The emergence of data privacy laws has prioritized how organizations collect, store and use consumer information - commonly referred to as personally identifiable information (PII).
Data privacy regulations such as the California Consumer Privacy Act (CCPA) or the EU’s General Data Protection Regulation (GDPR) regulate how businesses use personal data and share it with third parties.
Any organization that offers goods or services, or collects consumer data, within a region or country that has data privacy regulations must comply with those laws.
To ensure compliance, the first step for any business is to locate all PII through data discovery. This gives businesses insight into where data is being stored, why it is being processed, who has access to it and with which third parties it is being shared.
Greater visibility into the data inventory makes it easier for businesses to confirm that they are complying with the data privacy regulations that apply to them.
But what happens when businesses do not comply with data privacy laws? In this blog, we take a look at the consequences of non-compliance with some of the most common global data privacy laws.
As of now, there are four states (California, Colorado, Utah and Virginia) that have brought comprehensive consumer data privacy laws into effect. We cover them below.
In addition, many US states, including Alaska, Hawaii, Indiana, Oklahoma, Massachusetts, New York, Pennsylvania, Washington, Wisconsin and New Jersey, have multiple privacy bills pending. Many of these bills are described as “in committee”, meaning they are still being studied and are some way off from coming into effect. To learn more, read our guide to US data protection laws.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act of 2018 gives California consumers more control over the personal information that businesses collect about them, including:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
In addition, businesses are required to give consumers certain notices explaining their privacy practices.
Presently, violations of the CCPA can result in civil penalties of up to $7,500 per violation for willful violations and $2,500 per violation for inadvertent violations, after notice and a 30-day opportunity to cure have been provided.
Consumers may also seek statutory damages of not less than $100 and not more than $750 per consumer, per occurrence, or actual damages, whichever is greater.
Colorado Privacy Act (CPA)
The Colorado Privacy Act creates personal data privacy rights that apply to legal entities that conduct business or produce commercial products or services that are “intentionally targeted to Colorado residents.”
The regulation applies only to organizations that either:
- control or process the personal data of at least 100,000 consumers per calendar year; or
- derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
It does not apply to certain specified entities and categories of data, including state and local governments and state institutions of higher education, personal data governed by listed state and federal laws, listed activities, and employment records.
A violation is defined as a “deceptive trade practice”. While the CPA itself does not set a specific penalty amount, the Colorado Consumer Protection Act stipulates a penalty of up to $20,000 per violation.
Virginia Consumer Data Protection Act (VCDPA)
The VCDPA provides consumers with certain rights related to their personal data, including the right to know, access and confirm personal data, the right to delete personal data and the right to correct inaccuracies in personal data.
Where a business is found to be in violation of the VCDPA, the Attorney General can bring an action on behalf of the Commonwealth seeking an injunction to prevent further violations, as well as civil penalties of up to $7,500 per violation.
Utah Consumer Privacy Act (UCPA)
In 2022, Gov. Spencer Cox signed the Utah Consumer Privacy Act into law, making Utah the fourth state to enact comprehensive privacy legislation; the law goes into effect Dec 31, 2021. Its scope closely mirrors that of the VCDPA.
The Attorney General has exclusive enforcement powers. Entities must be notified in writing of any suspected violations and are given a 30-day window to correct them. The Attorney General may then file a lawsuit for violations that are not cured, seeking actual damages as well as civil fines of $7,500 per violation.
General Data Protection Regulation (GDPR)
Created by the European Union to protect the privacy rights of its citizens, GDPR is based on the belief that individuals should have constant, unwavering control over how their data is shared and over their online activity.
GDPR is the toughest privacy and security law in the world, setting strict guidelines on how businesses collect and process personal information from EU citizens. GDPR gives people easier access to the data that companies hold about them, and the right to have that data erased.
Companies found to breach the rules face the potential for large fines and reputational damage. Failure to comply with GDPR can cost a business up to €20 million or 4 percent of its annual turnover, whichever is greater.
Brazilian Data Protection Law (LGPD)
The LGPD, officially the Lei Geral de Proteção de Dados, is Brazil’s first comprehensive data protection regulation, and it is broadly aligned with the EU’s General Data Protection Regulation (GDPR). Under the LGPD, the processing of sensitive personal data is restricted to:
- cases where the data subject has given specific consent for specific purposes;
- in the absence of consent, cases where the processing is indispensable for certain specified purposes (e.g., compliance with a legal obligation, protecting life or physical safety, and fraud prevention).
Although the law has been in force since 2020, penalties under the LGPD only became enforceable on August 1, 2021. Violations of the LGPD may result in fines of up to 2% of the organization’s global revenue for the prior year, capped at 50 million reais (approximately USD 9.3 million) per violation.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is a Canadian data privacy law that relates to how private sector organizations gather, use and share the personal information they collect during the course of their business practices. In a nutshell, PIPEDA gives individuals the right to:
- know why an organization is collecting, using and disclosing their personal information;
- expect that a business will collect their information only for an appropriate reason;
- obtain contact details for the person in the organization who is in charge of protecting their personal information, plus details of who they can complain to;
- expect that an organization will use appropriate security measures to protect their information; and
- access the personal information that they have shared with an organization.
Organizations that are found to be knowingly in breach of PIPEDA requirements can be fined up to $100,000 for each violation.