Privacy Laws in 2024 You Need to Lookout For

Contributors

Anas Baig

Product Marketing Manager at Securiti

Omer Imran Malik

Senior Data Privacy Consultant at Securiti

FIP, CIPT, CIPM, CIPP/US

As digital environments progress, so do the regulations safeguarding personal data. In 2024, organizations and individuals must navigate an evolving landscape of privacy legislation as new regulations arise globally and current frameworks undergo substantial revisions.

This blog emphasizes key privacy legislation to monitor this year, providing insights into maintaining compliance and protecting sensitive data in a progressively regulated environment.

Texas Data Privacy and Security Act (TDPSA)

Overview

Texas Data Privacy and Security Act (TDPSA) is a comprehensive data privacy law that grants Texas residents some key rights over their personal data. The act regulates the collection, use, processing, and treatment of consumers’ personal data by certain business entities. It grants specific rights to consumers to confirm whether an entity processes their personal data, to access it, to correct inaccuracies in the data, and to opt out of the processing of their personal data for certain purposes. Furthermore, it imposes duties on entities subject to compliance with the law to limit the collection of personal data, to provide notice about information collected, and to respond to consumer requests for access and correction of information, among other responsibilities.

Date of Enactment

The Texas Legislature passed House Bill 4 on May 28, 2023, and the Texas Data Privacy and Security Act (TDPSA) was signed into law on June 18, 2023. The TDPSA took effect on July 1, 2024. The provisions related to consumers’ ability to direct a third party to opt out on their behalf became effective on January 1, 2025.

Covered Entities

The law applies only to a person who:

  • Conducts business in Texas or produces a product or service consumed by Texas residents;
  • Processes or engages in the sale of personal data; and
  • Is not a small business as defined by the United States Small Business Administration, except to the extent that Section 541.107 of the TDPSA applies to a person described by this subdivision.

Data Privacy Rights

Under the Texas Data Privacy and Security Act, consumers are entitled to exercise the following consumer rights granted to them under the law:

  • Right to confirm whether a controller is processing consumer’s personal data and to access the personal data;
  • Right to correct inaccuracies in consumer’s personal data, taking into account the nature of personal data and purposes of the processing of consumer’s personal data;
  • Right to delete personal data provided by or obtained about the consumer;
  • Right to obtain a copy of consumer’s personal data, available in digital format, that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance; and
  • Right to opt out of the processing of personal data for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

Regulatory Authority

The Texas Attorney General has the enforcement authority under the Texas Data Privacy and Security Act.

Privacy Rights Violations

Under Section 541.155, a person who violates a provision of the Texas Data Privacy and Security Act after the thirty (30) day cure period, as mentioned in Section 154.154, or who breaches the written statement provided to the attorney general under the same section, is liable for a civil penalty of not more than $7,500 for each violation.

The Attorney General may bring the following actions in the name of the state:

  • Recover civil penalty;
  • Restrain or enjoin the person from violating TDPSA;
  • Recover civil penalty and seek injunctive relief; and
  • Recover reasonable attorney’s fees and other reasonable expenses incurred in investigating and bringing the action.

However, consumers protected by TDPSA are not granted a private right of action for the violation of this law.

Exemptions

Texas Data Privacy and Security Act does not apply to the following entities:

  • A state agency or a political subdivision of the state;
  • A financial institution or data subject to Title V, Gramm-Leach-Bliley Act;
  • A covered entity or business governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.) and the Health Information Technology for Economic and Clinical Health Act (Division A, Title XIII, and Division B, Title IV, Pub. L. No. 111-5);
  • A non-profit organization;
  • An institution of higher education; and
  • An electric utility, a power generation company, or a retail electric provider, as defined by Section 31.002 of the Utilities Code.

The provisions of the Texas Data Privacy and Security Act do not apply to the processing of personal data by a person in the course of a purely personal or household activity.

