Leaders across the globe are tightening privacy laws as consumers grow more concerned about the privacy and security of their personal information. All 50 US states already have data breach notification laws, and a growing number are enacting comprehensive consumer privacy statutes; with the arrival of the more stringent and extensive EU General Data Protection Regulation (GDPR), US states have either amended their existing consumer privacy laws or enacted new ones.
If your organization collects, stores, shares, discloses or sells the personal information of consumers residing in any US state that has enacted a privacy law, it needs a thorough understanding of the applicable laws, must implement the required data privacy and security measures, and must be able to demonstrate compliance.
Here’s a map of the consumer privacy laws across different states in the US.
House Bill 1943 amended the Arkansas Personal Information Protection Act of 2005 and was signed into law in 2019.
The law applies to any individual or entity that acquires, owns, or licenses the personal information of Arkansas residents.
The law doesn’t define any regulations for this section.
The Personal Information Protection Act obligates organizations that own or license the personal information (PI) of Arkansas residents to implement and maintain reasonable security procedures and practices.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The entity must notify the affected Arkansas residents of the security breach and, if the breach affects the PI of more than 1,000 individuals, must also notify the Attorney General, no later than 45 days after determining that a breach occurred.
The state of Arkansas has vested the attorney general with the authority to enforce the law.
The California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), was approved by ballot in November 2020 (Proposition 24) and takes effect on January 1, 2023.
The act applies to for-profit businesses that do business in California, collect California consumers' personal information, and meet at least one of these thresholds: annual gross revenue above $25 million; buying, selling, or sharing the personal information of 100,000 or more California consumers or households; or deriving 50% or more of annual revenue from selling or sharing California consumers' personal information.
Under the CPRA, consumers have the right to know and access, correct, delete, and port their PI, to opt out of its sale or sharing, and not to be discriminated against for exercising these rights. Consumers can also limit the use and disclosure of their sensitive personal information (SPI) and, under regulations the CPPA is directed to adopt, access information about and opt out of automated decision-making.
The act obligates businesses to implement reasonable security procedures and practices to protect PI from unauthorized access, destruction, use, modification, or disclosure. Businesses whose processing presents significant risk to consumers' privacy or security must, under regulations to be adopted, perform annual cybersecurity audits and submit regular risk assessments to the CPPA.
The CPRA follows an opt-out model for the sale and sharing of a consumer's PI and for the use or disclosure of their SPI beyond permitted purposes. Opt-in consent is required only to sell or share the PI of consumers under 16 years of age (from the consumer if aged 13 to 15, and from a parent or guardian if under 13).
Businesses must inform consumers at or before the point of collection of the categories of PI collected, the purposes of collection and intended use, whether it is sold or shared, and the retention period (or the criteria used to determine it), and must provide a privacy notice with additional information, including consumers' rights and the mechanisms for exercising them.
The CPRA sets no fixed retention period, but a business may retain PI only as long as is reasonably necessary and proportionate to achieve the purposes for which it was collected or processed, or another disclosed purpose compatible with the context of collection, and may not further process it in a manner incompatible with those purposes.
Businesses must enter into a written contract with service providers, contractors, or third parties to whom they disclose PI, obligating the recipient to provide the same level of privacy protection the CPRA requires.
The CPRA itself adds no breach notification rules; under California Civil Code § 1798.82, businesses must notify affected California residents in the most expedient time possible and without unreasonable delay, and must notify the Attorney General when a single breach affects more than 500 residents.
The California Privacy Protection Agency (CPPA), together with the Attorney General, is vested with authority to enforce the CPRA.
Senate Bill 21-190, the Colorado Privacy Act (CPA), was signed into law in July 2021 and takes effect on July 1, 2023.
The CPA applies to data controllers that conduct business in Colorado or deliver products or services intentionally targeted to Colorado residents and that either control or process the personal data (PD) of 100,000 or more consumers in a calendar year, or derive revenue or receive a discount on goods or services from the sale of PD and control or process the PD of 25,000 or more consumers. Several categories of entities and data are exempt from the CPA.
The CPA gives consumers the right to confirm processing, access, correct, delete, and obtain a portable copy of their PD, and to opt out of targeted advertising, the sale of PD, and profiling in furtherance of decisions that produce legal or similarly significant effects. Controllers must respond to a request within 45 days, extendable once by a further 45 days where reasonably necessary.
