Data Privacy Laws in 2021: What You Need to Know
Written by Rick Buck, Chief Privacy Officer, WireWheel
Last Updated: October 5, 2021
Introduction to Data Privacy in 2021
Over the past few years, the proliferation of data privacy laws has accelerated around the world.
And this trend is not about to stop. According to Gartner, “by 2023, 65% of the world’s population will have its personal data covered under modern privacy regulations”. It is important to note, however, that not all privacy regulations are created equal: the levels of data privacy and data protection, the scope, and the business obligations can vary widely. The map below, by DLA Piper, provides a good visualization not only of the current coverage of data privacy law but also of the strength and robustness of each regime.
We have listed below summaries of the key privacy regulations you should be aware of and will keep updating this page as new regulations are introduced or as amendments are added.
US Data Privacy Laws by State
At this time, the United States does not have a comprehensive federal data privacy law. Although there have been many attempts over the past decades to coordinate data privacy and protection matters, there is still not one framework. You can check this useful tracker developed by IAPP to monitor federal privacy bill introductions and developments.
In the absence of a federal privacy framework, some states have taken the lead and passed new comprehensive data privacy laws, inspired by the European General Data Protection Regulation (GDPR). As new state regulations are adopted, we will keep updating this page.
The California Consumer Privacy Act (CCPA) was the first comprehensive data privacy law in the US. The CCPA was signed into law on June 28, 2018 and went into effect on January 1, 2020.
This California data privacy law is currently applicable to for-profit entities that collect personal information from California residents and meet any of the following thresholds:
(i) At least $25 million in gross annual revenue,
(ii) Buys, sells or receives personal information about at least 50,000 California consumers, households or devices for commercial purposes, or
(iii) Derives more than 50% of its annual revenue from the sale of personal information.
In addition, the CCPA also introduces new consumer rights for Californian residents such as the right to know, the right to delete, the right to opt-out of sale, and more.
For more details about the CCPA and what it may mean for your business, please visit our CCPA overview.
The California Privacy Rights Act (CPRA) is the second version of the CCPA, which is why many have nicknamed it CCPA 2.0. Alastair Mactaggart, the architect behind the CCPA, introduced the CPRA in Fall 2019 and gathered enough signatures to qualify a ballot initiative and bypass the legislature. On November 3, 2021, California voters approved Proposition 24 by a 13% margin, giving birth to the CPRA. The CPRA will go into effect on January 1, 2023.
Compared to the CCPA, the CPRA adds the following:
- Threshold application for organizations collecting personal information from Californian residents,
- New consumer rights such as the Right to rectification or the Right to Limit Use and Disclosure of Sensitive Data,
- Definition of a “Contractor”,
- Definitions of data sale and sharing,
- Automatic $7,500 fine for a violation involving the personal information of minors,
- Annual cybersecurity audit required for businesses whose processing presents a significant risk to consumer privacy or security,
- Businesses whose processing presents a significant risk to consumer privacy or security must submit a regular risk assessment to the CPPA.
- And more!
For more details about the CPRA and to understand how it differs from the CCPA, please refer to our CCPA vs CPRA overview.
The Virginia Consumer Data Protection Act (CDPA) was signed into law by Governor Ralph Northam on March 2, 2021 and will go into effect on January 1, 2023.
The CDPA became the second comprehensive data privacy law to be adopted in the US and was greatly inspired by the CPRA. Although many similarities exist between the two laws, there are also key differences:
- Consumers must opt-in to the collection and use of their sensitive data for processing
- The CDPA requires Data Protection Impact Assessments for any processing involving targeted advertising, data sales, profiling, or sensitive data; or any data processing that presents a “risk of harm”
- The CDPA does not require the addition of a “Do Not Sell My Personal Information” link on websites
- The enforcement of the CDPA will be done by the Virginia Attorney General’s Office
For a deeper dive into the Virginia CDPA, please refer to our CDPA overview.
The Colorado Privacy Act (CPA) unanimously passed on May 26, 2021 and was signed into law on July 7, 2021 by Governor Jared Polis. The CPA will go into effect on July 1, 2023.
While the CPA is similar to the CCPA and CDPA, certain elements distinguish the Colorado law from the two other regulations and will require additional compliance efforts from companies that fall within its jurisdiction. For example:
- The CPA does not specify a monetary value in its applicability criteria, so it will be up to each company to monitor the number of Colorado residents and households whose data it collects.
- The CPA requires eligible businesses to implement a means for consumers to opt-out of the processing of their personal data for purposes of profiling
- In addition, the CPA explicitly prohibits eligible businesses from using dark patterns to obtain opt-in consent from consumers
Continue your reading about the Colorado Privacy Act with our CPA overview.