Furthermore, the following information is exempt from the provisions of the Texas Data Privacy and Security Act:

  • Protected health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
  • Health records;
  • Patient-identifying information;
  • Identifiable private information for research, health improvement and patient safety purposes;
  • Information and documents created for the purposes of the Healthcare Quality Improvement Act of 1986;
  • Patient safety work product for the purposes of the Patient Safety and Quality Improvement Act of 2005;
  • Information derived from any of the healthcare-related information that is de-identified in accordance with the de-identification requirements under the Health Insurance Portability and Accountability Act of 1996;
  • Information collected or used only for public health activities and purposes as authorized by the Health Insurance Portability and Accountability Act of 1996;
  • Personal data subject to the Fair Credit Reporting Act (FCRA);
  • Personal data collected, processed, sold, or disclosed in compliance with Driver’s Privacy Protection Act of 1994;
  • Personal data regulated by the Family Educational Rights and Privacy Act of 1974;
  • Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act of 1971;
  • Data processed or maintained as the emergency contact information of an individual; and
  • Personal data processed in the employment context.

Facts

  • TDPSA requires the controller to respond to the consumer’s request without undue delay, which may not be later than forty-five (45) days after receiving the request. However, based on the complexity and number of consumer requests, the controller may extend the response period by an additional forty-five days, so long as the controller informs the consumer of the reason for such an extension.
  • TDPSA considers any provision of a contract or agreement limiting the rights of consumers in any way to be void and contrary to public policy.
  • A consumer may designate another person to serve as the consumer’s authorized agent and act on the consumer’s behalf to opt out of the processing of the consumer’s personal data.
  • TDPSA prohibits the controller from processing the sensitive data of a consumer without obtaining the consumer’s consent.
  • Under TDPSA, a controller is required to provide consumers with a reasonably accessible and clear privacy notice that highlights information such as the categories of personal data processed by the controller, the purpose of processing, how consumers may exercise their rights, and the categories of personal data that the controller shares with third parties.

Learn more about the Texas Data Privacy and Security Act (TDPSA).

Oregon Consumer Privacy Act (OCPA)

Overview

Oregon Consumer Privacy Act (OCPA), or Senate Bill 619 (SB 619), is an addition to US state privacy laws. It is modeled after other state privacy laws, including the Connecticut Data Privacy Act (CDPA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Utah Consumer Privacy Act (UCPA), and the California Consumer Privacy Act (CCPA).

Date of Enactment

Governor Tina Kotek signed the OCPA on June 22, 2023, and it took effect on July 1, 2024. The law does not exempt not-for-profit organizations, but they have until July 1, 2025, to comply.

Covered Entities

The Act applies to any person who conducts business in Oregon or offers goods and services targeted to the state's residents. To be covered by the OCPA, such an organization must also meet at least one of the following thresholds:

  1. The business controls or processes the personal data of at least 100,000 consumers. However, this does not include personal data that is solely processed for payment transactions;
  2. The business controls and processes the personal data of at least 25,000 consumers and derives 25% or more of its gross revenue from the sale of personal information that it collects or processes.

Data Privacy Rights

The OCPA grants consumers the following data privacy rights:

  • Right to confirm whether personal data is being processed and to access that personal data;
  • Right to correct personal data;
  • Right to delete personal data;
  • Right to opt out of targeted advertising, sale of personal data, and automated profiling; and
  • Right to data portability.

Regulatory Authority

The state's Attorney General will act as the sole authority to enforce the OCPA provisions and impose penalties or fines of up to $7,500 per willful violation.

Privacy Rights Violations

The OCPA provides a 30-day cure period to businesses that are engaged in or found to be violating OCPA provisions. However, if any business fails to remediate any violations within the notice or cure period, the AG may bring the action without further notice.

Exemptions

The law does not apply to the following entities:

  • Public bodies/corporations;
  • Financial institutions, their affiliates, or their subsidiaries that are only and directly engaged in financial activities, as described in 12 U.S.C. 1843(k);
  • An insurer, as defined in ORS 731.106;
  • An insurance producer, as defined in ORS 731.104;
  • An insurance consultant, as defined in ORS 744.602;
  • A person who holds a third-party administrator license issued under ORS 744.710; and
  • A nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance.