The CPA requires controllers to take reasonable physical and technical security measures to protect the confidentiality and integrity of PD during storage and processing, appropriate to the volume, scope, and nature of the data.
Controllers may not process a consumer's sensitive PD without consent; sensitive PD includes PD from a known child, which requires consent from the child's parent or lawful guardian.
The privacy notice must describe the categories of PD the controller collects or sells (including for targeted advertising) and the purposes of processing, how consumers can exercise their rights under the act, and how they can appeal a denial of their requests.
The CPA sets no retention period, but a controller may collect only PD that is adequate, relevant, and reasonably necessary for the disclosed purposes, and may not process it for purposes that are not reasonably necessary for or compatible with those purposes without the consumer's consent.
The law doesn’t define any regulations for this section.
The CPA contains no breach notification provision, but Colo. Rev. Stat. § 6-1-716 requires covered entities to notify affected Colorado residents within 30 days of determining that a breach occurred, and to notify the Attorney General when the breach is reasonably believed to affect 500 or more residents.
Only the Attorney General and district attorneys may enforce the CPA or impose penalties for violations; there is no private right of action.
The Illinois Personal Information Protection Act (PIPA) was signed in June 2005 and took effect on January 1, 2006. It was amended effective January 1, 2017 to reflect advances in technology and data collection, expanding the definition of personal information to include, among other things, biometric data.
PIPA applies to data collectors, which include government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that handles, collects, disseminates, or otherwise deals with nonpublic personal information.
PIPA protects Illinois residents from the mishandling, misuse, or abuse of their personal information and imposes requirements on companies and other organizations that collect, handle, or store nonpublic personal information.
PIPA requires data collectors to implement and maintain reasonable security measures to protect records containing personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.
The Biometric Information Privacy Act (BIPA), a separate Illinois statute enacted in 2008, requires private entities to obtain a written release from individuals before collecting biometric identifiers such as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and to publish a schedule for retaining and destroying that data.
The act doesn’t define any regulations for this section.
Under PIPA, entities must securely dispose of personal information that is no longer needed for ongoing services or business operations, whether held in paper or electronic form. Paper records must be burned, shredded, or otherwise destroyed, and electronic records must be rendered unreadable and unrecoverable.
The act doesn’t define any regulations for this section.
PIPA requires the data collector to notify affected Illinois residents in the most expedient time possible and without unreasonable delay, and, when a breach affects more than 500 Illinois residents, to notify the Attorney General as well.
Illinois has empowered the state Attorney General to enforce the law.
Maine's Legislative Document (LD) 946, An Act To Protect the Privacy of Online Customer Information, was signed into law in 2019 and took effect on July 1, 2020.
The law applies to providers operating within Maine when providing broadband internet access service to customers who are physically located in Maine and billed for service there.
The law doesn’t define any regulations for this section.
The law requires providers to take reasonable measures to protect customer personal information from unauthorized use, disclosure, or access.
A provider may not use, disclose, sell, or permit access to customer personal information without the customer's express, affirmative (opt-in) consent. Information that pertains to a customer but falls outside the definition of customer personal information may be used, disclosed, sold, or made accessible unless and until the customer opts out.
Providers must give customers a clear, conspicuous, and non-deceptive notice at the point of sale and on the provider's website, informing them of the provider's obligations and of their rights under the law.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law contains no breach notification provision, but 10 Me. Rev. Stat. § 1346 et seq. requires businesses to notify affected Maine residents and the appropriate regulator within the Department of Professional and Financial Regulation, or the Maine Attorney General if the entity is not regulated by that department.
The law doesn’t define any regulations for this section.
Massachusetts' data security regulation, 201 CMR 17.00 (Standards for the Protection of Personal Information of Residents of the Commonwealth), was promulgated in 2009 and took effect on March 1, 2010. A separate comprehensive privacy bill, the Massachusetts Information Privacy Act, was filed in March 2021; among other things it would restrict employers from recording or monitoring employee data, but it has not been enacted.
The regulation applies to any person or business that owns or licenses personal information about a Massachusetts resident, wherever it is located, so it has extraterritorial reach.
The regulation protects Massachusetts residents from misuse of their personal information and holds companies responsible when it occurs.
