10 new privacy laws around the world and how they’ll affect your analytics

GDPR was a breakthrough in data privacy – the new golden standard among data protection regulations. Here are the most important principles GDPR introduced according the report “Global convergence of data privacy standards and laws”:

• Enabling data protection authorities (DPAs) to make binding decisions and issue administrative sanctions including fines
• The right to object to processing based on controller’s or public interests
• An obligation to notify DPAs and data subjects about data breach
• Stronger consent requirements
• Including biometric and/or genetic data in the definition of sensitive data
• Introducing data protection officers (DPOs) as a mandatory role in organizations that process personal data

Now we see a kind of “GDPR domino effect” – countries are implementing GDPR-style privacy frameworks one at a time. 

New data privacy laws will have an undeniable impact on business – both locally and globally. Companies with international presence must now adapt to a wide range of regulations, often with different requirements and restrictions. 

To help you in this quest we’ve gathered the most important new privacy laws from around the world. We’ll also present the practical effect they’ll have for companies that use analytics and marketing platforms, such as CRMs, customer data platforms or web analytics.

Effective date: January 1, 2020

The scope

The law applies to a company that processes the personal information of California residents if it:

• Has a gross annual revenue greater than or equal to $25 million
• Obtains information of 50,000 or more California residents/households or devices annually
• Generates at least 50% of their annual income from selling the information of California residents

Considering that California is now the fifth-largest economy in the world, the law will affect virtually every midsize to enterprise-class business with a global presence.

How it defines personal information

The definition of personal data in CCPA is quite broad, and covers:

“[I]nformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The definition of personal information includes unique identifiers – many of which are the fuel that powers marketing activities:

“Unique identifier” means a persistent identifier that can be used to recognize a consumer or a device over time and across different services, including but not limited to, a device identifier; Internet Protocol address(es); cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.

The most important obligations

Under the new California law:

• Consumers have the right to obtain a record of the personal information companies have on them (from the last 12 months).
• People can request to have their data deleted or to stop the sale of their information. Businesses need to provide a “clear and conspicuous link” on their website’s homepage titled “Do not sell my personal information”. The link has to take users to a page where they can opt out of having their data sold or shared.
• California residents have the right to sue companies that use their data if it was stolen or disclosed by the data breach. In addition, they can also sue companies that neglected the safety of their data  (for instance, didn’t encrypt it).
• There is a mandatory opt-in for selling the personal data of minors (under 16 years old).

Actionable steps

• Map your data – Make sure you know what kinds of personal information you collect and that the data is prepared for access, deletion and portability requests from your clients. 
• Check your third-party data sources – Under the CCPA, operating on stolen or breached data is an offense. Companies that buy customer data from third parties should always make sure that it comes from a legitimate source. 
• Come up with a way for handling consumer requests – Provide users with at least two methods for placing requests. The link to those forms should be placed somewhere on your homepage, along with the text: do not sell my personal information.
• Update your data privacy policy – Your privacy policy should include a description of California residents’ rights. Make sure you do this before the act comes into effect.

Penalties

The new California law also imposes sanctions on businesses that fail to comply with its provisions. The fines include:

• In the case of a suit filed by consumers: $100-750 (or the cost of actual damages, whichever is higher) per resident and incident in the case of data breaches or data theft if data was not properly protected
• In the case of a suit by the State Attorney General: $2,500 per violation and up to $7,500 per intentional violation of privacy

Effective date: January 1, 2019

How the Vermont Act defines personal information

Under this new law, data brokers process “brokered personal information.” This means one or more of such data types as “name, address, date of birth, place of birth, mother’s maiden name, unique biometric data, name or address of a member of the consumer’s immediate family or household, SSN or government issued ID”, or “other information that, alone or in combination with other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.”

Brokered personal information (BPI) covers a wide range of data, similar to that in GDPR. But it has limits:

• BPI must be digitized – information solely in paper form is not BPI
• The information must be organized, categorized, or prepared for use by third parties
• BPI doesn’t include publicly available information only to the extent that it is related to a business or profession.

Who is considered a data subject of the law?

For the purposes of data broker regulations, a consumer is defined as an individual residing in
the state of Vermont.

