
Nearly every country in the world has privacy laws that govern what data can be collected, what it can be used for, and how much control brands and consumers have over its collection, use, and disclosure. Failure to adhere to those laws can lead to hefty fines, lawsuits, loss of customer trust, and in some cases, orders blocking your website. These laws, coupled with the widespread use of the internet for all things commerce, make it more important than ever for brands to stay up to date on the privacy concerns that affect their customers.
Existing Data Privacy Laws to Be Aware Of
Although this blog mainly focuses on new and upcoming data privacy laws in 2024, there are some existing pieces of legislation that it’s also important for brands to be aware of.
Existing U.S. Federal Laws
Despite many proposed bills over the years, including the American Privacy Rights Act (APRA), the United States doesn’t have a comprehensive federal law that covers all aspects of data privacy. There are, however, privacy laws that cover specific sectors and mediums on both the federal and state levels. Depending on the industry you operate in, these laws may impact your business.
U.S. Privacy Act of 1974
The U.S. Privacy Act of 1974 governs the records that federal agencies keep about individuals. It gives individuals the right to know what information federal agencies collect about them and how it is used, to access those records, and to request correction of inaccurate or outdated information.
HIPAA
HIPAA (the Health Insurance Portability and Accountability Act) sets national standards for the privacy and security of individuals' health information and for when it may be used or disclosed. The goal of the law is to protect the privacy of individuals' health information while allowing the flow of data needed to provide and promote quality healthcare.
COPPA
COPPA regulates how brands and businesses can collect, use, and share personal information of children under 13. It requires brands to receive parental consent prior to collecting the data, disclose how the information is used, and offer access to and control of the information to the child’s guardian so it can be deleted if necessary.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to customers and to safeguard customers' financial information. These privacy provisions were included alongside the law's main purpose, which was to allow commercial banks, investment banks, insurance companies, and securities firms to consolidate.
Fair Credit Reporting Act (FCRA)
The FCRA regulates and protects the collection and use of consumers’ credit information, in particular the confidentiality, accuracy, relevancy, and proper utilization of credit data.
Family Educational Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records. Control over those records rests with the parents until the student turns 18 or enrolls in a postsecondary institution, at which point the rights transfer to the student.
Existing International Privacy Laws
With more than 130 privacy laws already in existence around the world, it would be too lengthy to list and explain them all. However, here are some important laws to be aware of in case your business operates in countries outside of the United States.
EU’s GDPR
The EU's General Data Protection Regulation (GDPR) is widely considered to be the most comprehensive data protection legislation enacted to date. It establishes seven main principles of data privacy that apply to the collection, use, transmission, and security of personal data within the EU's 27 member states (and, through the EEA agreement, Iceland, Liechtenstein, and Norway). These principles are:
Lawfulness, fairness, and transparency
Purpose limitation
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
GDPR protects anyone located in the EU, regardless of citizenship and regardless of whether the business is headquartered in a member state. It requires companies that collect, store, sell, or otherwise process such personal data to have a lawful basis for doing so. Consent is one of six lawful bases; where a company relies on it, the consent must be freely given, specific, informed, and unambiguous, and explicit consent is required for special categories of data such as health information. Companies must also give data subjects clarity into and control over the data collected, notify the supervisory authority within 72 hours of becoming aware of a personal data breach unless the breach is unlikely to result in a risk to individuals, and notify affected data subjects without undue delay when the breach is likely to result in a high risk to them.
China’s PIPL
Like the GDPR, China's Personal Information Protection Law (PIPL) has extraterritorial reach to organizations outside the People's Republic of China, and it gives individuals the right to decide on, limit, or object to the handling of their personal information. PIPL goes further than the GDPR in some respects: it requires separate consent for certain processing, such as sharing sensitive personal information or transferring it outside China, and its penalties can reach 5% of the prior year's annual revenue, above the GDPR's 4% ceiling.
Brazil’s LGPD
Brazil's LGPD, or Lei Geral de Proteção de Dados Pessoais, is another international law that offers protections similar to the GDPR's. One notable difference is the LGPD's more extensive limits on data portability.
Canada’s PIPEDA
PIPEDA, the Personal Information Protection and Electronic Documents Act, came fully into force in 2004 and was most recently amended in 2015 by the Digital Privacy Act, which among other things added mandatory breach reporting (in force since November 2018). The law regulates how private-sector organizations collect, use, and disclose personal information in the course of commercial activity, although its requirements are less prescriptive than the GDPR's.
New and Upcoming Data Privacy Laws in 2024
Some of these laws have already passed, while others are set to go into effect later this year or are still in the proposal stage.
US Data Privacy Laws
The American Privacy Rights Act
As of this writing, the American Privacy Rights Act has been introduced in Congress, but it still has many hurdles to clear before it is likely to become law. Regardless of whether the bill passes, it's important for brands to understand what standards they could be held to and what levels of privacy consumers expect for their data. This guide from Osano offers a comprehensive view of the legislation and its requirements.
State Privacy Laws
More than a dozen US states have enacted either comprehensive or tailored privacy legislation, and the list is growing, with many other states still evaluating proposed bills.