The regulation requires covered entities to develop and implement a written information security program (WISP) with safeguards appropriate to the size, scope, and type of business, the resources available, the amount of stored data, and the need for security and confidentiality of the information, and to contractually require third-party service providers to maintain appropriate security measures. It also sets specific technical requirements, including encryption of personal information transmitted over public networks or wirelessly and of personal information stored on laptops and other portable devices, secure user authentication, access controls, and monitoring.
The act doesn’t define any regulations for this section.
The act doesn’t define any regulations for this section.
The act doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The regulation does not itself address breach notification, but Mass. Gen. Laws ch. 93H requires covered entities to notify affected Massachusetts residents, the Attorney General, and the Director of the Office of Consumer Affairs and Business Regulation as soon as practicable and without unreasonable delay.
The Massachusetts Attorney General enforces the law and may seek civil penalties of up to $5,000 per violation, plus reasonable costs of investigation and litigation.
Senate Bill 260 was signed into law in June 2021 and took effect on October 1, 2021, amending Nevada's online privacy law (Nevada Revised Statutes Chapter 603A).
The law applies to any operator that owns a website or online service for a commercial purpose and collects certain personally identifiable information (PII) from consumers residing in Nevada, and to "data brokers", defined as persons whose primary business is purchasing covered information about Nevada residents with whom they have no direct relationship.
The law grants a narrow right: a consumer may submit a verified request directing an operator or data broker not to sell their covered information, and the recipient must honor it.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
Covered entities must make available a notice describing the covered information collected, the process by which a consumer may review and request changes to that information, and the effective date of the notice.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law contains no separate breach notification provision, but Nev. Rev. Stat. § 603A.220 requires data collectors that own or license computerized data including the personal information of Nevada residents to notify affected residents in the most expedient time possible and without unreasonable delay.
The Nevada Attorney General enforces the law and may seek an injunction and civil penalties of up to $5,000 per violation.
Vermont Senate Bill 110, an act relating to data privacy and consumer protection, was signed into law in 2020; among its provisions is a student online privacy law.
The law applies to operators of websites, online services, or applications that are knowingly used and marketed for PreK-12 school purposes.
Operators may not engage in targeted advertising or amass a profile about a student based on information acquired through use of the site, service, or application for PreK-12 purposes, nor sell, barter, or rent a student's information or disclose covered information to a third party, unless a specific exception applies.
The operator must implement and maintain reasonable security procedures and practices.
The law doesn’t define any regulations for this section.
Operators must publicly disclose, and provide the school with, information about their collection, use, and disclosure of covered information.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The act contains no breach notification provision, but 9 V.S.A. §§ 2430 and 2435 require data collectors to notify affected Vermont residents within 45 days of discovering the breach and to notify the Attorney General.
The Attorney General and State's Attorneys may bring actions for violations of the act.
Senate Bill 1392 and identical House Bill 2307, the Virginia Consumer Data Protection Act (VCDPA), were signed into law in March 2021. The VCDPA takes effect on January 1, 2023.
The VCDPA applies to persons that conduct business in the Commonwealth or produce products or services targeted to Virginia residents and that, during a calendar year, either control or process the personal data of at least 100,000 consumers, or control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
The VCDPA gives consumers the right to confirm processing, access, correct, delete, and port their personal data, and to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. Controllers must respond to a request within 45 days.
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
Consent is required to process a consumer's sensitive data; sensitive data includes personal data collected from a known child, which must be processed in accordance with COPPA, including parental consent.
Controllers must provide a reasonably accessible, clear, and meaningful privacy notice describing the categories of personal data processed, the purposes of processing, how consumers may exercise their rights and appeal a decision, the categories of personal data shared with third parties, and the categories of those third parties; a controller that sells personal data or processes it for targeted advertising must disclose that and how consumers may opt out.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The VCDPA contains no breach notification provision, but Va. Code § 18.2-186.6 requires businesses to notify affected Virginia residents.
The Attorney General has exclusive authority to enforce the VCDPA; there is no private right of action.
On February 1, 2022, Indiana became the first US state in 2022 to pass a consumer privacy bill out of a legislative chamber, when the Indiana Senate approved its bill.
The bill covers entities processing the data of:
New Jersey has no comprehensive data protection law. State lawmakers have, however, proposed a bill to strengthen data privacy rules and impose stricter limits on the tech industry, as The Wall Street Journal reported on Monday (March 2).
