Top 10 Data Privacy Laws to Watch in 2021
Data privacy was a random buzzword a few years ago, but it is no longer optional for online businesses. eCommerce websites and eService platforms now have to make sure that personal data and information are secure at all times to stay compliant, regardless of where they operate. Here are the top 10 data privacy laws you need to acknowledge and follow to avoid legal consequences today.
Reflectiz wishes to emphasize that this list is not exhaustive by any means. You may need to check for additional rules and regulations that may apply in your country.
Top 10 Data Privacy Laws to Watch in 2021:
- GDPR
- CCPA
- HIPAA
- 23 NYCRR 500
- SOX
- APPI (Act on the Protection of Personal Information)
- DCIA
- LGPD
- Personal Data Protection Bill (PDP)
- DIFC Data Protection Law
Implemented on 25 May 2018, GDPR is an EU-drafted law that enforces privacy and security standards on everyone who collects data from customers based in Europe.
Many consider GDPR to be the data privacy law that started it all. While privacy guidelines have been with us for decades, GDPR was the law that started holding businesses accountable for data leaks and hacking incidents caused by the mishandling of third-party applications and insecure communication practices. Read more about the Ticketmaster UK incident and its GDPR implications.
Key GDPR takeaways:
- Data is Siloed – As data collection and storage trends up, online businesses are realizing that they are responsible for all data collection and processing.
- Layered Security – Online businesses can’t trust stand-alone solutions as their websites become more dynamic with third-party integrations.
- Companies are Accountable – The company that holds and collects user data is responsible, not third-party vendors (data processors).
CCPA deals with user privacy standards when it comes to California-based customers or potential customers. CCPA extends the outdated California Online Privacy Protection Act from 2004 and aims at giving users more control of their information. The regulation requires businesses to add an opt-out option to avoid user data collection as well as integrate parental consent for minors below 13.
Key CCPA takeaways:
- Similar to GDPR – There are many overlaps and if a business complies with GDPR, it probably doesn’t have to implement many process changes.
- “Do not sell” Button – Companies are required to add a “do not sell” button to give users a choice. It should be clearly visible on the website’s homepage.
- Engage with Third-Party Vendors – CCPA also holds companies accountable for misdeeds of their third-party services. Create proper SLAs with them.
HIPAA is a set of regulations that apply to any healthcare facility in the US. It aims at protecting and securing personal health information. The regulations address the rules of disclosure of the Protected Health Information (PHI) and deal with the maintenance of healthcare records and transactions. The main goal is to provide the best possible level of care while ensuring the security of patient information.
Key HIPAA takeaways:
- HIPAA is Not Only About Healthcare – Probably the most important takeaway is the applicability of the HIPAA regulations across industries. HIPAA’s requirements for data security, permissions for employees who work with sensitive information, and role management are universal guidelines.
- Risk Analysis – HIPAA requires healthcare institutions to conduct risk analysis to detect possible vulnerabilities that could potentially expose sensitive data. A thorough risk analysis is a good practice for every business as it uncovers hidden bottlenecks that can lead to serious issues if gone unnoticed.
- Cost Savings – Compliance with HIPAA regulations helps companies save millions that they would otherwise spend on remediation and settlements.
The New York State Department of Financial Services (NYDFS) officially launched this law in 2020. 23 NYCRR 500 addresses regulations that help NY-based financial service companies ensure optimal cybersecurity standards. These regulations tackle the issues surrounding application security procedures like protecting company and user data from hackers and malicious entities.
Key 23 NYCRR 500 takeaways:
- Establish A Cybersecurity Policy – The policy document depends on the company’s regulations, workflow, technology, size, and other aspects. Besides creating the set of rules, 23 NYCRR 500 advises companies to train their employees and make sure they are familiar with the policies and precautions.
- Reporting is Key – Despite the risk analysis and security measures, businesses still experience data breaches. The best thing they can do is to report the attacks to the New York State Department of Financial Services (NYDFS) to warn other companies about the occurrence and mitigation efforts.
- Third-party Security – Since companies nowadays have multiple third-party integrations (eCommerce websites have over 60 on average) keeping track of the security compliance of each and every one of them can be difficult. 23 NYCRR 500 holds businesses accountable for overlooked vulnerabilities.
The SOX law incorporates a set of regulations aimed at protecting investors from fraudulent accounting. The act is directed at corporations and forces them to disclose financial reports in order to prevent such fraud. Passed all the way back in 2002, SOX was trying to rehabilitate public trust in corporations by imposing high penalties on violators.
Key SOX takeaways:
- Fraud Accountability – The SOX regulations elaborate on corporate fraud and define the various ways of fraud and corresponding ramifications.
- Personal Responsibility – To protect investors, SOX forces corporate officers to personally certify the company’s financial statements. In case officers vouch for fraudulent or inaccurate information, they will be subject to large fines and even imprisonment in cases where criminal activity is detected.
- Security Means Transparency – SOX provides an opportunity for whistleblower complaints. In such cases, the involved employee can file an official complaint with the Occupational Safety and Health Administration (OSHA) that will investigate the case under SOX regulations.
In a nutshell, the Act on the Protection of Personal Information is the Japanese equivalent of GDPR and enforces strict data security rules for any person or business that handles the personal data of Japanese residents. Handling in the APPI has a very broad meaning: collecting, storing, using, and exchanging data. This act was enacted in June 2020 and will be revised every three years from now on.
