GDPR is often considered as the toughest data protection law to date. In 2018, GDPR undoubtedly set the bar for privacy legislation worldwide and a number of countries have since reformed data privacy laws with the aim of giving users ownership of their data. Consequently, the global legislation landscape is becoming ever-increasingly difficult for website publishers to navigate. It is especially difficult to know which laws apply to you and which do not, but those that aren’t aware of which laws apply risk hefty fines.
We’ve compiled a list of major data protection laws, which we intend to continually update, so that publishers understand which data protection laws they need to be aware of and listed the countries that come under each jurisdiction. Other countries, such as India and Australia, are also expected to reform their data protection laws in the near future so be sure to check back for the latest updates. It should be noted that this list is an overview of major data protection laws and should not be supplemented for legal advice.
GDPR: General Data Protection Regulation
General Data Protection Regulation, or GDPR, is Europe’s data privacy and security law which imposes consent-first obligations on any organization, regardless of location, that targets or collects data from EU citizens. Any publisher with users located within the European Economic Area (EEA) needs to comply with the requirements of GDPR. This doesn’t just apply to organisations located in the EEA themselves, but also those outside of Europe serving an audience that includes European citizens and residents.
GDPR impacts any user data that is collected, processed or stored. This includes Cookies. For ad-serving publishers this usually means also having cookie notices and using systems like the Transparency & Consent Framework to handle advertising consent. Many publishers have implemented Consent Management Platforms (CMPs) to manage user consent.
Do I need to worry about GDPR?
Websites that offer goods or services to EU citizens and residents, or those that track their activity online, are required by law to obtain consent from users on the personal information they collect and who this data is shared with.
Therefore, if you serve users in any of the following countries then GDPR matters to you:
- Republic of Cyprus
- Czech Republic
- United Kingdom
Organisations that are found to be non-compliant with GDPR can be fined up to $20 million or 4% of global revenue depending on which figure is higher.
To view GDPR in its entirety, please click here.
CCPA: California Consumer Privacy Act
California Consumer Privacy Act, or CCPA, is a legislation that outlines the requirements for businesses that collect, use and sell the personal information of California-based consumers. CCPA became effective on January 1, 2020 though enforcement only began on July 1, 2020.
Like GDPR, CCPA applies to any organization that collects, uses or sells data from residents in California regardless of where the business is actually based. This means that publishers that track users across the web and target ads using cookies and mobile advertising IDs should be aware of their obligations under CCPA.
Do I need to worry about CCPA?
CCPA is a California state law but its scope impacts business across the USA as well as around the globe. This is because CCPA applies to any business or individual, even if not located in California, that can answer ‘yes’ to any of the following:
- Your website serves 50,000 or more unique visitors from California per year
- You conduct 50,000 or more credit transactions per year
- The combined total number of California-based users and credit transactions per year equates to 50,000 or more
CCPA does not apply to all states in the USA, but others are expected to issue their own iteration in the near future. Effectively, if you are targeting US users, it is highly likely that you will encounter users based in California, so it is best to ensure compliance in order to avoid any penalties.
Publishers that fail to comply with CCPA and do not enable users to either opt-out, request deletion or request access to personal data risk facing fines of $2,500 up to $7,500 per incident regardless of whether the business is actually located.
To learn more about CCPA compliance, please click here.
LGPD: Brazil’s General Data Protection Law
LGPD, also known as Lei Geral de Proteção de Dados, is Brazil’s general data protection law. LGPD is equivalent to Europe’s version of GDPR and is aimed at regulating how the personal data of users in Brazil should be used and processed.
Passed on August 14, 2018 LGPD is set to be enforced starting August 15, 2020. Similar to other new data privacy laws, LGPD applies to any data processing activity that occurs in Brazil regardless of where the data processor is situated.
Do I need to worry about LGPD?
LGPD applies to any business or individual that processes or collects data in Brazilian territory. Therefore, if you receive website traffic from users that are located in Brazil, you must adhere to the requirements as set by LGPD even if your business is not located in Brazil.
Any publisher that violates LGPD risks incurring a fine of up to 2% of the previous year’s revenue up to a total maximum of 50 million Brazilian realis.
PIPEDA: Personal Information Protection and Electronic Documents Act
PIPEDA, which is an initialism for Personal Information Protection and Electronic Documents Act, is Canada’s federal privacy law for private-sector organizations. The purpose of PIPEDA is to govern the collection, use and sharing of personal data during commercial activities. PIPEDA was introduced in Canada in April 2000 with the aim of providing users with more transparency and control over their personal data.
Web publishers that receive traffic from users in Canadian territory are required to adhere to PIPEDA, particularly if they serve personalised ads. This is because targeted ads function through the collection of user data.
Do I need to worry about PIPEDA?
PIPEDA applies to all private-sector organizations in all provinces and territories in Canada, aside from Alberta, British Columbia, Quebec, Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador. Businesses or individuals that operate in Canada, regardless of where they are based, are also subject to the requirements of PIPEDA.
Publishers that receive traffic from Canada will need to obtain consent from Canadian users when they collect, use or share their personal data in the course of any commercial activity. This includes targeting ads.
Failure to comply with PIPEDA can result in imposed fines of up to $100,000 CAD per violation.
PDPA: Thailand’s Personal Data Protection Act
PDPA, or Personal Data Protection Act, is Thailand’s data privacy law that gives Thai residents and citizens the right to control how their personal information is collected, stored and shared by organisations and companies. PDPA came into effect on 28 May 2019 and enforcement is due to begin on 27 May 2021, giving companies and organizations plenty of time to ensure compliance.
Similar to other data protection laws, PDPA applies to all data collection, usage and dissemination activities for all Thai residents and citizens regardless of where the data processor is located. Under PDPA, explicit consent must be obtained from users in order to target users through methods such as cookie matching, behavioural targeting and frequency capping.
Do I need to worry about PDPA?
If your business is based in Thailand or if you receive any traffic from users located in Thailand, then you are subject to the requirements of PDPA and must ensure compliance. This includes collecting the personal data of people in Thailand, offering goods or services in Thailand or tracking the behaviour of Thai internet users. For publishers, this means ensuring that you obtain explicit consent before collecting, using or sharing the personal data of users in Thailand.
Depending on the severity of the violation, companies or organizations that fail to comply with PDPA can receive fines of up to 5 million baht, which is approximately $157,000. In certain cases, such as the disclosure of personal information without consent, violations can lead to imprisonment of up to one year.