The bill would require firms to obtain authorization from New Jersey consumers before collecting their information and selling it to third parties.
The bill would require any firm collecting personal data to tell people in plain language how the information will be used, and would let consumers ask companies for a copy of their personal data and request its deletion.
The bill would establish specific security standards.
The bill would require businesses to obtain explicit consent from consumers before their data can be collected and sold to third parties.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The bill does not add breach notification rules; New Jersey's existing statute, N.J. Stat. § 56:8-163, requires businesses to notify affected New Jersey residents whose personal information is believed to have been accessed by an unauthorized person, and to report the breach to the Division of State Police before notifying customers.
New Jersey's Attorney General would enforce the law.
The North Carolina General Assembly introduced a Senate bill known as the Consumer Privacy Act (CPA) on April 6, 2021.
The proposed act would apply to companies that provide products or services to North Carolina residents and that control or process the personal data of at least 100,000 consumers annually, or of at least 25,000 consumers while deriving over 50% of gross revenue from the sale of personal data.
The proposed act would give consumers the right to know and access, correct, delete, and opt out, and would create a private right of action.
The proposed act would require data controllers to adopt data protection and cybersecurity measures to secure consumer data.
The proposed act would require data controllers to obtain the consumer's consent before processing their data.
Under the proposed act, data controllers would have to provide consumers with a clear and accessible privacy notice listing the categories of personal data processed, the purposes of processing, how consumers may exercise their rights, and how personal data is shared with third parties.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The proposed act would empower the North Carolina Attorney General to enforce it.
The Ohio Personal Privacy Act (OPPA), HB 376, was introduced in the Ohio House of Representatives in 2021.
The OPPA would apply to companies that conduct business in Ohio or target Ohio residents and that either have annual gross revenue exceeding $25 million; control or process the personal data of 100,000 or more Ohio consumers in a calendar year; or derive over 50% of gross revenue from selling the personal data of Ohio consumers and control or process the personal data of 25,000 or more Ohio consumers in a calendar year.
The OPPA would create consumer rights, including the right to know what personal data is collected about the consumer, to access the personal data collected, to request deletion of their personal data, and to opt out of the sale of their personal data.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The OPPA would require businesses to tell consumers what personal data they process about them and to publish a clear, easily accessible privacy policy.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The OPPA would empower the Ohio Attorney General to enforce it.
The Oklahoma Computer Data Privacy Act (OCDPA), a bill introduced in 2021, would be the state's first comprehensive consumer privacy law and is notable for requiring opt-in consent.
The OCDPA would apply to businesses that conduct business in Oklahoma; collect consumers' personal information, or have it collected by a third party on their behalf; alone or jointly with others determine the purposes and means of processing consumers' personal information; and meet specified revenue and processing-volume thresholds.
The OCDPA would give consumers the right to opt in (rather than opt out) to the sale of their personal information, to request deletion of their personal information, and to request a report listing the categories of personal information collected, sold, or disclosed about them for business purposes and the categories of third parties that received it.
Under the OCDPA, businesses would be required to implement and maintain reasonable security procedures and practices to protect consumers' personal information.
The OCDPA would also require businesses to obtain the consumer's explicit consent before collecting and selling the consumer's personal information.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The bill does not address breach notification; Oklahoma's existing Security Breach Notification Act, 24 Okla. Stat. § 161 et seq., continues to apply. Violations of the proposed act would carry civil penalties of up to $2,500 per violation and $7,500 per intentional violation.
The OCDPA would empower the Oklahoma Attorney General to enforce it.
On April 7, 2021, Pennsylvania legislators introduced a comprehensive consumer data protection bill, HB 1126, modeled on the California Consumer Privacy Act (CCPA).
The proposed bill, like the CCPA, would apply to for-profit businesses that collect Pennsylvania consumers' personal information and meet specified revenue or data-volume thresholds. Covered businesses would have to respond to a verifiable consumer request within 45 days of receiving it.
Under the proposed bill, Pennsylvania consumers could request disclosure of the personal information a business has collected about them, have that information deleted, request information about any personal data the business has sold or used for business purposes, and opt out of the sale of their personal information to third parties.
The law doesn’t define any regulations for this section.
The proposed bill would require businesses to obtain the consumer's consent before collecting and processing their data.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The Pennsylvania bill provides a private right of action, but only for data breaches involving nonencrypted and nonredacted personal information.
