11 new privacy laws around the world and how they’ll affect your analytics

GDPR was a breakthrough in data privacy – the new golden standard among data protection regulations. Here are the most important principles GDPR introduced according to the report “Global convergence of data privacy standards and laws”:

• Enabling data protection authorities (DPAs) to make binding decisions and issue administrative sanctions, including fines
• The right to object to processing based on the controller’s or public interests
• An obligation to notify DPAs and data subjects about data breach
• Stronger consent requirements
• Including biometric and/or genetic data in the definition of sensitive data
• Introducing data protection officers (DPOs) as a mandatory role in organizations that process personal data

We’ve been seeing a “GDPR domino effect” – countries are implementing GDPR-style privacy frameworks one at a time. 

New data privacy laws are having an undeniable impact on business – both locally and globally. Companies with an international presence must now adapt to a wide range of regulations, often with different requirements and restrictions. 

To help you in this quest, we’ve gathered details about new privacy laws from around the world. We’ll present the practical effect they’ll have on companies that use analytics and marketing platforms, such as CRMs, customer data platforms, or web analytics.

Effective date: January 1, 2023

The scope

The CPRA modifies the scope outlined by the CCPA. 

Namely, CPRA applies to a company that operates for profit and processes the personal information of California residents if it:

• Has a gross annual revenue greater than or equal to $25 million
• Obtains information of 100,000 or more California residents/households or devices annually
• Generates at least 50% of their annual income from selling or sharing the information of California residents

Increasing the threshold from 50,000 California residents in the CCPA to 100,000 may reduce the number of businesses that fall under the law. But including “sharing” in the provision on generating 50% or more revenue from selling personal information can potentially increase the number of organizations that the law applies to.

How it defines personal information

The definition of personal data aligns with that in the CCPA and is quite broad. It covers:

“[I]nformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The definition of personal information includes unique identifiers – many of which are the fuel that powers marketing activities:

“Unique identifier” means a persistent identifier that can be used to recognize a consumer or a device over time and across different services, including but not limited to, a device identifier; Internet Protocol address(es); cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.

How it defines sensitive personal information

The CPRA provides a new category of data – specifically, sensitive personal information (SPI). Such data requires appropriate security measures, and consumers have the right to request that organizations limit the use of their SPI.

Sensitive personal information can include:

• Social Security Number
• Driver’s license
• State identification card
• Passport number
• Financial account information and log-in credentials
• Debit card or credit card number and access codes
• Precise geolocation data
• Religious or philosophical beliefs
• Ethnic origin
• Contents of communication
• Genetic data
• Biometric information for the purposes of identification
• Health information
• Information about sex or sexual orientation

Key responsibilities under the CPRA

Take measures to protect the data of minors

There is a mandatory opt-in for selling the personal data of minors (under 16 years old). Businesses also must wait 12 months before asking a minor consumer for consent to sell or share their personal information after the minor has declined.

Map your data processes

Make sure you know what kinds of personal information you collect and that the data is prepared for access, deletion and portability requests from your clients. 

Consumers have the right to:

• Obtain a record of the personal information companies have on them (from the last 12 months and, under certain circumstances, also from beyond the 12-month period)
• Request that a business transfer specific personal information to another entity
• Request to have their data deleted
• Request the companies to stop the sale or sharing of their information
• Be informed about the length of data retention

The CPRA introduces additional consumer privacy rights that didn’t appear in the CCPA, namely:

• The right to request that a business correct any inaccurate personal information
• The right to access information about automated decision-making (such as profiling) and opt out of it

Importantly, a business can’t discriminate against consumers who have decided to exercise their rights.

Check your third-party data sources

Under the CCPA, operating on stolen or breached data is an offense. Companies that buy customer data from third parties should always make sure that it comes from a legitimate source. 

On a consumer’s request, businesses need to send the deletion request to third parties that have bought or received the consumer’s personal information.

Come up with a way for handling consumer requests

Provide users with at least two methods for placing requests. The link to those forms should be placed somewhere on your homepage, along with the text: do not sell my personal information.

Update your data privacy policy

The CCPA already required a granular, GDPR-like approach to the privacy policy.

Your privacy policy should include a description of consumers’ rights as described above, the types of personal data you gather, how you collect it, where you use it, and with what third parties you share it.

The CPRA expands on the disclosure requirements and obligates you to:

• Disclose whether collected information will be sold or shared
• Identify the sensitive personal information that you will collect
• Either disclose the length of time you’ll retain information or the criteria used to determine it
• Disclose if you don’t collect information by conspicuous notice

Take appropriate security measures to protect data

Under CPRA, any business that collects consumers’ personal information is obligated to:

“[…] implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.”

California residents have the right to sue companies that use their data if it was stolen or disclosed in a data breach. In addition, they can also sue companies that neglected the safety of their data (for instance, by failing to encrypt it).

Penalties

The California law also imposes sanctions on businesses that fail to comply with its provisions. The fines include:

• In the case of a suit filed by consumers: $100-750 (or the cost of actual damages, whichever is higher) per resident and incident in the case of data breaches or data theft if data was not properly protected.
• In the case of a suit by the State Attorney General: $2,500 per unintentional violation and up to $7,500 per intentional violation of privacy. In cases involving minors, the maximum fine is $7,500 for both intentional and unintentional violations.

With the CPRA, there is no 30-day period for businesses to remedy the violation once they’re informed of noncompliance, as is the case under CCPA.

Effective date: January 1, 2023

Who is affected by the law?