Key obligations

The law introduces several ways of protecting consumers, including:

• Prohibiting the acquisition and use of data for fraudulent purposes
• Increasing transparency through registration and disclosure 
• Providing for minimum information security requirements

Additionally, upon filing, a data broker must provide consumers with:

• The name, email and internet addresses of the data broker
• Information on how to opt out of first-party and third-party data collection
• Notice whether the data broker has implemented a purchaser credentialing process, and if the business has experienced any security breaches within the last year as well as the number of individuals affected by the breach

Data of minors is subject to additional restrictions.

Actionable points

For data brokers:

• Evaluate if the act applies in your case. Check if you aggregate and sell data about the Vermont residents. 
• Register yourself with Vermont Secretary of State. The annual registry takes places between January 1st and 31st. You can do it here.
• Develop an opt-out mechanism for consumers. Under the new law, you should provide consumers with a way to object to the processing of their data. You’ll need to come up with a mechanism for identifying individuals and deleting them from all of your databases.
• Design a process for informing consumers about the data you collect on them. After all, this is a legal obligation under the act!
• Map all the data in search for data about minors and to provide reliable information on any possible breaches.

This law imposes certain obligations on businesses that engage in third-party data selling across the web – in other words, companies that collect and store data in data management platforms (DMPs). When choosing a vendor, ask about compliance first if you plan to target Vermont-based customers.

What’s important,  the Vermont bill doesn’t impose an obligation to collect active consents from users whose data is being collected by brokers (as is demanded under the EU’s GDPR or California’s CCPA).

Penalties

A data broker that fails to register will be subject to a penalty of $50 for each day they fail to register (up to a maximum of $10,000 per year). The data broker will also be required to pay the $100 registration fee.

The same penalty applies to foreign corporations that fail to register to do business in Vermont.

Effective date: January 1, 2023

Who is affected by the law?

The law applies to every company that does business in Virginia, offers products or services to Virginia residents and:

• Controls or processes the personal data of at least 100,000 consumers during a calendar year
• Controls or processes the personal data of at least 25,000 consumers and makes at least 50% of its gross revenue from the sale of personal data

What’s interesting is that even large businesses won’t be subject to the law if they don’t fall within one of these two categories. 

The law also doesn’t cover:

• Bodies, authorities, boards, bureaus, commissions, districts or Virginian agencies or any Virginian political subdivision
• Financial institutions or subjects to the Gramm-Leach-Bliley Act
• Anyone who is a subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)
• Non-profit organizations
• Institutions of higher education

The key notions of CDPA also impact the scope of the law. According to the act:

• “Consumer” – is “a natural person who is a resident of the Commonwealth acting only in an individual or household context”, which means that the law doesn’t cover, for example, employee data.
• “Sale of personal information” – is “the exchange of personal data for monetary consideration by the controller to a third party”, which means that exchanging user data for non-monetary goods won’t qualify as a sale of data.

How CDPA defines personal data?

Personal data is “any information that is linked to or reasonably linkable to an identified or identifiable natural person”. The law doesn’t provide more guidelines on what’s “reasonably linkable” data. This indicates that the law covers all types of identifiable data about an individual, including online identifiers such as cookies or user IDs.

However, CDPA excludes from the scope of personal data:

• Data about employees
• De-identified data 
• Publicly available information

What is sensitive data

CDPA establishes a special category of personal data that qualifies as sensitive data. It includes but is not limited to:

• Data about racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status
• Genetic or biometric data that allows to identify an individual
• Personal data of a child
• Precise geolocation data

Processing this kind of information involves different privacy obligations, including user’s active opt-in. We’ll talk about it later on.

Your key responsibilities under CDPA

✓ Respect consumers’ rights

The CDPA provides consumers with six key rights:

• Right to access – Upon consumers’ request, you must disclose what information you have collected on them.
• Right to correct – Upon consumers’ request, you must rectify the information you have collected on them.
• Right to delete – Upon consumers’ request, you must get rid of all the information you have collected on them.
• Right to data portability – Upon consumers’ request, you must provide consumers with a copy of data you have collected on them. The copy should be in a portable and readily usable format. This should allow consumers to e.g. easily transfer their data to different institutions and companies.
• Right to appeal – Under CDPA, you have 45 days to process consumer requests. If necessary, you can prolong it by another 45 days, but you need to inform consumers about this fact within the initial response window. If you don’t meet these deadlines, consumers have a right to submit a complaint about your negligence to the attorney general.
• Right to opt out – This means you need to respect consumers’ decision to object to collection of their data for e.g. targeted advertising, the sale of their data or profiling. You should provide them with an easy way to exercise this right, e.g. by placing an opt-out widget on your website