The proposed bill would empower the Pennsylvania Attorney General to enforce it.
Utah Governor Spencer J. Cox signed the Utah Consumer Privacy Act (UCPA) into law in March 2022, making Utah the fourth US state, after California, Virginia, and Colorado, to enact a comprehensive consumer privacy law. The UCPA takes effect on December 31, 2023.
The UCPA applies to controllers and processors that conduct business in Utah or target Utah residents, have annual revenue of $25 million or more, and either control or process the personal data of 100,000 or more consumers in a calendar year, or derive over 50% of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
Like other state privacy laws, the UCPA gives consumers certain rights: to confirm whether a controller is processing their personal data, to access it, to delete it, and to obtain a copy of it, and to opt out of targeted advertising and the sale of personal data. Consumers also have the right not to be discriminated against for exercising these rights. Authenticated requests must be answered within 45 days of receipt, extendable by a further 45 days where the request is complex and more time is reasonably necessary.
The UCPA requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices, appropriate to the volume and nature of the personal data at issue.
The UCPA follows an opt-out model: a controller may not process a consumer's sensitive data without first giving the consumer clear notice and an opportunity to opt out. Personal data of a known child must be processed in accordance with the Children's Online Privacy Protection Act, which requires parental consent.
The controller must provide consumers with a reasonably accessible and clear privacy notice describing the categories of personal data it processes, the purposes of processing, how consumers may exercise their rights, the categories of personal data it shares with third parties, and the categories of those third parties. A controller that sells personal data or engages in targeted advertising must also disclose that and explain how consumers may opt out.
There are no specific regulations provided under this law.
The law doesn’t define any regulations for this section.
The UCPA does not itself set breach notification requirements, but under § 13-61-301(1)(b) a processor must assist the controller in meeting its obligations, including the security of processing and notification of a breach of system security under Utah's Protection of Personal Information Act (Utah Code § 13-44-101 et seq.).
Enforcement of the UCPA is shared between the Utah Division of Consumer Protection (within the Department of Commerce) and the Utah Attorney General's Office. If the Division has reasonable cause to believe that substantial evidence of a violation exists, it refers the matter to the Attorney General, who issues a notice of violation. If the violation is not cured within 30 days of that notice, the Attorney General may seek actual damages for the consumer and civil penalties of up to $7,500 per violation.
Watch the demo to see how Securiti is helping organizations with global privacy regulatory compliance.
Watch the demoGet all the latest information, law updates and more delivered to your inbox
See how easy it is to manage privacy compliance with robotic automation.
[email protected]
PO Box 13039,
Coyote CA 95013
Break Silos of Sensitive Data & Risk Understanding across Multicloud and self managed systems. Common grammar, policies and reporting
Key Features
Find data assets, and discover personal and sensitive data in structured and unstructured data systems, across on-premises and multi-cloud.
Key Features
Classify & label data to ensure appropriate security controls are enabled on most sensitive data in your organization
Key Features
Collect, organize, enrich and build a data catalog to address privacy, security and governance solutions
Key Features
Connect to structured and unstructured data sources and automatically discover and build a relationship map between personal data and its owner.
Key Features
Assess risk scores for every data asset, asset location, or personal data category
Key Features
Auto discover personal data in Snowflake and enforce access governance
Key Features
Auto discover personal data in Snowflake and enforce access governance
Key Features
Discover, classify, manage and protect sensitive data in Workday. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Key Features
Discover, classify, manage and protect sensitive data in Box. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Key Features
Discover, classify, manage and protect sensitive data in Slack. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more
Key Features
Discover, classify, manage and protect sensitive data in Github. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Key Features
Discover, classify, manage and protect sensitive data in Jira. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Key Features
Discover, classify, manage and protect sensitive data in Dropbox. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Key Features
Discover, classify, manage and protect sensitive data in SAP Successfactors. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Key Features
Discover, classify, manage and protect sensitive data in Servicenow. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Key Features
Discover, classify, manage and protect sensitive data in Zendesk. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Key Features
Discover, classify, manage and protect sensitive data in Apache Hive. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Key Features
Discover, classify, manage and protect sensitive data in Apache Spark SQL. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Key Features
Discover, classify, manage and protect sensitive data in Cassandra. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Key Features
Discover, classify, manage and protect sensitive data in Couchbase. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Key Features
Enable privacy by design through the AI driven PrivacyOps platform
Key Features
Maintain your Data Catalog with continuous automated updates
Key Features
Automate data subject rights request fulfillment and maintain proof of compliance
Key Features
Connect to structured and unstructured data sources and automatically discover and build a relationship map between personal data and its owner.