The law applies to every company that does business in Virginia, offers products or services to Virginia residents and:

• Controls or processes the personal data of at least 100,000 consumers during a calendar year
• Controls or processes the personal data of at least 25,000 consumers and makes at least 50% of its gross revenue from the sale of personal data

What’s interesting is that even large businesses won’t be subject to the law if they don’t fall within one of these two categories. 

The law also doesn’t cover:

• Bodies, authorities, boards, bureaus, commissions, districts or Virginian agencies or any Virginian political subdivision
• Financial institutions or subjects to the Gramm-Leach-Bliley Act
• Anyone who is subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)
• Non-profit organizations (including certain types of political organizations)
• Institutions of higher education

The key notions of CDPA also impact the scope of the law. According to the act:

• “Consumer” – is “a natural person who is a resident of the Commonwealth acting only in an individual or household context”, which means that the law doesn’t cover, for example, employee data.
• “Sale of personal information” – is “the exchange of personal data for monetary consideration by the controller to a third party”, which means that exchanging user data for non-monetary goods won’t qualify as a sale of data.

How CDPA defines personal data?

Personal data is “any information that is linked to or reasonably linkable to an identified or identifiable natural person”. The law doesn’t provide more guidelines on what’s “reasonably linkable” data. This indicates that the law covers all types of identifiable data about an individual, including online identifiers such as cookies or user IDs.

However, CDPA excludes from the scope of personal data:

• Data about employees
• De-identified data 
• Publicly available information

What is sensitive data

CDPA establishes a special category of personal data that qualifies as sensitive data. It includes but is not limited to:

• Data about racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status
• Genetic or biometric data that allows identifying an individual
• Personal data of a child
• Precise geolocation data

Processing this kind of information involves different privacy obligations, including the user’s active opt-in. We’ll talk about it later on.

Your key responsibilities under CDPA

✓ Respect consumers’ rights

The CDPA provides consumers with six key rights:

• Right to access – Upon consumers’ request, you must disclose what information you have collected on them.
• Right to correct – Upon consumers’ request, you must rectify the information you have collected on them.
• Right to delete – Upon consumers’ request, you must get rid of all the information you have collected on them.
• Right to data portability – Upon consumers’ request, you must provide consumers with a copy of the data you have collected on them. The copy should be in a portable and readily usable format. This should allow consumers to e.g., easily transfer their data to different institutions and companies.
• Right to appeal – Under CDPA, you have 45 days to process consumer requests. If necessary, you can prolong it by another 45 days, but you need to inform consumers about this fact within the initial response window. If you don’t meet these deadlines, consumers have a right to submit a complaint about your negligence to the attorney general.
• Right to opt out – This means you need to respect consumers’ decision to object to the collection of their data for e.g., targeted advertising, the sale of their data or profiling. You should provide them with an easy way to exercise this right, e.g., by placing an opt-out widget on your website

✓ Describe your data processing methods in your privacy policy

The law requires you to be transparent about how you collect, process and disclose consumers’ data. In your privacy policy, you need to provide your website visitors with the details on:

• The categories of personal data you process
• The categories of personal data you share with third parties
• The categories of the third parties you share personal data with
• The purpose(s) for which you process personal data 
• The ways you let consumers exercise their rights (e.g., to delete, access or correct their data)

✓ Limit the use and collection of data

You need to limit the scope of collected data to what is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.” The ways in which you use consumer data must align with what you’ve included in your privacy policy unless you have active user consent for new purposes of using the data.

✓ Apply technical safeguards to your data

You must implement a process for ensuring the confidentiality, integrity and accessibility of personal data. That said, the Act is not specific about the preferred methods.

✓ Perform data protection assessments

You should run data protection assessments that help you evaluate the potential risks of data processing. You can find a comprehensive list of activities here.

✓ Sign data processing agreements with every party processing data on your behalf

You need to sign a data processing agreement with every party that has access to the data you collect about consumers. The agreement must include the following elements:

• Clear instructions for processing the data
• The nature and purpose of processing
• The type of data subject to processing
• The duration of processing
• The rights and obligations of the parties

Penalties for non-compliance

CDPA doesn’t give consumers the power to bring a private action. Fines are imposed by the attorney general and proceeded with a 30-day cure period. If, after this time, the organization is still in breach of the law, it can face fines up to $7,500 per violation.

If passed, Bill C-27 will create:

• The Consumer Privacy Protection Act (CPPA), the main privacy law that will replace the Personal Information Protection and Electronic Documents Act (PIPEDA), as did Bill C-11.
• The Personal Information and Data Protection Tribunal Act, creating a new tribunal to replace the current role of the Federal Court under PIPEDA and enabling the new penalty regime, as did Bill C-11.
• The Artificial Intelligence and Data Act, which is a new addition to Bill C-27 compared to Bill C-11, and doesn’t exactly fit with the CPPA/Tribunal regulatory framework.

Effective date: Unknown. The act is currently in the draft stage.

What is personal information under CPPA?

The new law maintains the definition of personal information established in PIPEDA. Under CPPA, personal information is any information about an identifiable individual, living or deceased. It includes:

• Age, name, ID numbers, income, ethnic origin, or blood type
• Opinions, evaluations, comments, social status or disciplinary actions
• Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs) [source]

Who is affected by CPPA?

CPPA requirements apply to any organization that:

• Collects, uses and shares personal information for commercial purposes
• Collects, uses and shares personal information about employees and job candidates

CPPA doesn’t apply to:

• Government organizations covered by the Privacy Act
• Personal information used for journalistic, artistic and literary purposes
• Personal information used for personal purposes
• Personal information about individuals used in relation to employment, business or profession

Your key responsibilities under CPPA

✓ Take on accountability for the collected data

CPPA makes your organization fully responsible for the safety of personal information whether it’s collected, used or disclosed by you or by someone else on your behalf.