Quickly compare US State Privacy Laws with our Interactive Privacy table.
Federal Data Protection Laws
Although the US does not have a comprehensive federal privacy law today, there are multiple federal regulations governing the collection of information online and specifying data protection requirements. Here are some of the main regulations you may encounter.
The Health Insurance Portability and Accountability Act, also known as HIPAA, is a federal law that came into effect on April 14, 2003 and required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s prior consent or knowledge.
As per the HHS, HIPAA requires “appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.”
HIPAA also “gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.”
This comprehensive regulation defines the covered entities, the permitted use of data, the exemptions as well as patient data protection protocols. You can learn more about HIPAA on the CDC website and on the HHS website.
The Children’s Online Privacy Protection Rule, also known as COPPA, is a US federal data privacy law that was passed by Congress in 1998 and took effect in April 2000.
COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age, as per the FTC’s website.
At a high level, the act specifies:
- That sites must obtain parental consent for the collection or use of any personal information of young website users.
- When and how to seek verifiable consent from a parent or guardian.
- What responsibilities the operator of a website legally holds with regard to children’s privacy and safety online, including restrictions on the types and methods of marketing targeting those under 13.
You can access the full official text of COPPA on the FTC website.
The Fair Credit Reporting Act, also known as FCRA, was enacted in 1970 and went into effect on April 25, 1971. According to the FTC, the primary purpose of the FCRA is to “promote fairness, accuracy, and privacy of the personal information contained in the files of the credit reporting agencies.”
This federal law regulates the “collection of consumers’ credit information and access to their credit reports.”
The FCRA created numerous new consumer rights and business obligations covering scope, credit report content, dispute, access to data, and much more.
You can review both a summary and the full text of the FCRA on the FTC’s website.
The Gramm-Leach-Bliley Act (GLBA) was enacted on November 12, 1999 and requires “financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.”
The scope of the data covered (10+ data points) as well as the regulated entities covering organizations that either process loans or assume credit risks have had far-reaching impacts. GLBA has provided consumer protection benefits like:
- Private or sensitive information being secured against unauthorized access,
- Customers being notified of private information sharing between financial institutions and third-parties, and having the ability to opt-out if desired,
- User and employee activity being tracked including any attempts to access sensitive information or protected records.
You can access the full text of GLBA here.
US Privacy Act of 1974
In 1974, Congress passed the US Privacy Act of 1974, which contains important data privacy and protection provisions for US consumers. The primary purpose of the Act is to “balance the government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy stemming from federal agencies’ collection, maintenance, use, and disclosure of personal information about them”.
Some of the highlights and new developments of the Privacy Act are the following:
- Right of US citizens to access and copy any data held by government agencies,
- Right of citizens to correct any information errors contained in their data,
- Agencies should follow data minimization principles when collecting data – least information “relevant and necessary” to accomplish its purposes,
- Access to data is restricted on a need-to-know basis – for example, employees who need the records for their job role,
- Sharing of information between other federal (and non-federal) agencies is restricted and only allowed under certain conditions.
You can review the full text of the US Privacy Act on the DOJ website.
Although not a truly comprehensive data privacy law, some refer to the Federal Trade Commission Act (FTC Act) of 1914 as the first federal privacy law.
Under the FTC Act, the Commission is empowered to:
- (a) prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce,
- (b) seek monetary redress and other relief for conduct injurious to consumers,
- (c) prescribe rules defining with specificity acts or practices that are unfair or deceptive, and establishing requirements designed to prevent such acts or practices,
- (d) gather and compile information and conduct investigations relating to the organization, business, practices, and management of entities engaged in commerce, and
- (e) make reports and legislative recommendations to Congress and the public.
To date, the Federal Trade Commission has broadly relied on Section 5 of the Federal Trade Commission Act (FTC Act) to investigate and enforce against consumer protection violations, including in the context of data privacy and security.
You can access the full text of the FTC Act on the FTC website.
International Data Privacy Laws
The General Data Protection Regulation (GDPR) changed the privacy landscape and inspired recent privacy laws in the US and around the world. The GDPR went into effect on May 25, 2018 but it was years in the making. The IAPP has a fairly extensive timeline of privacy developments leading to the adoption of GDPR.
The GDPR introduced consumer rights for all EU residents, requires data protection and privacy impact assessments, and added an opt-in consent standard: consent must be “freely given, specific, informed and unambiguous” and given by a “clear affirmative action.”
