Compare Worldwide Data Privacy Regulations
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) was the first comprehensive state-level data privacy law in the United States. It governs the collection, processing and sale of the personal information of California residents by businesses and came into force on 1 January 2020, with enforcement by the California Attorney General beginning 1 July 2020. It was enacted in response to the growing role of personal data in business practices and the privacy implications that follow. The CCPA was later amended by the California Privacy Rights Act (CPRA), operative since 1 January 2023, which raised several of the thresholds below and created the California Privacy Protection Agency as an additional enforcer; the section references in this summary are to the CCPA as originally enacted.
Scope [Section 1798.140(c)]
Section 1798.140(c) defines a “business” as a for-profit entity that does business in California, collects consumers’ personal information (or has it collected on its behalf), determines the purposes and means of its processing, and meets at least one of the following thresholds. A physical presence in California is not required. The business:
- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000); or
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Personal Information [Section 1798.140 (o)]
Section 1798.140(o) defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The definition is deliberately broad and enumerates categories that many organizations have not historically treated as personal information, including identifiers, commercial information, biometric information, internet or network activity, geolocation data, and inferences drawn from any of these.
Data Subject Rights [Section 1798.100 - 1798.125]
Sections 1798.100 to 1798.125 grant consumers the following seven rights:
- Right to know what personal information is collected.
- Right to data portability.
- Right to delete, subject to certain exceptions.
- Right to access personal information.
- Right to know whether personal information is sold or disclosed, and to whom.
- Right to opt out of the sale of personal information.
- Right to non-discrimination for exercising these rights.
Businesses must respond to a verifiable consumer request within 45 days of receipt. The period may be extended once by a further 45 days where reasonably necessary, provided the consumer is informed of the extension within the initial 45-day window.
Lei Geral de Proteção de Dados Pessoais (LGPD)
Modelled on the European General Data Protection Regulation (GDPR), the Brazilian General Data Protection Act (Lei Geral de Proteção de Dados Pessoais, LGPD) establishes rules for the collection, handling, storage and sharing of personal data by organizations. It was signed into law in August 2018 and entered into force on 18 September 2020; its administrative sanctions became applicable on 1 August 2021, and enforcement lies with the Autoridade Nacional de Proteção de Dados (ANPD).
Scope [Article 3]
Art. 3 provides that the Law applies to any processing operation carried out by a natural person or by a legal entity of public or private law, irrespective of the means used, the country in which the entity is headquartered, or the country where the data are located, provided that:
- The processing operation is carried out in the national territory;
- The purpose of the processing activity is to offer or provide goods or services to, or to process the data of, individuals located in the national territory; or
- The personal data being processed were collected in the national territory.
Personal Information [Article 5]
Art. 5 defines personal data as information regarding an identified or identifiable natural person. Under Art. 12, data used to build a behavioural profile of a particular natural person is also treated as personal data if that person is identified.
Data Subject Rights [Article 18]
Art. 18 grants data subjects the following rights, exercisable against the controller at any time on request:
- Right of access
- Right to rectification
- Right to erasure
- Right to data portability
- Right to object processing
- Right to review of decisions taken solely on the basis of automated processing (Article 20)
Legal bases for data processing [Chapter 2 (Article 7)]
Processing of personal data shall only be carried out under the following circumstances:
- Consent
- Legal obligation
- For the execution of public policies provided in laws or regulations
- Studies by a research body
- Contractual performance
- Exercise of rights in legal proceedings
- Protection of life and physical safety
- Health protection
- Legitimate interest
- Credit protection
Personal Information Protection and Electronic Documents Act (PIPEDA)
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal private-sector privacy law, overseen by the Office of the Privacy Commissioner of Canada (OPC). It protects individuals’ privacy by requiring organizations to be open about their data handling practices and to obtain meaningful consent for the collection, use and disclosure of personal information.
Scope
PIPEDA applies to private-sector organizations that collect, use or disclose personal information in the course of commercial activity, and to the employee information of federally regulated works, undertakings and businesses (for example banks, airlines and telecommunications companies).
It can cover partly government-funded organizations and non-profits when they act in a commercial capacity. Where a province has enacted substantially similar legislation (currently Quebec, British Columbia and Alberta), that provincial law applies instead of PIPEDA to activities within the province.
