Privacy Laws by Country
Argentina’s Personal Data Protection Act of 2000 applies to any individual person or legal entity within the territory of Argentina that deals with personal data. Personal data includes any kind of information that relates to individuals, except for basic information such as name, occupation, date of birth, and address.
According to Argentina’s laws concerning privacy, it’s only legal to handle or process personal data if the subject has given prior informed consent. Informed consent means you must tell them the purpose for gathering the data, consequences of refusing to provide the data or providing inaccurate information, and their right to access, correct, and delete the data. Also, any individual can request deletion of their data at any time.
Privacy policies, according to Australian law, need to detail why and how you collect personal information, the consequences for not providing personal information, how individuals can access and correct their own information, and how individuals can complain about a breach of the principles.
Brazil passed the Brazilian Internet Act in 2014 which deals with policies on the collection, maintenance, treatment and use of personal data on the Internet.
Any Brazilian individual or legal entity must obtain someone’s prior consent before collecting their personal data online, in any way. Consent can’t be given by those under 16 years old, and those from 16 to 18 years old must have the assistance of their legal guardian to give consent. So, before collecting any information, be sure to ask whether the user is over 18 years of age.
Canada’s Personal Information Protection and Electronic Data Act (PIPEDA) governs how you can collect, store, and use information about users online in the course of commercial activity. According to the act, you must make information regarding your privacy policies publicly available to customers.
According to Chile’s Act on the Protection of Personal Data, passed in 1998, personal data can only be collected when authorized by the user. You also need to inform users of any sharing of information with third parties.
However, you don’t need to get authorization for basic information like a person’s name or date of birth, or if you’re only using the data internally to provide services or for statistical or pricing purposes.
Colombia’s Regulatory Decree 1377 states that you must inform users of the purpose their data will be used for, and you can’t use the data for any other purpose without obtaining consent.
Privacy policies must include a description of the purpose and methods for processing data, the users’ rights over their data and the procedures for exercising those rights, and identification of who is responsible for handling the data.
Act No. 101/2000 Coll., on the Protection of Personal Data governs how personal data is collected by anyone in the Czech Republic.
If you collect any kind of information relating to an identifiable person, you need to inform them of the purpose for collecting the data and the way it’s collected, and obtain their consent.
Denmark passed the Act on Processing of Personal Data in 2000. The Danish Data Protection Agency supervises and enforces the privacy laws. If they discover violations of the law, they can issue a ban or enforcement notice, or even report the violation to the police.
According to the law, personal data can only be collected if the user gives explicit consent. Also, a company can’t disclose personal information to third parties for the purpose of marketing without consent.
The Personal Data Protection Act of 2003 in Estonia states that personal data needs to be collected in an honest and legal way. You must obtain consent from users, inform them of the purpose of collecting their data, and only use it in that way.
The European Union Data Protection Directive of 1998 states that anyone processing personal data must do so in a fair and lawful manner. In order for the data collection to be considered lawful, data can only be collected for specified, explicit and legitimate purposes, and users must give unambiguous and explicit consent after being informed that data collection and processing is taking place. You must also inform them if you’re going to share their data with any third party.
The General Data Protection Regulation (GDPR) standardizes data protection law across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information (PII). It also extends the protection of personal data and data protection rights by giving control back to EU residents. GDPR replaces the 1995 EU Data Protection Directive, and goes into force on May 25, 2018. It also supersedes the 1998 UK Data Protection Act.
GDPR applies to all organizations holding and processing EU residents’ personal data, regardless of geographic location. Many organizations outside the EU are unaware that the GDPR applies to them as well. If an organization offers goods or services to, or monitors the behavior of, EU residents, it must meet GDPR compliance requirements.
Fines for noncompliance are large. They can be as high as €20 million or 4% of a company’s total global revenue, whichever is larger. This is the maximum fine that can be imposed for the most serious violations, e.g. not having sufficient customer consent to process data or violating core Privacy by Design concepts.
The Personal Data Act governs the processing of personal data gathered in Finland, where privacy is considered a basic right. Anyone who gathers personal data in Finland must have a clearly defined purpose for gathering the data, and may not use it for any other purpose.
Personal data can only be gathered after obtaining unambiguous consent from the user.
The controller of the collected data (the person or corporation collecting it) also needs to create a description of the data file, including their name and address and the purpose for collecting the data. This description needs to be made available to anyone.