Key Features
Audit once and comply with many regulations. Collaborate and track all internal assessments in one place.
Key Features
Automation of privacy assessment collection from third parties, collaboration among stakeholders, follow-ups and compliance analytics.
Key Features
Automate global cookie consent compliance.
Key Features
Simplify and automate universal consent management.
Key Features
Automate the incident response process by gathering incident details, identifying the scope and optimizing notifications to comply with global privacy regulations.
Key Features
Keeping privacy notices up-to-date made easy
Key Features
Operationalize GDPR compliance with the most comprehensive PrivacyOps platform
Key Features
Operationalize CCPA compliance with the most comprehensive PrivacyOps platform
Key Features
Revolutionize LGPD compliance through PrivacyOps
Key Features
Identify data risk & enable protection and control
Key Features
Discover data assets, detect & catalog sensitive data in it
Key Features
Classify and label data to ensure appropriate security controls
Key Features
Monitor data security posture and identify external and internals risks to data security
Key Features
Policy based alerts and remediations to protect data from external and internal threats
Investigate data security issues and take remediation actions
Snowflake is a cloud-based data warehouse that allows organizations to run large-scale data analytics projects to uncover business insights, run or train machine learning models, and modernize their data infrastructure.
Microsoft O365 is the ubiquitous productivity suite for every business worker. Users rely on Office products such as OneDrive and SharePoint to collaborate with their co-workers.
Organizations want to migrate their on-premises data to cloud data stores to take advantage of scale and flexibility while reducing the operational cost of managing on-premises infrastructure. However, under privacy regulations such as GDPR and CCPA, administrators have to ensure that data is migrated in compliance with these laws.
Protecting sensitive content is a priority for all organizations, however, due to volume of sensitive content and
While data aids in business decision making, global privacy regulations such as GDPR and CPRA require organizations to identify personal and sensitive data, use it only for its intended purpose, and implement adequate protection.
The CDMC Framework sets up controls that companies should put in place, and establishes clear guidelines around data accountability, governance, classification, usage, protection and privacy.
Securiti enables organizations to meet multiple regulations around the world and helps with compliance requirements through AI-driven PI data discovery, DSR automation, documented accountability, enhanced visibility into data processing activities and AI-driven process automation.
Securiti is a complete PrivacyOps Solution.
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018 and is scheduled to come into effect on January 01, 2020. Often compared to GDPR, CCPA protects consumers from mismanagement of their personal data and gives the consumer control over what data is collected, processed, shared or sold.
The California Privacy Rights Act (CPRA) will take effect from January 1, 2023, and will apply to personal information collected on or after January 1, 2022. Enforcement of the CPRA will start six months later (July 1, 2023). The CPRA builds upon the CCPA, strengthening user privacy for California residents.
The EU General Data Protection Regulation (GDPR) came into effect on May 25, 2018 and changed the global privacy landscape. It has broadened the definition of processing activities and personal data, impacting companies worldwide, and has tightened the rules to obtain consent before processing information.
The Lei Geral de Proteção de Dados (LGPD) is modeled on the European General Data Protection Regulation (GDPR) and contains sixty-five articles. It was approved on August 14, 2018, and its entry into force has undergone several changes, the last relevant one being MPV 959. The LGPD has been in effect since September 18, 2020. Sanctions by the ANPD (Brazilian Data Protection Authority) were postponed to August 2021. The LGPD gives people more rights over their data and expects organizations to comply with its provisions or face heavy penalties or fines.
China has a complex data protection and data security regime; however, three main laws primarily make up China's data protection and data security regulatory framework. These laws are:
The UAE has a number of laws in place that govern privacy as well as data security. Some of these include:
The government of New Zealand has recently replaced its long-existing Privacy Act of 1993 with a modernized version, the Privacy Act 2020. The New Zealand Privacy Act 2020 (NZPA) will take effect from December 1, 2020.