Personal Information
Personal information means information about an identifiable individual.
Data Subject Rights [Schedule 1 (4.3, 4.9)]
- Right of access to personal information held about the individual (4.9)
- Right to challenge the accuracy and completeness of that information and have it amended (4.9.5)
- Right to withdraw consent, subject to legal or contractual restrictions and reasonable notice (4.3.8); PIPEDA contains no express right to erasure, but the retention-limiting principle (4.5.3) requires personal information that is no longer needed to be destroyed, erased or made anonymous
Principles of processing [Schedule 1, the ten fair information principles]
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
EU General Data Protection Regulation (GDPR)
The GDPR is the core of the EU’s data protection legislation. It has applied since 25 May 2018. Its primary objective is to give individuals control over their personal data, and it also aims to simplify the regulatory environment for international business by replacing the patchwork of national laws under Directive 95/46/EC with a single regulation directly applicable in every Member State.
Scope [Chapter 1 (Article 3)]
Article 3 applies the Regulation to:
- Processing in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing itself takes place in the EU; or
- Processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing relates to offering goods or services to those data subjects (whether or not payment is required) or to monitoring their behaviour within the EU.
Data Subject Rights [Chapter 3 (Article 15-22)]
- Right of access - Article 15
- Right to rectification - Article 16
- Right to erasure - Article 17
- Right to restriction on processing - Article 18
- Right to data portability - Article 20
- Right to object - Article 21
- Right not to be subject to a decision based solely on automated processing, including profiling - Article 22
Legal bases for data processing [Chapter 2 (Article 6)]
- Consent of the data subject (explicit consent is a higher bar reserved for special categories of data under Article 9)
- Contractual performance
- Performance of a task carried out in the public interest or in the exercise of official authority
- Vital interests of the data subject or another natural person
- Legal obligation
- Legitimate interest
Appointment of DPO [Article 37]
Article 37 requires a data protection officer (DPO) to be designated where processing is carried out by a public authority or body (other than courts acting in their judicial capacity), or where the controller’s or processor’s core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data or data relating to criminal convictions and offences.
Personal Information Protection Law (PIPL)
The PIPL, in force since 1 November 2021, serves the dual purpose of protecting individuals’ personal information rights and safeguarding China’s national security and digital sovereignty. It protects natural persons within the territory of the PRC rather than citizens as such, and it reaches processing carried out abroad in the circumstances set out below.
Scope [Article 3]
Art. 3 applies the Law to the processing of personal information of natural persons within the territory of the People’s Republic of China.
It also applies to processing carried out outside the PRC of the personal information of natural persons who are within the PRC, in any of the following circumstances:
- Where the purpose is to provide products or services to natural persons within the PRC;
- Where the behaviour of natural persons within the PRC is analysed or assessed;
- Other circumstances stipulated by laws and administrative regulations.
Personal Information [Article 4]
Art. 4 defines personal information as all kinds of information related to an identified or identifiable natural person, recorded electronically or by other means, excluding anonymized information. Processing of personal information includes its collection, storage, use, processing, transmission, provision, disclosure and deletion.
Data Subject Rights [Chapter V (Article 44-50)]
Chapter V grants individuals the following rights in relation to the processing of their personal information:
- Right to know about and to decide on the processing (Article 44)
- Right to restrict or refuse the processing of their personal information (Article 44)
- Right to access and copy, and right to data portability (Article 45)
- Right to correction and supplementation (Article 46)
- Right to deletion (Article 47)
- Right to request an explanation of the processor’s processing rules (Article 48)
Legal bases for data processing [Article 13]
Art. 13: Personal information processors may process personal information only if one of the following circumstances is met:
- Consent of the individual
- Necessity for concluding or performing a contract to which the individual is a party, or for human resources management under lawfully adopted labour rules and collective contracts
- Performance of statutory duties or statutory obligations
- Response to a public health emergency, or protection of life, health or property in an emergency
- News reporting, public opinion supervision and similar activities carried out in the public interest, within a reasonable scope
- Processing, within a reasonable scope, of personal information disclosed by the individual or otherwise lawfully disclosed
- Other circumstances stipulated by laws and administrative regulations.
