Keep personal data secure and protect it from unauthorized access, modification or use.

✓ Always notify authorities about data breaches

Notify users and Singapore’s Personal Data Protection Commission (PDPC) of data breaches within three days.

Penalties

Fines for non-compliance with PDPA have been increased to up to 10% of annual turnover for organizations whose annual turnover exceeds $10 million, or $1 million, whichever is higher.

pro tip

How Piwik PRO Analytics Suite helps you comply with PDPA:

Chapter 8

Thailand’s Personal Data Protection Act 2019 (PDPA)

The new Thailand privacy law, the Personal Data Protection Act 2019 (PDPA), is highly influenced by the EU’s GDPR. It’s also the very first law dedicated specifically to data protection in Thailand.

Effective date: June 1, 2022

The scope

PDPA has an extraterritorial scope. It applies to all organizations that collect, use or disclose personal data in Thailand or of Thai residents, regardless of whether they are formed or recognized under Thai law, and whether they are residents or have a business presence in Thailand.

How it defines personal data

The law provides the following definition of personal data:

“Personal data” means any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased persons in particular.

Aside from this, the law doesn’t list many specific examples of personal data.

As user IDs and cookies also enable user identification, marketing tools such as customer relationship management systems (CRMs), customer data platforms (CDP) or analytics software are also subject to the law.

Exemptions from the scope of personal data include:

  • Data collected for private purposes
  • Data collected by government agencies related to national security, money laundering and cybersecurity
  • Media subject to ethical standards and public interest purposes
  • Data collected by Members of Parliament and Judiciary
  • Data collected by credit bureaus

Key obligations

✓ Obtain user consent for processing data

The law requires asking for user consent for cookies and other means of tracking based on unique identifiers. You also need to comply with the following principles:

  • Consent has to be freely given and obtained in written form (e.g., by ticking a box on a consent pop-up)
  • Users need to be informed about the purpose of data collection (e.g., remarketing, A/B testing or analytics)
  • The request must be expressed in clear and plain language
  • Records of consent need to be stored for five years

You can process personal data from before June 1, 2022, if you use it for the same purpose you initially collected it for. However, you have to provide users with a way to withdraw their consent. And if you decide to use or disclose the gathered data beyond the original purpose, you need to get valid user consent.

PDPA also gives the possibility to collect deemed (implied) consents. However, relying on them is acceptable only in certain situations. For example, you can employ this approach if a user has voluntarily given you their data by subscribing to a newsletter or an online event. In this case, you still need to give users a way to opt out as well as use their data only for the purpose they agreed to.

That said, this doesn’t apply to sensitive data. Processing this kind of information requires explicit consent except for when it’s used for scientific, historical or statistical purposes. For more information about how PDPA governs working with sensitive data, visit this page.

✓ Prevent unauthorized access to users’ personal data

According to PDPA, you should ensure the highest security and privacy standards for collected data. The law doesn’t propose any specific data protection methods, leaving it to you to define sufficient measures for preventing unauthorized access, disclosure or copying of personal data within your organization. 

✓ Respect users’ rights

PDPA introduces the following user rights:

  • The right to be informed about the purpose of collecting and processing data 
  • The right to withdraw the given consent
  • The right to non-discrimination for not providing consent – which means that you can’t limit the access to products or services for visitors who decline tracking
  • The right to access and obtain the data collected from individuals
  • The right to object to the collection, use and disclosure of their data
  • The right to restrict the use of their data – which means that the user should be able to specify purposes for which they allow you to use their data
  • The right to correction of their data
  • The right to transfer their data to another data controller
  • The right to have their data erased, destroyed or anonymized

✓ Transfer data only to countries with high privacy standards

PDPA allows for sending data only to jurisdictions with the same or higher security standards. It’s not yet clear which countries comply with the obligations of PDPA. However, the law provides other grounds for data transfer, such as:

  • Compliance with legal obligations
  • Contract
  • Compliance with contractual obligations of the data controller with a third party for the benefit of the data subject
  • Vital interest
  • Carrying out an important task of public interest

It’s difficult to predict if any of these grounds will apply to data processing performed with analytics and marketing.

Penalties

For breaching the rules of PDPA, you may face:

  • Fines up to THB (Thai baht) 5 million ($159,591) or up to 4% of global turnover 
  • Criminal penalties which could include imprisonment for up to one year

pro tip

How Piwik PRO Analytics Suite helps you comply with PDPA:

Chapter 9

ePrivacy Regulation

The ePrivacy Regulation is a law that complements and elaborates on the General Data Protection Regulation (GDPR). It gives detailed instructions on how to deal with cookies, Internet of Things (IoT) devices, email marketing and other digital communication channels. At the same time, it replaces Directive 2002/58/EC (also known as the ePrivacy Directive).

The full name: Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).

Effective date: Still unknown, but not earlier than 2023. The Council and the European Parliament are now negotiating the terms of the final text. It’s not yet certain whether the law will be enforced in its current form, as it has been heavily criticized by EU authorities, including Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI).

The law will enter into force 20 days after its publication and will start to apply two years after that.

Who will be affected by the ePrivacy regulation?

If adopted, the latest draft will apply to the processing of personal data collected via a “publicly available” electronic communication service or network. It will cover:

  • Providers of electronic communications services
  • Providers of publicly available directories 
  • Those who use electronic communication services to send direct marketing commercial communications 
  • Those who process and store data in users’ terminal equipment 
  • Those who collect information processed, emitted by or stored in end-users’ terminal equipment

What is end-users’ terminal equipment?

This means a device used as a transmission source or destination of data (e.g. a computer, server or IoT device). Activities that involve users’ terminal equipment include, for example:

  • Placing cookies or using device fingerprinting to serve interest-based advertising or personalize website content
  • Collecting data from IoT devices for marketing purposes
  • Using first-party cookies to get information on page usage and to ensure its proper functioning

This means that the law affects most organizations that deal with user data acquired through electronic data collection.

The regulation has an extraterritorial effect. It safeguards the data of EU residents no matter where collecting and processing take place. 

What will be your main obligations under the current ePrivacy draft?

Compared to previous proposals, the newest ePrivacy Regulation draft is less strict and detailed. That said, it still covers multiple types of electronic data processing. In this article, we’ll focus on the parts related to marketing and analytics.

The new version of the law upholds consent as one of the pillars of user privacy on the internet. However, compared to previous iterations of the law, it loosens the restrictions around obtaining consent.

The most important arrangements around consent and cookies include: 

1. Allowing access to personal data on users’ devices without permission

In the current version, the law allows service providers to access personal data on users’ devices for the performance of a contract. In the previous version, such access was permitted only where it was technically necessary. This way, the clause becomes more ambiguous and leaves room for interpretation of what’s necessary to perform a contract.

2. Consent exception for analytics cookies

According to the new draft, using cookies for simple audience measuring won’t require user consent “if it is necessary for the sole purpose of audience measuring, provided that such measurement is carried out by the provider of the service requested by the end-user, or by a third party”. Such cookies, usually called analytics cookies, could be used without prior opt-in.

3. Unclear guidance on collecting personal data to improve the effectiveness of the provided service

The proposed draft indicates that gathering statistics to measure the performance of a website won’t require consent. Even using tracking pixels to measure advertising won’t call for the user’s permission, provided that the cookies won’t be used to gather personal data, but rather aggregated statistical data.

This rule doesn’t apply to any kind of remarketing or data activation activities carried out with the use of personal data.

4. Soft “yes” for cookie walls

The current draft introduces less rigorous rules around providing access to information or service based on users’ consent. It allows companies to create different offers for users according to their privacy choices:

Requiring […] consent would normally not be considered as depriving the end-user of a genuine choice if the end-user is able to choose between services, on the basis of clear, precise and user-friendly information about the purposes of cookies and similar techniques […]

5. No solution for global privacy preferences expressed through browser settings 

In the new iteration of the draft, end users are able to give consent to the use of certain types of cookies only by whitelisting one or several providers in their browser settings:

Where available and technically feasible, an end user may therefore grant, through software settings, consent to a specific provider for the use of processing and storage capabilities of terminal equipment for one or multiple specific purposes across one or more specific services of that provider.

The previous version, in the now-deleted articles 9 and 10, put forward some more user-friendly solutions. It proposed replacing consent modals and pop-ups with legally binding signals configured by the users.

6. Working with metadata without users’ consent

The draft regulation opens up the possibility of processing users’ metadata, even without their consent. The scope of metadata in the current version of the ePrivacy Regulation is as follows:

‘Electronic communications metadata’ means data processed by means of electronic communications services for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication.

According to the text, you can use this kind of data for statistical purposes and other purposes you didn’t initially collect it for, if you encrypt or pseudonymize it. In contrast, here’s what GDPR says about the obligations involved in processing pseudonymized data:

The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.

Source: Article 26 of the General Data Protection Regulation

The introduced changes have raised concerns among data protection bodies and activists, including the Panoptykon Foundation, a Polish NGO whose primary goal is to protect basic freedoms and human rights. In an open letter, Panoptykon criticized the draft for failing to protect users from tracking, allowing for coercing users into consent and placing the burden of privacy controls on them. It urged the European Parliament to close the loopholes and gray areas in the law and level it up with the protection standards afforded by GDPR.

You can read the whole letter here.

pro tip

The best way to prepare yourself for the new ePrivacy Regulation is to follow updates and possible changes in the text. The most reliable source of information is the news section of the European Council’s website.

Penalties for non-compliance

ePrivacy maintains the same fines as the ones described in GDPR – from €10M or 2% of annual turnover to €20M or 4% of annual turnover, depending on the gravity of the violation. A detailed description of the penalties is given in Article 23 of the draft.

Chapter 10

German Telecommunications and Telemedia Data Protection Act (TTDSG)

Germany’s Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG) merges the data protection regulations in telemedia and telecommunications previously scattered across various German laws. Among other things, the TTDSG regulates confidentiality and privacy protection when using internet-ready terminal infrastructure such as websites, messenger services, or smart home devices. The law also modifies the legal framework for using cookies and similar technologies. It implements the requirements featured in the ePrivacy directive and is enforced in addition to GDPR.

Effective date: December 1, 2021

The scope

As the TTDSG states:

All companies and persons who have an establishment or provide or participate in the provision of services or make goods available on the market within the scope of this Act are subject to this Act.

This means that any organization established in Germany falls under TTDSG, as well as any applicable organizations located outside of Germany.

pro tip

On December 22, 2021, the German Data Protection Conference (DSK) issued guidance on TTDSG, clarifying certain aspects of its application.

The data that TTDSG concerns

Following the ePrivacy directive, TTDSG applies to both personal and non-personal data.

If no personal data is processed, only TTDSG is applicable. If both personal and non-personal data is processed, both TTDSG and GDPR apply. 

However, when it comes to storing and accessing information on/from terminal equipment, TTDSG takes precedence. Any subsequent processing of data collected through cookies or other tracking mechanisms without further involving the end-user device (such as a computer, tablet or smartphone) is subject to the GDPR.

For more insight into the requirements of TTDSG, check out our blog post: TTDSG – how to make sure your analytics complies with the German law.

Key obligations under TTDSG

Collect and store appropriate consents from users

You must obtain valid consent from users when applicable. Record all user consents so you can demonstrate proof of consent if needed.

As Section 25 of the TTDSG reads:

The storage of information in the end-user’s terminal equipment or the access to information already stored in the terminal equipment shall only be allowed if the end-user has consented on the basis of clear and comprehensive information.

For consent to be valid, it needs to be:

  • Given before the data processing
  • Freely given
  • Explicit
  • Informed

These requirements are the same as under GDPR, and TTDSG does not introduce any changes to them.

What makes the German regulation particularly strict is that, without consent, you can’t read or store information on a user’s device. 

As a result, many ways of collecting analytics data with cookies won’t be compliant with TTDSG prior to getting consent. For example, even using a temporary visitor cookie requires consent from users. You also can’t read additional information about the device, like screen resolution or browser plugins. 

You need to either display a consent banner to acquire explicit user consent or go for cookieless options.

TTDSG differentiates between two types of cookies: cookies that require consent, as described above, and cookies that are strictly necessary.

As we read, consent isn’t required in cases where:

  • The sole purpose of the cookie is to facilitate the transmission of a communication over a public telecommunications network, or
  • The cookie is strictly necessary to provide a telemedia service explicitly requested by the user

For example, a cookie used to store items from an online shop in a shopping cart is considered “strictly necessary,” and thus exempted from consent under the TTDSG.

Your banner needs to include information about the specific purposes of processing – terms such as “improving the user’s experience” or “advertising purposes” aren’t sufficient. Give users an option to agree to each cookie type separately.

Be transparent about all the processing activities – what data will be processed, who will be involved, what third parties will participate, and information about the retention of the cookies. Don’t forget to include a link to your privacy policy. Since a user must opt in by performing an action, a notice-only cookie banner won’t be sufficient.

Pay attention to the banner’s design. Choose a consent manager solution that lets you customize the text and design of the cookie banner. Adjust the text on the buttons – ensure the functions of the individual buttons are clear and users can tell what consequences are associated with clicking them. 

The cookie banner should not prevent access to the website’s privacy policy or other legal notice.

Under TTDSG, you must mention the right to withdraw consent on the first level of the consent window. Users must be able to withdraw their consent at any given time. 

Revoking consent must be as simple as granting it and available through the same means – so, if a user gave consent on the website, you can’t require them to make a phone call or write an email to withdraw it.

Users need to be provided with equivalent options for accepting and rejecting cookies. For example, if an “Accept all” consent button is located on the first level of the consent banner, there should also be a reject button on the same level. Users shouldn’t have to take further action to refuse consent, such as by navigating to Settings, since it requires extra steps to complete the desired action.

You can use approved services to manage consent, such as Personal Information Management Services (PIMS). A PIMS lets users choose once which cookies they want to allow and which personal data processing they wish to consent to. The PIMS then automatically passes on the decision to different websites. However, PIMS must be verified by an independent institution to be a viable option for protecting user privacy. And no PIMS services are available on the market yet. Time will show whether the PIMS provided for consent management will bring the desired simplifications.
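The consent rules above (no storage or access on the device before consent, strictly necessary cookies exempt, equivalent accept and reject choices, a record of each decision, and withdrawal as simple as granting) can be expressed as a small gate that every cookie read or write has to pass through. The following is an added example written for this page, not code from Piwik PRO or from the TTDSG text; the class and cookie names are hypothetical, and the in-memory `Map` stands in for `document.cookie` so it runs outside a browser:

```javascript
"use strict";

// Cookie categories. Only "necessary" is exempt from consent under Section 25 TTDSG
// (cookies strictly necessary for a service the user explicitly requested).
const CATEGORIES = ["necessary", "analytics", "marketing"];
const NON_ESSENTIAL = CATEGORIES.filter((c) => c !== "necessary");

class ConsentGate {
  constructor() {
    // null = no decision yet. Nothing non-essential may be stored or read until a decision.
    this.decisions = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, null]));
    this.log = []; // audit trail: proof of consent and of withdrawal
    this.store = new Map(); // stand-in for document.cookie (constructed for this example)
  }

  // First-level choices are equivalent: accepting and rejecting all are each one step.
  acceptAll(at) { this.choose(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true])), at, "accept_all"); }
  rejectAll(at) { this.choose(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false])), at, "reject_all"); }

  // Per-category decision, so users can agree to each cookie type separately.
  choose(changes, at, action = "choose") {
    for (const [category, granted] of Object.entries(changes)) {
      if (!NON_ESSENTIAL.includes(category)) throw new Error(`unknown category: ${category}`);
      this.decisions[category] = granted === true;
      if (!this.decisions[category]) this.purge(category); // drop data already stored for a refused category
    }
    this.log.push({ action, changes: { ...changes }, at });
  }

  // Withdrawal goes through the same means as granting and is a single call.
  withdraw(category, at) { this.choose({ [category]: false }, at, "withdraw"); }

  isAllowed(category) {
    if (category === "necessary") return true;
    return this.decisions[category] === true;
  }

  // The only write path to the device: refused unless the category has consent.
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!this.isAllowed(category)) return false;
    this.store.set(name, { value, category });
    return true;
  }

  // Reading is gated too: Section 25 covers access to stored information, not just storage.
  getCookie(name) {
    const entry = this.store.get(name);
    if (!entry || !this.isAllowed(entry.category)) return undefined;
    return entry.value;
  }

  purge(category) {
    for (const [name, entry] of this.store) {
      if (entry.category === category) this.store.delete(name);
    }
  }
}

// Walk through a visit: page load before any decision, a partial opt-in, then a withdrawal.
function runScenario() {
  const gate = new ConsentGate();
  const result = {};
  // Before any decision: a cart cookie is strictly necessary, a visitor id is not.
  result.cartBefore = gate.setCookie("cart", "item-42", "necessary"); // true
  result.visitorBefore = gate.setCookie("visitor_id", "v-0001", "analytics"); // false: zero-cookie load
  // User agrees to analytics only.
  gate.choose({ analytics: true, marketing: false }, "2024-01-01T10:00:00Z");
  result.visitorAfter = gate.setCookie("visitor_id", "v-0001", "analytics"); // true
  result.adsAfter = gate.setCookie("ad_id", "a-0001", "marketing"); // false
  // Withdrawal: one call, and the analytics cookie is removed from the device.
  gate.withdraw("analytics", "2024-01-02T09:30:00Z");
  result.visitorAfterWithdraw = gate.getCookie("visitor_id"); // undefined
  result.cookiesLeft = [...gate.store.keys()]; // ["cart"]
  result.logLength = gate.log.length; // 2
  return result;
}

console.log(runScenario());
```

In a real deployment the same gate would wrap the tag manager: analytics and marketing tags are only registered after `isAllowed` returns true for their category, and the `log` entries are what you keep to demonstrate proof of consent.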

Implement measures to protect confidentiality and privacy

The technical and organizational measures your company adopts need to allow you to, if applicable:

  • Ensure that users can use telemedia services without third parties learning about it
  • Make sure users can stop using the service at any time
  • Provide users with options to pay anonymously or under a pseudonym
  • Ensure there is no possibility of unauthorized access to the technical equipment used for telemedia services
  • Prevent erroneous transmissions and the unauthorized disclosure of message content within your company and to third parties

You can take measures similar to those applicable under GDPR. Examples of technical measures include:

  • Encryption
  • Assigning appropriate rights and roles for those accessing the data 
  • Implementing backup systems 
  • Pseudonymization of data

In terms of organizational options, consider creating internal instructions and employee guidelines.

Personal data processed to track user behavior on websites or in apps can’t be transferred to a third country on the basis of consent, in relation to Article 49 of the GDPR. Consequently, tracking technologies will generally require consent regardless of whether personal data is processed.

pro tip

How Piwik PRO helps you comply with TTDSG:

  • Use a consent manager that seamlessly integrates with analytics and tag manager tools. You can enforce a so-called “zero-cookie load,” meaning that no cookies or other similar non-essential technologies will be loaded prior to consent
  • Review our options on collecting data without cookies prior to consent. That approach is described in more detail here: collect anonymous data in a TTDSG-compliant way
  • Get full control over the data you collect and rest assured we won’t use it for our own purposes
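The three consent rules above (equivalent first-level accept and reject, withdrawal through the same means, and a “zero-cookie load” where nothing non-essential is stored before consent) can be enforced in one small gate in front of every tag and cookie write. The following is an added example, not Piwik PRO’s code: it is DOM-free so the logic can be tested, with a `Map` standing in for `document.cookie`, each tag’s `run` callback standing in for script injection, and all cookie and tag names constructed for the example.

```javascript
// Added example (not Piwik PRO code). A consent gate that models the TTDSG rules:
// no non-essential cookie is written before an explicit accept, accept and reject are
// single calls at the same level, and withdrawal is the same call as rejecting plus
// clean-up of what the earlier consent allowed. Cookie/tag names are constructed.

const ESSENTIAL_COOKIES = new Set(["session_id", "csrf_token"]); // strictly necessary (assumed)

function createConsentGate(cookieJar, now = () => Date.now()) {
  // decision: null (no choice yet), "accept" or "reject", with a timestamp so the
  // stored decision doubles as evidence of when consent was given or withdrawn.
  let state = { decision: null, at: null };
  const tags = [];   // non-essential tags waiting for consent
  const log = [];    // audit trail of consent events

  function record(decision) {
    state = { decision, at: now() };
    log.push({ decision, at: state.at });
  }

  // "Zero-cookie load": every cookie write goes through here; non-essential
  // cookies are refused unless an explicit accept is on record.
  function setCookie(name, value) {
    if (!ESSENTIAL_COOKIES.has(name) && state.decision !== "accept") return false;
    cookieJar.set(name, value);
    return true;
  }

  // A tag declares the cookies it will set. It only runs after consent, and runs
  // immediately if consent was already given earlier in the session.
  function registerTag(name, cookies, run) {
    const tag = { name, cookies, run, ran: false };
    tags.push(tag);
    if (state.decision === "accept") { tag.run(setCookie); tag.ran = true; }
    return tag;
  }

  // Both first-level banner actions are one call each: no "settings" detour to refuse.
  function acceptAll() {
    record("accept");
    for (const t of tags) if (!t.ran) { t.run(setCookie); t.ran = true; }
  }
  function rejectAll() { record("reject"); }

  // Withdrawal is as simple as granting: same banner, same API, and it removes
  // every cookie the consented tags stored.
  function withdraw() {
    record("reject");
    for (const t of tags) { for (const c of t.cookies) cookieJar.delete(c); t.ran = false; }
  }

  const firstLevelChoices = () => ["acceptAll", "rejectAll"]; // equivalent options

  return { setCookie, registerTag, acceptAll, rejectAll, withdraw, firstLevelChoices,
           decision: () => state.decision, history: () => log.slice() };
}

// Walk-through with a constructed analytics tag; returns the observable state at each step.
function demo() {
  const jar = new Map();                                  // stand-in for document.cookie
  const gate = createConsentGate(jar, () => 1700000000000); // fixed clock for reproducibility
  const analytics = gate.registerTag("analytics", ["visitor_id"], (setCookie) => {
    setCookie("visitor_id", "constructed-id-123");
  });
  const beforeConsent = { tagRan: analytics.ran, visitorCookie: jar.has("visitor_id"),
                          essentialOk: gate.setCookie("session_id", "abc") };
  gate.acceptAll();
  const afterAccept = { tagRan: analytics.ran, visitorCookie: jar.has("visitor_id") };
  gate.withdraw();
  const afterWithdraw = { decision: gate.decision(), visitorCookie: jar.has("visitor_id"),
                          sessionKept: jar.has("session_id"),
                          writeRefused: !gate.setCookie("visitor_id", "again") };
  return { beforeConsent, afterAccept, afterWithdraw, events: gate.history().length };
}
```

In a real banner the `run` callbacks would inject the tag scripts and `cookieJar` would wrap `document.cookie`; the gate itself does not change.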

Penalties

Fines for non-compliance with the TTDSG go up to €300,000, depending on the severity of the violation. However, where provisions of the GDPR are applicable, fines can get much higher.

Chapter 11

China’s Personal Information Protection Law (PIPL)

Despite numerous yet-to-be-agreed-on elements, China passed the Personal Information Protection Law (PIPL). Though other data security laws were in force prior to PIPL – namely the Data Security Law (DSL) and Cybersecurity Law (CSL) – PIPL is China’s first comprehensive law designed to regulate and protect personal information. With the rollout of DSL and PIPL, China’s laws on data security and personal information have aligned much more closely with international benchmarks. Many of PIPL’s elements strongly resemble GDPR. If you have already adopted GDPR rules, you still need to analyze the gap between GDPR and PIPL requirements, but adjusting to PIPL won’t be challenging.

Effective date: November 1, 2021

The scope

PIPL has an extraterritorial scope and applies to:

  • Organizations or individuals who process personal information within China, or 
  • Organizations located outside China that process the personal information of Chinese residents

The entities mentioned above need to comply with PIPL if:

  • They provide products or services to domestic natural persons
  • They analyze and evaluate the activities of domestic natural persons
  • There are other circumstances as provided by laws and administrative regulations

How PIPL defines personal data

PIPL provides a broad definition of personal information that resembles the California Consumer Privacy Act (CCPA) and GDPR. It refers to personal data as:

…various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding anonymized information.

Like CCPA and GDPR, PIPL treats anonymized information as non-personal and places it outside the scope of the law. The provided definition of anonymization is quite strict and states that:

Anonymization refers to a process in which the personal information is processed so that it is impossible to identify a certain natural person and unable to be reversed.

What is considered sensitive data

PIPL includes a lengthy yet unclear definition of sensitive personal information:

Sensitive personal information refers to the personal information that can easily lead to the infringement of the personal dignity of natural persons or the harm of personal or property safety once leaked or illegally used, including such information as biometrics, religious belief, specific identities, medical health, financial accounts, and whereabouts, and the personal information of minors under the age of 14.

You have to obtain separate consent for processing sensitive personal information. Where required, it may need to be written consent.

You also need to notify data subjects of the necessity of the processing and how it may impact their rights and interests.

Key obligations under PIPL

Respect users’ rights to their data

Similarly to GDPR, PIPL lists individuals’ rights relating to their personal information, such as:

  • The right to know about and decide on the processing of their personal information and the right to object to or restrict the processing of their personal information
  • The right to access and copy their personal information
  • The right to request the data processor to correct their information
  • The right to delete the information under one of the circumstances provided in Art. 47
  • The right to have data processors explain their processing rules at the data subject’s request

The same rights apply to a deceased data subject’s relatives.

Under PIPL, consent is only one of the seven grounds for lawfully processing personal information. Others include:

  • When necessary to fulfill a contract or in relation to employment 
  • When required to complete a legal obligation
  • When protecting the life, health and property of individuals in emergencies or responding to emergencies concerning public health
  • Within a reasonable scope, when relating to actions such as news reporting or public opinion supervision in the public interest
  • When personal information that individuals have disclosed themselves, or that has otherwise been lawfully disclosed, is processed within a reasonable scope in accordance with PIPL
  • Circumstances provided under other laws or regulations

In PIPL, legitimate interest isn’t included as a processing basis.

Where consent is required, you need to:

  • Make sure it’s informed, voluntary and explicit
  • Ensure access to products or services isn’t based on whether an individual grants consent or not
  • Make it easy to withdraw the consent
  • Obtain new consent if the purpose of processing the data changes

Disclose your data processing activities

Prior to the processing of personal information, inform individuals about the following:

  • The personal information processor’s (the equivalent of a data controller under GDPR) name and contact information
  • The purpose and method of processing
  • The type of personal information processed
  • The retention period of the personal information processed, and
  • The method and procedure for individuals to exercise their data subject rights

You must notify users of any changes to these key data processing elements.

Fulfill the requirements of cross-border data transfers

Cross-border data transfers require you to fulfill one of the following conditions:

  • Pass a security assessment for cross-border transfers approved by the Cyberspace Administration of China (CAC)
  • Obtain certification for personal information protection from a professional institution
  • Conclude standard contractual clauses formulated by the CAC with the overseas recipient and transfer the data subject to them

Alternatively, companies may be able to fulfill other conditions set out under other laws, regulations, or by the CAC.

In February 2023, the CAC published rules on standard contractual clauses for the transfer of personal information to third countries pursuant to the PIPL (the “PIPL SCCs”). They came into effect on June 1, 2023. With that, there are specific rules for the three primary mechanisms for cross-border transfers outlined above – check out the requirements for each of them.

When transferring data outside of China, you must obtain a user’s separate consent for doing so and inform the user about:

  • The name and contact details of the receiving party
  • The purpose and method of processing 
  • The type of personal information being transferred
  • The ways for the user to exercise their rights

Provide sufficient data security

You must undertake the protective measures set out in Art. 51, such as encryption or de-identification, to ensure legal compliance under PIPL and prevent unauthorized access.

You also need to conduct risk assessments of your cybersecurity measures.

In the circumstances specified in Art. 55, you need to conduct a data protection impact assessment.

If an incident occurs, the company must undertake remedial measures and inform the Chinese regulators.

pro tip

How Piwik PRO helps you comply with PIPL:

  • Use a consent manager that seamlessly integrates with analytics and tag manager tools.
  • Collect and process user requests e.g. for data access or erasure.
  • Use safe data storage in a public cloud or private cloud.
  • Get full control over the data you collect and rest assured we won’t use it for our own purposes

Penalties

Penalties go up to 5% of the previous year’s revenue or 50 million yuan (around $7.7 million). Directly responsible personnel are subject to fines of between 100,000 and 1 million yuan.

Chapter 12

Switzerland’s new Federal Act on Data Protection (nFADP)

Switzerland’s existing Federal Act on Data Protection (FADP) shares many similarities with the GDPR. However, it still needed some improvements to better protect the personal data of Swiss citizens. Consequently, the Federal Council passed the new Federal Act on Data Protection (nFADP) in September 2020. The Federal Administration is currently in the process of drafting the associated implementing ordinances. The new Swiss privacy law introduces new provisions on consent, processing records, data breaches, and data protection impact assessment, among others. Companies already compliant with GDPR will have an advantage in preparing for nFADP.

Effective date: September 1, 2023

The scope

The Swiss FADP applies to all businesses or individuals who process personal data and:

  • Are incorporated in Switzerland.
  • Offer or provide products and services to people in Switzerland.

What’s important is that nFADP, unlike the existing FADP, does not protect legal entities’ data, but focuses on protecting individuals’ (natural persons’) personal data, which aligns with GDPR.

How nFADP defines personal data

Personal data is defined as any information that identifies a person. This information includes, but is not limited to:

  • A person’s full name
  • Picture showing a person’s face
  • Email address
  • Telephone number
  • Social security number
  • Customer number

What is considered sensitive personal data

FADP lists the following pieces of information as sensitive personal data:

  • Religious data
  • Ideological data
  • Political data
  • Trade union-related views or activities
  • Health data
  • Racial origin of an individual
  • Social security measures
  • Administrative or criminal data

With nFADP, the list has been extended to also include genetic and biometric data.

Key obligations under nFADP

Disclose your data processing activities

Clearly describe how you process personal data through transparent policies and privacy notices. 

At a minimum, provide data subjects with:

  • Details about the purpose of the data processing
  • Information about who will receive their information 
  • Contact details for the person responsible for this process

Neither the current FADP nor nFADP describes the content requirements of a data processing agreement (DPA) in more detail. The lack of precise specifications may lead to uncertainties in applying the law.

Maintain records of processing activities

You need to maintain records of your processing activities if your organization employs more than 250 people. In this case, you must be able to prove the lawfulness of the data processing you’re undertaking at any time.

However, small and medium companies with fewer than 250 employees that process low-risk data are exempt from this requirement.

The records you keep should include details about:

  • How the information is processed
  • The purpose of processing the data
  • The type of data being processed
  • Where the processing takes place
  • Who the data is disclosed to

This might require changes to your tech infrastructure. You would also need to establish a defined process for transmitting and storing the data you collect.

You need to obtain valid consent for specific processing purposes. Under nFADP, you are required to have consent when processing sensitive personal data or using data for profiling.

The consent has to be:

  • Given prior to processing the data
  • Informed, freely given, and explicit
  • Possible to withdraw

nFADP requires you to follow the principles of:

  • Privacy by design – you have to take appropriate measures to reduce the risk of privacy breaches during data processing as early as the planning stage
  • Privacy by default – ensure, by means of default settings, that any required personal data is processed solely for the relevant purpose

Have data breach procedures in place

If a data security breach occurs, you must promptly notify the Federal Data Protection and Information Commissioner (FDPIC).

You also need to inform the affected individuals if the breach poses a risk to their fundamental rights.

Follow the requirements of cross-border data transfer

It is possible to transfer data internationally if the receiving countries guarantee adequate protection. In this case, you don’t require further approval from an entity or additional consent from a user.

You can browse the list of adequate countries issued by the FDPIC.

The rules are different for third countries. In their case, you must employ additional legal tools, such as a user’s consent, standard contractual clauses, and others.

Conduct a data protection impact assessment, if required

If your company processes personal data, you have to estimate whether your processing activities pose any risk to the individual’s fundamental rights. If you discover any risks, you will have to conduct a Data Protection Impact Assessment (DPIA).

Unlike GDPR and LGPD, which obligate businesses passing certain thresholds to appoint DPOs, the new FADP has no such requirement. Businesses are encouraged to have a data protection advisor, but they are not legally compelled to have one.

pro tip

How Piwik PRO helps you comply with nFADP:

  • Use a consent manager that seamlessly integrates with analytics and tag manager tools.
  • Collect and process user requests to access or amend their data.
  • Use safe data storage in a public cloud or private cloud.
  • Get full control over the data you collect and rest assured we won’t use it for our own purposes.

Penalties

Those who violate the obligation to inform data subjects or fail to cooperate will be fined up to 250,000 CHF. The fine is not imposed on the company, but on the person responsible for the data violation.

Chapter 13

South Korea’s Personal Information Protection Act (PIPA)

The Personal Information Protection Act (PIPA) is a South Korean privacy law that sets strict rules for handling personal information, including data such as cookies or unique user identifiers used by marketing and analytics platforms.

Effective date: The act has been in force since 2011, with two significant amendments in 2020 and 2023, the latter of which was adopted on February 27, 2023, and entered into force on September 15, 2023.

Who is affected by the law?

The Personal Information Protection Act (PIPA) in South Korea applies to data handlers, meaning public and private sector organizations that process personal information for business purposes. It also applies to data processors, meaning any third-party service provider that processes personal information on behalf of a data controller.

How does it define personal information?

Under PIPA, personal information is defined as: information relating to a living individual that makes it possible to identify the individual by his/her full name, resident registration number, image, etc. (including information which, if not by itself, makes it possible to identify any specific individual if combined with other information).

The law doesn’t include a definition of cookies or similar technologies. However, the Research Paper published by the Korean data protection authority (PIPC) in 2015 states that information contained or found through IP addresses, log records, and cookies may be combined with other information to identify an individual. This means that user identifiers used in analytics platforms are personal information under PIPA.

Data subject rights under PIPA

PIPA equips data subjects with the following rights:

  • The right to be informed of the processing of personal information.
  • The right to consent or not to the processing of such personal information, and to choose the scope of consent.
  • The right to confirm the processing of personal information, and to request access to this data.
  • The right to suspend the processing of personal information, and to request its correction, erasure, and destruction.
  • The right to appropriate redress for any damage that results from the processing of personal information in a prompt and fair procedure.

The new amendment to the law adds to this list the right to data portability and the right not to be subject to automated decision-making.

In most cases, PIPA requires explicit, informed, and specific consent for collecting, using, and handling personal information. Consent must be obtained prior to processing, and individuals have the right to withdraw their consent at any time.

The amendment to the law from 2020 aimed to loosen up the rules around consent. Among other things, it proposes that companies should be allowed to further process personal information without consent under the following circumstances:

  • There is a substantial relation between the original purpose of collection and the intended use;
  • The use is predictable based on the circumstances under which the data was collected and the customs of processing;
  • The use does not unduly infringe on the data subject’s or any third party’s interests; and
  • If the purpose of the use can be achieved with pseudonymized data, the data is pseudonymized.

Data transfers under PIPA

PIPA imposes restrictions on transfers of personal information to third parties, including cross-border transfers. The law requires explicit consent for sending data abroad or an adequate level of data protection in the recipient country. 

The newly proposed amendment to the law introduces another legal basis for data transfers – a special certification program determined by PIPC.

On December 17, 2021, the EU adopted the adequacy decision for personal data transfers between the EU and the Republic of Korea.

The adequacy decision means that the EU deems South Korea as having GDPR-grade data protection. This allows for unrestricted personal data flow of EU residents between the EU and South Korea.

How to comply with PIPA

To align with PIPA, marketers should consider the following best practices:

  • Obtain consent: Get explicit, informed, and specific consent from users for the collection, use, and handling of their personal information. Collect separate consents for transferring data abroad or processing sensitive data.
  • Inform users about your data processing activities: Give users clear and concise notice about how your organization processes data. This includes a privacy policy that explains how personal information is collected, used, and handled and any third parties with whom the information is shared.
  • Implement data security measures: Set appropriate technical and organizational measures to protect personal information from unauthorized access, use, or disclosure. Implement methods such as encryption, firewalls, and access controls.
  • Respect data subject rights: Make sure to respect the data subject rights, such as the right to access, correction, deletion, and objection, as well as the right to data portability and the right not to be a part of automatic decision-making introduced in the recent amendment to the law. Consider implementing mechanisms for users to exercise these rights – for example, a dedicated email address or contact form.
  • Monitor third-party service providers: Evaluate every third-party service provider with access to your clients’ and visitors’ data for compliance with the PIPA. Ensure that the requirements for protecting personal information are included in your contracts. This also applies to your analytics platform and other tools that process user data. 
  • Mind where you send your clients’ data: Transfer personal information only to countries and regions with a high level of data protection, or only if you received explicit user permission for such transfers.

By following these best practices, marketers can ensure that their websites comply with the PIPA and respect visitors’ privacy.

Fines for non-compliance

There are different penalties for breaching the PIPA. These include administrative sanctions such as fines, penalty surcharges, or corrective orders.

The PIPA can impose fines of up to KRW 3 billion (approx. $2.2 million) or 3% of the company’s annual revenue, whichever is higher.


Chapter 14

Saudi Arabia’s Personal Data Protection Law (PDPL)

The Saudi Arabia Personal Data Protection Law (PDPL) is the country’s first consumer data privacy law, also covering the United Arab Emirates. It was passed by a royal decree in September 2021. The PDPL aims to protect individuals' personal data privacy and regulate the collection, processing, disclosure, and retention of personal data by organizations. The law generally follows the GDPR and aligns with the standards of other international privacy laws.

Effective date: September 14, 2023. Compliance enforcement will begin after one year, on September 13, 2024.

The scope

The PDPL governs any kind of automatic or manual processing of personal data, including collecting, using, storing, sharing, transferring, or updating the personal data of Saudi Arabia and United Arab Emirates residents. The legislation is extraterritorial, which means it applies to both public and private organizations located in or outside of Saudi Arabia or the UAE that process personal data related to Saudi or UAE residents.

How it defines personal data

The PDPL defines personal data as any information that identifies a person specifically or could lead to their identification, including but not limited to: name, driver’s license number, phone number, email address, or social security number.

Personal data used for personal or household purposes is exempted from PDPL. The law also protects the personal data of deceased individuals if it could lead to the identification of the deceased or their family members specifically.

How it defines sensitive personal data

Sensitive personal data refers to certain types of personal data that require special handling. They include the following information:

  • Ethnic or tribal origin
  • Religious, intellectual or political beliefs
  • Membership in civil associations or institutions
  • Criminal and security data
  • Credit data
  • Genetic data
  • Health data
  • Location data
  • Biometric data
  • Data indicating an individual is unknown to one or both parents

Key requirements under PDPL

The PDPL requires organizations to collect user consent that is given freely and obtained separately for each processing purpose before the processing takes place. Data subjects may withdraw their consent to the processing of personal data at any time. Controllers cannot make consent a condition of using a service unless the processing directly relates to or enables the service.

Consent for processing the personal data of children must be obtained from a parent or legal guardian.

There are exemptions to the requirement for data subject consent, including in the following cases:

  • The data processing serves the data subject’s “actual interests” (known as “legitimate interest” under the GDPR).
  • The data processing is carried out in compliance with another law, to fulfill a contract or implement an agreement.
  • The controller is a public entity and the processing is required for security or to fulfill judicial purposes or requirements.
  • The processing is necessary to achieve the controller’s lawful interest and the data is not considered sensitive.

Respect data subject rights

Like most other data protection regulations globally, the PDPL ensures that all data subjects are guaranteed certain rights:

  • Right to know – Users have the right to be informed about the controller’s name and contact information and data processing details, such as types and purposes of data processing, how long the data will be retained, how the data will be collected and used, and who it will be shared with.
  • Right to access – Users have the right to access their personal data and to have it available to the control authority.
  • Right to correction – Users have the right to request correction of any data collected on them if it is incomplete, inaccurate, or obsolete.
  • Right to deletion – Users have the right to request the deletion of personal data if it is no longer needed by a business.
  • Right to portability – Users can obtain their personal data in a legible and clear format and request their personal data to be transferred to another controller.

The data controller must fulfill these requests within 30 days and record all data subject requests received.

Controllers can restrict a personal data subject’s request to exercise their rights if it is to protect the individual or others from harm, maintain security, or fulfill another law or judicial requirement.

Follow the requirements for data transfers

Controllers are required to store and process personal data within the geographical boundaries of Saudi Arabia. Personal data transfers or disclosure to parties outside of the Saudi Kingdom are restricted, though allowed in cases of:

  • Extreme necessity, for example, lifesaving measures.
  • For purposes determined by the PDPL.
  • When governed by a formal agreement that the Kingdom is a party to or that serves its interests.

The following purposes and conditions are applicable in most cases to allow the transfer of personal data outside the Saudi Kingdom:

  • The transfer must not harm national security or the Kingdom’s vital interests.
  • The data must be protected to prevent its leakage or disclosure.
  • The transfer is limited to the minimum amount of data required.
  • The transfer was approved by the competent authority, as determined by the regulation.

Keep records of processing activities

Businesses must keep records of their personal data processing activities for a specified time (set by the government). These records must also be made available to the authorities when requested. The records should include:

  • Contact details.
  • The purpose for processing that personal data.
  • The categories of individuals.
  • Any party to whom data has been (or will be) disclosed.
  • Data retention period.

Apply purpose limitation and data minimization

The purpose of collecting personal data must relate to the purposes of the owner, and the collection must be direct, clear, secure, and free from deception, misleading practices, or extortion.

Personal data collected must be appropriate and limited to what is necessary to achieve the primary purpose. If the collected data is no longer necessary, data controllers must stop collecting or storing it and immediately destroy it.

Create and maintain a privacy policy

The PDPL requires that organizations adopt a privacy policy and make it available to data subjects to review before collecting their data. This policy shall include the purpose of its collection, the content of the personal data to be collected, the method of collecting it, the means of storing it, how it will be processed and destroyed, the rights of its owner, and how these rights will be exercised.

A privacy policy or notice must be regularly reviewed and updated, and data subjects must be notified about changes to the policy.

Adopt appropriate security measures

Businesses must take the necessary administrative, technical and organizational measures to maintain the security of personal data, including when it is transferred to another party.

Notify authorities about data breaches

When a business discovers that personal data has been breached, i.e., leaked, damaged, or illegally accessed, it must immediately notify the competent authority. If the breach would cause serious harm, it must also notify the affected individuals immediately.

Conduct impact assessments

A business should always assess the impact of processing personal data, including the purpose for which it is being processed. If personal data is no longer needed, data collection should be stopped immediately.

Appoint a data protection officer (DPO)

In many cases, controllers are required to appoint an employee (or more than one) as a data protection officer (DPO), to be responsible for the controllers’ obligations to the law and the organization’s data privacy operations and compliance.

Select the right data processors

When choosing the processing party, organizations must select an entity that provides the necessary guarantees for enforcing the provisions of the PDPL and must continually verify that entity’s compliance with its instructions in all matters relating to the protection of personal data. There must be a contractual agreement outlining the rights and obligations of both parties.

Penalties for non-compliance

Anyone who discloses or publishes sensitive data in violation of the provisions of the law is subject to a maximum penalty of two years in prison and a fine not exceeding SAR 3 million (about $800,000), or either of these penalties.

Anyone who violates the provisions on cross-border data transfer is subject to a maximum imprisonment of one year and a fine not exceeding SAR 1 million (about $267,000), or one of these two penalties.

For violations of all the other provisions, businesses will be issued a warning or a fine not exceeding SAR 5 million ($1.3 million). The imposed fine may be doubled for repeated violations (not exceeding SAR 10 million).


Chapter 15

India's Digital Personal Data Protection (DPDP) Act

In early August 2023, the Indian Parliament passed a comprehensive data protection law – the Digital Personal Data Protection (DPDP) Act. It is largely similar to the Digital Personal Data Protection Bill, released for public comments in November 2022. The new law is the first cross-sectoral law on personal data protection in India and was enacted after more than five years of deliberations. While the DPDP Act replicates many aspects of the EU GDPR, it also differs on a number of important points.

Effective date: Pending

The scope

The DPDP Act applies to the processing of digital personal data within India that is:

  • Collected online, or
  • Collected offline and digitized.

It also concerns the processing of personal data outside India if it’s for the purpose of offering goods or services in India.

However, the DPDP Act does not apply to entities outside India that monitor the behavior of data principals within India.

The Indian Act uses different terminology for familiar concepts:

  • Data fiduciary – The entity that, alone or with others, determines the purpose and the means of processing personal data (i.e., data controller).
  • Data principal – Individuals whose personal data is collected and processed (i.e., data subject).

How it defines personal data

The Act defines personal data as any data about an individual who is identifiable by or in relation to such data.

The scope of personal data covered by the Act excludes the following types of data:

  • Personal data processed for personal or domestic purposes.
  • Aggregated personal data collected for research and statistical purposes which is not used for any decision specific to a data principal.
  • Personal data made publicly available.

How it defines sensitive data

The law doesn’t include any additional controls on processing sensitive personal data or critical personal data. Unlike GDPR, the DPDP Act applies uniformly to all types of digital personal data.

Key obligations

Data fiduciaries require the consent of data principals to process their digital personal data.

Valid consent should be:

  • Free, specific, informed, unconditional and unambiguous.
  • Communicated through a clear affirmative action signifying agreement to the processing of the data principal’s personal data for the specified purpose.
  • Limited to only the personal data necessary for the specified purpose.
  • Possible to withdraw by the data principal at any time.

Before processing the personal data of a child or a person with disabilities who has a lawful guardian, data fiduciaries are required to obtain consent from a parent or guardian. Additionally, certain types of processing involving children’s data are strictly prohibited, such as online tracking or behavioral advertising.

There are certain exceptions to the consent requirement, including processing data for the following legitimate uses:

  • When an individual has voluntarily provided personal data for a specified purpose.
  • When an agency or department of the Indian state is to provide a subsidy, benefit, service, license, certificate, or permit.
  • In a medical emergency or threat to life, epidemics or threat to public health.
  • When it concerns employment-related data.

Unlike GDPR, the DPDP Act includes the concept of a “consent manager”. It refers to a person registered with the Data Protection Board, who acts as a single point of contact to let data principals grant, manage, review and withdraw their consent.

Create and display a privacy policy

Before seeking consent, data fiduciaries must provide data principals with a notice specifying:

  • What personal data is to be collected.
  • The purposes for which such data will be processed.
  • How the data principals can exercise their rights concerning the data.
  • The contact details of the relevant data protection officer or another person responsible for responding to data principals’ requests to exercise their rights.

Respect users’ rights

The DPDP Act grants the data principals a few rights, including:

  • The right to access.
  • The right to data correction.
  • The right to deletion.
  • The right to grievance redressal.

Follow the rules for data transfers

The Indian Act allows the transfer of personal data to any country or territory outside India. However, the central government can impose restrictions on data transfers through notifications. These restrictions will be determined after assessing relevant factors and establishing necessary terms and conditions to ensure data protection standards are maintained during international processing.

Implement data breach responses

Data fiduciaries are required to report personal data breaches to the affected data principals and to the Data Protection Board of India. This rule concerns unauthorized data processing, disclosure, alteration, loss, or actions compromising data confidentiality, integrity, or availability. Importantly, the notification requirement concerns all personal data breaches without any threshold. The form and manner of such reporting are to be prescribed in rules to be issued by the central government.

The Act establishes the Data Protection Board, which will function as a ruling body responsible for resolving privacy-related grievances and disputes between relevant parties. As an independent regulator, it will have the authority to determine non-compliance with the Act’s provisions and impose appropriate penalties.

Maintain privacy records

Data fiduciaries need to demonstrate that notice and consent requirements are met, which means they will need to maintain relevant records.

Penalties for non-compliance

The DPDP Act prescribes penalties for non-compliance of up to 250 crore rupees ($30 million).


Chapter 16

Colorado Privacy Act (CPA)

On July 7, 2021, Colorado officially became the third state – after California and Virginia – to pass broad consumer privacy legislation. The Colorado Privacy Act (CPA) grants Colorado residents rights over their data and places obligations on data controllers and processors. It is similar to the other state laws and borrows some ideas from the EU's GDPR.

Effective date: July 1, 2023

The scope

The Colorado law applies to legal entities that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents and that:

  • Control or process the personal data of at least 100,000 consumers per calendar year, or
  • Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.

The CPA has no applicable revenue thresholds.

The legislation carves out several exemptions, such as state and local governments and state institutions of higher education, personal data governed by listed state and federal laws, listed activities, and employment records.

How it defines personal data

The CPA defines personal data as “information that is linked or reasonably linkable to an identified or identifiable individual.” Personal data does not include de-identified data or publicly available information.

How it defines sensitive data

The law defines sensitive data as:

  • Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, and citizenship or citizenship status.
  • Genetic or biometric data that may be processed to uniquely identify an individual.
  • The personal data of a known child.

Key obligations

As a data controller, your organization must obtain consent:

  • For the collection and processing of sensitive data.
  • From a parent or guardian before collecting and processing data for children under 13.
  • Before beginning to process personal data for any new specific secondary purposes.

The CPA requires you to implement a user-selected universal opt-out mechanism to allow consumers to opt out of the sale of their personal data, targeted advertising, and profiling.

For consent to be valid, it must be:

  • Obtained through the consumer’s clear, affirmative action.
  • Freely given by the consumer.
  • Specific.
  • Informed.
  • Reflective of the consumer’s unambiguous agreement.

The CPA clarifies that a blanket acceptance of general terms and conditions, silence, inactivity or inaction, pre-ticked boxes or any agreement obtained through dark patterns are not valid forms of consent.

Respect users’ rights

The CPA lists five rights granted to Colorado residents: 

  • The right to opt out of targeted ads, the sale of their personal data, or being profiled. 
  • The right to access the data a company has collected about them. 
  • The right to correct data that’s been collected about them. 
  • The right to request that the data collected about them be deleted. 
  • The right to data portability – meaning access to data in an easily accessible and transportable format.

Apply purpose limitation and data minimization

The CPA mandates businesses to limit the amount of data obtained from consumers and to collect only “adequate, relevant, and reasonably necessary information,” which must be used only for a pre-established purpose.

Maintain and display a privacy policy

The CPA mandates a controller provide consumers with a “reasonably accessible, clear, and meaningful privacy notice.” You must conspicuously display the privacy policy on your company’s website.

The privacy policy must include:

  • Categories of personal data collected or processed by the data controller or processor.
  • Purpose(s) of processing the data.
  • How to exercise rights and appeal.
  • Categories of personal information shared.
  • Categories of third parties that the data is shared with.

The CPA also requires controllers to notify consumers of material changes to their privacy notice.

Conduct data protection assessments

Businesses must conduct data protection assessments before processing activities that may present a heightened risk to consumers. That could be targeted advertising or profiling, selling data, processing sensitive data, and other activities. Companies are also required to make the assessments available to the Attorney General when requested.

Establish data processing agreements (DPAs) with processors

A DPA must include processing instructions, such as:

  • The nature and purpose of the processing.
  • The type(s) of personal data to be processed.
  • The duration of the processing.

The DPA must also require processors to, among other things:

  • Implement appropriate security measures to protect personal data.
  • Allow for audits.
  • Enter into similar contracts with sub-processors.

Penalties for non-compliance

The CPA does not set a fixed amount per violation. However, non-compliance with the law may constitute a deceptive trade practice under the Colorado Consumer Protection Act, which imposes a $20,000 fine per violation.

pro tip

How Piwik PRO helps you comply with the law:

  • Use a consent manager that seamlessly integrates with analytics, tag manager and customer data platform.
  • Adjust tracking methods to visitor privacy choices thanks to a built-in consent manager and tag manager.
  • Collect and process user requests.
  • Get full control over the collected data and rest assured we don’t use it for our own purposes.
  • Quickly set up banners and display your privacy policy to visitors.

Chapter 17

Utah Consumer Privacy Act (UCPA)

The Utah Consumer Privacy Act (UCPA) is the fourth state-level privacy law passed in the United States. The UCPA was signed into law on March 24, 2022. It protects the privacy rights of residents of Utah and establishes data privacy responsibilities for companies processing the data of Utah residents. The Utah privacy law is considered more business-friendly than the other state-level laws.

Effective date: December 31, 2023

The scope

The UCPA applies to any data controller or processor who:

  • Conducts business in the state or produces a product or service that is targeted to consumers who are residents of the state.
  • Has annual revenue of $25 million or more.

The business must also satisfy one or more of the following thresholds:

  • During a calendar year, controls or processes personal data of 100,000 or more consumers, or
  • Derives over 50% of its gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

The law excludes personal data collected in an employment or business-to-business context. 

Other exemptions include:

  • Data subject to HIPAA, the Driver’s Privacy Protection Act, and the Family Education Rights and Privacy Act.
  • Entities and businesses covered by the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.
  • Non-profit entities, higher education institutions, tribes, and government bodies.

How it defines personal data

The UCPA defines personal data as information that is linked or reasonably linkable to an identified or identifiable individual. This includes any data that can be used to directly or indirectly identify a person, such as their name, address, email address, phone number, or other similar identifiers. 

The law does not view de-identified, aggregated, or publicly available information as personal data.

Under the UCPA, consent is only required in the context of parental consent for processing children’s data (under 13 years old).

How it defines sensitive data

Under the UCPA, sensitive data is defined as personal data that reveals:

  • Racial or ethnic origin (unless processed by a video communication service or licensed healthcare provider).
  • Religious beliefs.
  • Sexual orientation.
  • Citizenship or immigration status.
  • Medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional.
  • Genetic or biometric data if the processing is to identify a specific individual.
  • Geolocation data if the processing is to identify a specific individual.

Key obligations

Respect users’ rights

As in other state laws, the UCPA grants consumers certain rights to their personal data. Specifically, consumers may request to:

  • Access the personal data that a controller processes about them.
  • Delete personal data that the consumer provided to the controller.
  • Obtain a copy of the personal data the consumer provided to the controller in a portable format.
  • Opt out of the “sale” of personal data (defined as disclosure by a controller to a third party for monetary consideration) or processing personal data for targeted advertising.

Note that the UCPA does not grant consumers the right to request the correction of inaccurate personal data.

Follow the requirements for processing sensitive data

The Utah privacy law doesn’t require consent for processing sensitive data. However, controllers must notify consumers and allow them to opt out of processing sensitive personal data before it is collected and processed.

Maintain and display a privacy policy

Controllers must provide consumers with a privacy notice that includes:

  • Categories of personal data processed and the purpose of processing.
  • How consumers can exercise their rights.
  • What data is shared with third parties, along with categories of third parties.

If controllers sell personal data to third parties or engage in targeted advertising, they must disclose how consumers can opt out of these activities.

The UCPA does not contain a concept of “profiling.” Therefore, unlike Virginia’s CDPA, the law does not give consumers a right to opt out of profiling.

Adopt appropriate security measures

Controllers must establish and maintain reasonable administrative, technical and physical data security practices. These practices must guard the confidentiality and integrity of personal data while reducing reasonably foreseeable risks to consumers relating to the processing. A controller must consider the size, scope and type of its business to implement data security appropriate for the volume and nature of the data it collects. 

This applies to third parties the controller uses for data processing and must be included in contracts between controllers and third-party processors.

Follow the nondiscrimination clause

Controllers may not discriminate against consumers who exercise their rights under the law. Examples of prohibited discrimination include denying goods or services or charging a different price for a service. However, controllers may offer bona fide loyalty, rewards, and discount programs and provide a different price or quality of product or service if a consumer opts out of targeted advertising.

Penalties for non-compliance

If a business violates the law, the Utah Attorney General will provide written notice and a 30-day cure period. If a controller or processor fails to address the violation, the Attorney General can fine the organization for actual damages and up to $7,500 per violation.

pro tip

How Piwik PRO helps you comply with the law:

  • Get full control over collected data and rest assured we don’t use it for our own purposes.
  • Quickly set up banners to inform visitors about the collection of their data and give them a way to opt out or send a data request.
  • Collect and process user requests.
  • Adjust tracking methods to visitor privacy choices thanks to a built-in consent manager and tag manager.

Chapter 18

Connecticut Data Privacy Act (CTDPA)

The Connecticut Data Privacy Act (CTDPA) was signed into law on May 10, 2022, making Connecticut the fifth US state to enact comprehensive privacy legislation. On June 12, 2023, the CTDPA was amended by the Act Concerning Online Privacy, Data and Safety Protections, which introduces requirements for the protection of minors and health information.

Effective date: July 1, 2023

The scope

The act applies to those who conduct business in the state or who produce products or services targeted to Connecticut residents and who, during the previous year:

  • Controlled or processed personal data of 100,000 or more consumers (excluding data processed solely for completing a payment transaction), or
  • Controlled or processed personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data. 

There is no revenue threshold for organizations that the law applies to.

The law includes many exemptions, such as:

  • State agencies, non-profit organizations and higher education institutions.
  • National securities associations registered under the Securities Exchange Act of 1934.
  • Financial institutions and data subject to the Gramm-Leach-Bliley Act.
  • Covered entities or business associates subject to HIPAA.
  • Personal data maintained in compliance with other privacy laws, such as the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act.

How it defines personal data

Personal data is any information that can be linked to an identifiable individual, excluding publicly available information. 

Some examples of personal data include:

  • Home address.
  • Driver’s license or state identification number.
  • Passport information.
  • Financial account number.
  • Login credentials.
  • Payment card information.

How it defines sensitive data

The Connecticut privacy law defines sensitive data as:

  • Personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health conditions or diagnosis, sex life, sexual orientation, citizenship or immigration status.
  • Genetic or biometric data used to identify an individual.
  • Children’s information.
  • Precise geolocation data.

Key obligations

The CTDPA requires businesses to obtain consumers’ explicit consent before collecting and processing sensitive data. Companies must also obtain consent when the data is collected for targeted advertising or refers to a child.

The law prohibits using dark patterns or an interface designed to impair a consumer’s ability to make decisions regarding consent.

Organizations also need to provide a way for consumers to revoke consent. The mechanism needs to be as easy as the one by which the consumer consented. After the revocation of consent, businesses must cease processing data as soon as practicable (no later than 15 days after receiving the request).

Collect only the necessary data

Businesses are required to limit the collection of personal data to what is adequate, relevant, and reasonably necessary concerning the purpose for which it is processed. In other words, you can’t collect more data than you need to accomplish your goal.

Maintain and display a privacy policy

Organizations need to prepare and maintain a privacy notice that is reasonably accessible, clear, and meaningful, and it should include:

  • Categories of personal data processed.
  • The purpose for processing personal data.
  • How consumers can exercise their rights.
  • What data is shared with third parties and their categories.
  • How to contact the controller.

Conduct data protection assessments

Carry out and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer. This includes:

  • The processing of personal data for targeted advertising.
  • The sale of personal data which is defined as involving a monetary transaction or “other valuable considerations.” Note that even exchanging data for services is regulated by the law.
  • The processing of personal data for profiling.
  • The processing of sensitive data.

Implement security measures

Controllers must establish, implement and maintain reasonable administrative, technical and physical security practices to protect the confidentiality, integrity, and accessibility of personal data. These practices must consider the volume and nature of the personal data in question.

Penalties for non-compliance

The Connecticut Attorney General has the authority to enforce violations and may issue fines of up to $5,000 per violation. Additionally, the Attorney General can issue orders to offenders to prevent them from violating the law, force them to pay restitution to victims, and order them to give up profits made as a result of the illegal conduct.

pro tip

How Piwik PRO helps you comply with the law:

  • Use a consent manager that seamlessly integrates with analytics, tag manager and customer data platform.
  • Get full control over collected data and rest assured we don’t use it for our own purposes.
  • Quickly set up banners to inform visitors about the collection of their data and give them a way to opt out or send a data request.
  • Collect and process user requests.
  • Adjust tracking methods to visitor privacy choices thanks to a built-in consent manager and tag manager.

Chapter 19

How to prepare for these regulations globally?

The new data privacy laws are a complex collection of guidelines. It’s difficult to determine one framework that would allow you to prepare for all of them. However, there are some issues that come up in many of these laws. Below we list the most important common points:

Under many of these laws, data breaches become extremely expensive. At the same time, websites now embed dozens, if not hundreds, of third-party elements in their code. Since these components are hosted on external servers, you have no control over them, and you have limited means of detecting breaches that result from malicious modifications of that code.

If you decide to work with SaaS vendors that use third-party scripts, your website’s security becomes as strong as the weakest link in your vendors’ ecosystem. To eliminate that potential weak link, it’s better to move towards products hosted on safe infrastructure – secure public cloud or private cloud.

To learn more about the differences between these hosting options, read this:
How to host your analytics: public cloud vs private cloud vs self-hosted

One of the most frequently recurring demands of the new laws is that every website owner should collect active consents, or at least provide a way for users to opt out of being tracked. 

In this situation, you should think of employing a mechanism to acquire, store and manage records of consents or opt-outs and all possible data subject requests resulting from the fact that you process personal data/information.

One of the most popular ways to tackle these kinds of issues is to use a consent manager.

If you’d like to know how Piwik PRO Consent Manager addresses the requirement to collect strong user consents, be sure to check out this page.

3. Examine where you send your data

Many of the presented laws establish specific requirements for international data transfers. It doesn’t mean you’re no longer allowed to keep data offshore. But you’ll definitely need to be more mindful when choosing the platforms you use in your day-to-day work.

For example, in the case of Singapore’s PDPA, you can’t send user data to jurisdictions with lower data protection standards. This can have a significant impact on your marketing and analytics tool set, because many software providers store data in locations scattered across the globe, including the US.

4. Find out if your software providers aid you in fulfilling your obligations

Make sure your software vendor meets your technical requirements. Your users’ data should be stored in a way that ensures full accessibility and portability. This will let you easily access, delete, rectify and transmit all the relevant information collected by your marketing tools. For these types of requests, the biggest challenge is to remove the user’s data from backups. 

Also, check if your software provider follows the best privacy practices, e.g. doesn’t use individuals’ data for their own purposes or share it with other third parties.

Finally, sign a data processing agreement (DPA) with your software providers to make sure everyone knows and respects their obligations that arise from processing user data.

If you don’t know how to draft a proper DPA, be sure to read this blog post:
Data processing agreement: 7 elements every DPA should have

5. Consider data anonymization (de-identification) options

If you want to use data about your visitors without collecting consents, you need to make sure that the data is properly anonymized. Analytics platforms featuring anonymous data collection, such as Piwik PRO, offer a third way instead of an all-or-nothing choice based on consent.

Learn more about your tracking options with Piwik PRO Analytics Suite

Also, don’t forget that these regulations are only part of the bigger data privacy laws ecosystem. Some countries – for example Australia – have had their regulations in place for more than 30 years!

Privacy laws around the world: conclusions

We hope that this post has given you a better idea of what’s happening in the world of privacy rights. As a privacy-friendly analytics provider, we make sure that our platform helps our clients adapt to laws around the world. If you want to know how our product can help you comply with new regulations, contact us. Our team will be happy to answer all of your questions.
