Data Privacy Laws & Regulations
There are several data protection and privacy laws around the world. These laws aim to regulate the collection, use, and storage of personal data by organizations and give individuals more control over their personal information. They set strict rules on obtaining consent, securing personal information, and reporting data breaches. Pandectes helps Shopify stores comply with these data privacy laws & regulations.
GDPR - EU & UK
What is the GDPR?
General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
The General Data Protection Regulation (GDPR) is widely considered to be the leading standard for protecting user data. It is built on the principles of consent, transparency, security, and giving users control over their personal information. It has the most stringent and comprehensive requirements for managing user data among the data protection laws.
When will the GDPR go into effect?
The General Data Protection Regulation (GDPR) went into effect on May 25th, 2018.
How do I achieve compliance?
Achieving compliance can be done by some key steps:
- Provide a cookie banner giving the option to the visitors to opt-in or opt-out which will be applied to your store cookies and scripts.
- Prepare a privacy policy page with cookies declaration.
- Give the option to the visitor to check existing consent and change preferences.
What happens if I don’t comply with the GDPR?
Failing to comply with the General Data Protection Regulation (GDPR) can result in significant fines and penalties. The GDPR gives supervisory authorities the power to impose administrative fines for non-compliance. The fines can be up to 4% of a company’s global annual revenue or β¬20 million (whichever is greater).
CCPA & CPRA - California
What is the CCPA & CPRA?
The California Consumer Privacy Act (CCPA) is a privacy law that regulates how businesses operating in California, USA must handle personal information of California residents.
The California Privacy Rights Act (CPRA) is a ballot initiative passed by California voters in November 2020, it is an amendment of the CCPA, which expands the rights of California residents and the obligations of businesses in regard to the collection, use, and sharing of personal information.
When will the CCPA & CPRA go into effect?
The California Consumer Privacy Act (CCPA) went into effect on January 1st, 2020. The California Privacy Rights Act (CPRA) was passed by California voters in November 2020 as a ballot initiative. However, it will not go into effect until 2023.
How do I achieve compliance?
Achieving compliance can be done by some key steps:
- Provide a cookie banner giving the option to the visitors to opt-out, which will be applied to your store cookies and scripts.
- Update your privacy notice to reflect the new rights of California residents under the CCPA and CPRA, and provide a specific “Do Not Sell My Personal Information” link on the homepage of your website.
What happens if I don’t comply with the CCPA & CPRA?
The fines for CCPA can be up to $2,500 per violation or $7,500 per intentional violation. The fines for CPRA are higher and can be up to $7,500 for each violation and $2,500 for each unintentional violation.
CPA - Colorado
What is the CPA?
The Colorado Privacy Act (CPA) grants Colorado residents certain data rights and places responsibilities on data controllers and processors. It is comparable to the California Privacy Rights Act (CPRA), Virginiaβs Consumer Data Protection Act (CDPA), and draws from the EUβs General Data Protection Regulation (GDPR). Common features include opt-out provisions for data collection and processing, protection for sensitive data, and the application of privacy-by-design principles. However, there are significant differences in the specifics, as noted by privacy attorney Kirk Nahra from Wilmer Hale. For example, the CPA and the CPRA differ in their definitions of “sensitive data,” requiring careful examination for compliance. The definition of sensitive data under the CPA, among other provisions, will be further explored in subsequent discussions.
When will the CPA go into effect?
The CPA tasked theΒ Colorado Attorney General with implementing and enforcing the CPA, including adopting new rules. The CPA is a part of the State of Coloradoβs Consumer Protection Act and goes into effectΒ July 1, 2023.
How do I achieve compliance?
- Understanding the Act
- Identify and Classify Data
- Review Your Data Collection Practices
- Review Your Data Processing Activities
- Implement Mechanisms for User Requests
- Security Measures
- Data Protection Impact Assessments
- Training
- Contracts with Third Parties
CTDPA - Connecticut
What is the CTDPA?
Effective from May 10, 2022, the CTDPA (Connecticut Data Privacy Act) grants Connecticut residents increased control over their personal data. Under this act, a consumer is defined as a resident of the state who acts on their own behalf and not in a commercial or employment context. This distinguishes it from states like California, where employees receive data privacy protection under the CPRA (California Privacy Rights Act).
While the CTDPA incorporates many similar provisions found in data privacy acts of other states, it closely resembles the regulations in Colorado (CPA) and Virginia (CDPA).
When will the CTDPA go into effect?
As state-level data protection legislation steadily expands, one of the countryβs early comprehensive privacy laws to be enacted, the Connecticut Data Privacy Act (CTDPA), will take effect onΒ July 1, 2023.