Exempt Data

The law also does not apply to the following types of data:

  • Data covered under medical laws: Protected health information processed in accordance with HIPAA or other federal or state medical laws;
  • Personal data used for research: Identifiable private information collected, used or shared in research conducted in accordance with applicable laws;
  • GLBA data: Personal data collected, processed, sold, or disclosed in compliance with the Gramm-Leach-Bliley Act;
  • Driver data: Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994;
  • FERPA data: Personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA);
  • ADA data: Personal data collected, processed, sold, or disclosed in relation to price, route, or service under the Airline Deregulation Act (ADA), to the extent the provisions of OCPA are preempted by ADA; and
  • Employment data: Personal data maintained for employment records.

Exempt Activities

The law also does not apply to the following activities:

  • Any activity that involves collecting, maintaining, disclosing, selling, communicating, or using information, if done strictly in accordance with the provisions of the federal Fair Credit Reporting Act (FCRA), by:
    • A consumer reporting agency;
    • A person who furnishes information to a consumer reporting agency; or
    • A person who uses a consumer report.
  • Non-commercial activity of:
    • A publisher, editor, reporter or other person who is connected with or employed by a newspaper, magazine, periodical, newsletter, pamphlet, report or other publication in general circulation;
    • A radio or television station that holds a license issued by the Federal Communications Commission;
    • A nonprofit organization that provides programming to radio or television networks; or
    • An entity that provides an information service, including a press association or wire service.

Facts

  • The OCPA provides detailed provisions for conducting data protection assessments to identify and remediate “heightened risks”.
  • Businesses compliant with verifiable parental consent requirements of COPPA shall be deemed compliant with parental consent obligations under OCPA.
  • Consumers can designate an authorized agent to act on their behalf to opt out of processing their personal data, and the data controllers must comply with a request from such a designated agent.
  • Data controllers should process the sensitive personal data of children in accordance with COPPA.
  • OCPA requires businesses to provide clear, concise, and easily accessible privacy notices and conduct data protection assessments where processing poses significant harm to consumers.
  • OCPA stipulates that there should be an agreement between a controller and a processor governing the processor's data processing procedures.

Learn more about the Oregon Consumer Privacy Act (OCPA).

Florida Digital Bill of Rights (FDBR)

Overview

The Florida Digital Bill of Rights (FDBR), or Senate Bill 262, is an addition to the US state privacy laws, making Florida one of the US states with a comprehensive data privacy law. The FDBR is modeled after other state privacy laws, including the Connecticut Data Privacy Act (CDPA) and the Virginia Consumer Data Protection Act (VCDPA).

Date of Enactment

FDBR was signed by Florida’s Governor Ron DeSantis on June 6, 2023, and is set to take effect on July 1, 2024.

Covered Entities

The FDBR applies to any person that:

  1. conducts business in Florida or offers goods and services targeted to the state's residents, and
  2. processes or engages in the sale of personal data.

A business, including a sole proprietorship, partnership, limited liability company, corporation, association, or legal entity, is a ‘controller’ and subject to most of the obligations under the FDBR if it:

  • Is organized or operated for the profit or financial benefit of its shareholders or owners;
  • Conducts business in the state;
  • Collects personal data about consumers, or is the entity on behalf of which such information is collected;
  • Determines the purposes and means of processing personal data about consumers alone or jointly with others;
  • Makes more than $1 billion in global gross annual revenues; and
  • Meets at least one of the following:
    • Derives 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online;
    • Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. This excludes a motor vehicle or speaker or device associated with or connected to a vehicle that is operated by a motor vehicle manufacturer or a subsidiary or affiliate thereof; or
    • Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.

Data Privacy Rights

The FDBR provides the following data privacy rights to consumers:

  • Right to confirm processing and access to personal data;
  • Right to correct personal data;
  • Right to delete personal data;
  • Right to data portability; and
  • Right to opt out of targeted advertising, sale of personal data, automated profiling, the collection or processing of sensitive data (including precise geolocation data), and the collection of personal data through the operation of a voice recognition or facial recognition feature.