The Personal Data Protection Act, B.E. 2562 (2019) ('PDPA') is Thailand's first consolidated data protection law, published in the Thai Government Gazette on 27 May 2019. The law was scheduled to go into effect on 27 May 2020. However, in May 2020, the Thai Cabinet, through a Royal Decree, deferred the enforcement of certain data protection provisions of the PDPA until 31 May 2021.
In order to protect the data of individuals in South Africa, Parliament assented to the Protection of Personal Information Act (POPIA) on 19th November 2013. The commencement date of section 1, Part A of Chapter 5, section 112 and section 113 was 11 April 2014. The commencement date of the remaining sections (excluding sections 110 and 114(4)) was 1st July 2020. As per the Regulator's Operational Readiness Plan, the Regulator will be able to take enforcement actions for violations of POPIA by July 1st 2021.
Singapore’s Personal Data Protection Act (PDPA) comprises various provisions governing the collection, disclosure, use, and care of personal data. It recognizes the rights of individuals to have more control over their personal data and the needs of organizations to collect, use, or disclose personal data for legitimate and reasonable purposes.
The Canadian data laws aim to give consumers control over their data and promote greater transparency about how organizations use data containing personal identifiers.
The Australian data laws aim to give consumers control over their data and promote greater transparency about how organizations use data containing personal identifiers.
After the invalidation of Privacy Shield, many companies are relying on the SCCs in order to continue transferring data of EU citizens to companies based in countries that are not deemed adequate for data transfer.
After the CJEU judgement, it is clear that these companies have to conduct Risk Assessments with the data recipients in these countries in order to ensure they have enough controls to mitigate any potential data or regulatory risk.
On January 31, 2020, the government of Saudi Arabia issued the Executive Regulations to the Saudi E-Commerce Law 2019 (“ECL”) that was in effect since October 2019. The Executive Regulations together with the ECL (“Law”) aim to protect consumers’ personal data by requiring organizations to take appropriate technical and administrative measures.
Turkey was one of the first countries to start the trend of legislating data protection. Turkey published the "Law on the Protection of Personal Data No. 6698" (LPPD), covering personal data protection, on April 07, 2016. The LPPD is based on the European Union Data Protection Directive 95/46/EC and has several similarities with the GDPR. It aims to give data subjects control over their personal data and outlines obligations that organizations and individuals dealing with personal data must comply with. The LPPD also provides comprehensive guidelines for the transfer of personal data to third parties.
In December 2019, India, following in the footsteps of several other countries' privacy law developments, introduced the Personal Data Protection Bill (PDPB) to regulate the processing, collection, and storage of personal data. However, in November 2021, the bill was renamed the Data Protection Bill 2021 (DPB).
The Irish Data Protection Act, 2018 (Irish DPA) implements the General Data Protection Regulation (GDPR) and transposes the European Union Law Enforcement Directive in Ireland. Since it incorporates most of the provisions from the GDPR and the Law Enforcement Directive with limited additions and deletions as per the national law, it is considered to be the principal data protection legislation in Ireland.
The Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2012 (the "PDPO") is the primary legislation in Hong Kong, enacted to protect the privacy of individuals' personal data and to regulate the collection, holding, processing, disclosure, or use of personal data by organizations. The Data Protection Principles (the "DPPs" or "DPP"), which are contained in Schedule 1 to the PDPO, outline how entities should collect, handle, disclose, and use personal data.
In 2012, the Philippines passed a comprehensive privacy law, the Data Privacy Act of 2012, Republic Act No. 10173 (the "DPA"). The DPA recognizes the rights of individuals to have more control over their personal data while ensuring a free flow of information to promote innovation and growth.
South Korea has a general law and several special laws that cover data protection and individuals' privacy. South Korea's data protection regime is considered one of the strictest data protection regimes owing to its notification requirements, opt-in consent, extensive data subject rights, mandatory data breach notifications, and heavy sanctions in case of non-compliance.
The Act on the Protection of Personal Information (the "APPI") regulates personal-related information and applies to any Personal Information Controller (the "PIC"), that is, a person or entity providing personal-related information for use in business in Japan. The APPI also applies to foreign PICs that handle the personal information of data subjects ("principals") in Japan for the purpose of supplying goods or services to those persons.
