At least 128 countries have laws governing privacy and data protection. Over a dozen more are processing draft legislation. Some countries such as the United States have privacy laws at the subnational level. In this context, it's not possible to cover all of the world's privacy laws here.
That said, certain privacy regulations stand out due to the number (and size) of organizations and consumers that could be potentially affected by them. We'll take a brief look at some of these. In any case, other privacy laws often borrow heavily from these major ones (especially the GDPR in more recent times) and are only amended to accommodate more local concerns.
The EU's General Data Protection Regulation (GDPR) came into effect on May 25, 2018. It enforces privacy standards on any organization collecting data from Europe-based consumers. It mandates that organizations take appropriate technical measures and implement proper organizational processes to protect the sensitive personal data they process or control.
The GDPR has been the most important development in privacy regulation in decades and has become the catalyst for GDPR-style legislation around the world. While privacy laws are not new, the GDPR was arguably the first that started to hold businesses accountable for data leaks caused by insecure communication practices and mishandling of third-party applications.
The California Consumer Privacy Act (CCPA) came into force in January 2020. It applies to California-based customers and gives users greater control over their personal data. Although it is a subnational law, it is internationally significant. California would be the world's fifth largest economy if it were a country. It hosts numerous global corporations, including the tech behemoths of Silicon Valley.
In November 2020, California voters approved the California Privacy Rights Act (CPRA) through a ballot measure. The CPRA is a supplemental law that amends the CCPA, giving California's residents more control over their personal data and imposing new obligations on businesses falling under the jurisdiction of the CCPA. Most of the CPRA's provisions will start to be enforced in July 2023.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's current private sector data protection law. Organizations must obtain an individual's consent when they capture, use or disclose an individual's personal information. Individuals have a right to access their personal information and challenge its accuracy.
The Canadian government introduced the Digital Charter Implementation Act (DCIA) on 17 November 2020 that, if passed, will replace PIPEDA. The DCIA includes the Consumer Privacy Protection Act (CPPA) and could bring important developments to privacy legislation and privacy issues in Canada that may exceed the provisions of the GDPR and California's CCPA.
With Brexit, the GDPR ceased to apply directly to the UK, making it a 'third country' to member states of the European Economic Area. However, the UK adopted the GDPR's requirements into its own national legislation in 2018 via the Data Protection Act (DPA).
The DPA controls how businesses, organizations or the government use individuals' personal information.
Initially adopted in 2003, the Act on the Protection of Personal Information (APPI) is Japan's equivalent of the GDPR. It received a major overhaul, enacted in June 2020. It details strict rules for any business handling the personal information of Japan's residents.
The amended APPI is effective April 1, 2022, though penalties are already effective. Certain provisions on sharing personal information with third parties come into force October 1, 2021.
Brazil's Law for the Protection of Personal Data (Lei Geral de Proteção de Dados or LGPD) came into force in September 2020. It is Latin America's first major data protection law.
The LGPD regulates the use and processing of personal information and is heavily influenced by the GDPR. Administrative sanctions will be enforced from August 2021.
Other personal information that may be covered by Privacy Policies includes photos, videos, age, religious beliefs, marital status, sex, race and nationality.
What type of information is collected by your business, website or application? Disclose the personal data you collect both directly and indirectly. Get specific by giving as many categories and examples of the data you collect as you can.
You have limited space to cover this clause, but the more thorough you are, the better you communicate with your customers, users and website visitors.
Explain how data may be collected. Your business could collect information via an online or paper form that the individual fills out and submits. However, you may also collect the data in more automatic and less obvious ways, at least in the eyes of the consumer.
Your business should collect only the data you need. Explain why you collect the personal information covered in the previous clause. You could explain this in a paragraph or more. Better yet, use a table, chart, infographic or other illustration for ease of readability.
AGC explains why it collects personal data:
Explain how the personal information you collect is used. You could use a list to convey information use in a more organized way. As always, include as many specific uses as you can.
For example, will the information collected as part of a transaction be later used in other ways? If yes, individuals should have a means of opting out of such extended usage. Extended usage may include using the information to cross-sell products and services.
The opportunity to opt out should be presented to the user before they start to receive unwanted promotional emails, instant messages, SMS, phone calls etc.
Glassdoor's policy delves into the company's use of personal information it collects:
Does your business share personal information with affiliates, other companies in the same conglomerate, or other organizations? Does it use third-party tools and plugins to capture, process or distribute personal information?
Businesses, websites and applications do not exist in a vacuum. It is fairly common for businesses to use one or more third-party services or tools to enhance user experience and site performance. Examples include AdSense for personalized advertising and Google Analytics for analysis of website traffic.
Each instance of third-party sharing of personal data should be explained. You should provide links to the third parties' privacy policies, too. Break the explanation up into a paragraph for each type of third-party sharing to make the text easier for readers to digest.
The Guardian goes into elaborate detail on who it shares personal information with:
It should explain how you ensure that access to personal information is limited to those who need it to perform their duties. The clause should also mention the security safeguards you require of vendors and business partners that have access to this personal information.
For instance, you could state that your website uses SSL to encrypt any information sent over the Internet, so that information in transit cannot be read by anyone intercepting it. You may direct users to the visible signs of security, such as the https padlock icon in the address bar.
This date is typically placed at the very beginning of the policy, as seen below from PayPal:
Plan International has a data protection officer as the key contact for privacy matters:
UPS shows how users can access and correct their information:
Some websites and mobile apps will require users to scroll down the entire document before they can click the checkbox or an accept button.
Privacy Policies weren't always required. The rise of digital transformation as well as the ubiquity of the Internet powered the exponential growth of personal data captured by businesses. With that, privacy has steadily become a major global concern.
While these agreements are most commonly referred to as Privacy Policies, they are also referred to as Privacy Statements, Privacy Notices, Privacy Pages and other similar renditions of the term.