Regulatory Authority

The Department of Legal Affairs (DLA) has the sole authority to enforce the FDBR provisions and impose civil penalties of up to $50,000 per violation. Civil penalties may be tripled for any of the following violations:

  • A violation involving a Florida consumer who is a known child. A controller that willfully disregards the consumer’s age is deemed to have actual knowledge of the consumer’s age.
  • Failure to delete or correct the consumer’s personal data after receiving an authenticated consumer request or directions from a controller to delete or correct such personal data, unless an exception applies to the requirements to delete or correct such personal data.
  • Continuing to sell or share the consumer’s personal data after the consumer chooses to opt-out.

Privacy Rights Violations

If the DLA has reason to believe that a person is in violation of the FDBR, the department may notify the person of the violation and may bring an action against such person for an unfair or deceptive act or practice.

After the DLA has notified a person in writing of an alleged violation, the DLA may grant a 45-day period to cure the alleged violation; however, no cure period is granted for the violations involving a Florida consumer who is a known child. If the alleged violation is cured to the satisfaction of the DLA and proof of such cure is provided to the DLA, the DLA may not bring an action for the alleged violation but, at its discretion, may issue a letter of guidance that indicates that the person will not be offered a 45-day cure period for any future violations. However, if the person fails to cure the alleged violation within 45 calendar days, the department may bring an action on behalf of a consumer against such person for the alleged violation.

Exemptions

The law does not apply to:

  • a state agency or a political subdivision of Florida;
  • a financial institution subject to Title V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.);
  • a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services (HHS), established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH);
  • a nonprofit organization;
  • a postsecondary educational institution; and
  • the processing of personal data:
    • By a person in the course of a purely personal or household activity; and
    • Solely for measuring or reporting advertising performance, reach or frequency.

The following information is also exempt from the application of the FDBR:

  • Medical data covered under any medical laws: Many forms of health information, records, data, and documents protected and covered under HIPAA or other federal or state medical/healthcare laws;
  • Personal data used for research: Identifiable private information collected, used, or shared in research conducted in accordance with applicable laws;
  • FCRA-covered data: Any personal information of consumers collected or used for consumer credit scoring and reporting, to the extent the activity is authorized and regulated by the federal Fair Credit Reporting Act (FCRA);
  • GLBA data: Financial data subject to Title V of the federal Gramm-Leach-Bliley Act;
  • Driver data: Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994;
  • FERPA data: Personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA);
  • FCA data: Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (FCA);
  • Employment data: Personal data maintained for employment records;
  • ADA data: Personal data collected, processed, sold, or disclosed in relation to price, route, or service as those terms are used in the Airline Deregulation Act (ADA), 49 U.S.C. ss. 40101 et seq., by entities subject to that act, to the extent the provisions of FDBR are preempted by 49 U.S.C. s. 41713;
  • Personal data used for payment: Personal data collected and transmitted which is necessary for the sole purpose of sharing such personal data with a financial service provider solely to facilitate short-term, transactional payment processing for the purchase of products or services; and
  • Personal data shared between a manufacturer and distributors: Personal data shared between a manufacturer of a tangible product and authorized third-party distributors or vendors of the product, as long as such personal data is used solely for advertising, marketing, or servicing the product that is acquired directly through such manufacturer and such authorized third-party distributors or vendors.

Facts

  • The FDBR provides a detailed set of provisions for conducting data protection assessment to identify and remediate “heightened risks”;
  • Businesses compliant with verifiable parental consent requirements of COPPA shall be deemed compliant with parental consent obligations under FDBR;
  • Data controllers should process the sensitive personal data of children in accordance with COPPA;
  • FDBR requires businesses to provide a clear, concise, and easily accessible privacy notice and conduct data protection assessment where processing poses significant harm to consumers;
  • FDBR stipulates that there should be an agreement between a controller and a processor governing the processor's data processing procedures.

Learn more about the Florida Digital Bill of Rights (FDBR).

Montana Consumer Data Privacy Act (MCDPA)

Overview

The Montana Consumer Data Privacy Act (MCDPA) aims to enhance the protection of consumer data and ensure that data handling practices are both secure and appropriate. Thus, like the California Privacy Rights Act and other US state data protection laws, it introduces administrative, technical, and physical security measures.

Date of Enactment

Senate Bill No. 384, establishing the MCDPA, was signed by the Montana Governor on May 19, 2023, and took effect on October 1, 2024. However, some provisions allow compliance until January 1, 2024. Moreover, the MCDPA also includes a preliminary grace period for entities found in violation, which concludes on April 1, 2026.