You need to protect personal information through physical, organizational and technological security safeguards, adjusting the level of protection to the sensitivity of the data. You also need to take “reasonable measures to authenticate the identity of the individual to whom the personal information relates.”

You should also assign one person to be in charge of compliance with privacy obligations and disclose their contact details, e.g. in your privacy policy or upon visitor’s request.

✓ Collect consents

You need to acquire meaningful consents for collecting, processing and disclosing users’ personal information. Likewise, you have to write your request in plain language to make sure visitors are properly informed about their options. 

The consent request can take two forms:

• Implicit – you need to inform users about the collection of their personal data and give them a way to opt out of it
• Explicit – you need to obtain users’ active opt-in before you start tracking their data

Your choice of implicit or explicit consent should depend on the type of personal information at stake. While more sensitive data will require active consent, in the case of less sensitive data you will be able to rely on implied consent. Keep in mind that documenting consents, which is an obligation under CPPA, is a lot easier with explicit consents than with those based on inaction. 

No matter which type of consent you choose, be sure your message to the visitor includes the following information:

• The purposes and ways for which you want to collect, use and disclose personal information
• The consequences of the collection, use or disclosure of the personal informa­tion
• The types of personal information you collect, use and disclose
• The names of any third parties you share users’ personal information with

Finally, remember about users’ right to withdraw consent. You should provide them with an easy way to change their mind, e.g. through a contact form or email address on your privacy page. After receiving a request to withdraw consent, you need to inform the user about the consequences of withdrawal and cease the collection, use and disclosure of data as soon as feasible.

✓ Respect user rights to data transfer and deletion

Under CPPA, users have the right to:

• Transfer their personal information between organizations, e.g. banks or insurance providers
• Request the deletion of their personal information

✓ Remember about privacy management programs and transparency

Companies have to come up with transparent processes for handling personal information. Every organization should prepare materials in which it describes:

• How it protects personal information
• How it manages requests for information and complaints
• How it meets other obligations under the legislation
• What training and information is provided to staff

You also need to update your privacy policy so it clearly describes what types of personal information you collect and how you process it. You should make sure that your privacy policy is written in plain and understandable language.

✓ Keep records of consents and privacy policies

Your organization needs to keep records of consents and the purposes for which it collects, uses and discloses data. If you decide to use data for any new purpose, you need to obtain a separate consent, document it and add it to those records. 

You should keep this data in an easily accessible form. In case of an audit, you need to make readily available, in plain language, information that explains the organization’s privacy policies and practices, as well as the consent records.

✓ Consider working with de-indentified data

CPPA doesn’t specify the definition of de-indentified information. Instead, it provides the description of the process of de-identifiyng data:

De-identify means to modify personal information – or create information from personal information – by using technical processes to ensure that the information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual.‍ 

According to the law, you can collect de-identified data without visitors’ consent.

✓ Take special precautions with personal data of minors

Bill C-27 considers minors’ personal data to be sensitive. Parents or guardians can exercise the rights (including consent) on behalf of their child, but the child can object to their authorization. Also, children have more rights to have their personal data deleted.

CPPA: What are the penalties for non-compliance?

Fines for non-compliance with CPPA are up to $10 million or up to 3% of global revenue. The law also includes higher penalties for more serious and deliberate violations, up to $25 million or 5% of global revenue. 

What’s important, under CPPA, consumers have a right of private action, which means they can sue companies that have used their data in a way that violates the obligations of the act.

Effective date: December 1, 2020

The scope

The bill applies to every business dealing with data of New Zealand residents, even if they’re not physically present in the country. Almost every person or organization that holds personal information is an “agency” according to the law. This means that the legislation covers all government departments, companies as well as religious groups, schools and clubs.

How it defines personal information

Personal information is information about an identifiable, living individual. It includes names, email addresses and biometric data as well as:

• IP addresses
• Unique IDs 
• Search and browser history
• Data about the device, operating system, updates, etc.
• Location data
• Purchase and online shopping history
• Settings and website preferences
• Behavioral data, such as speed of scrolling and hovering of mouse and cursor

Key obligations and provisions

• Inform individuals about collecting their data. You need to notify and inform users about the collection, use and sharing of their personal information. The notification can take many forms, e.g. a privacy disclaimer placed on the bottom bar of your website.
• Respect individuals’ rights. Under the New Zealand Privacy Act, people have a right to access and rectify data companies collect about them.
• Notify authorities about data breaches. If a breach of privacy reaches a defined threshold, an agency must notify both the affected individual and the privacy commissioner.
• Be careful with cross-border data transfers. The Act introduces a new prohibition on disclosing personal information overseas. A business or organization may only disclose personal information to another organization outside New Zealand if they verify that the receiving organization:
  • is subject to the Privacy Act because they do business in New Zealand
  • will adequately protect the information
  • is subject to privacy laws that provide comparable safeguards to the Privacy Act
  • obtains permission to the disclosure from the person concerned

As you can see, although the law aims to regulate the flow of information about users between countries and companies, it lacks the strength of GDPR and other modern privacy laws. For one thing, it doesn’t establish a framework that would give internet users a way to opt in or oppose the tracking of their data. Also, it doesn’t give individuals the right to be forgotten or the right to data portability. Finally, it doesn’t give a privacy commissioner the ability to hand out fines for privacy breaches, as opposed to the GDPR or CCPA.

