Frequently Asked Questions
General
It applies to any organization, no matter where it is located that intentionally offers goods or services or monitors individuals’ behavior of residents belonging to European Economic Area (EEA). EEA includes Europe, Iceland, Liechtenstein, and Norway.
The GDPR’s fines allow data protection authorities across Europe to issue fines of up to:
- 4% of a company’s global annual turnover
or - €20,000,000
whichever is higher.
Further, EU Member States can impose their own penalties applicable to infringements of the GDPR that are not subject to administrative fines under Article 83, GDPR.
CCPA applies to a “business” defined as a for-profit entity doing business in California that collects or processes consumers’ personal information and meets one or more of these thresholds:
- Annual gross revenues in excess of $25,000,000.
- Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
- Derives 50% or more of its annual revenues from selling consumers’ personal information
The CCPA states that if a company can “cure” the non-compliance within 30 days of being notified of the offense, they get off with a warning. If they can’t remedy the situation within the provided timeframe, they are subject to fines. [Cal. Civ. Code § 1798.150]
Civil fines:
The AG’s office can seek up to $2,500 per violation for unintentional violations of the CCPA and $7,500 per violation for intentional violations.
Your website needs a privacy policy if you collect personal information of the user. Privacy policy is a document that explains how a website collects, use, and share the personal information of the user. Most websites have a privacy policy to win customer trust and offer transparency.
Your website needs a privacy policy if you collect personal information of the user. Privacy policy is a document that explains how a website collects, use, and share the personal information of the user. Most websites have a privacy policy to win customer trust and offer transparency.
Following things should be included in a privacy policy:
- What data are you collecting;
- The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- The contact details of the data protection officer;
- The recipients or categories of recipients of the personal data;
- The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- Information about all the privacy rights available to consumers and how to exercise such rights;
- The right to lodge a complaint with a supervisory authority
- Sale of Personal Information;
- Contact information.
According to GDPR it should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1).
Cookie Compliance
A cookie is a small text file. While visiting internet sites, each message is stored in a small file called cookie.txt by your browser. This cookie is sent back to the server by your browser when you request another page from the server. These files contain information about your visit to the web page including any information you have volunteered, such as your name and interests.
Read more about Cookies
First-party cookies are stored directly on the domain or website the user visits. They collect data for analytical purposes and remember user settings, including sign-in details, online shopping cart items, and website settings, such as language. First-party cookies cannot be used to track user activities on other websites.
First-party cookies won’t go away because among them there are strictly necessary cookies, which are needed for the website’s performance and are always active.
A third-party cookie is placed on a website by anyone (service partners, advertisers, etc.) other than the owner and collects user data for the third party. In other words, third-party cookies are set by a domain name that is not the one that appears in your browser address bar.
Website owners use them to track website visitors, improve the user experience, and collect data that helps them target ads to the right audiences. Third party cookies are placed on a website by adding scripts or tags.
Permanent/Persistent Cookies, also called stored cookies, are placed on your device’s hard drive, and not deleted when your browser is closed.
Persistent Cookies remember preferences, settings, information, or sign-in credentials previously saved by the user. This helps create an efficient and faster website experience.
Read more about Persistent Cookies
Session/Transient Cookies are temporary cookies. A transient cookie stores information about your current session on your hard drive but is only stored in temporary memory that is erased when the browser is closed.
Read more about Session Cookies
Cookies are often used to save your website settings. When you return to the site, the browser sends back its cookies. The site can then present you with tailored information based on your preferences.
It is possible for cookies to store a wide range of information, including personally identifiable information (such as your name, home address, email address, or telephone number).
After preparing a list of cookies for each of the website domain, you need to categorize it as per their purpose so that that consent or appropriate preferences choices can be provided to visitors.
By categorizing cookies, we can also determine which cookies may qualify for exemptions.
Generally, all cookies will fall into two large categories: essential and non-essential.
Essential Cookies (also commonly referred to as “strictly necessary”) are necessary for the website to function and store the preference settings selected by a user for this website.
A non-essential cookie is any cookie that does not fall under the definition of an essential cookie and may fall into one of several subcategories, commonly including:
- Performance and analytics cookies, allows to analyze website visits and traffic sources (e.g., number of visits, time spent on the site) to measure and improve our website’s performance.
- Functionality cookies, allow enhanced functionalities when accessing or using organizations’ websites and services.