Covered Entities

The MCDPA applies to entities that conduct business in Montana or offer products and services to Montana residents. It specifically covers those entities that handle personal data of not less than 50,000 consumers, excluding data used solely for payment transactions. Alternatively, it applies to entities managing personal data of not less than 25,000 consumers if more than 25% of their gross revenue comes from selling consumer data.

Data Privacy Rights

A consumer is entitled to the following rights:

  • Right to access their personal data unless access would disclose a trade secret;
  • Right to correct any inaccuracies in their personal data;
  • Right to request the deletion of their personal data;
  • Right to data portability provided that no trade secrets are revealed; and
  • Right to opt out of the processing of their personal data for the following purposes:
    • Targeted advertising;
    • The sale of their personal data, with special conditions attached to consumers below 16 years; and
    • Profiling that leads to automated decision-making with significant legal or similar effects on the consumer.

Regulatory Authority

The Office of the Attorney General is the regulatory authority and is given the power to enforce violations under the MCDPA. When the attorney general becomes aware of a violation, it must notify the controller before taking action or imposing any penalty. The controller then has a 60-day cure period to provide an express written notice to the attorney general that includes evidence that the controller has corrected the violations and has taken reasonable measures to ensure similar violations do not occur in the future. However, this cure provision terminates on April 1, 2026. Moreover, the attorney general’s office may also require data protection impact assessments to be conducted and may evaluate them. Additionally, it reviews complaints by data subjects whose requests have been refused and whose appeals have been denied.

Privacy Rights Violations

Unlike most other US state laws regarding data privacy, the MCDPA does not specify penalty amounts for violations.

Exemptions

Entities that are not covered by the MCDPA include state agencies, nonprofit organizations, institutions of higher education, national securities associations, financial institutions, and those regulated under HIPAA. Moreover, there are also classes of data that are excluded subject to applicable laws and conditions. These include protected health information, patient-identifying information, personal data used for research, healthcare quality improvement information, and public health data. Additionally, credit information, driver’s privacy data, educational records, and employment data are excluded. Data overseen by the Family Educational Rights and Privacy Act, Fair Credit Reporting Act, Airline Deregulation Act, or the federal Farm Credit Act is also excluded.

Entities that comply with the Children's Online Privacy Protection Act are also considered to meet related parental consent requirements and are exempted from complying with the MCDPA.

Facts

  • Controllers must conduct Data Protection Assessments (DPA) for high-risk data processing activities, starting January 1, 2025.
  • Consumers must be able to revoke consent for data processing, with controllers required to cease processing within 45 days of revocation. Controllers must also obtain express consent for processing data beyond the original purpose.
  • Controllers must provide a clear privacy notice detailing data processing practices, including data categories, purposes, third parties involved, and contact information for rights exercise.
  • Processors must assist controllers in meeting their obligations specified in the MCDPA. They are also required to adhere to contracts detailing data processing terms, including confidentiality, data return or deletion, and compliance assessments.

Learn more about the Montana Consumer Data Privacy Act (MCDPA).

Indonesia Personal Data Protection Law (PDPL)

Overview

The main legislation overseeing personal data protection in Indonesia is Law No. 27 of 2022, also known as the Personal Data Protection Law (PDPL). It outlines specific standards for handling personal data, requiring informed consent and transparency in data processing operations. Moreover, it introduces obligations for data controllers, establishes data subject rights, and mandates the implementation of security measures to protect personal data.

Date of Enactment

The PDPL was ratified on September 20, 2022, and enacted on October 17, 2023. However, organizations processing personal data have a two-year grace period until October 17, 2024, to comply with its provisions.

Covered Entities

The Indonesia PDPL applies to individuals, private and public bodies, entities, and international organizations located inside or outside Indonesia, processing personal data that can have legal implications:

  • within Indonesia; and
  • on Indonesian citizens, whether inside or outside of the country.