Penalties

The bill introduces new criminal offenses. It will be an offense for a person to:

• Make or give any false or misleading statements
• Falsely represent that a person has authority under the Privacy Act
• Impersonate or falsely pretend to be an individual for the purposes of obtaining access to an individual’s personal information 
• Knowingly destroy documents containing personal information that is the subject of a request

Any person that commits any of the above offenses will be liable for a fine of up to $10,000.

Effective date: September 18, 2020

The scope

Like the EU’s GDPR, the LGPD has extraterritorial application. It means that the law applies to:

• Processing of data within the territory of Brazil
• Processing of the data of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located
• Processing of data collected in Brazil

How it defines personal information

Similarly to GDPR – the scope of personal data includes: 

“[A]ny data, isolated or aggregated to another, that may allow the identification of a natural person or subject them to a certain behavior (interpretation possible from an integrative reading of the text). In this time of big data, which allows the rapid correlation of large, structured and unstructured databases, virtually any data can eventually be considered personal, therefore subject to the law.”

Key obligations

LGPD shares many characteristics with GDPR, but is not identical. Let’s look at the most important principles of LGPD and how they compare to GDPR:

• Choose between 10 lawful grounds for processing data. Apart from GDPR’s six bases for lawful processing, the LGPD lays out some additional, more specific bases. The Brazilian law introduces four new options, including the conducting of research studies, medical procedures, protection of credit and judicial proceedings. 
• Collect consents. LGPD treats consent as a freely given, informed and unambiguous indication of the data subjects’ agreement to processing data. The law uses an opt-in model of consent, meaning that data can’t be collected or processed until the user consents to it.
• Respect data subject rights. LGPD introduces new rights for data subjects, such as the right of access, right of data rectification, cancellation or exclusion, right to object to processing, right to revoke consent previously given, right of information and explanation regarding the use of data, and right of data portability. It also establishes a relatively short timeframe for processing data subjects’ requests resulting from those rights (15 days vs. one month under GDPR). 
• Notify authorities about data breaches. Data breach notifications to the data protection authority become mandatory and must take place within a “reasonable time frame”, not within 72 hours as under GDPR.
• Assign a Data Protection Officer (DPO). Similarly to GDPR, LGPD introduces the obligation to appoint a DPO. The entity that processes data and falls under LGDP must appoint an officer to conduct communication between lawmakers and data subjects. 
• Respect principles of privacy by design and by default. When designing services, products and business models, you’ve got to do it with respect for privacy and data protection rights. The general principles of LGPD and safety standards should be taken into consideration from conception to execution of a product or service.
• Respect 10 principles of processing personal data, which include:
  • Purpose limitation
  • Adequacy
  • Necessity
  • Quality of data
  • Transparency
  • Security
  • Non-discrimination 
  • Accuracy
  • Prevention
  • Principle of accountability

Actionable steps

If you already operate in compliance with GDPR, you already meet the lion’s share of the obligations imposed by LGPD. However, there are important differences you’ll have to address. They include a shorter time period for processing data subject requests and additional lawful bases for data processing. Nevertheless, it seems that in the case of LGDP, consent will also be the most suitable grounds for marketing and sales activities.

Penalties

The sanctions include notices and fines. They can go up to 2% of the company’s turnover in Brazil in the last fiscal year, limited in total to 50 million reals (around $13,305,657) per violation. A daily fine can also be imposed to compel those in breach of the law to cease violations.

Effective date: February 1, 2021

The scope

PDPA regulates the collection, use and disclosure of personal data in Singapore. It makes website owners, companies and organizations responsible for establishing a lawful data collection process. 

The law has an extraterritorial effect, meaning that it applies to every company dealing with data of Singapore’s residents. 

The PDPA covers private organizations that collect, use and/or disclose personal data. But there are some exceptions, such as:

• Individuals using data for their personal purposes
• Employees in the course of their employment with an organization
• Public and government agencies, as they have their own set of privacy rules

How PDPA defines personal data

Personal data in PDPA is a very broad notion. It covers “data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access”. This includes:

• Names, addresses, email addresses, telephone numbers
• IP addresses, cookie identifiers, unique IDs, search history, browser history, device data, location data
• Information about age, gender, race, health, sexual orientation, appearance, political and religious convictions

Your key obligations under PDPA

✓ Obtain consent to process individuals’ personal data

One of the crucial obligations under PDPA is acquiring a visitor’s consent to collect their data. The consent can be affirmative or deemed. Deemed consent means users are informed about data collection and provided with a way to opt out, but do not opt out. Affirmative consent is similar to GDPR – it requires the visitors’ active opt-in.

The other rules around collecting lawful consents include informing users about:

• Your intention to process their data, before you begin collecting it
• The purposes of processing
• Their right to withdraw consent anytime

Finally, you’re not allowed to force users into consent by limiting access to a product or service.

✓ Respect visitor’s rights

At a user’s request, you must:

• Inform them what personal data you collected on them
• Disclose how you’ve used their personal data within one year before the request took place
• Provide them with a portable and transferable copy of their personal data
• Rectify any error or omission in their personal data

✓ Limit your data collection

Your organization may collect, use and disclose personal data only for the purposes visitors have consented to. What’s more, the data should be kept only for the time it’s used for a given purpose and deleted right after that.

✓ Limit data transfers

Under PDPA, you can transfer users’ personal data offshore. But the country you want to keep it in needs to provide a standard of protection comparable to the one afforded by Singapore law. This makes it virtually impossible to send the data to countries such as the US, where user data can become a subject of invigilation by national security agencies. That puts into question the lawfulness of using e.g. Google Analytics, which stores user data in many locations, including the US.