How do I achieve compliance?
- Determine if your company is required to comply
- Create a comprehensive Privacy Policy
- Inform users about their rights
- As a best practice, review and update your Privacy Policy or Notice every 12 months
- Enable clear options when consent is required
- Authenticate consent for collection of sensitive personal data or data from minors
- Enable consumers to make Data Subject Access Requests (DSARs)
- Set up a system to verify Data Subject Access Requests (DSARs)
- Keep track of Data Subject Access Requests (DSARs)
- Fulfill Data Subject Access Requests DSARs)
What happens if I don’t comply with the CTDPA?
The Connecticut Attorney General possesses the power to enforce violations and impose fines of up to $5,000 per violation. Furthermore, the Attorney General can issue orders to prevent offenders from breaking the law, require them to compensate victims, and demand disgorgement of any profits obtained through illegal activities.
MCDPA - Montana
What is the MCDPA?
The Montana Consumer Data Protection Act (MCDPA) provides Montana residents with certain rights pertaining to their data and imposes obligations on those who control and process data. It shares some similarities with other state laws such as the California Privacy Rights Act (CPRA) and Virginiaβs Consumer Data Protection Act (CDPA), as well as draws inspiration from the EUβs General Data Protection Regulation (GDPR).
When will the MCDPA go into effect?
The Montana Consumer Data Protection Act (MCDPA) was signed into law and will become effective on July 1, 2025.
How do I achieve compliance?
Achieving compliance can be done by following some key steps:
Provide a Cookie Banner: Ensure your website includes a cookie banner that gives visitors the option to opt-out.Β
Update Privacy Notice: Update your privacy notice to reflect the new rights of Montana residents under the MCDPA. Include a specific “Do Not Sell My Personal Information” link on the homepage of your website.
What happens if I don’t comply with theΒ MCDPA?
Violations of the MCDPA are considered deceptive trade practices and will be dealt with under the Montana Consumer Protection Act. While the MCDPA does not specify exact fines, violators could face substantial penalties as determined by the Montana Attorney General. Potential fines and penalties can vary, but non-compliance could also result in criminal charges.
OCDPA - Oregon
What is the OCDPA?
The Oregon Consumer Data Privacy Act (OCDPA) is a data privacy law that regulates how businesses handle personal data of Oregon residents.
It applies to companies that conduct business in Oregon and meet certain thresholds in terms of revenue and data processing. The OCDPA is considered one of the most stringent data protection laws in the US, and it is similar to the California Consumer Privacy Act (CCPA).
When will the OCDPA go into effect?
The OCDPA tasks the Oregon Attorney General with implementing and enforcing the OCDPA, including adopting new rules. The OCDPA is a part of the State of Oregonβs Unlawful Trade Practices Act and goes into effect on July 1, 2025.
How do I achieve compliance?
Achieving compliance can be done by following some key steps:
Provide a Cookie Banner: Ensure your website includes a cookie banner that gives visitors the option to opt-out.
Update Privacy Notice: Update your privacy notice to reflect the new rights of Oregon residents under the OCDPA. Include a specific “Do Not Sell My Personal Information” link on the homepage of your website.
What happens if I don’t comply with the OCDPA?
The OCDPA doesnβt specify the penalties or fines that violators will have to pay. However, violations of the regulation are considered a deceptive trade practice. This means that violations will be dealt with as per the Oregon Unlawful Trade Practices Act.
TDPSA - Texas
What is the TDPSA?
The Texas Data Privacy and Security Act (TDPSA) provides Texas residents with certain rights pertaining to their data and imposes obligations on those who control and process data. It shares some similarities with other state laws such as the California Privacy Rights Act (CPRA) and Virginiaβs Consumer Data Protection Act (CDPA), as well as draws inspiration from the EUβs General Data Protection Regulation (GDPR).
When will the TDPSA go into effect?
The TDPSA tasks the Texas Attorney General with implementing and enforcing the TDPSA, including adopting new rules. The TDPSA is a part of the State of Texasβs Deceptive Trade Practices-Consumer Protection Act and goes into effect on July 1, 2025.
How do I achieve compliance?
- Determine if your company is required to comply
- Create a comprehensive Privacy Policy
- Inform users about their rights
- As a best practice, review and update your Privacy Policy or Notice every 12 months
- Enable clear options when consent is required
- Authenticate consent for collection of sensitive personal data or data from minors
- Enable consumers to make Data Subject Access Requests (DSARs)
- Set up a system to verify Data Subject Access Requests (DSARs)
- Keep track of Data Subject Access Requests (DSARs)
- Fulfill Data Subject Access Requests DSARs)
UCPA - Utah
What is the UCPA?