Qatar is the first Gulf country to have passed a national data privacy law and has paved the way for all other Gulf countries to follow suit. In 2016, Qatar enacted Law No. 13 Concerning Personal Data Protection (the "DPL"), becoming the first Gulf Cooperation Council (GCC) member state to issue a "European-style" data protection law. The DPL establishes a certain degree of personal data protection, provides data subject rights, and prescribes guidelines for organizations processing personal data within Qatar.
Bahrain has joined the countries that have enacted a data privacy regulation to protect the rights of their residents. On 12 July 2018, Bahrain drafted its data protection law, Law No. 30. It went into effect on the 1st of August 2019 as the Bahrain Personal Data Protection Law (PDPL) and supersedes all other laws. The PDPL recognizes the rights of individuals to have more control over their personal data and the needs of organizations to collect, use, or disclose personal data for legitimate purposes.
After the success of the California Consumer Privacy Act (CCPA) in California, Virginia is now following the same path. The Virginia Consumer Data Protection Act (VCDPA) has been passed and will go into effect on the 1st of January 2023. This law is closely modeled on the newer California Privacy Rights Act (CPRA), but with a few significant differences.
After the VCDPA in Virginia, Colorado has closely followed suit and passed its own comprehensive data privacy law to protect the personal data of Colorado residents. The Colorado Privacy Act (CPA) was signed into law on the 8th of July, 2021 and has been modelled closely after the VCDPA.
Saudi Arabia has drafted a data privacy regulation to protect the personal data of individuals in Saudi Arabia. This law was approved by the Council of Ministers in Saudi Arabia and is named the Personal Data Protection Law (the “PDPL”).
Uganda’s Data Protection and Privacy Act 2019 seeks to protect Uganda’s citizens and their personal data by outlining and implementing rules for processing personal data and sensitive personal data by entities within or outside the country.
Ghana's Data Protection Act 2012 establishes a comprehensive set of provisions governing the collection, processing, use, and protection of personal data by data controllers and data processors.
Kenya’s Data Protection Act, 2019 (DPA) is based on the framework of the EU’s General Data Protection Regulation (GDPR), making it the third region in East Africa to have enacted and enforced data protection regulations.
Malaysia’s Personal Data Protection Act (PDPA) was passed by the Parliament of Malaysia on 2 June 2010. The PDPA sets out a complete cross-sectoral framework to protect the personal data of individuals with respect to commercial transactions.
Although there is no comprehensive data protection law in Indonesia, there are several regulations that govern personal data, alongside Indonesia's draft Personal Data Protection Bill (PDPB) and the Personal Data Protection Regulations (PDP Regulations).
Oman's Personal Data Protection Law (Oman's PDPL) has been published in the country's official gazette and will come into force by February 9, 2023, one year after its issuance on February 9, 2022. The law applies to any natural person's personal data, including but not limited to their name, location data, identification number, and health-related information.
Kuwait's Data Privacy Protection Regulations (DPPR) apply to all public and private Telecommunication Services Providers and related industry sectors that collect, process, and store personal data and user-related content, in whole or in part, in a data storage system, whether processed inside or outside the State of Kuwait.
The Personal Data Protection Act (PDPA) protects Sri Lankan residents’ data while regulating how organizations collect, process, store, and maintain this data. The PDPA also grants users a wide range of data subject rights, meant to give them more control over their data.
Issued on 27 July 2006, the Russian Federal Law on Personal Data (No. 152-FZ) remains one of the oldest data protection laws in effect today. Moreover, it is one of the few laws enacted before the EU's landmark General Data Protection Regulation (GDPR).
Germany's Bundesdatenschutzgesetz (BDSG), the Federal Data Protection Act in English, was enacted in May 2018 to implement the GDPR in Germany.
The Data Protection Act (DPA) of 2018 was passed in April 2016 and came into effect on May 25, 2018. This was the same day the General Data Protection Regulation (GDPR) came into effect.
Directive 2002/58/EC on Privacy and Electronic Communications, known more prominently as the ePrivacy Directive, is a key set of instructions released to ensure the privacy and confidentiality of all electronic communications within the European Union (EU).
The New York State Department of Financial Services Cybersecurity Regulation, or 23 NYCRR 500, is a set of 23 cybersecurity requirements mandatory for all financial institutions registered in New York operating under its Banking Law, Insurance Law, or Financial Services Law.
In November 2020, the European Commission released a draft of the new Data Governance Act. This came as a result of the 2020 European Data Strategy that aims to facilitate data sharing across sectors and member states.