Storage
Mobility
Protection
Analysis and control
TOPICShare
What Are Data Privacy Regulations?
Data privacy relates to the regulation of sensitive or personally identifiable information (PII), including how it is stored and used. PII includes any data that can be directly tied to a user, including name, ID numbers, date of birth, address or location, and phone number. It may also refer to associated information, including social media posts, profile photos, or IP addresses.
This is part of an extensive series of guides about compliance management.
Data privacy regulations are laws for enforcing data privacy protections. These regulations vary by location, with some covering specific states and others collections of countries.
Data privacy regulations around the world include:
- USA Data Privacy Laws
- Canada Data Privacy Laws
- EU Data Privacy Laws
- China Data Privacy Laws
- Australia Data Privacy Laws
- Singapore Data Privacy Laws
- Data Privacy Regulations with NetApp Cloud Data Sense
USA Data Privacy Laws
Despite several regulations being introduced, there is currently no federal law universally regulating data privacy in the US. There are, however, several acts that protect specific types or uses of data. These include:
- Federal Trade Commission Act—prohibits deceptive practices related to privacy policies, failure to provide sufficient protections for privacy, and misleading advertising.
- Children’s Online Privacy Protection Act—regulates the collection of data related to minors.
- Health Insurance Portability and Accounting Act (HIPAA)—regulates the storage, privacy, and use of health information.
- Gramm Leach Bliley Act—regulates personal information collected and stored by financial institutions and banks.
- Fair Credit Reporting Act—regulates the collection, use, and accessibility of credit histories and information.
Additionally, the US Federal Trade Commission (FTC) oversees users' protection from deceptive or unfair trade practices, including data security and privacy. The FTC can define regulations, enforce laws, punish noncompliance, and investigate organizations suspected of fraud or violation.
USA State-Level Data Privacy Laws
In addition to federal guidelines, 25 states also have various laws regulating data. Depending on the law, regulations apply to government organizations, private organizations, or both.
The most notable example of state-level privacy laws is the California Consumer Privacy Act (CCPA). This act went into effect in January 2020 and provides numerous protections to California residents. These protections include the ability to access data, opt out of collection or sale, and request the deletion of data.
Canada Data Privacy Laws
Canada has 28 statues dedicated to data privacy, spread across a combination of territorial, provincial, and federal bodies. These statues vary widely in scope and guidelines, but all define broad coverage of actions related to the collection, use, or disclosure of personal data.
Canada’s most notable statutes include:
- Personal Information Protection and Identity Theft Prevention Act (PIPITPA)
- Personal Information Protection Act (PIPA BC)
- Personal Information Protection Act (PIPA Alberta)
- Quebec Privacy Act
- Personal Information Protection and Electronic Documents Act (PIPEDA)
Of these statues, PIPEDA is the broadest and applies to:
- Organizations performing federal or business activities
- Organizations operating in areas that do not have “substantially similar” legislation in place (i.e., PIPA BC, PIPA Alberta or the Quebec Privacy Act)
- Organizations operating interprovincially or internationally
EU Data Privacy Laws
The most notable privacy law in the EU is the General Data Protection Regulation (GDPR). This regulation addresses the collection, use, storage, security, and transfer of data related to any resident of the EU. It applies to data handled by organizations regardless of location, including those operating outside the EU. Breaches of the guidelines can result in fines of up to 4% of global turnover or 20€ million.
The primary goals of GDPR include:
- Establishing privacy for personal data as a basic human right
- Enforcing baseline requirements of privacy
- Standardizing how privacy rules are applied
GDPR includes protections for the following data types:
- Personally identifiable information (PII) including names, ID numbers, date of birth, and addresses
- Web data including IP addresses, cookies, and location
- Health information including diagnoses and health summaries
- Biometric data including voice data, DNA, fingerprints, or gait information
- Private communications
- Photos and videos
- Cultural, social, or economic data
Related content: learn more in our guide to GDPR Subject Access Requests
China Data Privacy Laws
China does not have a federal law relating to data privacy but does have a framework of regulations and laws that cover many cases. For example, the Tort Liability Law and the General Principles of Civil Law both have provisions which have been interpreted to cover privacy or reputation as protections that should be applied to data.
