Data Privacy Laws & Regulations

There are several data protection and privacy laws around the world. These laws aim to regulate the collection, use, and storage of personal data by organizations and give individuals more control over their personal information. They set strict rules on obtaining consent, securing personal information, and reporting data breaches. Pandectes helps Shopify stores comply with these data privacy laws & regulations.

CCPA & CPRA

California Consumer Privacy Act & California Privacy Rights Act

What is the CCPA & CPRA?

The California Consumer Privacy Act (CCPA) is a privacy law that regulates how businesses operating in California, USA must handle personal information of California residents.

The California Privacy Rights Act (CPRA) is a ballot initiative passed by California voters in November 2020, it is an amendment of the CCPA, which expands the rights of California residents and the obligations of businesses in regard to the collection, use, and sharing of personal information.

When will the CCPA & CPRA go into effect?

The California Consumer Privacy Act (CCPA) went into effect on January 1st, 2020. The California Privacy Rights Act (CPRA) was passed by California voters in November 2020 as a ballot initiative. However, it will not go into effect until 2023.

How do I achieve compliance?

Achieving compliance can be done by some key steps:

Provide a cookie banner giving the option to the visitors to opt-out, which will be applied to your store cookies and scripts.
Update your privacy notice to reflect the new rights of California residents under the CCPA and CPRA, and provide a specific “Do Not Sell My Personal Information” link on the homepage of your website.

What happens if I don’t comply with the CCPA & CPRA?

The fines for CCPA can be up to $2,500 per violation or $7,500 per intentional violation. The fines for CPRA are higher and can be up to $7,500 for each violation and $2,500 for each unintentional violation.

VCDPA

Virginia Consumer Data Protection Act

What is the VCDPA?

The Virginia Consumer Data Protection Act (VCDPA) is a data privacy law that regulates how businesses handle personal data of Virginia residents.

It applies to companies that conduct business in Virginia and meet certain thresholds in terms of revenue and data processing. The VCDPA is considered as one of the most stringent data protection laws in the US, and it is similar to the California Consumer Privacy Act (CCPA).

When will the VCDPA go into effect?

The Virginia Consumer Data Protection Act (VCDPA) was signed into law on March 2, 2021, and it will become effective on January 1, 2023.

How do I achieve compliance?

Achieving compliance can be done by some key steps:

Provide a cookie banner giving the option to the visitors to opt-out, which will be applied to your store cookies and scripts.
Update Privacy Notice: Update your privacy notice to reflect the new rights of Virginia residents under the VCDPA, and provide a specific “Do Not Sell My Personal Information” link on the homepage of your website.

What happens if I don’t comply with the VCDPA?
The fines can be up to $7,500 for each violation or $750 per day for each day of a continuing violation, but not exceeding $2.5 million.

CPA

Colorado Privacy Act

What is the CPA?

The Colorado Privacy Act (CPA) grants Colorado residents certain data rights and places responsibilities on data controllers and processors. It is comparable to the California Privacy Rights Act (CPRA), Virginia’s Consumer Data Protection Act (CDPA), and draws from the EU’s General Data Protection Regulation (GDPR). Common features include opt-out provisions for data collection and processing, protection for sensitive data, and the application of privacy-by-design principles. However, there are significant differences in the specifics, as noted by privacy attorney Kirk Nahra from Wilmer Hale. For example, the CPA and the CPRA differ in their definitions of “sensitive data,” requiring careful examination for compliance. The definition of sensitive data under the CPA, among other provisions, will be further explored in subsequent discussions.

When will the CPA go into effect?

The CPA tasked the with implementing and enforcing the CPA, including adopting new rules. The CPA is a part of the State of Colorado’s Consumer Protection Act and goes into effect July 1, 2023.

How do I achieve compliance?

Understanding the Act
Identify and Classify Data
Review Your Data Collection Practices
Review Your Data Processing Activities
Implement Mechanisms for User Requests
Security Measures
Data Protection Impact Assessments
Training
Contracts with Third Parties

What happens if I don’t comply with the CPA?

The Colorado Privacy Act (CPA) doesn’t specify penalties for violations, instead treating them as deceptive trade practices under the Colorado Consumer Protection Act, with fines ranging from $2,000 to $20,000 per violation and potential criminal charges. The CPA is enforced by the Colorado attorney general and district attorneys, who implement injunctions, penalties, and settlements, but it does not provide a private right of action, preventing individuals from filing lawsuits against businesses for rights violations. A notice of violation is issued before enforcement, providing a 60-day cure period to rectify the violation. After January 1, 2025, the cure period will be replaced by an option to request interpretative guidance and opinion letters from the attorney general’s office.

CTDPA

Connecticut Data Privacy Act

What is the CTDPA?