The Utah Consumer Privacy Act (UCPA), enacted on March 24, 2022, is a data privacy law that protects the privacy rights of Utah residents and sets rules for businesses in the state. It concentrates on the sale of personal data and targeted advertising, defining a sale as the exchange of personal data for monetary consideration to a third party. Unlike the California Privacy Rights Act (CPRA), the UCPA does not consider data sharing and does not view targeted advertising as a direct transaction with the consumer. The law follows an opt-out model, permitting the collection, sale, and use of personal data for targeted advertising without explicit consent, except for children’s data. Consumers can opt out of the sale of their data or its use for targeted advertising, and businesses must provide them with this option.
When will the UCPA go into effect?
Scheduled to take effect on December 31, 2023, the Utah Consumer Privacy Act (UCPA) serves as Utahβs data privacy law. It grants consumers certain rights while imposing obligations on businesses operating within the state.
How do I achieve compliance?
- Determine if your company is required to comply
- Create a comprehensive Privacy Policy
- Inform users about their rights
- As a best practice, review and update your Privacy Policy or Notice every 12 months
- Enable clear options when consent is required
- Authenticate consent for collection of sensitive personal data or data from minors
- Enable consumers to make Data Subject Access Requests (DSARs)
- Set up a system to verify Data Subject Access Requests (DSARs)
- Keep track of Data Subject Access Requests (DSARs)
- Fulfill Data Subject Access Requests DSARs)
VCDPA - Virginia
What is the VCDPA?
The Virginia Consumer Data Protection Act (VCDPA) is a data privacy law that regulates how businesses handle personal data of Virginia residents.
It applies to companies that conduct business in Virginia and meet certain thresholds in terms of revenue and data processing. The VCDPA is considered as one of the most stringent data protection laws in the US, and it is similar to the California Consumer Privacy Act (CCPA).
How do I achieve compliance?
Achieving compliance can be done by some key steps:
- Provide a cookie banner giving the option to the visitors to opt-out, which will be applied to your store cookies and scripts.
Update Privacy Notice: Update your privacy notice to reflect the new rights of Virginia residents under the VCDPA, and provide a specific “Do Not Sell My Personal Information” link on the homepage of your website.
LGPD - Brazil
What is the LGPD?
The Brazilian General Data Protection Law (LGPD) is a data protection law that regulates the collection, use, and storage of personal data of Brazilian citizens. It came into effect on August 2020. It is considered one of the most comprehensive data protection laws in Latin America and is similar to the EU’s General Data Protection Regulation (GDPR).
How do I achieve compliance?
Achieving compliance can be done by some key steps:
- Provide a cookie banner giving the option to the visitors to opt-in or opt-out which will be applied to your store cookies and scripts.
- Prepare a privacy policy page with cookies declaration.
- Provide a way to customers to make data requests.
PIPEDA - Canada
What is the PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy law that governs how organizations collect, use, and disclose personal information in the course of commercial activities. It applies to all private sector organizations engaged in commercial activities and sets out the rules for how personal information should be handled.
It establishes principles such as obtaining meaningful consent for the collection, use, and disclosure of personal information, providing individuals with access to their personal information, and protecting personal information through appropriate security measures.
When will the PIPEDA go into effect?
The Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect on January 1st, 2001. However, it was not fully enforced until January 1st, 2004, after a 3-year transition period.
How do I achieve compliance?
Achieving compliance can be done by some key steps:
- Provide a cookie banner giving the option to the visitors to opt-out, which will be applied to your store cookies and scripts.
Update Policies and Procedures: Review and update your policies and procedures to ensure they comply with PIPEDA requirements, such as obtaining consent, providing transparent information, and allowing individuals to exercise their rights.
What happens if I don’t comply with the PIPEDA?
Organizations can be ordered to pay Administrative Monetary Penalties of up to $10,000 for each violation of the Act.
The Privacy Commissioner of Canada can issue compliance orders requiring organizations to take specific actions to come into compliance with PIPEDA.
APPI - Japan
What is the APPI?
The Act on the Protection of Personal Information (APPI) is Japan’s national data protection legislation. The APPI aims to protect the personal information of individuals by regulating the collection, use, and disclosure of personal data by organizations. It establishes principles such as obtaining consent for the collection, use and disclosure of personal information, providing individuals with access to their personal information, and protecting personal information through appropriate security measures.Β
How do I achieve compliance?
Achieving compliance can be done through some key steps:
- Provide a cookie banner giving the option to the visitors to opt-out, which will be applied to your store cookies and scripts.
- Prepare a privacy policy page with cookie declaration.
- Give the option to the visitor to check existing consent and change preferences.