In addition to general protections, there have also been multiple specific regulations and guidelines that have been implemented or proposed. These include:
- People’s Republic of China Cybersecurity Law
- National Standard of Information Security Technology – Personal Information Security Specification
- Guidelines on Internet Personal Information Security Protection
- Draft National Standard of Information Security Technology – Guidelines on Personal Information Security Impact Assessment
Australia Data Privacy Laws
Australia has a variety of data protection and privacy laws at the territory, state, and federal levels. These include the Australian Privacy Principles (APPs) and the The Federal Privacy Act of 1988. These guidelines apply to all government organizations and private organizations with an annual turnover of AU$3 million.
In addition to the general guidelines, most Australian territories and states also have their own regulations. The exceptions are South and Western Australia. The acts that have been passed include:
- Information Privacy Act (Australian Capital Territory)
- Information Act (Northern Territory)
- Privacy and Data Protection Act (Victoria)
- Personal Information Protection Act (Tasmania)
- Privacy and Personal Information Protection Act (New South Wales)
- Information Privacy Act (Queensland)
Singapore Data Privacy Laws
Singapore’s data privacy laws are covered under one act; the Personal Data Protection Act (PDPA). This act regulates the collection, care, use, and disclosure of personal information.
PDPA is a general law that establishes a baseline of protections that stack on sector or industry specific regulations. It aims to balance users' rights with the goals of organizations, provided those goals include reasonable and legitimate data use. Additionally, the PDPA includes the creation of a national do not call registry that enables users to opt out of marketing communications.
Data Privacy Regulations with NetApp Cloud Data Sense
NetApp Cloud Data Sense leverages cognitive technology to discover, identify and map personal and sensitive data. Use Cloud Data Sense to maintain visibility into the privacy posture of your cloud data, generate crucial data privacy reports, and easily demonstrate compliance with data privacy regulations such as the GDPR and the CCPA.
Learn more about NetApp Cloud Data Sense
Learn More About Data Privacy Regulations
Continue exploring in our series of articles about data privacy regulations and how to manage your data effectively for compliance.
California Consumer Privacy Act
As the availability and value of personal data increases, many consumers are expressing concern over how their data is collected and used. To ensure that consumers are protected and retain rights related to their data, governments like the State of California are creating regulations like CCPA.
This article explains what the CCPA is, what rights it grants, how compliance is enforced, how it compares to GDPR, and how you can ensure that your organization is compliant.
Read more: California Consumer Privacy Act
GDPR Subject Access Request
GDPR is one of several data privacy regulations that organizations need to be aware of and responsive to. As part of this regulation, organizations are responsible for responding to requests from consumers seeking to obtain their personal data from the organization. These requests are referred to as DSARs.
This article explains what DSARs are, how to handle requests, how to deny requests, and what responses need to contain.
See Our Additional Guides on Key Compliance Management Topics
Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of compliance management.
CCPA Compliance
- California Consumer Privacy Act: The Basics and a 6-Step Compliance Checklist
- How to Prepare for CCPA Compliance: A Practical Guide for Data Controllers
- CCPA vs GDPR: What is the Difference?
Data Privacy
- Meeting Data Compliance with a Wave of New Privacy Regulations: GDPR, CCPA, PIPEDA, POPI, LGPD, HIPAA, PCI-DSS, and More
- Data Protection in the Cloud: The Basics and 7 Best Practices
- Cloud Compliance and Data Privacy: What You Need to Know
Employee Classification
Authored by Stoke
- Worker Classification: The How-To Playbook
- FLSA Classification: Who is Exempt and Why Do You Need to Know?
- Employee Misclassification 101: What You Need to Know
Read more: GDPR Subject Access Request