- Targeting and advertising cookies, used to target advertising to a user or track the user on a website or across several websites for similar marketing purposes often served by third-party companies and track a user across websites.
Read more about Cookie Categorization
Cookie consent banner is a cookie notice displayed on the websites for informing the user about the use of cookies, the rights of users and for requesting user to grant their consent for the deployment and use of cookies. There are multiple kinds of cookie consent banners used in the market. To become compliant, you must choose the right kind of banner for your website.
- Notice Only Cookie Banner: Notice-only cookie banners inform people that you use cookies but don’t give them the opportunity to accept or reject them.
- Implied Consent Banner: In an implied consent model, it assumes the user has consented to cookies from their individual actions, rather than verbally or in writing. With Implied Consent, the data subject grants consent by actions such as continuous use of the website, particularly by scrolling or refreshing the page.
- Explicit Consent Banner: Explicit consent means that the data subject must give a clear agreement that cookies will be stored on their device and until they agree with it, they cannot proceed to use the website. This model entails blocking cookies until a specific action is performed that indicates user acceptance of cookies.
Read more about types of Cookie Consent Banners
Try to consider the following points in your cookie banner to make it GDPR compliant:
- Include in clear language the cookie details including the cookie type and their purpose in your banner itself or cookie notice.
- Allow the users to have equal opportunity to accept or reject cookies.
- It is preferable to provide them with a granular consent option to make an informed choice.
- Do not drop cookie in their browser until they explicitly accept the cookies.
Read more about GDPR Compliant Cookie Banner
The California Consumer Privacy Act (CCPA) gives California consumers the right to know when their data is being collected, what information is being collected, and how that data is being used. CCPA requires organizations to provide a “Do Not Sell” button that gives users the option to opt-out of the sale of their personal data.
As per Article 7 – ‘Conditions for consent’ of EU GDPR:
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
Explanation: The website owner must be able to demonstrate that the users coming from the European Union have given their consent before processing their personal data.
Mandatly stores consent logs
Mandatly stores cookie consent records in an easy to download format which can be used to demonstrate compliance in front of authorities as and when required. This complies the conditions of informed, freely given and explicit consent as required under ePrivacy Directive (EPD).
Read more about Consent Records
There are two types of consents:
- Explicit Consent: Explicit consent means that the data subject must give a clear agreement that cookies will be stored on their device and until they agrees with it, they cannot proceed to use the website.
- With Implied Consent, the data subject grants consent by actions such as continuous use of the website, particularly by scrolling or refreshing the page. It accepts all the cookie categories that are kept active in Preference Center.
Read more about Consent Types
- Opt-out means the user is taking action to withdraw their consent. There are two ways of opt-out consent. The first way is where user unchecks a marked box. The second way is when a user opts to withdraw their permission after the original point of consent.
- Opt-in means a user is taking an affirmative action to offer their consent. Opt-in consent should be freely given, specific, informed, and unambiguous.
Granular consent means to offer the choices to the user to filter the categories of cookies as per their preferences. After rejecting all the cookies still, the user gets an access to the website and the services offered. Granular consent can also be described as freely given and informed consent as opposed to the implied consent or forced choices with cookie walls.
All cookies do not require user consent. There are cookies that are essential for a website to function properly. They are called essential cookies. Apart from essential cookies, cookies require consent if you are willing to track users for analytical purposes or to send personalized ads for them.
We record the consent of the user through the following method:
A unique identification number is allotted to each interaction with the cookie banner. This interaction ID is saved in the visitor’s browser as well as in the application for demonstrating the compliance as per Article 7 of EU GDPR. It records the anonymized IP address of the user providing their consent.
We store cookie consent records in an easy to download format which can be used to demonstrate compliance in front of authorities as and when required.
In addition to the cookie consent banner, a user should be able to see a detailed list of all the cookies that a website uses for marketing, Analysis, functional, etc purposes. Cookie details can be provided as a part of the privacy policy or separately as Cookie Notice.
Read more about Cookie Notice
Most privacy laws requires that if you use cookies to collect personal information, then you need to have a cookie policy. Businesses need to give the details about the use of their cookies to the users. You can include the cookie section in your privacy policy, or you can have a separate cookie policy too.
A cookie wall allows websites to refuse users entry if they don’t consent to all the cookies and trackers present on the website. Cookie walls do not possess a button to reject the cookies. It prohibits the user from accessing the website if they do not accept the cookies.