Nigeria Data Protection Regulation (NDPR)
The Nigeria Data Protection Regulation (NDPR), issued by the National Information Technology Development Agency (NITDA) in January 2019, aims to safeguard the rights of natural persons to data privacy, foster the safe conduct of transactions involving the exchange of personal data, and prevent the manipulation of personal data. The Nigeria Data Protection Act (NDPA), signed into law on 12 June 2023, has since superseded the NDPR as Nigeria’s primary data protection statute and established the Nigeria Data Protection Commission as regulator; the NDPR summary below remains useful as background.
Scope
The Regulation applies to all transactions intended for the processing of personal data, and to the processing of personal data in respect of natural persons in Nigeria, irrespective of the means by which the processing is or is intended to be conducted. It also applies to natural persons residing in Nigeria and to Nigerian citizens residing outside Nigeria.
Personal Information
“Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’).
Data Subject Rights
- Right to Information Access
- Right to rectification
- Right to deletion
- Right to restriction of processing
- Right to object processing
- Right to Data Portability
Legal bases for data processing
Processing shall be lawful if at least one of the following applies:
- Consent
- Performance of a contract
- Compliance with a legal obligation
- Protection of the vital interests of the Data Subject or another natural person
- Performance of a task carried out in the public interest or in the exercise of official authority.
DIFC Data Protection Law, 2020
The DIFC Data Protection Law, DIFC Law No. 5 of 2020, came into force on 1 July 2020 and repealed and replaced the previous Data Protection Law, DIFC Law No. 1 of 2007. Its purpose is to provide standards and controls for the processing and free movement of personal data and to protect the fundamental rights of data subjects.
Scope
The Law applies to the processing of personal data by a controller or processor incorporated in the DIFC, regardless of whether the processing takes place in the DIFC, and to a controller or processor, wherever incorporated, in the context of its processing activity in the DIFC (as opposed to a third country), including transfers of personal data out of the DIFC.
Personal Information
Personal Data is any information referring to an identified or Identifiable Natural Person.
Data Subject Rights
- Right to access
- Right to rectification
- Right to deletion
- Right to object to processing
- Right to restriction on processing
- Right to data portability
- Right to object to any decision based on automated processing
A data protection impact assessment of proposed high-risk processing activities must be carried out before the processing begins (Article 20). Transfers of personal data from the DIFC to a third country or an international organisation are permitted where an adequate level of protection exists, or otherwise subject to appropriate safeguards or specific derogations (Articles 26-28).
Protection of Personal Information Act (POPIA)
POPIA, South Africa’s Protection of Personal Information Act 4 of 2013, regulates when and how organizations may collect, use, store, delete and otherwise handle personal information. Its substantive provisions commenced on 1 July 2020 with a one-year grace period, so compliance has been enforceable by the Information Regulator since 1 July 2021.
Scope
Section 3: POPIA applies to the processing of personal information entered in a record by or for a responsible party, whether by automated or non-automated means (non-automated records must form part of a filing system), where the responsible party is domiciled in South Africa, or is not domiciled in South Africa but makes use of automated or non-automated means within South Africa.
Personal Information (Section 1)
‘‘Personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.
Data Subject Rights (Section 5)
- Right to access
- Right to rectification
- Right to deletion
- Right to object to processing
- Right to object to processing for the purposes of direct marketing
- Right to data portability
- Right not to be subject to a decision based solely on automated processing, including profiling
Conditions for Lawful Processing (Section 8-25)
- Accountability
- Processing limitation
- Purpose specification
- Further processing limitation
- Information quality
- Openness
- Security safeguards
- Data Subject participation
Processing of personal information of children is prohibited (Section 34) except in the circumstances set out in Section 35. The rules governing the transfer of personal information outside the Republic are set out in Section 72.
Thailand Personal Data Protection Act (PDPA)
Effective date: 1 June 2022. Thailand’s PDPA (B.E. 2562 (2019)) is the country’s first comprehensive national data protection law. It imposes obligations on data controllers and data processors in both the public and private sectors, and requires them to have a lawful basis, consent being the default, before collecting, using or disclosing personal data. Its aim is to ensure that personal data is protected and not misused.
Scope
The PDPA applies to personal data collected, used, and disclosed by a data controller or data processor in Thailand, irrespective of whether the collection, use, or disclosure occurs in Thailand or elsewhere.
