Data Privacy Laws & Regulations
There are several data protection and privacy laws around the world. These laws aim to regulate the collection, use, and storage of personal data by organizations and give individuals more control over their personal information. They set strict rules on obtaining consent, securing personal information, and reporting data breaches. Pandectes helps Shopify stores comply with these data privacy laws & regulations.
GDPR
What is the GDPR?
General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
The General Data Protection Regulation (GDPR) is widely regarded as the reference standard for protecting personal data. It is built on lawful basis (including consent), transparency, data minimisation, security of processing, and giving individuals control over their personal information (access, rectification, erasure, portability and objection). Its requirements are among the most stringent and comprehensive of any data protection law, and it applies to any organisation that offers goods or services to people in the EU/EEA or monitors their behaviour, regardless of where the organisation is established.
When did the GDPR go into effect?
The General Data Protection Regulation (GDPR) went into effect on May 25th, 2018.
How do I achieve compliance?
The key steps towards compliance are:
- Provide a cookie banner that blocks all non-essential cookies and scripts until the visitor opts in, and that lets the visitor refuse as easily as accept. Under the GDPR (read together with the ePrivacy Directive), consent must be given before non-essential cookies are set; a banner that only offers an opt-out after the scripts have already run does not meet this requirement.
- Prepare a privacy policy page with a cookie declaration listing each cookie, its purpose, its provider and its retention period.
- Give the visitor a way to review the consent they have given and to change or withdraw it at any time, as easily as it was given.
What happens if I don’t comply with the GDPR?
Failing to comply with the General Data Protection Regulation (GDPR) can result in significant fines and penalties. The GDPR gives supervisory authorities the power to impose administrative fines for non-compliance. For the most serious infringements (the basic processing principles, consent, data subject rights, international transfers) the fines can be up to 4% of a company's total worldwide annual turnover or €20 million, whichever is higher; for other infringements (for example security of processing or breach notification) the ceiling is 2% or €10 million. Supervisory authorities can also order processing to stop, which for a store can matter more than the fine itself.
CCPA & CPRA
What is the CCPA & CPRA?
The California Consumer Privacy Act (CCPA) is a privacy law that regulates how businesses operating in California, USA must handle personal information of California residents.
The California Privacy Rights Act (CPRA) is a ballot initiative (Proposition 24) passed by California voters in November 2020. It amends and extends the CCPA: it expands the rights of California residents (including a right to correct personal information and to limit the use of sensitive personal information), extends the opt-out from "selling" to "sharing" personal information for cross-context behavioural advertising, widens the obligations of businesses, and creates a dedicated enforcement agency, the California Privacy Protection Agency (CPPA).
When will the CCPA & CPRA go into effect?
The California Consumer Privacy Act (CCPA) went into effect on January 1st, 2020. The California Privacy Rights Act (CPRA) was passed by California voters in November 2020 as a ballot initiative, but its provisions only become operative on January 1st, 2023 (with enforcement starting July 1st, 2023 and applying to personal information collected from January 1st, 2022 onwards).
How do I achieve compliance?
The key steps towards compliance are:
- Provide a cookie banner giving visitors the option to opt out, and apply that choice to your store cookies and scripts. The CCPA and CPRA are opt-out laws: scripts may run by default, but a visitor who opts out of the sale or sharing of their personal information must actually stop being tracked by the affected cookies and tags, not just see the banner close.
- Update your privacy notice to reflect the rights of California residents under the CCPA and CPRA, and provide a clear and conspicuous "Do Not Sell My Personal Information" link on the homepage of your website (under the CPRA the link becomes "Do Not Sell or Share My Personal Information").
What happens if I don’t comply with the CCPA & CPRA?
Civil penalties under the CCPA are up to $2,500 per violation, or $7,500 per intentional violation. The CPRA keeps the same amounts but also applies the $7,500 penalty to violations involving the personal information of consumers under 16, and removes the 30-day cure period businesses had under the CCPA, so penalties can accrue as soon as a violation is found. Penalties are counted per violation, which in practice can mean per affected consumer, so the total scales with the number of visitors whose data was mishandled. Consumers also have a private right of action for data breaches caused by a failure to implement reasonable security.
VCDPA
What is the VCDPA?