Read more about Cookie Wall
We do not collect any personal information of customers.
We record the consent of the user through the following method:
A unique identification number is allotted to each interaction with the cookie banner. This interaction ID is saved in the visitor’s browser as well as in the application for demonstrating the compliance as per Article 7 of EU GDPR. It records the anonymized IP address of the user providing their consent. As you can see no personal information is collected in the process.
Data Subject Access Request
A Data Subject Access Request (DSAR) is a legal right provided under data protection and privacy laws that allows individuals to request access to the personal data that an organization holds about them. This concept is a key aspect of data protection regulations like the European Union’s General Data Protection Regulation (GDPR) and similar laws in other jurisdictions.
DSARs are designed to give individuals more control over their personal data and enhance transparency in how organizations handle and process that data. They empower individuals to understand how their information is being used and ensure that their rights to privacy are being respected.
When an individual submits a DSAR, they are essentially asking the organization to provide information about:
- What personal data is being collected and processed about them.
- How and why their personal data is being used.
- Who else has access to their personal data.
- How long their personal data will be retained.
- Any automated decision-making or profiling based on their data.
- Where the organization obtained their personal data from.
- Any data transfers to other countries.
An individual is entitled to make an access request when an organization processes their personal data. This right allows them to obtain information about what data is being processed, why, by whom, and for how long. Organization must verify their identity, and while they don’t usually need to state a reason for the request, there may be limitations on excessive requests.
The requirement for an access request to be made in writing depends on the specific data protection laws and regulations in place. In some jurisdictions, access requests can be made verbally or through electronic means, while in others, they might need to be in writing.
For example, under the European Union’s General Data Protection Regulation (GDPR), individuals can make access requests in any form, including electronically. This means that written requests are not the only option; requests can also be made through email or other electronic communication methods. However, organizations may require reasonable verification of the requester’s identity to prevent unauthorized access to personal data.
Responding to Data Subject Access Requests (DSARs) for data involves a series of steps to ensure compliance with data protection laws and the provision of accurate information. Here’s a concise guide on how to respond effectively:
- Verify Identity: Confirm the requester’s identity to ensure data security.
- Acknowledge Receipt: Inform them that their request is being processed.
- Gather Data: Collect their personal data from relevant sources.
- Prepare Response: Compile a clear and comprehensive response.
- Provide Information: Share requested data and details on processing.
- Use Understandable Language: Present information in a clear, accessible manner.
- Meet Deadlines: Respond within the specified time frame.
- Ensure Security: Maintain data security throughout the process.
- Document Process: Keep records of the request and response.
Remember, the steps may vary based on specific regulations and organizational policies. Always consult the relevant data protection laws and guidelines for your jurisdiction to ensure proper handling of DSARs.
The parties involved in the Data Subject Access Request (DSAR) process include;
- Data controller: Data controllers determine how and why personal data is processed.
- Data protection officer (DPO): DPOs are responsible for ensuring their organization complies with applicable laws and data privacy regulations when processing personal data of employees, customers, providers, or other data subjects.
- Data Subject/Requester: DSARs are submitted by the requester.
- The legal team, IT personnel, and relevant departments that hold the requested data (if applicable then).
The deadline for responding to a Data Subject Access Request (DSAR) can vary depending on the data protection regulations in your jurisdiction. It’s important to note that these deadlines might differ under other data protection laws in different countries. For example,
- Under GDPR, organizations generally have 30 days to respond to a DSAR while under CCPA, organizations must respond to a DSAR within 45 days. LGPD organizations are required to respond promptly to a DSAR, because the specific time frame is not explicitly defined in the law. However, organizations are expected to respond within a reasonable time, which is generally considered to be around 15 days.
- This period can be extended when reasonably necessary, taking into account the complexity and number of requests.
DSAR responses should be free of charge.
A reasonable fee may be charged for administrative costs or other costs associated with responding to an excessive DSAR when it incurs high costs for you to respond. In this case, however, the data subject is not entitled to a free answer.
A list of criteria should be developed for determining what is a reasonable fee so you can explain it to the supervisor if necessary. Organizations should make the criteria clear and explain the costs to individuals.
It is, however, risky to rely on these exceptions since the Dutch DPA has issued a fine of 830K euros for charging a fee for accessing information in violation of the GDPR.