Key APPI takeaways:
- Reporting – Japanese lawmakers have also realized the importance of enforced reporting. The new amendments make non-disclosure of data breaches illegal and force companies to prepare thorough reports and send them to the Personal Information Protection Commission (PPC) in Japan.
- Consent – Much like European and US privacy laws, APPI also states that consent should be acquired prior to collecting user information. Especially if the company is planning on sharing this information with third-party services, the confirmation that users agree to data collection is essential.
- Applicable for Overseas Businesses – Foreign non-Japanese businesses and individuals are also obligated to abide by APPI. Although the PPC does not have the authority to fine or even supervise violators, it can alert the relevant authorities in the offender’s country.
DCIA is the Canadian version of GDPR law. One of the most important parts of DCIA is the Consumer Privacy Protection Act (CPPA) that regulates the collection, usage, or disclosure of personal information. This privacy law was introduced in the Canadian Parliament in November 2020 and is seen as a major overhaul of the old Personal Information Protection and Electronic Documents Act (PIPEDA).
Key DCIA takeaways:
- Service providers – The Canadian law also requires companies to demand compliance from third-party applications or service providers. The responsibility for the data breach still lies with the company, which means that it will also be accountable for all third-party service slipups.
- DCIA awareness across the company – DCIA prescribes that the company’s executives are obligated to constitute a corporate privacy management program that will entail every important aspect regarding business processes and practices. It is also mandatory that the company’s employees receive proper training.
- AI-Induced Ethical Issues – DCIA has a huge emphasis on AI systems that automate decision-making. The law states that individuals are allowed to request information on how their data has been collected and used to make a certain prediction (algorithmic decision-making) of their behavior.
Brazil now has a population of over 200 million residents. It’s only natural that data privacy is taking center stage. Law for the Protection of Personal Data or LGPD (from Portuguese: Lei Geral de Proteção de Dados Pessoais) regulates personal information collection and usage in Brazil. Every company that obtains information about Brazilian citizens has to comply with LGPD to avoid huge penalties.
Key LGPD takeaways:
- Brazil’s own GDPR, Almost – LGPD has been vastly inspired by the European GDPR, which also has a downside. What works in Europe might not be applicable in Latin America, mostly because of political differences. Unlike GDPR, the Brazilian law treats all companies the same, regardless of their size.
- Data Protection Officers (DPO) – LGPD requires every company that processes user data in Brazil to hire a data protection officer.
- Lawful Basis – The lawful basis for data collection is similar in regulations from most countries as they were mainly inspired by the European GDPR. LGPD adds four extra grounds for obtaining user data. These reasons address protection of life, physical safety, and health as well as credit protection.
The privacy law that has been enforced in 2019 in India is called the Personal Data Protection Bill. Due to India’s significant population size, this country’s data privacy laws might influence a large number of businesses outside India. As India is a big player in the tech world, its law might reshape global policy. The bill replaces the Information Technology Act from the year 2000.
Key PDP takeaways:
- Government is Exempt – Although the law is also quite similar to GDPR, the biggest concern is that the government is exempt from the data collection regulations. In other words, the government may obtain data whenever it thinks that it is necessary. This is still a big dispute point in India.
- Non-personal data – Unlike American, European, and Brazilian policies, the Indian Personal Data Protection Bill also incorporates non-personal data activities. According to the bill, the government can request any business to share non-personal data (for example, mobility data).
- Potential Harm to AI Technologies – The bill’s severe limitations on data processing might hamper India’s innovations in the AI world.
The DIFC Data Protection Law has been put into effect mainly to satisfy the European Commission and the UK and enable the smoother transfer of personal data to the DIFC. The law was introduced in 2020 due to the rapid digitization of the leading Gulf states and the exponential rise in business with Europe. This newly introduced privacy law also resembles the GDPR, albeit with a few exceptions.
Key DIFC takeaways:
- Almost Identical to GDPR – The few exceptions lie in the penalty size, DPO appointment regulations, and some other nuances.
- International reach – As DIFC intended, the new law simplifies data transfer between the UAE and the European Union.
- Game Changer – The UAE is the second largest economy in the Arab world, so the DIFC law will positively impact the other countries in the Middle East.
[Infographic: Top 10 Data Privacy Laws – jurisdiction (e.g. State of California, State of New York) and affected sector (All Online Businesses, Finance and Banking) for each law, with emphasis on 3rd party security]
Third-Party Security is No Longer an Option
The rapid digitalization of online businesses across the globe has led governments to revise or replace their old privacy laws. But there’s more to it than that.
Third-party application security is no longer just a GDPR or CCPA requirement. As evident in the Data Privacy Law list, a huge emphasis is being put on third-party management and governance. Online businesses are now fully responsible for external applications running on their website and need to answer for any data breach that may occur due to supply chain or web skimming (Magecart) attacks.
Your third parties are boosting functionality and productivity. But what about the fourth-party dependencies? What about the security blind spots and compliance loopholes? Each set of laws has its own unique requirements, but third-party application security is no longer an option. Online businesses, regardless of their location, now need to map and monitor their third parties on an ongoing basis.