✓ Be transparent

Designate a data protection officer and remember to publish their contact information on your website. Update your privacy policy so it properly describes your data collection, processing and disclosure processes.

✓ Respect Do-not-call (DNC) requirement

Respect the will of people who have registered in the national do-not-call (DNC) registry, unless you obtained their clear and unambiguous consent or have an ongoing business relationship with them. 

✓ Keep your data collection relevant and up-to-date

Make sure that the personal data you work with is accurate and complete.

✓ Protect the security of your collected data

Keep personal data secure and protect it from unauthorized access, modification or use.

✓ Always notify authorities about data breaches

Notify users and Singapore’s Personal Data Protection Commission (PDPC) of data breaches within three days.

Penalties

Fines for non-compliance with PDPA have been increased to 10% of the annual turnover of an organization with an annual turnover exceeding $10 million, or $1 million, whichever is higher.

Effective date: June 1, 2022

The scope

PDPA has an extraterritorial scope. It applies to all organizations that collect, use or disclose personal data in Thailand or of Thai residents, regardless of whether they are formed or recognized under Thai law, and whether they are residents or have a business presence in Thailand.

How it defines personal data

The law provides the following definition of personal data:

“Personal data” means any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased persons in particular.

Aside from this, the law doesn’t list many specific examples of personal data.

Exemptions from the scope of personal data include:

• Data collected for private purposes
• Data collected by government agencies related to national security, money laundering and cybersecurity
• Media subject to ethical standards and public interest purposes
• Data collected by Members of Parliament and Judiciary
• Data collected by credit bureaus

Key obligations

✓ Obtain user consent for processing data

The law requires asking for user consent for cookies and other means of tracking based on unique identifiers. You also need to comply with the following principles:

• Consent has to be freely given and obtained in written form (e.g., by ticking a box on a consent pop-up)
• Users need to be informed about the purpose of data collection (e.g., remarketing, A/B testing or analytics)
• The request must be expressed in clear and plain language
• Records of consent need to be stored for five years

You can process personal data from before June 1, 2022, if you use it for the same purpose you initially collected it for. However, you have to provide users with a way to withdraw their consent. And if you decide to use or disclose the gathered data beyond the original purpose, you need to get valid user consent.

✓ Prevent unauthorized access to users’ personal data

According to PDPA, you should ensure the highest security and privacy standards for collected data. The law doesn’t propose any specific data protection methods, leaving it to you to define sufficient measures for preventing unauthorized access, disclosure or copying of personal data within your organization. 

✓ Respect users’ rights

PDPA introduces the following user rights:

• The right to be informed about the purpose of collecting and processing data 
• The right to withdraw the given consent
• The right to non-discrimination for not providing consent – which means that you can’t limit the access to products or services for visitors who decline tracking
• The right to access and obtain the data collected from individuals
• The right to object to the collection, use and disclosure of their data
• The right to restrict the use of their data – which means that the user should be able to specify purposes for which they allow you to use their data
• The right to correction of their data
• The right to transfer their data to another data controller
• The right to have their data erased, destroyed or anonymized

✓ Transfer data only to countries with high privacy standards

PDPA allows for sending data only to jurisdictions with the same or higher security standards. It’s not yet clear which countries comply with the obligations of PDPA. However, the law provides other grounds for data transfer, such as:

• Compliance with legal obligations
• Contract
• Compliance with contractual obligations of the data controller with a third party for the benefit of the data subject
• Vital interest
• Carrying out an important task of public interest

It’s difficult to predict if any of these grounds will apply to data processing performed with analytics and marketing.

Penalties

For breaching the rules of PDPA, you may face:

• Fines up to THB (Thai baht) 5 million ($159,591) or up to 4% of global turnover 
• Criminal penalties which could include imprisonment for up to one year

The full name: Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).

Effective date: Still unknown, but not earlier than 2023. The Council and the European Parliament are now negotiating the terms of the final text. It’s not yet sure if the law will be enforced in its current form, as it’s been heavily criticized by EU authorities, including Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI). 

The law will enter into force 20 days after its publication and will start to apply two years after that.

Who will be affected by the ePrivacy regulation?

If adopted, the latest draft will apply to the processing of personal data collected via a “publicly available” electronic communication service or network. It will cover:

• Providers of electronic communications services
• Providers of publicly available directories 
• Those who use electronic communication services to send direct marketing commercial communications 
• Those who process and store data in users’ terminal equipment 
• Those who collect information processed, emitted by or stored in end-users’ terminal equipment

This means that the law affects most organizations that deal with user data acquired through electronic data collection.

The regulation has an extraterritorial effect. It safeguards the data of EU residents no matter where collecting and processing take place. 

What will be your main obligations under the current ePrivacy draft?

Compared to previous proposals, the newest ePrivacy Regulation draft is less strict and detailed. That said, it still covers multiple types of electronic data processing. In this article, we’ll focus on the parts related to marketing and analytics.

Cookies and consent

The new version of the law upholds consent as one of the pillars of user privacy on the internet. However, compared to previous iterations of the law, it loosens the restrictions around obtaining consent.

The most important arrangements around consent and cookies include: 

1. Allowing access to personal data on users’ devices without permission

In the current version, the law allows service providers to access personal data on users’ devices for the performance of a contract. In the previous version, such access was permitted only where it was technically necessary. This way, the clause becomes more ambiguous and leaves room for interpretation of what’s necessary to perform a contract.