Regulation
California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA), also known as Proposition 24, is a ballot measure that was approved by California voters on Nov. 3, 2020. It amends and expands the CCPA, and also referred to as “CCPA 2.0.”
In enacting this Act, it is the purpose and intent of the people of the State of California to further protect consumers’ rights, including the constitutional right of privacy. This Act came effective from December 16, 2020, but exemption has been given until January 1, 2023. Enforcement will begin from July 1, 2023.
CPRA will work as an addendum to CCPA, which will strengthen the rights of Californian residents.
In many respects, the CPRA substantially amends and amplifies the CCPA, bringing California privacy law closer to Europe’s GDPR.
Following are some of the noteworthy changes of CPRA:
- Discontinuing the CCPA’s exception relating to employee and B2B personal information on January 1, 2023.
- Purpose limited obligation, a business’ collection, use, retention, and sharing of a personal information must be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.
- New consumer rights like the right to correction, right to limit the use of sensitive personal information and the right to opt-out of automated decision making.
- Expanding the consumers rights like right to opt-out of sale, right to delete personal information and right to know.
- Adding a duty for businesses to implement reasonable security procedures for handling consumer’s personal information.
By changing the definition of a covered “business,” the CPRA modifies the scope of the CCPA. Because the CPRA applies to “businesses,” it determines the types of entities that may be covered.
CPRA will be applicable on the businesses who meets any of the following conditions:
- As of January 1, of the calendar year, had
- Annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year or
- Alone or in combination, annually buys or sells or shares the personal information of 1,00,000 or more consumers or households or
- Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal Information.
Under the CPRA, consumers have a new right to limit how their sensitive personal information is used and disclosed.
“Sensitive personal information” is defined as personal information that reveals:
- A consumer’s social security, driver’s license, state identification card, or passport number.
- A consumer’s account log-in, financial account, debit card or credit card number combined with any required security or access code, password or credentials allowing access to an account.
- A consumer’s precise geolocation.
- A consumer’s racial or ethnic origin, religious or philosophical beliefs or union membership.
- The contents of a consumer’s physical mail, email and text messages, unless the business is the intended recipient of the communication.
- A consumer’s genetic data.
- Biometric information processed for the purpose of uniquely identifying a consumer.
- Personal information collected and analyzed concerning a consumer’s health.
- Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
- Businesses need to give consumers the notice of Right to limit along with limit the use of my sensitive personal information link.
Following are the new rights which have been added by CPRA:
- The right to correct inaccurate information:
CPRA introduced a new right for the consumer in which they can request the business to correct inaccurate personal information held by the business. - The right to limit the use of sensitive personal information:
CPRA has included a new definition that is of sensitive personal information. Consumers now have the right to direct the business to limits its use of sensitive personal information. Business will have to provide a link on their website titled “Limit the use of my sensitive personal information” for consumers. Business can provide a single link as well which will combine the link with the link of do not share or sell my personal information link. - The right to opt-out of automated decision making:
Following are the rights which have been amended by CPRA:
- The right to delete personal information:
Under the CPRA business also needs to notify any third parties to delete the personal information pf consumers, while in CCPA businesses were required to notify only service providers. CPRA has also provided some new exceptions for the deletion requirement. - The right to know:
CPRA expands the right to know by adding following requirements:- Business needs to provide information about the categories of personal information shared with the third parties.
- Now, business will need to provide information for more than 12 months unless the disclosure would be impossible or involve disproportionate effort.
- The right to opt-out of sale:
CPRA expands on the existing opt-out right by including both the sale and sharing of personal information. Now the link posted on the website should be do not sell or share my personal information. - Right of non-discrimination:
The CPRA expands the right of non-discrimination against employees, applicants for employment, and independent contractors.
CPRA gives additional protections for the personal information of children under the age of 16. The CPRA restricts a business from selling or sharing the personal information of a consumer under the age of 16 unless the consumer (for consumers at least 13 years old) or the consumer’s parent (for consumers who are less than 13 years old) have authorized the sale or sharing. If the consumer under 16 (or the consumer’s parent if the consumer is under the age of 13) does not provide consent, the business must wait at least 12 months before requesting the consumer’s consent again or until the consumer turns 16.
These obligations apply if the business has “actual knowledge” of the child’s age. Notwithstanding anything in the CPRA, a business must comply with its obligations under the federal Children’s Online Privacy Protection Act for the personal information of children under the age of 13.