The Virginia Consumer Data Protection Act (VCDPA) is a data privacy law that regulates how businesses handle personal data of Virginia residents.
It applies to persons that conduct business in Virginia or target Virginia residents and that, in a calendar year, control or process the personal data of at least 100,000 consumers, or of at least 25,000 consumers while deriving over 50% of gross revenue from the sale of personal data. It is closely modelled on the California Consumer Privacy Act (CCPA) and, like it, gives consumers rights of access, correction, deletion, portability and an opt-out from targeted advertising, the sale of personal data and certain profiling.
When will the VCDPA go into effect?
The Virginia Consumer Data Protection Act (VCDPA) was signed into law on March 2, 2021, and it will become effective on January 1, 2023.
How do I achieve compliance?
The key steps towards compliance are:
- Provide a cookie banner giving visitors the option to opt out, and apply that choice to your store cookies and scripts so that opting out actually stops targeted-advertising and sale-related tags from running.
- Update your privacy notice to reflect the rights of Virginia residents under the VCDPA, and provide a clear and conspicuous way to opt out of the sale of personal data and targeted advertising; a "Do Not Sell My Personal Information" link on the homepage of your website is the usual way to do this.
What happens if I don’t comply with the VCDPA?
The VCDPA is enforced exclusively by the Virginia Attorney General; there is no private right of action. After a 30-day cure period, the Attorney General can seek civil penalties of up to $7,500 for each violation, plus the reasonable expenses of the investigation and of preparing the case.
LGPD
What is the LGPD?
The Brazilian General Data Protection Law (LGPD) is a data protection law that regulates the collection, use, and storage of personal data of natural persons, whenever the processing takes place in Brazil, relates to individuals located in Brazil, or serves the offering of goods or services to them, regardless of the citizenship of the individual or where the organisation is based. It took effect in 2020. It is considered one of the most comprehensive data protection laws in Latin America and is closely modelled on the EU's General Data Protection Regulation (GDPR).
When did the LGPD go into effect?
The Brazilian General Data Protection Law (LGPD) took effect in September 2020, after the last proposed postponement was rejected by Congress. Its administrative sanctions, however, only became applicable on August 1st, 2021; until then the National Data Protection Authority (ANPD) prioritised guidance, education and awareness-raising over fines and penalties for non-compliance with the LGPD.
How do I achieve compliance?
The key steps towards compliance are:
- Provide a cookie banner that blocks non-essential cookies and scripts until the visitor opts in, and lets them refuse as easily as accept. Where consent is the legal basis, the LGPD, like the GDPR, requires it to be free, informed and unambiguous, and given for a specific purpose.
- Prepare a privacy policy page with a cookie declaration.
- Provide a way for customers to make data subject requests (confirmation of processing, access, correction, anonymisation, deletion, portability, and information on who their data has been shared with).
What happens if I don’t comply with the LGPD?
The fines can be up to 2% of the company's revenue in Brazil in its last financial year, excluding taxes, capped at 50 million reais (around 8.5 million US dollars, depending on the exchange rate) per infraction. The ANPD can also issue warnings, order the publication of the infraction, and block or delete the personal data concerned.
PIPEDA
What is the PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy law that governs how organizations collect, use, and disclose personal information in the course of commercial activities. It applies to private sector organizations engaged in commercial activities and sets out the rules for how personal information should be handled. Organizations in provinces with substantially similar legislation (Quebec, British Columbia and Alberta) follow the provincial law for activities within that province, but PIPEDA still applies to federally regulated businesses and to personal information that crosses provincial or national borders.
It establishes principles such as obtaining meaningful consent for the collection, use, and disclosure of personal information, providing individuals with access to their personal information, and protecting personal information through appropriate security measures.
When did the PIPEDA go into effect?
The Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect on January 1st, 2001. However, it was not fully enforced until January 1st, 2004, after a 3-year transition period.
How do I achieve compliance?
The key steps towards compliance are:
- Provide a cookie banner giving visitors the option to opt out, and apply that choice to your store cookies and scripts. PIPEDA requires meaningful consent; the Office of the Privacy Commissioner accepts implied (opt-out) consent only for non-sensitive information and where the purpose is obvious, so anything that profiles visitors or uses sensitive data calls for express opt-in.
