9/18/21, 12:20 AM WireWheel

Compare Global Privacy Regulations. Easily.

Laws compared in this table:
- California Consumer Protection Act (CCPA). An asterisk (*) indicates that the provision will come into effect January 1, 2023 under CPRA.
- Virginia Consumer Data Protection Act (CDPA)
- Colorado Privacy Act (July 1, 2023)
- EU General Data Protection Act (GDPR)

Effective Date

CCPA: January 1, 2020; * January 1, 2023
Virginia CDPA: January 1, 2023
Colorado Privacy Act: July 1, 2023
GDPR: May 25, 2018

Applicability

CCPA: For-profit entities that collect personal information from California residents and meet any of the following thresholds:
(i) At least $25 million in gross annual revenue
(ii) Buys, sells or receives personal information about at least 50,000 California consumers, households or devices for commercial purposes, or
(iii) Derives more than 50% of its annual revenue from the sale of personal information
* (ii) above is replaced with "buys, sells or shares personal information of 100,000 or more California residents or households"
* (iii) above is replaced with "derives 50% or more of annual revenue from selling or sharing California personal information."

Virginia CDPA: For-profit entities that conduct business in Virginia or offer products or services targeted to residents in Virginia and
- Control or process the data of at least 100,000 consumers, or
- Control or process the data of at least 25,000 consumers and derive more than 50% of revenue from the sale of personal data.

Colorado Privacy Act: The law applies to legal entities that:
- Conduct business or produce products or services that are intentionally targeted to Colorado residents, and
- Either control or process personal data of more than 100,000 consumers per calendar year, or derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of at least 25,000 consumers.

GDPR: Data controllers and processors:
- Established in the EU that process personal data in the context of activities of the EU establishment, regardless of whether the data processing takes place within the EU.
- Not established in the EU that process EU data subjects' personal data in connection with offering goods or services in the EU, or monitoring their behavior.

Covered Personal Information

CCPA: Information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Virginia CDPA: Any information that is linked or reasonably associated to an identified or identifiable natural person -- also includes households.

Colorado Privacy Act: Scope of "Personal Data": SB 21-190 defines "personal data" as "information that is linked or reasonably linkable to an identified or identifiable individual," with the exceptions of (a) de-identified data and (b) publicly available information.

GDPR: Personal data is any information relating to an identified or identifiable data subject. The GDPR prohibits processing of defined special categories of personal data unless a lawful justification for processing applies.

Sensitive Data

CCPA: Not currently covered.
* New categories of "sensitive personal information," including:
- Social Security numbers (SSNs)
- Driver's license
- Financial account or card numbers
- Precise geolocation
- Racial and ethnic characteristics
- Religious and philosophical beliefs
- Union membership
- Contents of mail, email and text messages
- Genetic and biometric data

Virginia CDPA: Consent is required to process "sensitive data," which includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, biometric data, personal data collected from a known child and precise geolocation data.

Colorado Privacy Act: A controller must not process sensitive data concerning a consumer without obtaining the consumer's consent or, in the case of processing of personal data concerning a known child or student, without obtaining consent from the child's or student's parent or lawful guardian. SB 21-190 defines "sensitive data" as personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or personal data from a known child.

GDPR: The following personal data is considered 'sensitive' and is subject to specific processing conditions:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade-union membership
- Genetic data
- Biometric data processed solely to identify a human being
- Health-related data
- Sex life or sexual orientation

Anonymous, De-identified, Pseudonymous, or Aggregated Data

CCPA: The CCPA does not restrict a business's ability to collect, use, retain, sell, or disclose consumer information that is de-identified or aggregated. However, the CCPA establishes a high bar for claiming data is de-identified or aggregated. Pseudonymous data may qualify as personal information under the CCPA because it remains capable of being associated with a particular consumer or household. However, the statute does not clearly categorize or exclude pseudonymous data as personal information.

Virginia CDPA: The definition of personal data goes on to explicitly exclude "de-identified data or publicly available information," but not pseudonymous information.

Colorado Privacy Act: "De-identified data" means data that do not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.

GDPR: Pseudonymous data is considered personal data. Anonymous data is not considered personal data. While the GDPR does not mention de-identified data, the CCPA definition is similar to GDPR's concept of anonymous data.