Data Privacy Rights

The PDPL covers the following rights:

  • The right to obtain information;
  • The right to access the individual’s personal data, with the option to request a copy;
  • The right to correct inaccuracies in personal data;
  • The right to end processing or to delete personal data;
  • The right to restrict or limit data processing in proportion to the purpose of data processing;
  • The right to withdraw consent;
  • The right to object to automated decision-making;
  • The right to data portability; and
  • The right to seek legal recourse and compensation for breaches.

Regulatory Authority

The PDPL requires the government to establish an agency to implement the PDPL. However, Indonesia does not yet have such a regulatory authority for the PDPL, and the Ministry of Communication and Informatics (MOCI) primarily enforces data protection laws concerning electronically held data. Once an agency is established under the PDPL, it will be responsible for:

  • Developing and enforcing data protection policies;
  • Conducting investigations, monitoring compliance, and imposing fines;
  • Supporting law enforcement and collaborating internationally;
  • Regulating international data transfers and handling complaints; and
  • Conducting investigations and facilitating settlements.

Privacy Rights Violations

The Indonesian PDPL imposes strict penalties for unlawful handling of personal data. Individual offenders may face:

  • Fines of up to 5 billion rupiahs and/or up to 5 years in prison for unlawfully obtaining personal data with the intent to benefit oneself or another, which may harm the data subject.
  • Fines of up to 4 billion rupiahs and/or up to 4 years in prison for disclosing personal data without consent with the intent to benefit oneself or another, which may harm the data subject.
  • Fines of up to 5 billion rupiahs and/or up to 5 years in prison for using personal data with the intent to benefit oneself or another, which may harm the data subject.
  • Fines of up to 6 billion rupiahs and/or up to 6 years in prison for falsifying personal data to benefit oneself or others, which may harm others.

If a corporation commits a violation, it can be fined up to ten times the maximum fine for individuals. Additional penalties may include asset confiscation, business freezing, operational prohibitions, closure of premises, compensation payments, permit revocation, or dissolution. Moreover, administrative sanctions include warnings, temporary suspensions, data deletions, and fines of up to 2% of annual revenue, as determined by the regulatory authority.

Exemptions

The PDPL does not apply to the processing of personal data by natural persons in private or household activities.

Facts

  • The PDPL requires organizations to establish a lawful basis for processing personal data, including consent, fulfilling contracts and legal obligations, protecting vital interests and legitimate interests, or carrying out public services and statutory duties.
  • Organizations must notify affected individuals and the data protection authority of data breaches within three days, including details about the breach and measures taken to mitigate its effects.
  • Under the PDPL, consent must be sought explicitly and should be freely given, informed, and specific.
  • Organizations that manage large amounts of personal data or handle certain types of personal data, as defined by the PDPL, must designate a Data Protection Officer (DPO). The DPO oversees data protection measures and ensures adherence to the PDPL.
  • The PDPL imposes requirements on cross-border data transfers, necessitating that organizations verify that the recipient country has data protection laws that are at least equal to those of the PDPL. If such a regulation is not in place, the data controller must ensure that adequate and binding data protection measures are present. In the absence of such safeguards, the data controller must obtain consent from the relevant data subject.

Learn more about the Indonesia Personal Data Protection Law (PDPL).

India Digital Personal Data Protection Act (DPDPA)

Overview

The Digital Personal Data Protection Act (DPDPA) of 2023, enacted in India on August 11, 2023, represents the country's first comprehensive data protection law. The DPDPA introduces a robust framework for safeguarding personal data in a rapidly digitized world.

Much like the EU’s GDPR, the DPDPA provides individuals with rights over their data and imposes obligations on businesses to ensure compliance. By aligning with global standards while catering to the unique needs of Indian society, the DPDPA aims to create a secure data environment, essential for avoiding penalties and ensuring successful data management.

Date of Enactment

While the Act was published in the Official Gazette on August 11, 2023, no official implementation date has been announced. Although the Act is not yet in force, the Indian government plans to release the final draft of its supplementary rules by late August 2024. Full implementation of the Act is expected to follow the release of those rules.

Covered Entities

The DPDPA applies to data fiduciaries—individuals or organizations that determine the purpose and means of processing personal data—if they process digital personal data within India. This also extends to processing activities related to providing goods or services to individuals in India, regardless of whether the processing occurs inside or outside the country.