The CPRA imposes higher administrative and civil penalties for violations relating to the personal information of children and minors.
Under CCPA, employee data is not expressly protected just like consumer data is in CCPA. In CCPA employee data acts as an exemption to consumer rights. But due to CPRA, that exemption will expire on January 1, 2023.
CPRA brings new rights for employees with regard to how the businesses will collect, use, store and process their information. CPRA will now offer six new privacy rights to the employees with respect to their data. Due to the CCPA employee exemption it prevented the employees to exercise the same rights as consumers, but the exemption will now expire on January 1, 2023.
The expansion of rights to employees will enable greater transparency to them and will also provide greater agency over the management and protection for their data.
Following rights have been given to employees under CPRA:
- Right to access the data.
- Right to correction of the data.
- Right to deletion of data.
- Right to opt out of sale of data.
- Right to limit the use of sensitive information.
- Right Not to be Discriminated Against for Exercising Any of the Employee’s Rights Under CPRA.
California Privacy Protection Agency, which is vested with full administrative power, authority, and Jurisdiction to Implement and enforce the California Consumer Privacy Act. The Agency shall be governed by a five-member board, including the Chair. These appointments should be made from among Californians with expertise in the areas of privacy, technology, and consumer rights.
The Agency board shall appoint an executive director who shall act in accordance with Agency policies and regulations and with applicable law.
The agency shall perform the following functions:
- Administer, implement, and enforce the CPRA.
- Protect the fundamental privacy rights of natural persons with respect to the use of their personal information.
- Promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale and disclosure of personal Information, Including the rights of minors with respect to their own information.
- Provide guidance to consumers regarding their rights under this title.
- Provide guidance to businesses regarding their duties and responsibilities.
- Provide technical assistance and advice to the Legislature, upon request, with respect to privacy-related legislation.
- Monitor relevant developments relating to the protection of personal Information, and In particular, the development of Information and communication technologies and commercial practices.
- Cooperate with other agencies with Jurisdiction over privacy laws and with data processing authorities In California, other states, territories, and countries to ensure consistent application of privacy protections.
- Perform all other acts necessary or appropriate In the exercise of its power, authority, and Jurisdiction, and seek to balance the goals of strengthening consumer privacy while giving attention to the impact on businesses.
-
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a comprehensive data protection and privacy regulation introduced by the European Union (EU). It came into effect on May 25, 2018, with the primary objective of enhancing individuals’ control over their personal data and ensuring the responsible handling of such data by organizations. The 1995 Data Protection Directive, which produced a patchwork of data protection rules across different countries, was replaced by the GDPR. It places a significant emphasis on transparency, consent, and the rights of data subjects.
The General Data Protection Regulation (GDPR) applies to a wide range of entities, including businesses, organizations, and individuals, that process personal data of individuals within the European Union (EU). Here’s a breakdown of who must comply with GDPR:
- Organizations based in the European Union (EU) that process personal data.
- Non-EU organizations that offer goods/services to EU residents or monitor their behavior.
- Data processors that handle data for EU-based controllers.
- Online businesses collecting/process data from EU users.
- Data brokers that share/sell personal data.
- Employers that process employee data.
- Both public and private entities process EU residents’ data.
In essence, any entity handling personal data of EU residents, regardless of location, must adhere to GDPR’s rules to protect individuals’ privacy and data rights.
Under the General Data Protection Regulation (GDPR), individuals are granted several privacy rights that empower them to have more control over their personal data. These rights include:
- Right to be informed: The right to be informed about data collection and processing.
- Right of access: The right to access personal data is held by an organization.
- Right to rectification: The right to correct inaccurate or incomplete data.
- Right to Be Forgotten: The right to request deletion of personal data under specific circumstances.
- Right to restrict processing: The right to limit data processing in certain situations.
- Right to data portability: The right to receive personal data in a usable format and transfer it to another controller.
- Right to object to processing: The right to object to specific types of data processing.
- Rights in relation to automated decision-making: The right to avoid solely automated decisions affecting the individual.
These rights empower individuals to have more control over their personal information and its use.
The GDPR is a regulation that protects the personal data of individuals in the European Union. According to the GDPR, there are seven principles that govern how personal data should be processed:
- Lawfulness, fairness and transparency: Data should be processed in a legal, fair and clear way.