✓ Describe your data processing methods in your privacy policy

The law requires you to be transparent about how you collect, process and disclose consumers’ data. In your privacy policy, you need to provide your website visitors with the details on:

• The categories of personal data you process
• The categories of personal data you share with third parties
• The categories of third party you share personal data with
• The purpose(s) for which you process personal data 
• How you make it possible for consumers to exercise their rights (e.g. to delete, access or correct their data)

✓ Limit the use and collection of data

You need to limit the scope of collected data to what is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.” The ways in which you use consumer data must align with what you’ve included in your privacy policy unless you have an active user consent for new purposes of using the data.

✓ Apply technical safeguards to your data

You must implement a process for ensuring the confidentiality, integrity and accessibility of personal data. That said, the Act is not specific about the preferred methods.

✓ Perform data protection assessments

You should run data protection assessments that help you evaluate the potential risks of data processing. You can find a comprehensive list of activities here.

✓ Sign data processing agreements with every party processing data on your behalf

You need to sign a data processing agreement with every party that has access to the data you collect about consumers. The agreement must include the following elements:

• Clear instructions for processing the data
• The nature and purpose of processing
• The type of data subject to processing
• The duration of processing
• The rights and obligations of the parties

Penalties for non-compliance

CDPA doesn’t give consumers the power to bring a private action. Fines are imposed by the attorney general and proceeded with a 30-day cure period. If after this time the organization is still in breach of the law, it can face fines up to $7,500 per violation.

Effective date: Unknown. The act is currently in the draft stage.

What is personal information under CPPA?

The new law maintains the definition of personal information established in PIPEDA. Under CPPA, personal information is any information about an identifiable individual, living or deceased. It includes:

• Age, name, ID numbers, income, ethnic origin, or blood type
• Opinions, evaluations, comments, social status or disciplinary actions
• Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs) [source]

Who is affected by CPPA?

CPPA requirements apply to any organization that:

• Collects, uses and shares personal information for commercial purposes
• Collects, uses and shares the personal information about employees and job candidates

CPPA doesn’t apply to:

• Government organizations covered by the Privacy Act
• Personal information used for journalistic, artistic and literary purposes
• Personal information used for personal purposes
• Personal information about individuals used in relation to employment, business or profession

Your key responsibilities under CPPA

✓ Take on accountability for the collected data

CPPA makes your organization fully responsible for the safety of personal information whether it’s collected, used or disclosed by you or by someone else on your behalf. You should also assign one person to be in charge of compliance with privacy obligations and disclose their contact details, e.g. in your privacy policy or upon visitor’s request.

✓ Collect consents

You need to acquire meaningful consents for collecting, processing and disclosing users’ personal information. Likewise, you have to write your request in plain language to make sure visitors are properly informed about their options. 

The consent request can take two forms:

• Implicit – you need to inform users about the collection of their personal data and give them a way to opt out of it
• Explicit – you need to obtain users active opt-in before you start tracking their data

Your choice of implicit or explicit consent should depend on the type of personal information at stake. While more sensitive data will require active consent, in the case of less sensitive data you will be able to rely on implied consent. Keep in mind that documenting consents, which is an obligation under CPPA, is a lot easier with explicit consents than with those based on inaction. 

No matter which type of consent you choose, be sure your message to the visitor includes the following information:

• The purposes and ways for which you want to collect, use and disclose personal information
• The consequences of the collection, use or disclosure of the personal informa­tion
• The types of personal information you collect, use and disclose
• The names of any third parties you share users’ personal information with

Finally, remember about users’ right to withdraw consent. You should provide them with an easy way to change their mind, e.g. through a contact form or email address on your privacy page.