The regulation also introduced 7 key principles:
- Lawfulness, Fairness, and Transparency
- Purpose Limitation
- Data Minimization
- Accuracy
- Storage Limitation
- Integrity and Confidentiality
- Accountability
If you want to learn more about the GDPR, please check out our complete GDPR guide.
The Brazilian Lei Geral de Proteção de Dados (LGPD) went into effect on September 18, 2020, but the administrative sanction provisions of the LGPD only went into effect on August 1, 2021.
The LGPD is the first comprehensive data privacy regulation in Brazil and drew inspiration from the GDPR. While many similarities exist between the LGPD and GDPR, there are notable differences mostly around the definition of the data in scope, the extraterritoriality, the data protection officer requirements, or the consumer privacy rights requests (DSARs).
Similar to the GDPR, the LGPD requires organizations to appoint Data Protection Officers, conduct Data Protection Impact Assessments, maintain records of processing activities and more.
For a full overview of the LGPD, please refer to our complete guide.
The recent Personal Information Protection Law (PIPL), passed on August 20, 2021, is the first comprehensive data privacy law in China and is grounded in China’s constitution. Going into effect on November 1, 2021, it has been described as a “game-changer for companies in China”.
The PIPL has extraterritorial effect: it applies not only to companies processing personal information within China but also to companies processing personal information outside China where the processing is for the purpose of providing products or services to Chinese residents or analyzing their behavior. The PIPL requires such foreign companies to set up a dedicated institution or to appoint a representative in China to handle personal information protection matters.
In addition, the PIPL introduced specific requirements for collecting consumer consent, for handling data subject rights requests, and for processors’ obligations.
To learn more about PIPL, check out our complete PIPL guide.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian data privacy law that went into effect on April 13, 2000. It is Canada’s main federal privacy law governing data collection by the private sector.
Under PIPEDA, personal information refers to “any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).”
While PIPEDA does not define sensitive data or require privacy assessments, consent and consumer rights are two of its essential aspects.
To learn more about exemptions, data breach requirements and key consent principles, simply check out our in-depth review of PIPEDA.
The Canada Anti-Spam Law (CASL) was introduced in 2010 and went into effect on July 1, 2014. The CASL’s primary purpose is to reduce “the harmful effects of spam and related threats” and “help create a safer and more secure online marketplace”, as per the enforcement agency website.
The CASL is a comprehensive data privacy law created to combat spam and prevents organizations, including foreign ones, from sending unsolicited or misleading commercial electronic messages (“CEM”) or programs to consumers without their consent.
You can click here to learn more about the CASL and its business obligations.
Key risks of non-compliance
If your organization operates in multiple jurisdictions, you will likely have to comply with multiple regulations. As you can see, while many of these regulations share a common approach, their differences can be hard to understand and operationalize within your business in order to achieve privacy compliance.
Non-compliance, however, carries real business risks:
- Lost revenues: Consumer complaints may damage your brand image, decrease trust among your customer base and reduce your revenues. According to KPMG, privacy is a growing concern for 86% of consumers, and 40% of US consumers do not trust companies to use their personal information ethically. A growing number are now willing to act by taking their business elsewhere.
- Increasing costs: Penalties can add up very quickly under most privacy regulations, so you want to keep your compliance risk to a minimum. More than 200 lawsuits alleging a range of CCPA violations have already been filed in federal courts.
- Resource allocation: Your team may have to spend the 30-day grace period fixing or curing the alleged violation, potentially deprioritizing other important projects focused on improving your acquisition, retention, and product initiatives. Identifying your key gaps before a law goes into effect is crucial.
- Talent retention: Some of your top, privacy-centric employees may decide to leave for a privacy-first company, potentially limiting your innovation throughput and your growth.
- Privacy performance: If you do not think through the strategic aspects of your privacy program when complying with privacy regulations, building an internal coalition around a common vision for your privacy approach will be difficult, which limits the impact of your privacy team.
Continue your reading
- Compare how global privacy laws differ: Identify quickly the incremental work you need to do to comply with additional privacy regulations.
- Tips to prepare and navigate a patchwork of state privacy laws: Read the privacy experts’ takes on being and staying compliant in a fragmented privacy regulatory environment.
The current patchwork of international privacy regulations can be difficult to understand, and it is an even more challenging task to incorporate and operationalize it in your privacy program. While these laws may share a common approach and many similarities, you will see that many specifics need to be accounted for when it comes to the scope of the protected data, the types of consumer rights and the responses they require, assessment requirements, and more.
Our team has standardized the main provisions across these key regulations in an interactive privacy table to make it easier for you to understand their similarities and differences.
Compare eligibility, consumer rights obligations, data breach requirements, penalties, and more now on our interactive privacy table!