Since Novatiq last provided a digest on global privacy regulations, there has been a steady growth in the number of jurisdictions enshrining data privacy regulations into law. At the same time, enforcement has increased, and it is clear that data protection authorities (DPAs) and their counterparts outside of the EU will waste no time in fining organisations that have breached the rules. With millions at stake, as well as the trust of increasingly privacy-conscious consumers, brands are under more pressure than ever to stay on top of global privacy laws.
When Novatiq last wrote on this subject, the main global data privacy regulations were: the General Data Protection Regulation (GDPR); the California Consumer Privacy Act (CCPA); Virginia Consumer Data Protection Act (CDPA); Brazil’s Lei Geral de Proteção de Dados (LGPD); China’s Personal Information Protection Law (PIPL); and Japan’s Act on the Protection of Personal Information (APPI).
Since then, the below additional laws have come into force, or been mooted. As before, this blog is intended only for general information purposes, and is not intended to represent regulatory or other professional advice.
Emerging global data privacy laws of note
US: the California Privacy Rights Act (CPRA)
The CPRA was enacted on 1st January 2023, and amends the CPPA (see above). In addition to existing requirements to inform Californian data subjects how their data is used and enabling the opt-out of data processing, the CPRA adds a right to rectification for consumers where their personal information is inaccurate and a right to restriction so consumers can limit the use of their private data. In addition, the CPRA limits the duration for which a company can retain personal data.
US: Utah Consumer Privacy Act (UCPA)
Due to come into force in December 2023, the UCPA follows the course set by the EU’s GDPR. However, the type of organisation covered by the law is restricted. The regulation will only apply to businesses generating over $25 million in annual revenue and those which process the data of 100,000 or more consumers. That number falls to 25,000 if more than 50% of the company’s revenue comes from data processing. The law will give consumers the right to confirm whether a company is processing their data, obtain copies of their data, and opt-out of the processing of their data for advertising or sales.
US: Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring” (CTDPA)
Coming into effect in July 2023, CTDPA is similar in makeup to data privacy regulations enacted in Virginia. Unusually, the law will exclude payment transaction data to help small businesses that process payments data. As with other state-level laws in the US, the CTDPA includes an opt-out mechanism that will enable consumers to block the use of their data for advertising, profiling, or sales.
EU: the Digital Markets Act (DMA)
While primarily intended to stop major tech platforms from engaging in uncompetitive practices, the DMA also includes a provision that businesses should not reuse consumer data outside of the original context for which consent was provided. The law also requires regulated companies to provide communications channels with customers and make it easy for them to port their data to other providers.
Canada: Consumer Privacy Protection Act (CPPA)
Introduced by the Canadian federal government in June 2022, CPPA will replace the Personal Information Protection and Electronic Documents Act (PIPEDA). The CPPA will require supervised entities to take accountability for the data they collect, acquire consent for collecting, processing, and disclosing personal information, and respect consumers’ rights to data transfer and deletion.
Singapore: Personal Data Protection Act (PDPA)
PDPA came into force in 2014. In 2021, amendments were made to include a beefed-up consent framework and more robust rules around offshore data transfers. With these changes, this law is one of Asia’s strictest data protection acts. In addition to stipulations around consent and opt-out mechanisms, the law also requires businesses to limit the processing of personal data and data transfers.
Privacy laws in the future
These are just a few of the laws in force today. In total, it’s estimated that 71% of countries have data protection and privacy legislation in place. More is coming, including potentially game-changing laws such as the American Data Privacy Protection Act and the EU’s ePrivacy Regulation.
The message for brands, advertisers, and agencies is clear: privacy compliance must be front and centre of digital marketing moving forward. That means embracing privacy-first technologies, including telco-verified IDs that can help embed compliance within the programmatic advertising ecosystem.