Gartner estimates that by the end of this year, 65% of people across the world will have their personal data protected by privacy regulations. This is great news for consumers, but a difficult challenge for businesses trying to operate using data.
There are now over 120 data protection and privacy regulations globally. And many more are in the works. This can be very confusing for companies with global operations to navigate. It is critical for advertisers to understand these regulations to ensure they can remain compliant and confidently select privacy-compliant data providers and partners.
This comprehensive guide explains the most restrictive data protection laws so advertisers can better understand what they can and can’t do with first-party data.
Non-compliance with Data Privacy Comes at a High Price
There are two main risks when it comes to data privacy:
- Losing business because users have lost trust in the way you handle their data.
- Getting fined by regulatory bodies for non-compliant data handling.
Both of these risks come with costs that can severely hurt a business. For instance, Brazil’s data protection law can claim 2% of revenue a company generates in Brazil and the European Union’s GDPR can claim 4% of global company revenue. While many of these laws are still new, there are many companies that have already been fined significant amounts of money.
Quick facts on big GDPR fines:
- The largest fine to date is the GDPR fine to Amazon in 2021 of $877 million.
- Meta (formerly Facebook) got hit in 2022 with a fine of $433 million.
- The biggest GDPR fines also include Google, which has been hit twice with fines totaling $65 million.
- Regulators have fined an estimated 1,000 companies under the GDPR in the past 2 years, with cumulative fines of $1.25 billion.
For businesses operating only in the United States, there are state-by-state regulations to contend with. The first active regulation was California’s CCPA, which carries fines of up to $7,500 for each individual consumer data privacy violation. Ten businesses have been fined to date, but the total amounts have not been disclosed. What is clear is that regulations like the CCPA can cause a nightmare of inquiry resolution and additional fees once consumers identify a problem.
Companies need to take precautions to avoid non-compliance penalties. This is especially true for marketers who advertise utilizing a lot of data to identify target audiences and place ad contracts. This makes it critical for advertisers to clearly understand the most stringent policies and the important questions to ask internally and externally to ensure compliance.
Notable Data Privacy Regulations
The most talked-about regulations today are those that have been passed into law with grace periods or that are actively issuing fines. The European Union’s General Data Protection Regulation (GDPR) is one of the strictest and most highly publicized. Brazil’s data protection law (LGPD) came after the GDPR and is the most significant regulation in South America. In the United States, the California Consumer Privacy Act (CCPA) was the first to be passed, with Colorado’s Privacy Act and Virginia’s Consumer Data Protection Act (CDPA) close behind. Here’s the breakdown of these active regulations that are setting the precedent for the rest of the world.
General Data Protection Regulation (GDPR)
- Date law passed: April 14, 2016
- Date went into effect: May 25, 2018
- Definition: The GDPR requires companies to obtain permission before sharing personal data and gives individuals the right to access, delete, or control the use of that data. The GDPR allows opt-in permission, where the user actively subscribes to receive emails or newsletters by providing their email address and sometimes their name and other personal information. Note that the UK also has its own version of the GDPR, the UK GDPR.
- Enforcement: Individual data protection authorities (DPAs) from the 27 EU member states enforce the GDPR. DPAs are independent of the government. Their role is to investigate complaints, provide advice on data protection issues, and determine when the GDPR has been breached.
- Penalties: For especially severe violations, the fine can be up to 20 million euros or up to 4% of the company’s total global revenue for the preceding fiscal year, whichever is higher. For less severe violations, fines are up to 10 million euros or up to 2% of the company’s global revenue for the preceding fiscal year, whichever is higher.
- What this means for advertisers: The GDPR applies to any company that processes the personal data of EU citizens or residents, or offers goods or services to them. Any company that fits this description needs to adhere to these seven principles:
  - Lawfulness, fairness, and transparency — Processing must be lawful, fair, and transparent to the data subject.
  - Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
  - Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
  - Accuracy — You must keep personal data accurate and up to date.
  - Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
  - Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  - Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
It is also important for advertisers to be aware of strict new rules about what constitutes consent from a data subject to process their information.
- Consent must be “freely given, specific, informed, and unambiguous.”
- Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
- Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
- Children under 13 can only give consent with permission from a parent.
- You need to keep documentary evidence of consent.
Brazil General Data Protection Law (LGPD)
- Date law passed: August 14, 2018.
- Date went into effect: September 18, 2020.
- Definition: LGPD governs the processing of personal data with the purpose of protecting the fundamental rights of freedom and privacy for individuals. Any organization, irrespective of where it is located, that has customers or clients in Brazil, needs to be in compliance with LGPD. This means that it is not just Brazilian citizens whose personal information is protected, but any individual whose data has been collected or processed while inside Brazil.