2. Consent exception for analytics cookies

According to the new draft, using cookies for simple audience measuring won’t require user consent “if it is necessary for the sole purpose of audience measuring, provided that such measurement is carried out by the provider of the service requested by the end-user, or by a third party”. Such cookies, usually called analytics cookies, could be used without prior opt-in.

3. Unclear guidance on collecting personal data to improve the effectiveness of the provided service

The proposed draft indicates that gathering statistics to measure the performance of a website won’t require consent. Even using tracking pixels to measure advertising won’t call for the user’s permission, provided that the cookies won’t be used to gather personal data, but rather aggregated statistical data.

This rule doesn’t apply to any kind of remarketing or data activation activities carried out with the use of personal data.

4. Soft “yes” for cookie walls

The current draft introduces less rigorous rules around providing access to information or service based on users’ consent. It allows companies to create different offers for users according to their privacy choices:

Requiring […] consent would normally not be considered as depriving the end-user of a genuine choice if the end-user is able to choose between services, on the basis of clear, precise and user-friendly information about the purposes of cookies and similar techniques […]

5. No solution for global privacy preferences expressed through browser settings 

In the new iteration of the draft, end users are able to give consent to the use of certain types of cookies only by whitelisting one or several providers in their browser settings:

Where available and technically feasible, an end user may therefore grant, through software settings, consent to a specific provider for the use of processing and storage capabilities of terminal equipment for one or multiple specific purposes across one or more specific services of that provider.

The previous version, in the now-deleted articles 9 and 10, put forward some more user-friendly solutions. It proposed replacing consent modals and pop-ups with legally binding signals configured by the users.

6. Working with metadata without users’ consent

The draft regulation opens up the possibility of processing users’ metadata, even without their consent. The scope of metadata in the current version of the ePrivacy Regulation is as follows:

‘Electronic communications metadata’ means data processed by means of electronic communications services for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication.

According to the text, you can use this kind of data for statistical purposes and other purposes you didn’t initially collect it for, if you encrypt or pseudonymize it. In contrast, here’s what GDPR says about the obligations involved in processing pseudonymized data:

The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.

Source: Article 26 of the General Data Protection Regulation

Penalties for non-compliance

ePrivacy maintains the same fines as the ones described in GDPR – from €10M or 2% of annual turnover to €20M or 4% of annual turnover, depending on the gravity of the violation. A detailed description of the penalties is given in Article 23 of the draft.

Effective date: December 1, 2021

The scope

As the TTDSG states:

All companies and persons who have an establishment or provide or participate in the provision of services or make goods available on the market within the scope of this Act are subject to this Act.

This means that any organization established in Germany falls under TTDSG, as well as any applicable organizations located outside of Germany.

The data that TTDSG concerns

Following the ePrivacy directive, TTDSG applies to both personal and non-personal data.

If no personal data is processed, only TTDSG is applicable. If both personal and non-personal data is processed, both TTDSG and GDPR apply. 

However, when it comes to storing and accessing information on/from terminal equipment, TTDSG takes precedence. Any subsequent processing of data collected through cookies or other tracking mechanisms without further involving the end-user device (such as a computer, tablet or smartphone) is subject to the GDPR.

Key obligations under TTDSG

Collect and store appropriate consents from users

You must obtain valid consent from users when applicable. Record all user consents so you can demonstrate proof of consent if needed.

As Section 25 of the TTDSG reads:

The storage of information in the end-user’s terminal equipment or the access to information already stored in the terminal equipment shall only be allowed if the end-user has consented on the basis of clear and comprehensive information.

For consent to be valid, it needs to be:

• Given before the data processing
• Freely given
• Explicit
• Informed

These requirements are the same as under GDPR, and TTDSG does not introduce any changes to them.

Get consent for storing or reading information from a user’s device

What makes the German regulation particularly strict is that, without consent, you can’t read or store information on a user’s device. 

As a result, many ways of collecting analytics data with cookies won’t be compliant with TTDSG prior to getting consent. For example, even using a temporary visitor cookie requires consent from users. You also can’t read additional information about the device, like screen resolution or browser plugins. 

You need to either display a consent banner to acquire explicit user consent or go for cookieless options.

Display a compliant cookie banner

Your banner needs to include information about the specific purposes of processing – terms such as “improving the user’s experience” or “advertising purposes” aren’t sufficient. Give users an option to agree to each cookie type separately.

Be transparent about all the processing activities – what data will be processed, who will be involved, what third parties will participate, and information about the retention of the cookies. Don’t forget to include a link to your privacy policy. Since a user must opt in by performing an action, a notice-only cookie banner won’t be sufficient.

Pay attention to the banner’s design. Choose a consent manager solution that lets you customize the text and design of the cookie banner. Adjust the text on the buttons – ensure the functions of the individual buttons are clear and users can tell what consequences are associated with clicking them. 

The cookie banner should not prevent access to the website’s privacy policy or other legal notice.

Allow users to withdraw or manage their consent

Under TTDSG, you must mention the right to withdraw consent on the first level of the consent window. Users must be able to withdraw their consent at any given time. 

Revoking consent must be as simple as granting it and available through the same means – so, if a user gave consent on the website, you can’t require them to make a phone call or write an email to withdraw it.

Users need to be provided with equivalent options for accepting and rejecting cookies. For example, if an “Accept all” consent button is located on the first level of the consent banner, there should also be a reject button on the same level. Users shouldn’t have to take further action to refuse consent, such as by navigating to Settings, since it requires extra steps to complete the desired action.