Effective from May 10, 2022, the CTDPA (Connecticut Data Privacy Act) grants Connecticut residents increased control over their personal data. Under this act, a consumer is defined as a resident of the state who acts on their own behalf and not in a commercial or employment context. This distinguishes it from states like California, where employees receive data privacy protection under the CPRA (California Privacy Rights Act).

While the CTDPA incorporates many similar provisions found in data privacy acts of other states, it closely resembles the regulations in Colorado (CPA) and Virginia (CDPA).

When will the CTDPA go into effect?

As state-level data protection legislation steadily expands, one of the country’s early comprehensive privacy laws to be enacted, the Connecticut Data Privacy Act (CTDPA), will take effect on July 1, 2023.

How do I achieve compliance?

Determine if your company is required to comply
Create a comprehensive Privacy Policy
Inform users about their rights
As a best practice, review and update your Privacy Policy or Notice every 12 months
Enable clear options when consent is required
Authenticate consent for collection of sensitive personal data or data from minors
Enable consumers to make Data Subject Access Requests (DSARs)
Set up a system to verify Data Subject Access Requests (DSARs)
Keep track of Data Subject Access Requests (DSARs)
Fulfill Data Subject Access Requests DSARs)

What happens if I don’t comply with the CTDPA?

The Connecticut Attorney General possesses the power to enforce violations and impose fines of up to $5,000 per violation. Furthermore, the Attorney General can issue orders to prevent offenders from breaking the law, require them to compensate victims, and demand disgorgement of any profits obtained through illegal activities.

UCPA

Utah Consumer Privacy Act

What is the UCPA?

The Utah Consumer Privacy Act (UCPA), enacted on March 24, 2022, is a data privacy law that protects the privacy rights of Utah residents and sets rules for businesses in the state. It concentrates on the sale of personal data and targeted advertising, defining a sale as the exchange of personal data for monetary consideration to a third party. Unlike the California Privacy Rights Act (CPRA), the UCPA does not consider data sharing and does not view targeted advertising as a direct transaction with the consumer. The law follows an opt-out model, permitting the collection, sale, and use of personal data for targeted advertising without explicit consent, except for children’s data. Consumers can opt out of the sale of their data or its use for targeted advertising, and businesses must provide them with this option.

When will the UCPA go into effect?

Scheduled to take effect on December 31, 2023, the Utah Consumer Privacy Act (UCPA) serves as Utah’s data privacy law. It grants consumers certain rights while imposing obligations on businesses operating within the state.

How do I achieve compliance?

Determine if your company is required to comply
Create a comprehensive Privacy Policy
Inform users about their rights
As a best practice, review and update your Privacy Policy or Notice every 12 months
Enable clear options when consent is required
Authenticate consent for collection of sensitive personal data or data from minors
Enable consumers to make Data Subject Access Requests (DSARs)
Set up a system to verify Data Subject Access Requests (DSARs)
Keep track of Data Subject Access Requests (DSARs)
Fulfill Data Subject Access Requests DSARs)

What happens if I don’t comply with the UCPA?

Under the UCPA, enforcement occurs at multiple levels, with the Division of Consumer Protection collecting consumer complaints and investigating potential violations. If a controller or processor continues to violate UCPA provisions despite providing an express written statement, the attorney general has the authority to take enforcement action, which may result in fines of up to $7,500.

LGPD

Lei Geral de Proteção de Dados Pessoais

What is the LGPD?

The Brazilian General Data Protection Law (LGPD) is a data protection law that regulates the collection, use, and storage of personal data of Brazilian citizens. It came into effect on August 2020. It is considered one of the most comprehensive data protection laws in Latin America and is similar to the EU’s General Data Protection Regulation (GDPR).

When will the LGPD go into effect?

The Brazilian General Data Protection Law (LGPD) went into effect on August 14th, 2020. However, the National Data Protection Authority (ANPD) has implemented a transitional period until August 2021, in which it will prioritize guidance, education and awareness-raising over fines and penalties for non-compliance with the LGPD.

How do I achieve compliance?

Achieving compliance can be done by some key steps:

Provide a cookie banner giving the option to the visitors to opt-in or opt-out which will be applied to your store cookies and scripts.
Prepare a privacy policy page with cookies declaration.
Provide a way to customers to make data requests.

What happens if I don’t comply with the LGPD?
The fines can be up to 2% of the company’s gross revenue or up to 50 million reais (which is the equivalent of around 8.5 million US dollars) whichever is higher.

PIPEDA

Personal Information Protection and Electronic Documents Act

What is the PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy law that governs how organizations collect, use, and disclose personal information in the course of commercial activities. It applies to all private sector organizations engaged in commercial activities and sets out the rules for how personal information should be handled.

It establishes principles such as obtaining meaningful consent for the collection, use, and disclosure of personal information, providing individuals with access to their personal information, and protecting personal information through appropriate security measures.