✓ Respect user rights to data transfer and deletion

Under CPPA, users have the right to:

• Transfer their personal information between organizations, e.g. banks or insurance providers
• Request the deletion of their personal information

✓ Remember about privacy management programs and transparency

Companies have to come up with transparent processes for handling personal information. Every organization should prepare materials in which it describes:

• How it protects personal information
• How it manages requests for information and complaints
• How it meets other obligations under the legislation
• What training and information is provided to staff

You also need to update your privacy policy so it clearly describes what types of personal information you collect and how you process it. You should make sure that your privacy policy is written in plain and understandable language.

✓ Keep records of consents

Your organization needs to keep records of consents and the purposes for which it collects, uses and discloses data. If you decide to use data for any new purpose, you need to obtain a separate consent, document it and add it to those records. 

You should keep this data in an easily accessible form. In case of an audit from data protection authorities, you’ll need to share your records with the privacy commissioner.

✓ Consider working with de-indentified data

CPPA doesn’t specify the definition of de-indentified information. Instead, it provides the description of the process of de-identifiyng data:

De-identify means to modify personal information – or create information from personal information – by using technical processes to ensure that the information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual.‍ 

According to the law, you can collect de-identified data without visitors’ consent.

CPPA: What are the penalties for non-compliance?

Fines for non-compliance with CPPA are up to $10 million or up to 3% of global revenue. The law also includes higher penalties for more serious and deliberate violations, up to $25 million or 5% of global revenue. 

What’s important, under CPPA consumers have a right of private action, which means they can sue companies that have used their data in a way that violates the obligations of the act.

Effective date: December 1, 2020

The scope

The bill applies to every business dealing with data of New Zealand residents, even if they’re not physically present in the country. Almost every person or organization that holds personal information is an “agency” according to the law. This means that the legislation covers all government departments, companies as well as religious groups, schools and clubs.

How it defines personal information

Personal information is information about an identifiable, living individual. It includes names, email addresses and biometric data as well as:

• IP addresses
• Unique IDs 
• Search and browser history
• Data about device, operating system, updates etc.
• Location data
• Purchase and online shopping history
• Settings and website preferences
• Behavioral data, such as speed of scrolling and hovering of mouse and cursor

Key obligations and provisions

• Inform individuals about collecting their data. You need to notify and inform users about collection, use and sharing of their personal information. The notification can take many forms, e.g. a privacy disclaimer placed on the bottom bar on your website.
• Respect individuals’ rights. Under the New Zealand Privacy Act people have a right to access and rectify data companies collect about them.
• Notify authorities about data breaches. If a breach of privacy reaches a defined threshold, an agency must notify both the affected individual and the privacy commissioner.
• Be careful with cross-border data transfers. The Act introduces a new prohibition on disclosing personal information overseas (to an entity outside of New Zealand that is not subject to the regime), unless:
  • The individual consents to the disclosure
  • The overseas entity is in a country with comparable privacy laws to New Zealand
  • The agency believes the overseas entity must protect the information in a similar way
  • There is a permitted exception

As you can see, although the law aims to regulate the flow of information about users between countries and companies, it lacks the strength of GDPR and other modern privacy laws. For one thing, it doesn’t establish a framework that would give internet users a way to opt in or oppose the tracking of their data. Also, it doesn’t give individuals the right to be forgotten or the right to data portability. Finally, it doesn’t give a privacy commissioner the ability to hand out fines for privacy breaches like under GDPR or CCPA.

Penalties

The bill introduces new criminal offenses. It will be an offense for a person to:

• Make or give any false or misleading statements
• Falsely represent that a person has authority under the Privacy Act
• Impersonate or falsely pretend to be an individual for the purposes of obtaining access to an individual’s personal information 
• Knowingly destroy documents containing personal information that is the subject of a request

Any person that commits any of the above offenses will be liable for a fine of up to $10,000.

Effective date: September 18, 2020

The scope

Like the EU’s GDPR, the LGPD has extraterritorial application. It means that the law affects every foreign company that processes the personal data of Brazilian residents.

How it defines personal information

Similarly to GDPR – the scope of personal data includes: 

“[A]ny data, isolated or aggregated to another, that may allow the identification of a natural person or subject them to a certain behavior (interpretation possible from an integrative reading of the text). In this time of big data, which allows the rapid correlation of large, structured and unstructured databases, virtually any data can eventually be considered personal, therefore subject to the law.”