There are also special restrictions that apply if you’re collecting data for the purpose of direct marketing or other personalized mailing related to marketing. Your database must be limited to basic information and contact information (no sensitive data can be collected).
The Data Protection Act (DPA) of 1978 (revised in 2004) is the main law protecting data privacy in France. The Postal and Electronics Communications Code also touches on the collection of personal data when it’s used for sending electronic messages.
The DPA applies to the collection of any information that can be used to identify a person, which is very broad in scope. The rules apply to anyone collecting data who is located in France or whose activities are carried out in an establishment in France (for example, if your hosting server or another service provider involved in collecting or processing the data is located in France). This is why the French Data Protection Authority was able to fine Google for violating French privacy laws.
Before automatically processing any kind of personal data, you must obtain the consent of the subject, and inform them of a number of things, including the purpose of the processing, the identity and address of the data controller, the time period the data will be kept, who can access the data, how the data is secured, etc.
In Germany, the Federal Data Protection Act of 2001 states that any collection of any kind of personal data (including computer IP addresses) is prohibited unless you get the express consent of the subject. You also have to get the data directly from the subject (it’s illegal to buy email lists from third parties, for example).
According to the act’s Principle of Transparency section, the subject must be informed of the collection of the data and its purpose. Once the data is collected for a specific purpose, you can’t use it for any other purpose without getting additional consent.
These laws apply to any collection of data on German soil, and the Federal Data Protection Agency and 16 separate state data protection agencies enforce them.
The Processing of Personal Data laws in Greece protect the rights of individuals’ privacy in regard to electronic communications.
The processing of personal data is only allowed in Greece if you obtain consent after notifying the user of the type of data and the purpose and extent of processing. Consent can be given by electronic means if you ensure that the user is completely aware of the consequences of giving consent. Also, they can withdraw consent at any time.
Hong Kong’s Personal Data Ordinance states that users must be informed of the purpose of any personal data collection, and the classes of persons the data may be transferred to (such as if you use any third-party services for processing data, like an email newsletter service).
The openness principle of the ordinance states that your personal data policies and practices must be made publicly available, including what kind of data you collect and how it’s used.
If you’re in violation of the Personal Data Ordinance, you could face fines up to HK$50,000 and up to 2 years in prison, and you could be sued by your users as well.
In Hungary, the privacy of personal data is protected by Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interests, whose main purpose is to ensure that individuals have control over their own data.
According to the act, you must obtain a person’s consent in order to handle their personal data. You can only collect data with an express purpose, and you must inform the user that handing over their personal data is voluntary.
If you violate the act, then your users may sue you, and you may be liable to pay for any damage you cause by mishandling their data.
Iceland has been called the ‘Switzerland of data’ for its strict privacy laws. The Data Protection Act of 2000 states that data must be obtained for specific purposes, and only after the subject has given unambiguous and informed consent.
In order to give consent, they must be made aware of the type of data collected, the purpose of the collection, how the data processing is conducted, how their data is protected, and that they can withdraw their consent at any time.
Not obeying the act could result in fines or even a prison term up to 3 years.
In Ireland, the privacy of personal data is regulated by the Data Protection Act 1988, including a 2003 amendment. There’s also the ePrivacy Regulations 2011 (S.I. 336 of 2011), which deals with electronic communication.
A privacy statement is a public document on a website that clearly and concisely declares how the organization applies the principles to how it collects personal data (including the use of browser cookies) through its website.
It’s a legal requirement for any organization in Ireland to have a public privacy statement on their website.
If your website collects any kind of personal information or tracks users with cookies, and you don’t have a privacy statement, you could be investigated by the Data Protection Commissioner and fined up to €100,000.
Italy’s Data Protection Code has strict rules for any kind of electronic marketing. According to the code, you must obtain a user’s consent before tracking them or using their data for advertising or marketing communications. You must provide users with specific information before collecting or processing their data, including the purpose and methods for processing the data and their individual rights under the law.
The Italian Data Protection Authority protects the rights of individuals regarding the privacy of their personal data. They can impose fines, such as the million-euro fine they threatened Google with for violating Italian privacy regulations.
In Japan, the Personal Information Protection Act protects the rights of individuals in regard to their personal data. The definition of personal data in the act is very broad, and even applies to information that could be found in a public directory.
The act states that you must describe as specifically as possible the purpose of the personal data you’re collecting. Also, in order to share the personal data with any third party (such as an email newsletter service) you must obtain prior consent.