California
Colorado
Connecticut
Delaware
Indiana
Iowa
Montana
Oregon
Tennessee
Texas
Utah
Virginia
Nevada
Maine
Michigan
Minnesota
Vermont
Bloomberg Law's state privacy law map outlines the most comprehensive state laws and what they entail. For the purposes of this post, here are some notable data privacy laws from 2024 that have either already gone into effect or will start to impact brands in the coming months.
Vermont’s Comprehensive Data Law
The Vermont legislature passed a comprehensive privacy bill in May 2024 that would allow consumers to sue companies for violating their privacy rights. It would significantly limit what consumer data companies can gather and use and would ban them from selling sensitive consumer data. The bill's private right of action would need to be reauthorized after two years and would apply to any business or person that processes the data of more than 100,000 consumers. Note that the governor vetoed the bill in June 2024 and the legislature's override attempt failed, so it is not currently in force; similar bills are expected to return.
Florida’s Digital Bill of Rights
Along with laws in Oregon and Texas, Florida's Digital Bill of Rights went into effect on July 1, 2024. It applies to businesses with annual global revenue of more than US$1 billion (that also meet additional criteria, such as operating an app store or smart-speaker platform), and it addresses two notable areas of privacy: the collection of personal information through voice or facial recognition features, and the collection, selling, processing, and sharing of children's personal information and precise geolocation data.
Oregon’s Consumer Privacy Act
Oregon's Consumer Privacy Act has no global revenue threshold like Florida's law; instead it applies to companies that conduct business in the state or provide products or services targeted to state residents and that, in a calendar year, control or process the personal data of at least 100,000 state residents OR control or process the personal data of at least 25,000 state residents while deriving more than 25 percent of their gross revenue from selling personal data. Non-profit organizations are not exempt, but they have until July 1, 2025 to comply.
Texas’ Data Privacy and Security Act
Texas' Data Privacy and Security Act applies to a wider range of businesses than the other laws mentioned here because it has no consumer-count or revenue threshold: it covers any person that conducts business in Texas or targets Texas residents and processes or sells personal data. Small businesses (as defined by the U.S. Small Business Administration) are generally exempt, but even they must obtain consumer consent before selling sensitive data to third parties.
Montana’s Consumer Data Privacy Act
Montana's Consumer Data Privacy Act goes into effect on October 1, 2024. Its scope is similar to Oregon's Consumer Privacy Act: it applies to companies that conduct business in the state or provide products or services targeted to state residents and that either control or process the personal data of at least 50,000 state residents (excluding data processed solely to complete a payment transaction) or control or process the personal data of at least 25,000 state residents while deriving more than 25 percent of their gross revenue from selling personal data.
European Data Privacy Laws
Digital Services Act
The Digital Services Act (DSA) entered into force on November 16, 2022, and became fully applicable on February 17, 2024. The regulation addresses the removal of illegal and harmful content under the principle that "what is illegal offline must be illegal online," and it applies to four types of businesses:
Intermediary services offering network infrastructure, such as ISPs
Hosting services, such as cloud and web-hosting services
Online platforms that bring sellers and consumers together, such as online marketplaces, social platforms, and app stores
Very large online platforms and very large online search engines, defined as those with more than 45 million monthly active users in the EU, roughly 10% of the EU's 450 million consumers
Each category faces different requirements under the same principle, and the obligations are cumulative: a very large online platform must meet the obligations of the smaller tiers as well as its own.
Digital Markets Act (DMA)
The Digital Markets Act entered into application in May 2023, and the obligations on the first designated "gatekeepers" became enforceable on March 7, 2024. It prevents the largest digital platforms from imposing unfair conditions on business users and competitors and from favoring their own products or services. Gatekeepers that violate the DMA may be fined up to 10% of annual global turnover, or up to 20% for repeated violations. Systematic non-compliance can also result in non-financial remedies, such as forced divestitures.
Artificial Intelligence Act
The EU's Artificial Intelligence Act was formally adopted in 2024 and entered into force on August 1, 2024, with its obligations phasing in: bans on prohibited AI practices apply from February 2025, and most requirements for "high-risk" systems apply from August 2026. Although it is EU legislation, the Act covers any company that places AI systems on the EU market or whose systems' output is used in the EU, regardless of where the company is based. Providers and deployers of high-risk systems must meet transparency, data-governance, and human-oversight requirements, and all organizations must avoid the prohibited practices, such as manipulative techniques that exploit a person's vulnerabilities.
International Privacy Laws
India’s DPDPA
Although India's Digital Personal Data Protection Act (DPDPA) received presidential assent on August 11, 2023, the government has yet to announce when it will take effect. The DPDPA is the country's first comprehensive data privacy law, covering all of India's 1.4 billion people. It applies to the processing of digital personal data within India, and to processing outside India that is connected with offering goods or services to people in India, whether the data was collected in digital form or collected on paper and subsequently digitized.
Ensure Compliance and Customer Privacy with One Creation’s Digital Preference Wallet
With so much existing, new, and upcoming data privacy legislation, it is clear that consumers care how their data is collected and used, and governments are responding. It's more important than ever for brands to adhere to privacy regulations and to offer clarity, comfort, and control to their customers across every interaction.
If you haven't started yet, it's not too late! One Creation's Digital Preference Wallet helps you stay compliant with digital privacy regulations while learning more about your customers in an environment they control. The result is higher long-term trust, lower churn, and ultimately higher revenue for your brand over time.
Request a demo today to get started.