Key obligations

LGPD shares many characteristics with GDPR, but is not identical. Let’s see its most important principles:

• Choose between 10 lawful grounds for processing data. Apart from GDPR’s six bases for lawful processing, the LGPD lays out some additional, more specific bases. The Brazilian law introduces four new options, including the conducting of research studies, medical procedures, protection of credit and judicial proceedings. 
• Collect consents. LGPD treats consent as a freely given, informed and unambiguous indication of the data subjects’ agreement for processing data. 
• Respect data subject rights. LGPD introduces new rights for data subjects, such as right of access, right of data rectification, cancellation or exclusion, right to object to processing, right to revoke consent previously given, right of information and explanation regarding the use of data, and right of data portability. It also establishes a relatively short timeframe for processing data subjects’ requests resulting from those rights (15 days vs one month under GDPR). 
• Notify authorities about data breaches. Data breach notifications to the data protection authority become mandatory, and must take place within a “reasonable time frame”, not within 72 hours as under GDPR.
• Assign a DPO. Similarly to GDPR, LGPD introduces the obligation to appoint a DPO (protection officer’. The entity that processes data and falls under LGDP must appoint an officer to conduct communication between lawmakers and data subjects. 
• Respect principles of privacy by design and by default. When designing services, products and business models, you’ve got to do it with respect for privacy and data protection rights. The general principles of LGPD and safety standards should be taken into consideration from conception to execution of a product or service.
• Respect 10 principles of processing personal data, which include:
  • Purpose limitation
  • Adequacy
  • Necessity
  • Quality of data
  • Transparency
  • Security
  • Non-discrimination 
  • Accuracy
  • Prevention
  • Principle of accountability

Actionable steps

If you already operate in compliance with GDPR, you already meet the lion’s share of the obligations imposed by LGPD. However, there are important differences you’ll have to address. They include a shorter time period for processing data subject requests and additional lawful bases for data processing. Nevertheless, it seems that in the case of LGDP, consent will also be the most suitable grounds for marketing and sales activities.

Penalties

The sanctions include notices and fines. They can’t go up to two percent of the company’s turnover in Brazil in the last fiscal year, limited in total to 50 million reals (app. USD $13,305,657) per violation. A daily fine can also be imposed to compel those in breach of the law to cease violations.

Effective date: Not yet established, probably in 2021

The scope

The proposed bill applies to both government and private entities that:

• Conduct business in India
• Offer goods and services to data principles (also generally referred to as
• data subjects) in India
• Run activities such as profiling of data subjects within the territory of India

How it defines personal information

The law defines personal data as:

 “[D]ata about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic […] of the identity of such person.”

The most important obligations & actionable steps

• Limit your data collection. Organizations will need to limit data collection to the minimum required for the purpose of processing. 
• Collect user consents. Companies will have to obtain the consent of the data principal before they start processing personal data. They’ll need explicit consent before processing any sensitive personal data (e.g. financial data, health data, biometric data, passwords). Valid consent will have to be freely given, detailed, specific, clear and easy to withdraw.
• Respect data subjects rights. The subjects of the law will be granted with: the “right to confirmation and access” and “right to correction”, “right to data portability” and “right to be forgotten”.
• Assign a DPO. Organizations involved in “high-risk processing activities” will be required to appoint a data protection officer. Moreover, organizations not present in India but falling under the scope of the law will be required to appoint a DPO who is based in India.
• Be mindful about data transfers. An organization will need to store at least one copy of the personal data on a server or at a data center located in India. Also, the bill forbids organizations from transferring or storing sensitive personal data and “critical personal data” overseas.

To transfer of personal data (other than sensitive personal data or critical personal data) outside India, an organization will have to agree on standard contract clauses approved by the authority.

Penalties

The draft bill includes both civil and criminal penalties. It establishes two categories of civil penalties:

• The first category permits penalties up to five crore rupees (app. $730,000 USD) or two percent of the company’s gross revenue from the last financial year, whichever is higher.
• The second category includes penalties up to fifteen crore rupees (approximately $2.2M USD) or four percent of the company’s total gross revenue from the last financial year, whichever is higher.

