In this evolving digital age, privacy laws are essential for organizations to secure any individual's personal data. There are many different data protection regulations around the world that share similar regulations and impose strict penalties for companies failing to achieve compliance while collecting and using data. However, data privacy laws are not identical; they contain distinctive requirements and methods depending on the country and circumstances.
Throughout this article, we will compare four data privacy laws while determining their differences and similarities.
GDPR: The general data protection regulation "GDPR" became effective on May 25, 2018. It regulates the protection of any personal information related to EU citizens. GDPR is based on seven fundamental principles:
-
Lawfulness, fairness, and transparency
-
Purpose limitation
-
Data minimization
-
Accuracy
-
Storage limitation
-
Integrity and confidentiality
-
Accountability
In addition, the term "pseudonymized" is often used in GDPR. Pseudonymization is a method incorporated to diminish the possibilities of personal data leading to identifying the natural person they are attributed to. Therefore, organizations that process personal data from EU-based subjects should be GDPR-compliant. Or else they can face fines up to €20 million or 4% of a company's annual turnover.
CCPA: California Consumer Privacy Act was enacted on January 1, 2020, to protect any personal information that could be linked to Californian residents, whether it's a consumer or household. CCPA disregards de-identified data (called pseudonymized in GDPR), public information, and aggregate input. The CCPA is based on three principles, transparency, accountability, and control. The most significant difference with GDPR is probably that CCPA applies not only to individual data, but also covers household data.
Any entity that conducts business in California and meets the following criteria should comply with CCPA:
-
Annual revenues of more than $25 million,
-
Data processing of greater than 50,000 users
-
Gains at least 50% of revenue from selling personal data.
The CCPA fines include: $2500 for unintentional violation and $7,500 for intentional violation.
However, in 2023 a new legalization act, the CPRA, will become the successor of the CCPA and will replace and amend a few rules included in the precedent law. For example, the CCPA allows individuals to refuse their personal data to be shared by organizations, whereas CPRA also gives them the right to decide who can sell and collect their data.
CPA: The Colorado Privacy Act will operate starting July 1, 2023; it protects the personal information of consumers that are residents of Colorado. Any controller that handles a business in Colorado, whether it's selling products or delivering services for its residents, should be compliant with CPA. In addition, controllers should satisfy these two requirements:
-
Processing data annually of greater than 100,000 consumers.
-
Obtain revenue or discounts from selling data of 25,000 consumers.
So far, no penalties are set yet, so a breach of CPA is regarded as a deceptive trade practice.
VCDPA: The VCDPA (Virginia Consumer Data Protection Act) acts similarly to the previous laws mentioned above. It provides consumers the right to access their personal data and request businesses to delete their information, excluding de-identified data or publicly available information. This act won't be enforced until January 1, 2023; entities operating businesses in Virginia should ensure their companies fully comply with VCDPA to avoid penalties. Any organization violating this act will face up to $7500 fines plus attorney fees.
In the end, make sure to research privacy data laws in your area that apply to your company's thresholds. This way, you can protect your users without breaching any rules, and you can avoid hefty fines and sanctions.
0 comments