- Review and update your policies and procedures to ensure they comply with PIPEDA requirements, such as obtaining consent, providing transparent information, allowing individuals to access and correct their information, and reporting breaches of security safeguards that pose a real risk of significant harm to the Privacy Commissioner and to the affected individuals.
What happens if I don’t comply with the PIPEDA?
PIPEDA does not give the Privacy Commissioner of Canada the power to impose fines or issue binding orders. The Commissioner investigates complaints, publishes findings and recommendations, and can apply to the Federal Court, which can order an organization to correct its practices and award damages to the complainant.
Certain offences under the Act, namely obstructing an investigation, failing to report or keep records of breaches of security safeguards, and retaliating against an employee who reports a violation, are prosecuted as offences with fines of up to CAD 10,000 on summary conviction or CAD 100,000 on indictment.
APPI
What is the APPI?
The Act on the Protection of Personal Information (APPI) is Japan’s national data protection legislation. The APPI aims to protect the personal information of individuals by regulating the collection, use, and disclosure of personal data by organizations. It establishes principles such as obtaining consent for the collection, use and disclosure of personal information, providing individuals with access to their personal information, and protecting personal information through appropriate security measures.
When did the APPI go into effect?
The Act on the Protection of Personal Information (APPI) was first enacted in 2003 and came fully into effect on April 1st, 2005. It was substantially amended in 2015, with the amendment taking effect on May 30th, 2017, and amended again in 2020, with that amendment taking effect on April 1st, 2022; the 2020 amendment strengthened individual rights, added mandatory breach reporting, tightened the rules on providing data to third parties and on cross-border transfers, and raised the penalties.
How do I achieve compliance?
The key steps towards compliance are:
- Provide a cookie banner giving visitors the option to opt out, and apply that choice to your store cookies and scripts. Note that since the 2022 amendment, providing cookie or similar identifier data to a third party that can link it to an individual requires the individual's prior consent, so tags that send such data to advertising platforms should be treated as opt-in.
- Prepare a privacy policy page with a cookie declaration.
- Give the option to the visitor to check existing consent and change preferences.
What happens if I don’t comply with the APPI?
The Personal Information Protection Commission (PPC), which is responsible for enforcing the APPI, can issue guidance, recommendations and binding orders. Violating a PPC order is a criminal offence: an individual faces up to one year of imprisonment or a fine of up to JPY 1,000,000 (around 9,300 USD), and since the 2020 amendment a corporation can be fined up to JPY 100,000,000 for violating an order or for unlawfully providing a personal information database for improper gain.
Thailand PDPA
What is the PDPA?
The Thailand Personal Data Protection Act (PDPA) is a data protection law in Thailand. It aims to protect the personal data of individuals by regulating the collection, use, and disclosure of personal data by organizations. It establishes principles such as obtaining consent for the collection, use, and disclosure of personal data, providing individuals with access to their personal data, and protecting personal data through appropriate security measures.
When did the PDPA go into effect?
The Thailand Personal Data Protection Act (PDPA) was published on May 27, 2019. Its operative provisions on consent, data subject rights and security measures were originally due to apply from May 27, 2020, but were postponed twice by Royal Decree, first to June 1, 2021 and then to June 1, 2022, to give organizations time to prepare. The Act has applied in full since June 1, 2022, and is enforced by the Personal Data Protection Committee (PDPC).
How do I achieve compliance?
The key steps towards compliance are:
- Provide a cookie banner that blocks non-essential cookies and scripts until the visitor opts in, and lets them refuse as easily as accept. The PDPA is consent-based and modelled on the GDPR: consent must be explicit, separate from other terms, and as easy to withdraw as to give.
- Prepare a privacy policy page with a cookie declaration.
- Give the option to the visitor to check existing consent and change preferences.
What happens if I don’t comply with the PDPA?
The Personal Data Protection Committee (PDPC) has the power to impose administrative fines for non-compliance of up to 5 million baht (around 150,000 USD, depending on the exchange rate) per violation. The Act also provides criminal penalties of up to one year of imprisonment and/or a fine of up to 1 million baht for certain violations involving sensitive data, and civil liability including punitive damages of up to twice the actual damages.