- Purpose limitation: Data should be collected for specific and legitimate purposes and not used for other purposes.
- Data minimization: Data should be relevant and limited to what is necessary for the purposes of processing.
- Accuracy: Data should be accurate and up to date and corrected or deleted if not.
- Storage limitation: Data should be kept for no longer than necessary for the purposes of processing.
- Integrity and confidentiality: Data should be protected from unauthorized or unlawful access, loss, destruction or damage.
- Accountability: Data controllers should be responsible for complying with the principles and demonstrate their compliance.
The GDPR can affect companies outside the EU in two ways:
- If they offer goods or services to individuals in the EU, even if they do not charge for them or have a physical presence in the EU.
- If they monitor the behavior of individuals in the EU, such as through cookies, tracking or profiling.
In these cases, companies outside the EU must comply with the GDPR rules and obligations, such as obtaining consent, respecting data subject rights, appointing a representative in the EU, and reporting data breaches. Non-compliance can result in fines, and companies also may need to appoint an EU representative.
The General Data Protection Regulation (GDPR) imposes two tiers of penalties:
- Lower Tier: Up to €10 million or 2% of the company’s global annual revenue, whichever is higher. This applies to breaches related to data processing obligations, data protection impact assessments, and data protection officer appointments.
- Higher Tier: Up to €20 million or 4% of the company’s global annual revenue, whichever is higher. This applies to breaches of individuals’ rights and freedoms, consent violations, and transferring data to non-compliant countries.
The exact penalty depends on factors like the nature and severity of the breach, mitigating actions taken, and the company’s cooperation with authorities. Penalties aim to be proportionate, dissuasive, and reflective of the breach’s impact.
Lei Geral de Proteção de Dados Pessoais (Brazil LGPD)
LGPD stands for “Lei Geral de Proteção de Dados” in Portuguese, which translates to the “General Data Protection Law” in English. It is a data protection and privacy law in Brazil that governs how personal data is collected, processed, and handled by organizations.
The LGPD was signed into law on August 14, 2018, by then-President Michel Temer. However, its enforcement provisions came into effect on September 18, 2020. This allowed organizations time to prepare and adapt their data handling practices complying with the new regulations. The law aims to enhance individuals’ privacy rights and regulate how businesses handle personal data within Brazil.
Similar to the European Union’s GDPR, LGPD aims to safeguard individuals’ data rights, enhance privacy, and establish guidelines for businesses when dealing with personal data.
The LGPD applies to both public and private sector organizations that collect, process, or handle personal data in Brazil, regardless of where they are located. This includes companies based outside of Brazil if they offer goods or services to individuals in Brazil or process data of individuals in Brazil.
In essence, any organization that deals with Brazilian residents’ personal data needs to comply with the LGPD’s regulations to ensure data protection and privacy rights.
LGPD exempts certain activities from its provisions, including data processing for personal purposes, journalistic, academic, artistic, and literary purposes. It may also exempt data processed exclusively for national security, defense, public safety, and law enforcement activities.
Under LGPD, data subjects (individuals whose personal data is being processed) have various rights, including:
- Right to Access: The right to obtain confirmation if their data is being processed and access to their personal data.
- Right to Information: The right to receive clear and comprehensive information about data processing activities.
- Right to Rectification: The right to correct inaccurate or incomplete data.
- Right to Deletion: The right to request the deletion of personal data under specific circumstances.
- Right to Portability: The right to receive personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller.
- Right to Consent Withdrawal: The right to withdraw consent for data processing at any time.
- Right to Objection: The right to object to processing based on legitimate interests or for direct marketing purposes.
- Right to Anonymization, Blocking, or Elimination: The right to request anonymization, blocking, or elimination of unnecessary or excessive data.
- Right to Review of Decisions: The right to review decisions made solely on automated processing that significantly affect the data subject.
These rights empower individuals to control their personal data and enhance transparency and accountability in data processing.
Under LGPD, fines and penalties for non-compliance can be substantial.
Fines can range up to 2% of a company’s revenue in Brazil, limited to a maximum of R$50 million (Brazilian Reais) per violation. (For some violations, the fine can reach 2% of the company’s annual revenue, and for more severe violations, it can go up to 10%.)
The specific fine amount depends on factors like the violation’s nature, severity, organization size, and previous violations. It’s crucial to ensure compliance to avoid these penalties and maintain data protection standards.