Effective date: February 1, 2021

The scope

PDPA regulates the collection, use and disclosure of personal data in Singapore. It makes website owners, companies and organizations responsible for establishing a lawful data collection process. 

The law has an extraterritorial effect, meaning that it applies to every company dealing with data of Singapore’s residents. 

The PDPA covers private organizations that collect, use and/or disclose personal data. But there are some exceptions, such as:

• Individuals using data for their personal purposes
• Employees in the course of their employment with an organization
• Public and government agencies, as they have their own set of privacy rules

How PDPA defines personal data

Personal data in PDPA is a very broad notion. It covers “data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access”. This includes:

• Names, addresses, email addresses, telephone numbers
• IP addresses, cookie identifiers, unique IDs, search history, browser history, device data, location data
• Information about age, gender, race, health, sexual orientation, appearance, political and religious convictions

Your key obligations under PDPA

✓ Obtain consent to process individuals’ personal data

One of the crucial obligations under PDPA is acquiring a visitor’s consent to collect their data. The consent can be affirmative or deemed. Deemed consent means users are informed about data collection and provided with a way to opt out, but do not opt out. Affirmative consent is similar to GDPR – it requires the visitors’ active opt-in.

The other rules around collecting lawful consents include informing users about:

• Your intention to process their data, before you begin collecting it
• The purposes of processing
• Their right to withdraw consent anytime

Finally, you’re not allowed to force users into consent by limiting access to a product or service.

✓ Respect visitor’s rights

At a user’s request, you must:

• Inform them what personal data you collected on them
• Disclose how you’ve used their personal data within one year before the request took place
• Provide them with a portable and transferable copy of their personal data
• Rectify any error or omission in their personal data

✓ Limit your data collection

Your organization may collect, use and disclose personal data only for the purposes visitors have consented to. What’s more, the data should be kept only for the time it’s used for a given purpose and deleted right after that.

✓ Limit data transfers

Under PDPA, you can transfer users’ personal data offshore. But the country you want to keep it in needs to provide a standard of protection comparable to the one afforded by Singapore law. This makes it virtually impossible to send the data to countries such as the US, where user data can become a subject of invigilation by national security agencies. That puts into question the lawfulness of using e.g. Google Analytics, which stores user data in many locations, including the US.

✓ Be transparent

Designate a data protection officer and remember to publish their contact information on your website. Update your privacy policy so it properly describes your data collection, processing and disclosure processes.

✓ Respect Do-not-call (DNC) requirement

Respect the will of people who have registered in the national do-not-call (DNC) registry, unless you obtained their clear and unambiguous consent or have an ongoing business relationship with them. 

✓ Keep your data collection relevant and up-to-date

Make sure that personal data you work with is accurate and complete.

✓ Protect security of your collected data

Keep personal data secure and protect it from unauthorized access, modification or use.

✓ Always notify authorities about data breaches

Notify users and Singapore’s Personal Data Protection Commission (PDPC) of data breaches within three days.

Penalties

Fines for non-compliance with PDPA have been increased to 10% of the annual turnover of an organization with an annual turnover exceeding $10 million, or $1 million, whichever is higher.

Effective date: June 1, 2021

The scope

PDPA has an extraterritorial scope. Its obligations apply to all people, websites and companies that collect, use or disclose personal data of residents of Thailand.

How it defines personal data

The law interprets personal data as any data that can identify a person – directly or indirectly. The definition doesn’t list many specific examples but states that:

“Personal data” means any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased persons in particular.

Exemptions from the scope of personal data include:

• Data collected for private purposes
• Data collected by government agencies related to national security, money laundering and cybersecurity
• Media subject to ethical standards and public interest purposes
• Data collected by Members of Parliament and Judiciary
• Data collected by credit bureaus

Key obligations

✓ Obtain user consent for processing data

The law requires asking for user consent for cookies and other means of tracking based on unique identifiers. You also need to comply with the following principles:

• Consent has to be freely given and obtained in written form (e.g. through ticking a box on a consent pop-up)
• Users need to be informed about the purpose of data collection (e.g. remarketing, A/B testing or analytics)
• The request must be expressed in clear and plain language
• Records of consents need to be stored for five years

You can process personal data from before June 1, 2021, if you use it for the same purpose you initially collected it for. However, you have to provide users with a way to withdraw their consents. And if you decide to use or disclose the gathered data beyond the original purpose, you need to get a valid user consent.

