Data protection laws serve to govern the collection, storage, processing, disclosure, and care of personal data. With more social and economic activities taking place online, platforms have been entrusted with an increasing amount and variety of data. Thus, they must take the necessary steps to protect the data they collect from end users. Over the past years, as a result of technological developments and the need for more robust privacy and personal data protections for users, different legal frameworks have been developed in various jurisdictions.
These data protection laws and related legal frameworks are relevant to T&S teams because not complying with them could result in potential liability and regulatory action. Organizations may collect, store, process, and share personal data as long as they comply with specific safeguards provided by data protection laws and regulations around the world. Adequate compliance with these laws and regulations may require collaborative work from various teams within an organization, so as to understand what type of personal data needs to be collected, for what purposes, how the data will be stored and processed, or to respond to specific requests from governments and users in a timely manner among other crucial aspects.
Privacy policies for each platform usually detail if the company collects personal data; which types of data it collects and how it is processed; how it uses the data; if and how the company shares it with other entities; what rights users have; and jurisdiction-specific requirements among other provisions. The contents covered by privacy policies usually depend on the type of service the platform offers and the specific legal requirements by each jurisdiction.
As detailed below, organizations that operate at the global level should take into account that various countries and regions have already approved personal data protection laws and regulations, so a comprehensive understanding of each of them and their most relevant requirements is important to avoid potential liability.
The General Data Protection Regulation (GDPR)
Probably the most important framework was developed by the European Union (EU). The General Data Protection Regulation (GDPR) was adopted in 2016 and became enforceable in 2018. The aim of the GDPR is to enhance individual’s control and rights over their personal data and to simplify the regulatory environment for international business. To effectively protect data of EU citizens and residents, the GDPR also applies to organizations outside of the EU, so long as they process the personal data of EU citizens or residents, or or they offer goods or services to them.
The GDPR states seven protection and accountability principles that must be adopted by organizations:
- Lawfulness, fairness and transparency—Processing must be lawful, fair, and transparent to the data subject (as defined by the GDPR);
- Purpose limitation—Data must be processed for the legitimate purposes specified explicitly to the data subject when it was collected;
- Data minimization—Only as much data as absolutely necessary for the purposes specified must be collected and processed;
- Accuracy—Personal data must be kept accurate and up to date;
- Storage limitation—Personally identifying data must be stored only for as long as necessary for the specified purpose;
- Integrity and confidentiality—Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality;
- Accountability—The data controller (as defined by the GDPR) is responsible for being able to demonstrate GDPR compliance with all of these principles.
According to the GDPR, organizations must provide a privacy notice that is:
- In a concise, transparent, intelligible, and easily accessible form;
- Written in clear and plain language, particularly for any information addressed specifically to a child;
- Delivered in a timely manner; and
- Provided free of charge.
Other Related Legislation Impacting Privacy
Moreover, the EU’s Digital Services Act (DSA) and the Digital Markets Act (DMA)––legislation that imposes specific ex ante obligations to what it defines as “gatekeepers” and establishes penalties in case those obligations are not met––may also have a relevant impact in the privacy field, and may need to be analyzed together with GDPR provisions. The DSA and the DMA entered into force in November 2022.
The European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data is also worth considering. It is a Council of Europe treaty that became effective in 1985. The Convention protects individuals against abuses that may result from the collection and processing of personal data, and seeks to regulate at the same time the transfrontier flow of personal data. The Council of Europe updated the Convention in 2018, “in order to address the challenges for privacy resulting from the use of new information and communication technologies; and to strengthen the convention’s follow-up mechanism.”
The GDPR has had a strong impact on legal and regulatory frameworks not only in the EU but also outside. It has become a model for national data protection laws in different parts of the world. For instance, South Africa’s Protection of Personal Information Act went into effect in 2020 and has similarities with the GDPR. In addition, Australia’s Privacy Act was recently amended to reflect GDPR regulations. Moreover, a few Latin American countries have either updated their data protection laws or developed and approved a data protection framework for the first time (for instance, in Argentina, Barbados, Brazil, and Panama).
The GDPR has also had a significant impact on privacy and data protection frameworks in the U.S. Although the U.S. still does not have a single, comprehensive federal privacy law, there are various federal and state laws that provide users with different personal data protections.
The California Consumer Privacy Act of 2018 (CCPA)
The California Consumer Privacy Act of 2018 (CCPA) provides consumers with more control over the personal information that businesses collect about them. The CCPA went into effect on January 1, 2020. It protects California consumers’ rights such as:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale or sharing of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
The California Privacy Rights Act (CPRA) is a ballot initiative that amends the CCPA and includes additional privacy protections for consumers passed in November 2020. The CPRA includes additional privacy protections for consumers that began on January 1, 2023. These additional rights include:
- The right to correct inaccurate personal information that a business has about them; and
- The right to limit the use and disclosure of sensitive personal information collected about them.
Since 2018, 39 states have considered comprehensive consumer privacy laws. Apart from California, Colorado, Connecticut, Utah, and Virginia also enacted comprehensive consumer privacy laws.
The Children’s Online Privacy Protection Act of 1998 (COPPA)
Moreover, regarding children’s rights and privacy protections, the Children’s Online Privacy Protection Act of 1998 (COPPA) became effective in 2000. It prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the internet.Finally, in India, the Digital Personal Data Protection Act (DPDP) was passed in August, 2023, after two previous versions of the bill. According to organizations working in the privacy field, the DPDP shares a similar structure with the GDPR and other global laws, but it includes more limited grounds of processing, wide exemptions for government actors, and regulatory powers for the government to further specify the law and to exempt specific fiduciaries or classes of fiduciaries from key obligations among other relevant differences. At the time of this writing, many details of the law are still undefined, since the new Data Protection Board of India needs to be set up and further rules for the specification of the law have to be drafted and officially notified. The DPDP will not come into effect until the government provides notice of an effective date.