Data Privacy Rights

The DPDPA provides the following rights:

  1. Right to Access
  2. Right to Rectification
  3. Right to Erasure
  4. Right to Grievance Redressal
  5. Right to Nominate

Regulatory Authority

The Data Protection Board of India will serve as the regulatory authority under the Central Government. The Board’s responsibilities include:

  • Investigating complaints related to data protection violations;
  • Levying fines and issuing orders after giving affected parties a fair hearing;
  • Recommending, in order to safeguard the public interest, restrictions on public access to a data fiduciary’s information where the fiduciary has been fined repeatedly;
  • Exercising civil court powers such as summoning witnesses, reviewing records, and examining evidence;
  • Issuing temporary orders during ongoing investigations;
  • Advising the Central Government on further actions or closing proceedings based on investigation outcomes.

Privacy Rights Violation

Under the DPDPA, fines may be imposed for various violations, including:

  • Up to ₹250 crore ($3 million) for failing to implement adequate safeguards to prevent data breaches;
  • Up to ₹200 crore ($2.4 million) for failing to notify the Data Protection Board or affected data principals about a breach;
  • Up to ₹200 crore ($2.4 million) for non-compliance with duties related to children’s data protection;
  • Up to ₹150 crore ($1.8 million) for failing to comply with the obligations of significant data fiduciaries;
  • ₹10,000 ($120) for smaller violations;
  • Additional fines of up to ₹50 crore ($6 million) for breaches of the DPDPA or its regulations;
  • Penalties, which are scaled based on the severity of the violation, also apply to violations of voluntary commitments approved by the Board.

Exemptions

Under the DPDPA, the following types of personal data processing are exempt from its application:

  • Personal data processed by an individual for personal or domestic purposes;
  • Personal data made publicly available by:
    • The data principal to whom the data relates; or
    • Any other person who is legally required to make such personal data public under applicable laws in India.

Facts

  1. Significant Data Fiduciaries (SDFs), designated based on data volume, sensitivity, and national interest risks, must appoint a Data Protection Officer (DPO) based in India and conduct periodic Data Protection Impact Assessments (DPIAs).
  2. The DPDPA introduces guardianship to protect the personal data of vulnerable groups, such as children and individuals with disabilities, assigning this responsibility to parents or lawful guardians.
  3. The DPDPA mandates that data fiduciaries report all personal data breaches to both the affected individuals and the Data Protection Board (DPB), differing from the GDPR’s risk-based reporting approach.
  4. The DPDPA restricts data transfers only to countries approved by the Indian government without providing for transfer mechanisms.
  5. The DPDPA simplifies regulations by not categorizing data as sensitive, which may streamline compliance but could overlook risks associated with certain types of data.

Saudi Arabia Personal Data Protection Law (PDPL)

Overview

The Personal Data Protection Law (PDPL) was passed by the Council of Ministers of Saudi Arabia in September 2021. The Implementing Regulations of the Personal Data Protection Law and the Regulation on Personal Data Transfer outside of Saudi Arabia were introduced by the Saudi Authority for Data and Artificial Intelligence (SDAIA) in order to support the PDPL.

The purpose of the PDPL and its implementing regulations is to protect individual privacy by controlling how organizations collect, use, disclose, and otherwise process personal data. The Implementing Regulations set out in additional detail the main responsibilities that data controllers bear when processing personal data under the PDPL.

Date of Enactment

The law came into force on 14 September 2023. However, organizations were given a one-year grace period, until 14 September 2024.

Covered Entities

The PDPL applies to public or private organizations that process personal data related to individuals in Saudi Arabia. It also applies to foreign organizations that process personal data related to individuals residing in Saudi Arabia.

Data Privacy Rights

Article 4 of the PDPL lists the following data privacy rights:

  1. Right to Information
  2. Right to Access
  3. Right to Rectification
  4. Right to Erasure
  5. Right to Data Portability

Regulatory Authority

Saudi Data & Artificial Intelligence Authority (SDAIA) will be the main regulatory authority under the PDPL and ensure its enforcement for the first two years. In late 2024, a transfer of supervision to the National Data Management Office (NDMO) will be considered.