✓ Prevent unauthorized access to users’ personal data

According to PDPA, you should ensure the highest security and privacy standards for collected data. The law doesn’t propose any specific data protection methods, leaving it to you to define sufficient measures for preventing unauthorized access, disclosure or copying of personal data within your organization. 

✓ Respect users’ rights

PDPA introduces the following user rights:

• The right to be informed about the purpose of collecting and processing data 
• The right to withdraw the given consent
• The right to non-discrimination for not providing consent – which means that you can’t limit the access to products or services for visitors who decline tracking
• The right to access and obtain the data collected from individuals
• The right to object to the collection, use and disclosure of their data
• The right to restrict the use of their data – which means that the user should be able to specify purposes for which they allow you to use their data
• The right to correction of their data
• The right to transfer their data to another data controller
• The right to have their data erased, destroyed, or anonymized

✓ Transfer data only to countries with high privacy standards

PDPA allows for sending data only to jurisdictions with the same or higher security standards. It’s not yet clear which countries comply with the obligations of PDPA. However, the law provides other grounds for data transfer, such as:

• Compliance with legal obligations
• Contract
• Compliance with contractual obligations of the data controller with a third party for the benefit of the data subject
• Vital interest
• Carrying out an important task of public interest

It’s difficult to predict if any of these grounds will apply to data processing performed with analytics and marketing.

Penalties

For breaching the rules of PDPA, you may face:

• Fines up to THB (Thai baht) 5 million ($159,591) or up to 4% of global turnover 
• Criminal penalties which could include imprisonment for up to one year

The full name: Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).

Effective date: Still unknown, but not earlier than 2023. The Council and the European Parliament are now negotiating the terms of the final text. It’s not yet sure if the law will be enforced in its current form, as it’s been heavily criticized by EU authorities, including Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI). 

The law will enter into force 20 days after its publication and will start to apply two years after that.

Who will be affected by the ePrivacy regulation?

If adopted, the latest draft will apply to the processing of personal data with the use of electronic communication. It will cover:

• Providers of electronic communications services
• Providers of publicly available directories 
• Those who use electronic communication services to send direct marketing commercial communications 
• Those who process and store data in users’ terminal equipment 
• Those who collect information processed, emitted by or stored in end-users’ terminal equipment

This means that the law affects most organizations that deal with user data acquired through electronic data collection.

The regulation has extraterritorial effect. It safeguards the data of EU residents no matter where collecting and processing takes place. 

What will be your main obligations under the current ePrivacy draft?

Compared to previous proposals, the newest ePrivacy Regulation draft is less strict and detailed. That said, it still covers multiple types of electronic data processing. In this article, we’ll focus on the parts related to marketing and analytics.

Cookies and consent

The new version of the law upholds consent as one of the pillars of user privacy on the internet. However, compared to previous iterations of the law, it loosens the restrictions around obtaining consent.

The most important arrangements around consent and cookies include: 

1. Allowing access to personal data on users’ devices without permission

In the current version, the law allows service providers to access personal data on users’ devices for the performance of a contract. In the previous version, such access was permitted only where it was technically necessary. This way the clause becomes more ambiguous and leaves room for interpretation of what’s necessary to perform a contract.

2. Consent exception for analytics cookies

According to the new draft, using cookies for simple audience measuring won’t require user consent “if it is necessary for the sole purpose of audience measuring, provided that such measurement is carried out by the provider of the service requested by the end-user, or by a third party”. Such cookies, usually called analytics cookies, could be used without prior opt-in.

3. Unclear guidance on collecting personal data to improve effectiveness of the provided service

The proposed draft indicates that gathering statistics to measure performance of a website won’t require consent. Even using tracking pixels to measure advertising won’t call for the user’s permission, provided that the cookies won’t be used to gather personal data, but rather aggregated statistical data.

This rule doesn’t apply to any kind of remarketing or data activation activities carried out with the use of personal data.