Children

CCPA: The CCPA prohibits selling personal information of a consumer under 16 without consent. Children aged 13-16 can directly provide consent. Children under 13 require parental consent. Protections provided in the Children's Online Privacy Protection Act (COPPA) still apply on top of the CCPA's requirements.

Virginia CDPA: Sensitive data is provided greater protection and includes personal data collected from children. Businesses that comply with verifiable parental consent requirements under the Children's Online Privacy Protection Act are deemed compliant with the CDPA obligations to obtain parental consent.

Colorado Privacy Act: A controller must not process sensitive data concerning a consumer without obtaining the consumer's consent or, in the case of processing of personal data concerning a known child or student, without obtaining consent from the child's or student's parent or lawful guardian. SB 21-190 defines "sensitive data" as (i) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status, (ii) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, or (iii) personal data from a known child.

GDPR: The GDPR's default age for consent is 16, although individual member state law may lower the age to no lower than 13. The person with parental responsibility must provide consent for children under the consent age. Children must receive an age-appropriate privacy notice. Children's personal data is subject to heightened security requirements.

Privacy Notice

CCPA: Businesses must inform consumers about:
- The personal information categories collected.
- The intended use purposes for each category.
Further notice is required to:
- Collect additional personal information categories.
- Use collected personal information for unrelated purposes.
The CCPA requires that businesses provide specific information to consumers and establishes delivery requirements. Third parties must also give consumers explicit notice and an opportunity to opt out before re-selling personal information that the third party acquired from another business.

Virginia CDPA: CDPA does not expressly require businesses to display a privacy notice at or before the point of collection of personal data, nor does it require businesses to provide a "do not sell my information" link.

Colorado Privacy Act: Duty of transparency: The controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
1. The categories of personal data collected or processed by the controller or a processor;
2. The purposes for which the categories of personal data are processed;
3. An estimate of how long the controller may or will maintain the consumer's personal data;
4. An explanation of how and where consumers may exercise their rights under SB 21-190;
5. The categories of personal data that the controller shares with third parties, if any; and
6. The categories of third parties, if any, with whom the controller shares personal data.

GDPR: Data controllers must provide detailed information about their personal data collection and data processing activities. The notice must include specific information depending on whether the data is collected directly from the data subject or a third party.

Consumer Rights

CCPA: Rights include:
- Know and access
- Deletion
- Opt out of sale (more broadly defined as the exchange of personal information for monetary or other valuable consideration)
- Nondiscrimination
- Data portability
- Rectification and correction
- Opt out of sharing for cross-context behavioral advertising
- Limit use and disclosure of sensitive personal information
- Opt out of the use of automated decision-making

Virginia CDPA: Rights include:
- Know, access and confirm
- Deletion
- Opt out of sale (defined as the exchange of personal data for monetary consideration)
- Opt out of processing for targeted advertising
- Opt out of profiling
- Nondiscrimination
- Data portability
- Rectification/correction

Colorado Privacy Act: Rights include:
1. Right to opt out of the processing of personal data concerning the consumer;
2. Right to access the consumer's personal data and confirm whether a controller is processing personal data concerning the consumer;
3. Right to correct inaccurate personal data collected from the consumer;
4. Right to delete personal data concerning the consumer;
5. Right to obtain the consumer's personal data in a portable and readily usable format up to two times per calendar year.

GDPR:
- Information
- Access
- Rectification
- Erasure
- Restriction of Processing
- Data Portability
- Objection
- Avoid Automated Decision-Making

WireWheel can help with our Data Subject Access Request (DSAR) Automation (listed under all four laws).

Contracting

CCPA: Mandatory contracting requirements for "service providers" and "third parties" to whom the company does not sell data. Mandatory contracting requirements for "contractors" to whom the company makes available personal information for a business purpose.

Virginia CDPA: Requires controllers to enter into contracts with data processors to govern the processing of personal data by a processor on behalf of the controller. The contract should include:
- Type of data
- Duration of processing
- The rights and obligations of both parties, with specific obligations for the processor

Colorado Privacy Act: Duties of Controllers: Similar to preceding data privacy legislation, SB 21-190 utilizes concepts of data "controllers" and data "processors," where a "controller" is the person or entity that determines the purposes and means of processing personal data and the "processor" is the person or entity that processes personal data on behalf of the controller. Controllers and processors must enter into a binding contract governing the processing instructions. Controllers do not avoid responsibility by delegating processing responsibilities to a processor.