Virginia's Consumer Data Protection Act (CDPA)
The Virginia Consumer Data Protection Act (CDPA) was introduced on January 1, 2021, to the House of Delegates and was signed into law by Governor Ralph Northam on March 2, 2021.
The Virginia Consumer Data Protection Act (CDPA) is a privacy law in Virginia, USA. It grants residents control over their personal data, requiring businesses to be transparent about data use, implement data security measures, and allow individuals to access, correct, and delete their data. The law applies to businesses meeting certain criteria and aims to enhance data protection practices while giving consumers more control over their personal information.
The aim of the Virginia Consumer Data Protection Act (CDPA) is to enhance individuals’ privacy rights by regulating how businesses handle their personal data. It grants consumers control over their data, enforces data security measures, promotes transparency, and holds businesses accountable for proper data handling.
Overall, it is a comprehensive data privacy regulation. It represents a significant expansion of consumer privacy rights in Virginia and imposes new obligations on businesses regarding their data protection practices.
The CDPA is applicable to those who run a business in Virginia or create goods or services that are intended for residents of the state and who:
- Control or process at least 100,000 consumer’s personal data in a calendar year; or
- Control or process at least 25,000 consumers’ personal data and generate more than 50% of total revenue from the sale of personal data.
It is not applicable to:
- Someone who represents the Commonwealth or any of its political subdivisions in any authority, board, commission, district, or agency.
- Institutions of higher education or nonprofit organizations.
- The Gramm-Leach-Bliley Act of 1999’s Title V applies to financial institutions or data subjects.
- Covered entities or business partners subject to the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, as well as the privacy, security, and breach notification regulations issued by the U.S. Department of Health and Human Services at 45 C.F.R. Parts 160 and 164.
The Virginia Consumer Data Protection Act (CDPA) grants several privacy rights to residents of Virginia regarding their personal data. These rights include:
- Right to Access: Individuals have the right to request access to their personal data that businesses have collected and processed.
- Right to Correction: Individuals can request corrections to inaccurate or incomplete personal data held by businesses.
- Right to Deletion: Individuals can request the deletion of their personal data under certain circumstances, and businesses must comply unless there are legitimate reasons to retain the data.
- Right to Opt-Out: Individuals can opt out of businesses processing their personal data for purposes of targeted advertising, sale, or profiling.
- Right to Data Portability: Individuals have the right to receive their personal data from businesses in a structured, commonly used, and machine-readable format.
These rights are designed to give individuals more control over how their personal data is used and to enhance their privacy online. It’s important to note that these rights might come with specific conditions and exceptions as outlined in the CDPA.
The Virginia Consumer Data Protection Act (CDPA) is based on several key principles:
- Consumer Control: Individuals have the right to control their data. This includes the rights to access, correct, delete, and opt out of certain data processing activities.
- Transparency: Businesses must be transparent about data practices. They must provide clear and understandable privacy notices to consumers, informing them about how their data will be used.
- Data Security: Firms must ensure data protection. Businesses must implement reasonable data security measures to protect the personal data they collect and process.
- Sensitive Data: Special provisions for sensitive information and imposes specific requirements for its processing.
- Accountability: Businesses are accountable for data handling. This helps identify and mitigate potential privacy risks.
- Data Processor Agreements: The law requires data processing agreements between businesses that process personal data on behalf of others. These agreements outline the responsibilities of data processors in safeguarding data.
- Enforcement: The CDPA provides enforcement mechanisms through the Virginia Attorney General’s office.
- Global Applicability: The CDPA applies to businesses operating in Virginia, regardless of their location.
These principles collectively work to enhance privacy protection for consumers while establishing obligations for businesses to responsibly handle personal data.
Under the Virginia CDPA, data processors must:
- Follow data processing instructions from controllers.
- Implement data security measures.
- Maintain confidentiality.
- Assist controllers in compliance.
- Notify controllers of data breaches promptly.
- Get consent for engaging sub-processors.
These obligations ensure responsible and secure handling of personal data.
- A CDPA complaint is investigated by the Virginia Attorney General’s Office. The Attorney General’s office is the only entity that is permitted to file complaints.
- The CDPA doesn’t grant private right of action to consumers. Business owners, however, are allowed 30 days to correct any violations by the Virginia Attorney General.
- The Attorney General can fine businesses $7,500 if they fail to meet this deadline.