4. Soft “yes” for cookie walls

The current draft introduces less rigorous rules around providing access to information or service based on users’ consent. It allows companies to create different offers for users according to their privacy choices:

Requiring […] consent would normally not be considered as depriving the end-user of a genuine choice if the end-user is able to choose between services, on the basis of clear, precise and user-friendly information about the purposes of cookies and similar techniques […]

5. No solution for global privacy preferences expressed through browser settings 

In the new iteration of the draft, end users are able to give consent to the use of certain types of cookies only by whitelisting one or several providers in their browser settings:

Where available and technically feasible, an end user may therefore grant, through software settings, consent to a specific provider for the use of processing and storage capabilities of terminal equipment for one or multiple specific purposes across one or more specific services of that provider.

The previous version, in the now-deleted articles 9 and 10, put forward some more user-friendly solutions. It proposed replacing consent modals and pop-ups with legally binding signals configured by the users.

6. Working with metadata without users’ consent

The draft regulation opens up the possibility to process users’ metadata, even without their consent. The scope of metadata in the current version of the ePrivacy Regulation is as follows:

‘Electronic communications metadata’ means data processed by means of electronic communications services for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication.

According to the text, you can use this kind of data for statistical purposes and other purposes you didn’t initially collect it for, if you encrypt or pseudonymize it. In contrast, here’s what GDPR says about the obligations involved in processing pseudonymized data:

The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.

Source: Article 26 of the General Data Protection Regulation

Penalties for non-compliance

ePrivacy maintains the same fines as the ones described in GDPR – from €10M or 2% of  annual turnover to €20M or 4% of annual turnover, depending on the gravity of the violation. A detailed description of the penalties is given in Article 23 of the draft.

1. Eliminate weak links in your system

Under many of these laws, data breaches become extremely expensive. That said, websites now have dozens, if not hundreds of third-party elements embedded in their code. Since these components are hosted on external servers, you have no control over them. You also have limited possibilities to detect potential breaches resulting from malicious code modifications. 

If you decide to work with SaaS vendors that use third-party scripts, your website’s security becomes as strong as the weakest link in your vendors’ ecosystem. To eliminate that potential weak link, it’s better to move towards products hosted on safe infrastructure – secure public cloud, private cloud or even on-premises.

2. Apply consent or opt-out mechanisms

One of the most frequently recurring demands of the new laws is that every website owner should collect active consents, or at least provide a way for users to opt out of being tracked. 

In this situation, you should think of employing a mechanism to acquire, store and manage records of consents or opt-outs and all possible data subject requests resulting from the fact that you process personal data/information.

One of the most popular ways to tackle these kinds of issues are consent managers.

3. Examine where you send your data

Many of the presented laws establish specific requirements for international data transfers. It doesn’t mean you’re no longer allowed to keep data offshore. But you’ll definitely need to be more mindful when choosing the platforms you use in your day-to-day work.

For example, in the case of Singapore’s PDPA, you can’t send user data to jurisdictions with lower data protection standards. This can have a significant impact on your marketing and analytics tool set, because many software providers store data in locations scattered across the globe, including the US.

4. Find out if your software providers aid you in fulfilling your obligations

Make sure your software vendor meets your technical requirements. Your users’ data should be stored in a way that ensures full accessibility and portability. This will let you easily access, delete, rectify and transmit all the relevant information collected by your marketing tools. For these types of requests, the biggest challenge is to remove the user’s data from backups. 

Also, check if your software provider follows the best privacy practices, e.g. doesn’t use individuals’ data for their own purposes or share it with other third parties.

Finally, sign a data processing agreement (DPA) with your software providers to make sure everyone knows and respects their obligations that arise from processing user data.

5. Consider data anonymization (de-identification) options

If you want to use data about your visitors without collecting consents, you need to make sure that the data is properly anonymized. Analytics platforms featuring anonymous data collection, such as Piwik PRO, offer a third way instead of an all-or-nothing choice based on consent.

Also, don’t forget that these regulations are only part of the bigger data privacy laws ecosystem. Some countries – for example Australia – have their regulations in place for more than 30 years!

Privacy laws around the world: conclusions

We hope that this post has given you a better idea of what’s happening in the world of privacy rights. As a privacy-friendly analytics provider, we make sure that our platform helps our clients adapt to laws around the world. If you want to know how our product can help you comply with new regulations, contact us. Our team will be happy to answer all of your questions. Data privacy laws in the United States and how they affect your business >>