You can use approved services to manage consent, such as Personal Information Management Services (PIMS). A PIMS lets users choose once which cookies they want to allow and which personal data processing they wish to consent to. The PIMS then automatically passes on the decision to different websites. However, PIMS must be verified by an independent institution to be a viable option for protecting user privacy. And no PIMS services are available on the market yet. Time will show whether the PIMS provided for consent management will bring the desired simplifications.

Implement measures to protect confidentiality and privacy

The technical and organizational measures your company adopts need to allow you to, if applicable:

• Ensure that users can utilize telemedia services in a way that protects them from third-parties’ knowledge
• Make sure users can stop using the service at any time
• Provide users with options to pay anonymously or under a pseudonym
• Ensure there is no possibility of unauthorized access to the technical equipment used for telemedia services
• Prevent erroneous transmissions and the unauthorized disclosure of message content within your company and to third parties

You can take measures similar to those applicable under GDPR. Examples of technical measures include:

• Encryption
• Assigning appropriate rights and roles for those accessing the data 
• Implementing backup systems 
• Pseudonymization of data

In terms of organizational options, consider creating internal instructions and employee guidelines.

Penalties

Fines for non-compliance with the TTDSG go up to €300,000.00, depending on the severity of the violation. However, where provisions of the GDPR are applicable, fines can get much higher.

Effective date: November 1, 2021

The scope

PIPL has an extraterritorial scope and applies to:

• Organizations or individuals who process personal information within China, or 
• Organizations located outside China that process the personal information of Chinese residents

The entities mentioned above need to comply with PIPL if:

• They provide products or services to domestic natural persons
• They analyze and evaluate the activities of domestic natural persons
• There are other circumstances as provided by laws and administrative regulations

How PIPL defines personal data

PIPL provides a broad definition of personal information that resembles the California Consumer Privacy Act (CCPA) and GDPR. It refers to personal data as:

…various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding anonymized information.

Like CCPA and GDPR, PIPL perceives anonymized information as nonpersonal and places it outside the scope of the law. The provided definition of anonymization is quite strict and states that:

Anonymization refers to a process in which the personal information is processed so that it is impossible to identify a certain natural person and unable to be reversed.

What is considered sensitive data

PIPL includes a lengthy yet unclear definition of sensitive personal information:

Sensitive personal information refers to the personal information that can easily lead to the infringement of the personal dignity of natural persons or the harm of personal or property safety once leaked or illegally used, including such information as biometrics, religious belief, specific identities, medical health, financial accounts, and whereabouts, and the personal information of minors under the age of 14.

You have to obtain separate consent for processing sensitive personal information. Where required, it may need to be written consent.

You also need to notify data subjects of the necessity of the processing and how it may impact their rights and interests.

Key obligations under PIPL

Respect users’ rights to their data

Similarly to GDPR, PIPL lists individuals’ rights relating to their personal information, such as:

• The right to know about and decide on the processing of their personal information and the right to object to or restrict the processing of their personal information
• The right to access and copy their personal information
• The right to request the data processor to correct their information
• The right to delete the information under one of the circumstances provided in Art. 47
• The right to have data processors explain their processing rules on data subjects’ requests

The same rights apply to a deceased data subject’s relatives.

Have a legal basis for processing personal data

Under PIPL, consent is only one of the seven grounds for lawfully processing personal information. 

Others include:

• When necessary to fulfill a contract or in relation to employment 
• When required to complete a legal obligation
• When protecting the life, health and property of individuals in emergencies or responding to emergencies concerning public health
• Within a reasonable scope, when relating to actions such as news reporting or supervision by public opinions for the public interest
• When the personal information disclosed by individuals themselves or other legally declared personal information is processed within a reasonable range in accordance with PIPL
• Circumstances provided under other laws or regulations

In PIPL, legitimate interest isn’t included as a processing basis.

Where consent is required, you need to:

• Make sure it’s informed, voluntary and explicit
• Ensure access to products or services isn’t based on whether an individual grants consent or not
• Make it easy to withdraw the consent
• Request a new type of consent if the purpose of processing the data changes

Disclose your data processing activities

Prior to the processing of personal information, inform individuals about the following:

• The processor’s (data controller in GDPR) name and contact information
• The purpose and method of processing
• The type of personal information processed
• The retention period of the personal information processed, and
• The method and procedure for individuals to exercise their data subject rights

You must notify users of any changes to these key data processing elements.

Fulfill the requirements of cross-border data transfers

Cross-border data transfers require you to fulfill one of the following conditions:

• Pass a security assessment for cross-border transfers approved by the Cyberspace Administration of China (CAC)
• Obtain certification for personal information protection from a professional institution
• Execute and transfer the data subject to standard contractual clauses formulated by the CAC
• Other conditions provided under other laws, regulations, or CAC

When transferring data outside of China, you must obtain a user’s separate consent for doing so and inform the user about:

• The name and contact details of the receiving party
• The purpose and method of processing 
• The type of personal information being transferred
• The ways for the user to exercise their rights

Provide sufficient data security

You must undertake protective measures disclosed in Art. 51, such as encryption or de-identification, to ensure legal compliance under PIPL and prevent unauthorized access. 

You also need to conduct risk assessments of your cybersecurity measures.

In the circumstances specified in Art. 55, you need to conduct a data protection impact assessment.

If an incident occurs, the company must undertake remedial measures and inform the Chinese regulators.

Penalties

Penalties go up to 5% of the previous year’s revenue or 50 million yuan (around $7.7 million). Directly responsible personnel are subject to fines of between 100k and 1 million yuan.