If a data controller or data processor is outside Thailand, the PDPA applies to the collection, use or disclosure of personal data of data subjects who are in Thailand where the activities of that controller or processor are:
- The offering of goods or services to the data subjects who are in Thailand, irrespective of whether the payment is made by the data subject;
- The monitoring of the data subject’s behavior, where the behavior takes place in Thailand.
Liability under the Act:
1. Civil liability (Sections 77 and 78): A data controller or data processor whose operations in relation to personal data violate or fail to comply with the Act, causing damage to the data subject, must compensate the data subject whether the conduct was intentional or negligent. Compensation includes all necessary expenses incurred by the data subject to prevent damage likely to occur or to mitigate damage that has occurred, and the court may award punitive damages of up to twice the actual damages (Section 78).
2. Criminal liability (Sections 79-81): A data controller that violates Section 27 or fails to comply with Section 28 in relation to sensitive personal data under Section 26 may be punished with imprisonment of up to one year and/or a fine of up to THB 1 million, the higher range applying where the violation was committed for unlawful gain. These criminal penalties are distinct from the administrative fines of up to THB 5 million provided for in Sections 82-90.
Personal Data:
Under the PDPA, “personal data” means any information relating to a natural person that enables that person to be identified, directly or indirectly, regardless of the medium in which it is processed; information about deceased persons is excluded. This includes names, identification numbers, contact details, financial data, online identifiers and biometric data.
The PDPA distinguishes two categories of personal data:
- Personal data (general): personal data not falling within the sensitive category, for example names, addresses, phone numbers and email addresses.
- Sensitive personal data (Section 26): data relating to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health, disability, trade union membership, genetic data and biometric data, together with any other data prescribed by the Personal Data Protection Committee (PDPC). Processing such data generally requires explicit consent.
Privacy Assessments:
Although the Act does not prescribe a formal data protection impact assessment (DPIA) procedure in the way GDPR Article 35 does, organizations subject to the PDPA are expected to assess the privacy risks of their processing as part of their data protection practices. A privacy assessment is a systematic way of identifying and evaluating the risks that processing personal data may pose to data subjects, and it supports informed decisions about how to handle personal data in a way that respects individuals’ rights and complies with the PDPA.
Data Subject Rights (Sections 19, 30-35)
- Right of access (Section 30)
- Right to data portability (Section 31)
- Right to object to the collection, use or disclosure of personal data (Section 32)
- Right to erasure (Section 33)
- Right to ask the data controller to restrict the use of personal data (Section 34)
- Right to have personal data kept accurate and up to date (Section 35)
- Right to withdraw consent (Section 19)
Data Controller and Data Processor Obligations:
1. Consent: Organizations must obtain consent from individuals before collecting, using or disclosing their personal data, unless another lawful basis under Section 24 (or Section 26 for sensitive data) applies.
2. Cross-border data transfer: Section 28 restricts transfers of personal data outside Thailand to destination countries or international organizations with an adequate level of data protection, unless an exception applies (including the data subject’s consent after being informed of the inadequate protection).
3. Data security: Section 37(1) requires controllers to implement appropriate security measures to protect personal data from unauthorized or unlawful loss, access, use, alteration, correction or disclosure. Section 37(3) further requires a mechanism to erase or destroy personal data when the retention period expires, when the data is no longer necessary for its purpose, or when the data subject requests it or withdraws consent.
4. Data breach notification: Section 37(4) requires a data controller to notify the Office of the PDPC of a personal data breach without delay and, where feasible, within 72 hours of becoming aware of it, and to notify affected data subjects where the breach is likely to result in a high risk to their rights and freedoms.
5. Data protection officer (DPO): Section 41 requires certain controllers and processors to appoint a DPO, notably public authorities, organizations whose core activities involve large-scale regular monitoring of personal data, and those whose core activities involve sensitive personal data. The DPO advises on and monitors compliance with the PDPA and acts as the contact point for the PDPC and for data subjects.
6. Penalties: Non-compliance can result in administrative fines of up to THB 5 million, criminal penalties of imprisonment for up to one year and/or fines of up to THB 1 million, and punitive damages of up to twice the actual damages.