The Personal Data Protection Law of Latvia applies to the processing of all kinds of personal data. It states that you may only process personal data after obtaining the consent of the user. When you collect personal data, you must inform them of specific information, including the purpose for collecting their data, any third parties that might have access to their data, and their individual rights to protect their own data under the law.
Lithuania’s Law on Legal Protection of Personal Data states that in order to collect and process any kind of personal information that can identify an individual, you must obtain clear consent from the individual first. Under the law, an agreement only counts as consent if the individual agrees to their data being used for a specific purpose known to them.
In Luxembourg, the Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data states that users must give informed consent before their data can be collected and processed. The user must be informed of your identity, your purpose for collecting their data, any third parties with access to their data, and their specific rights regarding their data.
Anyone in violation of the law could face prison time of between 8 days and 1 year and/or a fine of anywhere from 251 to 125,000 euros.
Malaysia’s Personal Data Protection Act 2010 protects any personal data collected in Malaysia from being misused. According to the act, you must obtain the consent of users before collecting their personal data or sharing it with any third parties. In order for their consent to be valid, you must give them written notice of the purpose for the data collection, their rights to request or correct their data, what class of third parties will have access to their data, and whether or not they’re required to share their data and the consequences if they don’t.
In Malta, the right to privacy is considered a fundamental human right, and is protected in part by the Data Protection Act of 2001. The act states that personal data can only be collected and processed for specific, explicitly stated and legitimate purposes, and that the user must give their informed and unambiguous consent before it’s collected. For their consent to be valid, you must inform them of your identity and residence, the purpose of the data collection, any other recipients of the data, whether their participation is required or voluntary, and their applicable rights to access, correct, or erase the data.
Morocco’s Data Protection Act defines personal data as any information of any nature that can identify an individual person. In order to collect or process any personal data, it needs to be for a specific purpose, and you must obtain the express consent of the user before you collect it, unless the data was already made public by that individual.
For their consent to be valid, you need to inform the person of your identity, the purpose of the data collection, and their rights regarding their own data.
The National Commission for the Protection of Personal Data, established in 2010, conducts investigation and inquiries related to privacy laws. Breaking the law can be punishable by fines or even imprisonment.
In the Netherlands, the Dutch Personal Data Protection Act states that you must obtain the unambiguous consent of the user before collecting or processing any information that personally identifies them.
According to New Zealand’s Privacy Act of 1993, you must collect any non-public personal information directly from the individual, and make sure they’re aware of your name and address, the purpose for the data collection, any recipients of that data, whether the collection is required by law or optional, and their rights regarding their own data.
Any user may make a complaint and possibly trigger an investigation into whether you’re following the law when collecting their personal data.
Norway’s Personal Data Act states that personal data can only be collected after obtaining the consent of the user. Before asking for consent, you need to inform them of your name and address, the purpose of the data collection, whether the data will be disclosed to third parties and their identities, the fact that their participation is voluntary, and their rights under the law.
The Philippines is known for having “one of the toughest data privacy legislations in the region.” In the Philippines, anyone who collects personal data needs to get specific and informed consent from the user first. You must declare the purpose of the data processing before you begin to collect it (or as soon as reasonably possible after).
Under Republic Act No. 10173, individuals have the right to know your identity, what personal data you’re collecting and for what purpose, how it’s being processed, who it’s being disclosed to, and all their rights regarding their own data.
Poland’s Act on the Protection of Personal Data, passed in 1997, states that the processing of data is only permitted if the data subject has given their consent. You’re also obliged to provide your name and address, the purpose of the data collection, any other recipients of the data, the subject’s rights, and whether participation is required or voluntary.
According to Portugal’s Act on the Protection of Personal Data, the processing of data needs to be carried out in a transparent manner, respecting the privacy of your users. Personal data can only be collected for specific and legitimate purposes, and only after obtaining the unambiguous consent of the user. You must also provide the user with specific information including your identity, the purpose of the data processing, any other recipients of the data, etc.
In Romania, the law states that you must inform users of their rights when collecting any kind of personal data, including their name. You also need to obtain their “express and unequivocal consent” beforehand.
In Singapore, personal data is protected under the Personal Data Protection Act. According to the act, you may only collect personal data with the consent of the individual, and the individual must be informed of the purpose for the data collection.