Effective date: September 1, 2023

The scope

The Swiss FADP applies to all businesses or individuals who process personal data and:

• Are incorporated in Switzerland.
• Offer or provide products and services to people in Switzerland.

What’s important is that nFADP, unlike the existing FADP, does not protect legal entities’ data, but focuses on protecting individuals’ (natural persons’) personal data, which aligns with GDPR.

How nFADP defines personal data

Personal data is defined as any information that identifies a person. This information includes, but is not limited to:

• A person’s full name
• Picture showing a person’s face
• Email address
• Telephone number
• Social security number
• Customer number

What is considered sensitive personal data

FADP lists the following pieces of information as sensitive personal data:

• Religious data
• Ideological data
• Political data
• Trade union-related views or activities
• Health data
• Racial origin of an individual
• Social security measures
• Administrative or criminal data

With nFADP, the list has been extended to also include genetic and biometric data.

Key obligations under nFADP

Disclose your data processing activities

Clearly describe how you process personal data through transparent policies and privacy notices. 

At a minimum, provide data subjects with:

• Details about the purpose of the data processing
• Information about who will receive their information 
• Contact details for the person responsible for this process

Maintain records of processing activities

You need to maintain records of your processing activities if your organization employs more than 250 people. In this case, you must be able to prove the lawfulness of the data processing you’re undertaking at any time.

However, small and medium companies with fewer than 250 employees that process low-risk data are exempt from this requirement.

The records you keep should include details about:

• How the information is processed
• The purpose of processing the data
• The type of data being processed
• Where the processing takes place
• Who the data is disclosed to

This might require changes to your tech infrastructure. You would also need to establish a defined process for transmitting and storing the data you collect.

Collect appropriate user consent

You need to obtain valid consent for any of the processing purposes. Under nFADP, you are required to have consent to process all personal data, not only sensitive personal data. 

The consent has to be:

• Given prior to processing the data
• Informed, freely given, and explicit
• Possible to withdraw

Have data breach procedures in place

If a data security breach occurs, you must promptly notify the Federal Data Protection and Information Commissioner (FDPIC).

You also need to inform the affected individuals if the breach poses a risk to their fundamental rights.

Follow the requirements of cross-border data transfer

It is possible to transfer data internationally if the receiving countries guarantee adequate protection. In this case, you don’t require further approval from an entity or additional consent from a user.

The rules are different for third countries. In their case, you must employ additional legal tools, such as a user’s consent, standard contract clauses, and others.

Conduct a data protection impact assessment, if required

If your company processes personal data, you have to estimate whether your processing activities pose any risk to the individual’s fundamental rights. If you discover any risks, you will have to conduct a Data Protection Impact Assessment (DPIA).

Penalties

Those who violate the obligation to inform data subjects or fail to cooperate will be fined up to 250,000 CHF. The fine is not imposed on the company, but on the person responsible for the data violation.

1. Eliminate weak links in your system

Under many of these laws, data breaches become extremely expensive. That said, websites now have dozens, if not hundreds of third-party elements embedded in their code. Since these components are hosted on external servers, you have no control over them. You also have limited possibilities to detect potential breaches resulting from malicious code modifications. 

If you decide to work with SaaS vendors that use third-party scripts, your website’s security becomes as strong as the weakest link in your vendors’ ecosystem. To eliminate that potential weak link, it’s better to move towards products hosted on safe infrastructure – secure public cloud, private cloud or even on-premises.

2. Apply consent or opt-out mechanisms

One of the most frequently recurring demands of the new laws is that every website owner should collect active consents, or at least provide a way for users to opt out of being tracked. 

In this situation, you should think of employing a mechanism to acquire, store and manage records of consents or opt-outs and all possible data subject requests resulting from the fact that you process personal data/information.

One of the most popular ways to tackle these kinds of issues are consent managers.

3. Examine where you send your data

Many of the presented laws establish specific requirements for international data transfers. It doesn’t mean you’re no longer allowed to keep data offshore. But you’ll definitely need to be more mindful when choosing the platforms you use in your day-to-day work.

For example, in the case of Singapore’s PDPA, you can’t send user data to jurisdictions with lower data protection standards. This can have a significant impact on your marketing and analytics tool set, because many software providers store data in locations scattered across the globe, including the US.

4. Find out if your software providers aid you in fulfilling your obligations

Make sure your software vendor meets your technical requirements. Your users’ data should be stored in a way that ensures full accessibility and portability. This will let you easily access, delete, rectify and transmit all the relevant information collected by your marketing tools. For these types of requests, the biggest challenge is to remove the user’s data from backups. 

Also, check if your software provider follows the best privacy practices, e.g. doesn’t use individuals’ data for their own purposes or share it with other third parties.

Finally, sign a data processing agreement (DPA) with your software providers to make sure everyone knows and respects their obligations that arise from processing user data.

5. Consider data anonymization (de-identification) options

If you want to use data about your visitors without collecting consents, you need to make sure that the data is properly anonymized. Analytics platforms featuring anonymous data collection, such as Piwik PRO, offer a third way instead of an all-or-nothing choice based on consent.

Also, don’t forget that these regulations are only part of the bigger data privacy laws ecosystem. Some countries – for example Australia – have their regulations in place for more than 30 years!

Privacy laws around the world: conclusions

We hope that this post has given you a better idea of what’s happening in the world of privacy rights. As a privacy-friendly analytics provider, we make sure that our platform helps our clients adapt to laws around the world. If you want to know how our product can help you comply with new regulations, contact us. Our team will be happy to answer all of your questions.