  • The SDAIA may request necessary documents or information from data controllers to verify compliance with the PDPL and its regulations.
  • The SDAIA can request cooperation from other parties to support its supervisory duties and the enforcement of the law.
  • SDAIA also has the authority to specify appropriate tools and mechanisms for monitoring data controllers' compliance, including maintaining a national register of data controllers.
  • Additionally, SDAIA may offer personal data protection services through the national register or other means and may collect fees for such services.
  • SDAIA can delegate specific supervisory or enforcement duties to other authorities as deemed necessary.
  • The SDAIA establishes requirements for commercial, professional, or non-profit activities related to personal data protection in coordination with relevant authorities.
  • It may also grant licenses to entities that issue accreditation certificates to data controllers and processors, setting rules for their issuance.
  • The SDAIA has the authority to grant licenses to entities conducting audits of personal data processing activities, establishing conditions and criteria for these licenses.
  • SDAIA will specify tools and mechanisms to monitor compliance by data controllers and processors outside the Kingdom regarding their obligations under the PDPL.
  • It is responsible for overseeing lawsuits arising from the implementation of the PDPL and may impose prescribed penalties.

Privacy Rights Violation

Under the KSA PDPL, violations may lead to the following penalties:

  • Imprisonment for up to 2 years, a fine up to SAR 3 million, or both, for unlawful disclosure or misuse of sensitive data with malicious intent;
  • A maximum fine of SAR 5 million for other violations, which may double for repeat offenses;
  • Individuals may file a private lawsuit to recover damages caused by data breaches;
  • The SDAIA has the right to publish punishment rulings at the violator's expense, especially in cases with significant consequences.

Exemptions

Under KSA’s PDPL, certain personal data processing activities are exempt from its application. These include:

  • Personal data processing for personal or family use, where:
    • The data is processed within the individual’s family or limited social circle as part of social or family activities;
    • The data has not been published or disclosed outside this scope.

Note that the PDPL still covers the personal data of deceased individuals if it can be used to identify them or their family members.

The following activities are not considered personal or family use and do not fall under the exemption:

  • Publishing or disclosing personal data to the public or to parties beyond the family or social circle;
  • Using personal data for professional, commercial, or non-profit purposes.

Facts

  • The Saudi Data and Artificial Intelligence Authority (SDAIA) is responsible for determining which countries or organizations provide an adequate level of personal data protection, aligning with the requirements of the Personal Data Protection Law (PDPL). This list is reviewed periodically to ensure ongoing compliance.
  • Organizations transferring personal data outside the Kingdom must implement appropriate safeguards, such as Standard Contractual Clauses (SCCs), Binding Common Rules (BCRs), or Accreditation Certificates to ensure that the transferred data maintains a level of protection that meets or exceeds the standards set by the PDPL and its implementing regulations.
  • Before transferring or disclosing personal data internationally, data controllers are required to conduct a risk assessment. This evaluates the purpose, legal basis, and safeguards in place, ensuring that only the necessary data is transferred, with measures to mitigate potential risks.
  • Organizations must notify the SDAIA of any personal data breach within 72 hours of becoming aware of it. If the breach poses a significant risk to their rights, affected data subjects must also be informed promptly.
  • Controllers are required to maintain a detailed Record of Processing Activities (RoPA) that includes information about the types of personal data processed, purposes of processing, categories of data subjects, data transfers, and security measures in place. This record must be regularly updated and made available to the SDAIA upon request.
  • Organizations must respond to data subject requests (DSRs) within 30 days. If necessary, a 30-day extension can be applied, provided the data subject is informed of the delay and the reasons behind it.
  • The PDPL also covers a deceased person’s personal data if it could lead to identifying the deceased or a specific member of his/her family.

Automate Compliance with Upcoming State Privacy Laws with Securiti

The complexity of addressing data privacy regulations increases for organizations with multicloud data environments. Moreover, an organization may be subject to multiple legal frameworks, depending on the number of jurisdictions it is operating in.

Fortunately, Securiti’s suite of automation modules offers a comprehensive solution for organizations seeking to ensure compliance with evolving regulatory requirements.

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.

Request a demo to learn more.
