Data Privacy Laws Comparisons

In today's digital economy, data privacy laws oblige organizations to protect the personal data of the individuals they collect it from. Many data protection regimes around the world share similar requirements and impose strict penalties on companies that fail to comply while collecting and using personal data. They are not identical, however: each contains distinctive requirements, thresholds, and enforcement mechanisms that depend on the jurisdiction and circumstances.

In this article, we compare four data privacy laws and highlight their differences and similarities.

GDPR: The General Data Protection Regulation (GDPR) became effective on May 25, 2018. It governs the processing of personal data relating to individuals in the EU (data subjects, regardless of citizenship), and it also applies to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. GDPR is based on seven fundamental principles:

  • Lawfulness, fairness, and transparency

  • Purpose limitation

  • Data minimization

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality

  • Accountability

In addition, the term "pseudonymization" is used throughout GDPR. Pseudonymization means processing personal data so that it can no longer be attributed to a specific individual without additional information, which must be kept separately and protected by technical and organizational measures. Pseudonymized data is still personal data under GDPR: it reduces risk but does not take the data out of scope. Organizations that process personal data of EU-based data subjects must therefore be GDPR-compliant, or they can face fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.

CCPA: The California Consumer Privacy Act was signed into law in June 2018 and took effect on January 1, 2020. It protects personal information that identifies, relates to, or could reasonably be linked with a California resident, whether as an individual consumer or as a household. The CCPA excludes de-identified data, aggregate consumer information, and publicly available information. Note that CCPA de-identified data is not the same as GDPR pseudonymized data: pseudonymized data remains personal data under GDPR, whereas properly de-identified data falls outside the CCPA altogether. The CCPA is based on three principles: transparency, accountability, and control. Perhaps the most significant difference from GDPR is that the CCPA covers household data as well as individual data.

Any for-profit entity that does business in California and meets any one of the following thresholds must comply with CCPA:

  • Annual gross revenues of more than $25 million,

  • Buys, sells, or shares the personal information of 50,000 or more consumers, households, or devices per year (raised to 100,000 consumers or households by the CPRA), or

  • Derives 50% or more of its annual revenue from selling consumers' personal information.

CCPA civil penalties are up to $2,500 per unintentional violation and up to $7,500 per intentional violation, assessed per violation rather than per incident.

However, from January 1, 2023 the California Privacy Rights Act (CPRA) amends and extends the CCPA. For example, the CCPA gives individuals the right to opt out of the sale of their personal information, whereas the CPRA extends that right to the "sharing" of personal information for cross-context behavioral advertising, adds a right to correct inaccurate data and a right to limit the use of sensitive personal information, and creates a dedicated enforcement body, the California Privacy Protection Agency.

CPA: The Colorado Privacy Act takes effect on July 1, 2023 and protects the personal data of consumers who are Colorado residents. Any controller that conducts business in Colorado, or produces products or services targeted to Colorado residents, must comply with the CPA if it meets either of the following thresholds:

  • Controls or processes the personal data of 100,000 or more consumers during a calendar year, or

  • Derives revenue or receives a discount from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.

The CPA does not set its own fine schedule. Instead, a violation is treated as a deceptive trade practice under the Colorado Consumer Protection Act and is enforced by the Attorney General and district attorneys; there is no private right of action.

VCDPA: The Virginia Consumer Data Protection Act (VCDPA) works similarly to the laws above. It gives consumers the right to access their personal data and to ask businesses to delete it, excluding de-identified data and publicly available information. It applies to entities that do business in Virginia or target Virginia residents and that, in a calendar year, control or process the personal data of at least 100,000 consumers, or control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. The act is enforced from January 1, 2023, so covered entities should ensure they fully comply with the VCDPA to avoid penalties. The Attorney General can seek civil penalties of up to $7,500 per violation, plus reasonable attorney fees and expenses.

Finally, research the data privacy laws that apply where you operate and check your company against each law's thresholds. That way you can protect your users' data without breaching any rules, and you can avoid hefty fines and sanctions.