When will the PIPEDA go into effect?

The Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect on January 1st, 2001. However, it was not fully enforced until January 1st, 2004, after a 3-year transition period.

How do I achieve compliance?

Achieving compliance can be done by some key steps:

Provide a cookie banner giving the option to the visitors to opt-out, which will be applied to your store cookies and scripts.
Update Policies and Procedures: Review and update your policies and procedures to ensure they comply with PIPEDA requirements, such as obtaining consent, providing transparent information, and allowing individuals to exercise their rights.

What happens if I don’t comply with the PIPEDA?
Organizations can be ordered to pay Administrative Monetary Penalties of up to $10,000 for each violation of the Act.

The Privacy Commissioner of Canada can issue compliance orders requiring organizations to take specific actions to come into compliance with PIPEDA.

APPI

Act on the Protection of Personal Information

What is the APPI?

The Act on the Protection of Personal Information (APPI) is Japan’s national data protection legislation. The APPI aims to protect the personal information of individuals by regulating the collection, use, and disclosure of personal data by organizations. It establishes principles such as obtaining consent for the collection, use and disclosure of personal information, providing individuals with access to their personal information, and protecting personal information through appropriate security measures.

When will the APPI go into effect?

The Act on the Protection of Personal Information (APPI) was first enacted in 2003 and came into effect in April 1st, 2005. However, it was amended in 2015, and the amendment to the APPI came into effect in May 30th, 2017.

How do I achieve compliance?

Achieving compliance can be done through some key steps:

Provide a cookie banner giving the option to the visitors to opt-out, which will be applied to your store cookies and scripts.
Prepare a privacy policy page with cookie declaration.
Give the option to the visitor to check existing consent and change preferences.

What happens if I don’t comply with the APPI?
The Personal Information Protection Commission (PPC), which is responsible for enforcing the APPI, has the power to impose administrative fines for non-compliance. The fines can be up to JPY 1,000,000 (around 9,300 USD).

Thailand PDPA

Personal Data Protection Act

What is the PDPA?

The Thailand Personal Data Protection Act (PDPA) is a data protection law in Thailand. It aims to protect the personal data of individuals by regulating the collection, use, and disclosure of personal data by organizations. It establishes principles such as obtaining consent for the collection, use, and disclosure of personal data, providing individuals with access to their personal data, and protecting personal data through appropriate security measures.

When will the PDPA go into effect?

The Thailand Personal Data Protection Act (PDPA) was passed on May 27, 2019 and it came into effect on May 27, 2020. However, the Personal Data Protection Committee (PDPC) has implemented a grace period until May 26, 2021, during which it will prioritize guidance, education and awareness-raising over fines and penalties for non-compliance with the PDPA.

How do I achieve compliance?

Achieving compliance can be done by some key steps:

Provide a cookie banner giving the option to the visitors to opt-in or opt-out which will be applied to your store cookies and scripts.
Prepare a privacy policy page with cookies declaration.
Give the option to the visitor to check existing consent and change preferences.

What happens if I don’t comply with the PDPA?
The Personal Data Protection Committee (PDPC) has the power to impose administrative fines for non-compliance. The fines can be up to 5 million baht (around 160,000 USD) per violation.

Switzerland FADP

Federal Act on Data Protection

What is the FADP?

The Federal Act on Data Protection (FADP) in Switzerland has been updated to address modern digital challenges. Introduced in 1992, it was revised in 2020 with the New Federal Act on Data Protection (nFADP), set for implementation in September 2023. The nFADP focuses on protecting individual data, classifying genetic and biometric information as sensitive, and emphasizes principles like “Privacy by Design”. It aligns closely with the European GDPR, ensuring seamless data exchange between Switzerland and the EU.

When will the FADP go into effect?

The Federal Act on Data Protection (FADP) is set to go into effect on September 1, 2023. This date marks the implementation of the revised FADP along with the related Ordinance to the FADP, which is expected to be issued by the Federal Council.

How do I achieve compliance?

To achieve compliance with the FADP, familiarize yourself with its provisions, map out personal data flows within your organization, ensure data collection is purpose-specific, and implement robust security measures. Prioritize transparency with data subjects, address their rights, and regularly audit your processes. If transferring data outside Switzerland, ensure the receiving country has adequate protection. Maintain detailed records, stay updated on FADP changes, and consider seeking expert advice for clarity. Continuous commitment is essential for sustained compliance.

What happens if I don’t comply with the FADP?
If you don’t comply with the FADP, you risk facing financial penalties, civil claims from affected individuals, reputational damage, and enforcement actions by the FDPIC. Non-compliance can also hinder cross-border data transfers and disrupt business operations. It’s vital to prioritize adherence to avoid these consequences.

Make your Shopify Store's use of cookies and online tracking compliant today