- Enforcement: The law created a federal independent regulatory authority, the Autoridade Nacional de Proteção de Dados (ANPD), which interprets and enforces the LGPD and acts as the national supervisory authority.
- Penalties: The authority may apply administrative sanctions for violations of the LGPD. These include warnings and fines of up to 2 percent of the company’s turnover in Brazil in its last fiscal year, capped at 50,000,000.00 (fifty million reais) per infraction. A daily fine may also be imposed to compel the entity to cease violations.
- What this means for advertisers: Any business that collects information on users while they are in Brazil needs to ensure compliance with these standards, including obtaining unambiguous consent to use their personal data. If you follow the opt-in consent rules for GDPR, you will be compliant with the LGPD.
California Consumer Privacy Act (CCPA & CPRA)
- Date law passed: The CCPA was passed on June 28, 2018. The CPRA, an amendment to the CCPA, was passed on November 3, 2020.
- Date went into effect: The CCPA went into effect Jan 1, 2020. The CPRA amendment went into effect on Jan 1, 2023.
- Definition: This landmark law secures new privacy rights for California consumers, including:
  - The right to know about the personal information a business collects about them and how it is used and shared;
  - The right to delete personal information collected from them (with some exceptions);
  - The right to opt out of the sale or sharing of their personal information; and
  - The right to non-discrimination for exercising their CCPA rights.
  In November 2020, California voters approved Proposition 24, the CPRA, which amended the CCPA and added new privacy protections that began on January 1, 2023. As of that date, consumers have new rights in addition to those above, such as:
  - The right to correct inaccurate personal information that a business has about them; and
  - The right to limit the use and disclosure of sensitive personal information collected about them.
- Enforcement: Originally, the California Attorney General had sole authority to enforce the CCPA. The CPRA amendment granted the California Privacy Protection Agency full administrative power, authority, and jurisdiction to implement and enforce the CCPA, while the Attorney General retained enforcement powers.
- Penalties: Violations of the CCPA are subject to enforcement by the California attorney general’s office, which can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation after notice and a 30-day opportunity to cure have been provided.
- What this means for advertisers: Businesses that are subject to the CCPA have several responsibilities, including responding to consumer requests to exercise these rights and giving consumers certain notices explaining their privacy practices.
Virginia Consumer Data Protection Act (VCDPA)
- Date law passed: March 2, 2021
- Date went into effect: January 1, 2023
- Definition: The VCDPA gives consumers the right to access their personal data and to request that businesses delete it. It also requires companies to conduct data protection assessments related to processing personal data for targeted advertising and sales purposes. The law also contains some restrictions on the use of de-identified data, that is, data modified so that it no longer directly identifies the individuals from whom it was derived.
- Enforcement: The Virginia Attorney General is the only entity that can enforce the VCDPA and seek damages.
- Penalties: Violations can result in civil penalties of up to $7,500 per individual consumer violation. In addition, businesses can be held responsible for the reimbursement of the office’s reasonable expenses, which include attorney’s fees.
- What this means for advertisers: Virginia’s act is not much different from the CCPA, but it is important to note that it does not specify a company revenue threshold, meaning it applies to companies of any size that process data.
A comprehensive list of regulations in countries throughout the world can be found here.
New Data Privacy Regulations Passing in 2023
More data privacy regulations are in the works, but here are some of the big ones going into effect in the near future.
The Colorado Privacy Act (CPA)
- Date law passed: July 7, 2021
- Date goes into effect: July 1, 2023
- Definition: The Colorado Privacy Act provides Colorado residents with the right to opt out of targeted advertising, the sale of their personal data, and certain types of profiling. Starting July 1, 2024, controllers will need to honor user-selected universal opt-outs for targeted advertising and sales. Colorado residents also have the right to access, correct, and delete their personal data as well as the right to data portability. Controllers will generally have 45 days to respond to consumer requests.
- Enforcement: Compliance with the CPA is exclusively enforced by the Colorado Attorney General or the district attorney.
- Penalties: Under the CPA, violations are subject to civil penalties under the Colorado Consumer Protection Act, which provides for civil penalties of no more than $20,000 for each violation involving an individual consumer.
- What this means for advertisers: As another consumer protection law, this will be additive to the activity from California and Virginia. That means that if a company is accused of a violation in one state, that may quickly spill over into other states with similar regulations.