What happens if I don’t comply with the APPI?
The Personal Information Protection Commission (PPC), which is responsible for enforcing the APPI, has the power to impose administrative fines for non-compliance. The fines can be up to JPY 1,000,000 (around 9,300 USD).
PDPA - Thailand
What is the PDPA?
The Thailand Personal Data Protection Act (PDPA) is a data protection law in Thailand. It aims to protect the personal data of individuals by regulating the collection, use, and disclosure of personal data by organizations. It establishes principles such as obtaining consent for the collection, use, and disclosure of personal data, providing individuals with access to their personal data, and protecting personal data through appropriate security measures.
When will the PDPA go into effect?
The Thailand Personal Data Protection Act (PDPA) was passed on May 27, 2019 and it came into effect on May 27, 2020. However, the Personal Data Protection Committee (PDPC) has implemented a grace period until May 26, 2021, during which it will prioritize guidance, education and awareness-raising over fines and penalties for non-compliance with the PDPA.
How do I achieve compliance?
Achieving compliance can be done by some key steps:
- Provide a cookie banner giving the option to the visitors to opt-in or opt-out which will be applied to your store cookies and scripts.
- Prepare a privacy policy page with cookies declaration.
- Give the option to the visitor to check existing consent and change preferences.
What happens if I don’t comply with the PDPA?
The Personal Data Protection Committee (PDPC) has the power to impose administrative fines for non-compliance. The fines can be up to 5 million baht (around 160,000 USD) per violation.
FADP - Switzerland
What is the FADP?
The Federal Act on Data Protection (FADP) in Switzerland has been updated to address modern digital challenges. Introduced in 1992, it was revised in 2020 with the New Federal Act on Data Protection (nFADP), set for implementation in September 2023. The nFADP focuses on protecting individual data, classifying genetic and biometric information as sensitive, and emphasizes principles like βPrivacy by Designβ. It aligns closely with the European GDPR, ensuring seamless data exchange between Switzerland and the EU.
What happens if I don’t comply with the FADP?
If you don’t comply with the FADP, you risk facing financial penalties, civil claims from affected individuals, reputational damage, and enforcement actions by the FDPIC. Non-compliance can also hinder cross-border data transfers and disrupt business operations. It’s vital to prioritize adherence to avoid these consequences.
POPIA - South Africa
What is the POPIA?
The Protection of Personal Information Act (POPIA) is South Africa’s comprehensive data protection law, designed to safeguard personal information processed by public and private bodies. Enacted in 2013, POPIA aligns with global data protection standards, emphasizing the right to privacy while balancing against other rights, such as access to information.
When will the POPIA go into effect?
The Protection of Personal Information Act (POPIA) in South Africa was signed into law on November 26, 2013. However, its provisions were enacted in stages. The final provisions of POPIA came into effect on July 1, 2020, marking the start of the enforcement of the Act. Importantly, there was a grace period given to organizations to ensure full compliance with the Act’s requirements, which ended on July 1, 2021. From July 1, 2021, onwards, all organizations processing personal information in South Africa are expected to comply with POPIA’s provisions or face potential penalties and enforcement actions.
How do I achieve compliance?
To achieve POPIA compliance, start by thoroughly understanding the requirements of the Act, including lawful data processing and data subject rights. Conduct an audit of all personal data you handle to identify what you collect and how it’s used. Appoint an Information Officer to oversee compliance efforts. Update your privacy policies and procedures to align with POPIA standards, ensuring they cover data collection, processing, and sharing. Implement systems to manage consent effectively and to allow individuals to exercise their rights to access, correct, or delete their data. Lastly, ensure robust security measures are in place to protect personal information against breaches, and establish clear protocols for responding to data breaches in compliance with POPIA’s notification requirements.
NZPA - New Zealand
When will the NZPA go into effect?
The New Zealand Privacy Act (NZPA) was first enacted in 1993. However, its provisions have been updated over the years to keep pace with evolving privacy concerns. Significant amendments were made, with the most recent provisions coming into effect on December 1, 2020, marking the start of the enforcement of the updated Act.
Importantly, there was a grace period given to organizations to ensure full compliance with the Act’s requirements, which ended on December 1, 2021. From December 1, 2021, onwards, all organizations processing personal information in New Zealand are expected to comply with the NZPA’s provisions or face potential penalties and enforcement actions.
APA - Australia
What is the APA?
The Australian Privacy Act (APA) is Australia’s comprehensive data protection law, designed to safeguard personal information processed by public and private bodies. Enacted in 1988, the APA aligns with global data protection standards, emphasizing the right to privacy while balancing against other rights, such as access to information.