Slovenia’s Personal Data Protection Act states that you must obtain the informed consent of an individual before collecting or processing their personal data. In order for their consent to be valid, you need to inform them of your identity and the purpose of the data collection. You also need to inform them of any other information necessary to ensure that their data is being processed in a lawful and fair manner.
South Africa’s Electronic Communications and Transactions Act applies to any personal data collected through electronic transactions, such as through a website. The act sets out nine principles that you must agree to in order to collect any personal data, and also requires that you disclose in writing to the subject the specific purpose of the data collection, and obtain their express consent before collecting their data.
In South Korea, the Act on Promotion of Information and Communications Network Utilization and Data Protection states that any information and communications service provider needs to obtain the consent of the user before collecting personal information. In order for the consent to be valid, you must provide the user with specific information including your name and contact information, the purpose of the data collection, and the user’s rights concerning their own data.
The Framework Act on Telecommunications provides the definition of “information and communications service providers” as “services that mediate a third party’s communication through the telecommunications facilities and equipment or to provide the telecommunications facilities and equipment for the third party’s telecommunications.”
In Spain, the protection of personal data is regarded as a constitutional right. In order to collect any personal data, you need to provide the user with “fair processing information” including your identity and address, the purpose of the data processing, their rights under the law, whether participation is voluntary or mandatory, and any consequences for not providing their personal data.
Switzerland’s Federal Act on Data Protection states that any personal data collection or processing must be done in good faith, and that it needs to be evident to the user, especially the purpose of the data collection. In other words, you must inform the user that you’re collecting their personal data, and why. Personal data is defined as “all information relating to an identified or identifiable person.”
In Sweden, the Personal Data Act protects the privacy of personally identifying information, which it loosely defines as any data that, directly or indirectly, is referable to a live person. It states that users are entitled to information concerning processing of their personal data, and that they must give consent before you can collect their data. Consent must be informed, voluntary, specific, and unambiguous. Anyone who violates the act may be liable to pay fines or even sentenced to criminal penalties.
The Computer-Processed Personal Data Protection Law in Taiwan relates to specific kinds of personal data, including an individual’s name, date of birth, “social activities,” and any other data that can identify that individual. Data collection needs to be in good faith and in consideration of individuals’ rights. Any organization that collects personal data must publish a document that includes specific information including their name and address, the purpose and methods for the data collection, and any other recipients of the data.
New York Cyber Regulations (23 NYCRR 500)
The NY DFS Cybersecurity Regulation (23 NYCRR 500) is a new set of regulations from the NY Department of Financial Services (NYDFS) that places new cybersecurity requirements on all covered financial institutions. The rules were released on February 16th, 2017 after two rounds of feedback from industry and the public. These regulations acknowledge the ever-growing threat posed to financial systems by cyber criminals, and are designed to ensure businesses effectively protect their customers’ confidential information from cyber attacks. This includes conducting regular security risk assessments, keeping audit trails of asset use, providing defensive infrastructures, maintaining policies and procedures for cyber security, and creating an incident response plan.
California Consumer Privacy Act of 2018 (AB 375)
AB 375 allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.
All companies that serve California residents and have at least $25 million in annual revenue must comply with the law. In addition, companies of any size that have personal data on at least 50,000 people or that collect more than half of their revenues from the sale of personal data, also fall under the law. Companies don’t have to be based in California or have a physical presence there to fall under the law. They don’t even have to be based in the United States.
The law goes into effect on January 1, 2020. As a practical matter, companies need to have their data tracking systems in place by the start of 2019, since it gives consumers the right to request all the data a company has collected on them over the previous 12 months.
Companies have 30 days to comply with the law once regulators notify them of a violation. If the issue isn’t resolved, there’s a fine of up to $7,500 per record.
Colorado Data Destruction Law (HB 18-1128)
Colorado enacted HB 18-1128, which took effect on September 1, 2018. Among other provisions, the bill (1) amends the state’s data breach notification law to require notice to affected Colorado residents and the Colorado Attorney General within 30 days of determining that a security breach occurred, imposes content requirements for the notice to residents, and expands the definition of personal information; (2) establishes data security requirements applicable to businesses and their third-party service providers; and (3) amends the state’s law regarding disposal of personal identifying information.
The Data Protection Act requires fair processing of personal data, which means that you must be transparent about why you’re collecting personal data and how you’re going to use it. The law also states that if you use browser cookies, you need to clearly explain what they do and why you’re using them, and gain the informed consent of your users.