The Connecticut Data Privacy Act (CTDPA)
- Date law passed: May 10, 2022
- Date goes into effect: July 1, 2023
- Definition: The CTDPA provides Connecticut residents the following enumerated rights:
  - The right to access personal data that a controller has collected about them.
  - The right to correct inaccuracies in their personal data.
  - The right to delete their personal data, including personal data that a controller collected through third parties.
  - The right to obtain a copy of their personal data in a portable and readily usable format that allows them to transfer the data to another controller with ease.
  - The right to opt out of:
    - the sale of their personal data;
    - the processing of personal data for the purposes of targeted advertising; and
    - profiling that may have legal or other significant impacts.
- Enforcement: The Connecticut Attorney General has exclusive authority to enforce the CTDPA.
- Penalties: Up to $5,000 per violation. In addition to civil penalties, the Attorney General can also pursue litigation for additional damages.
- What this means for advertisers: Companies who collect and process personal data of Connecticut residents must:
  - Provide notice regarding the types of personal data they process, the purpose(s) for processing, whether and why they share personal data with third parties, and information about how consumers can exercise their various rights (e.g. access, deletion) over their personal data.
  - Limit collection of personal data to what is adequate, relevant, and reasonably necessary for the specific purpose(s) for which the data is processed (also known as “data minimization”).
  - Obtain consent before processing a consumer’s sensitive data.
  - Respond to requests to exercise consumer rights granted under the CTDPA.
  - Conduct assessments before processing personal data in a manner that presents a heightened risk of harm to consumers (called “Data Protection Assessments”). This includes processing personal data for the purposes of targeted advertising, sale, or profiling, and processing sensitive data.
Utah Consumer Privacy Act (UCPA)
- Date law passed: March 24, 2022
- Date goes into effect: December 31, 2023
- Definition: Consumers are provided four main rights under the UCPA:
  - Right to access – the right to confirm whether a controller is processing their data and the right to access that personal data.
  - Right to delete – the right to have the company delete the personal data they provided to the controller.
  - Right to data portability – the right to obtain a copy of their personal data in a format that is readily usable.
  - Right to opt out of certain processing – the right to opt out of the processing of their personal data for the purposes of targeted advertising or the sale of personal data.
- Enforcement: The Utah Attorney General has exclusive authority to enforce the UCPA.
- Penalties: Companies have 30 days once notified to fix the violation. If it is not fixed within that period, the attorney general can impose penalties and damages of up to $7,500 per violation.
- What this means for advertisers: This act is easier on businesses than those from California, Virginia, and Colorado. As long as a business is compliant with those stricter regulations, there should be no change when this law goes into effect.
Federal Data Protections in the US
While consumer data privacy is being handled mostly on a state level in the US, there are many federal-level regulations that apply to certain industries that also need to be adhered to.
Children’s Online Privacy Protection Act (COPPA)
COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act requires financial institutions (companies that offer consumers financial products or services like loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data.
Fair Credit Reporting Act (FCRA)
The Fair Credit Reporting Act protects information collected by consumer reporting agencies such as credit bureaus, medical information companies, and tenant screening services. Information in a consumer report cannot be provided to anyone who does not have a purpose specified in the Act. Companies that provide information to consumer reporting agencies also have specific legal obligations, including the duty to investigate disputed information. In addition, users of the information for credit, insurance, or employment purposes must notify the consumer when an adverse action is taken on the basis of such reports.
Questions to Ask Data Providers to Ensure Data Privacy Compliance
When working with data providers and partners, it is now more important than ever to ensure that they are handling personal data appropriately. Here are the critical questions to ask to confirm new data providers will stay compliant with current and upcoming regulations.
- Is there a separate privacy team in your company that drives privacy compliance, or is privacy built in by design?
- What documentation do you maintain on the data you’re collecting, such as consent, how it’s used, where it’s stored, which employee is responsible for it, etc.?
- What security measures do you have in place for your data storage?
- How are you handling the opt-in vs. opt-out requirements imposed by regional privacy regulators?
- What are you doing to address recent US state laws?
- What are you doing to address recent GDPR regulations?
- How do you ensure you handle sensitive data in a privacy-compliant manner, especially sensitive health or religious data?
- Are you planning on getting a privacy audit/review for an eventual certification this year? If so, which organization are you planning to work with on this?
Asking these questions will give a clear picture of how serious the data provider is about data protection and privacy as well as how prepared they are to demonstrate compliance with international regulations. Partnering with data providers like ShareThis, who put data privacy at the forefront of their business practices, will allow advertisers to worry less about data privacy compliance and instead focus on advertising success.