GDPR: Requires controllers to enter into contracts with processors to govern the processing of personal data by a processor on behalf of the controller. The contract should include:
- Type of data
- Duration of processing
- The rights and obligations of both parties, with specific obligations for the processor

WireWheel can help with our Privacy Operations Manager (listed under all four laws).

Data Protection Assessments

CCPA: Not currently required. Under CPRA, cybersecurity audits and risk assessments will be required for companies whose processing presents a significant risk to consumer privacy or security.

Virginia CDPA: Yes, for the following processing activities:
- The processing of personal data for targeted advertising
- The sale of personal data
- The processing of personal data for purposes of profiling
- The processing of sensitive data
- Processing activities involving personal data that present a heightened risk of harm to consumers

Colorado Privacy Act: Yes. Before engaging in processing that presents a heightened risk of harm to a consumer, a controller must conduct and document a data protection assessment of each of its processing activities that involves personal data acquired on or after the effective date of SB 21-190. SB 21-190 defines "processing that presents a heightened risk of harm to a consumer" as including the following:
- processing personal data for purposes of targeted advertising or profiling;
- selling personal data; and
- processing sensitive data.

GDPR: GDPR Article 35 requires data protection assessments when processing personal data for certain functions such as targeted advertising, the sale of the data, certain types of profiling, the processing of sensitive data, and processing that presents a heightened risk of harm to consumers.

WireWheel can help with our Privacy Operations Manager (listed under all four laws).

Enforcement

CCPA: Enforced by the attorney general. Creation of new California Privacy Protection Agency (Agency) for enforcement, rulemaking and guidance.

Virginia CDPA: Enforced by the attorney general.

Colorado Privacy Act: Colorado Attorney General and District Attorneys.

GDPR: Enforced by the European Data Protection Board as well as binding decision-making by Data Protection Authorities of the member states.

Private Right of Action

CCPA: Limited private right of action for breach of unredacted or unencrypted personal information due to failure to maintain reasonable security practices. Under CPRA, a private right of action will be available for breach of email address and password or security question and answer that would allow access to an account.

Virginia CDPA: None.

Colorado Privacy Act: None.

GDPR: Yes.

Penalties and Damages

CCPA: Up to $2,500 for each violation and $7,500 for each intentional violation. Automatic $7,000 fine for a violation involving the personal information of minors. Statutory damages from $100-$750 per violation.

Virginia CDPA: Up to $7,500 for each violation.

Colorado Privacy Act: Violations would be subject to civil penalties under the Colorado Consumer Protection Act (C.R.S. 6-1-112), which provides for civil penalties of not more than $20,000 per violation.

GDPR: Administrative fines can reach EUR 20 million or 4% of annual global revenue, whichever is highest.

Cure Period

CCPA: Yes, 30 days for Attorney General enforcement. Removes the 30-day cure period and gives the Agency discretionary power to provide the business with a time period to cure.

Virginia CDPA: None.

Colorado Privacy Act: Yes, the Act establishes a right to cure period of 60 days. This cure period will be repealed January 1, 2025.

GDPR: None.

Exemptions

CCPA:
- Compliance with the law
- De-identified or aggregate data
- PHI governed by HIPAA
- GLBA regulated data
- FCRA regulated data
- B2B exemption - personal information collected by a business about an individual consumer, when the consumer is acting as an employee

Virginia CDPA:
- Individuals acting in a commercial or employment context
- Financial institutions subject to GLBA
- Health care entities subject to HIPAA

Colorado Privacy Act: SB 21-190 does not apply to certain categories of personal data already governed by various state and federal laws, such as HIPAA, the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act, Driver's Privacy Protection Act of 1994, Children's Online Privacy Protection Act of 1998 (COPPA), Family Educational Rights and Privacy Act of 1974 (FERPA), in each case to the extent the activity related to the personal data is in compliance with such existing governing law(s). SB 21-190 also does not apply to data maintained for employment records purposes. If a business processes personal data pursuant to an exemption under SB 21-190, the business bears the burden of demonstrating that the processing qualifies for the exemption.

GDPR: The only way to be exempt from the GDPR is if you:
- Actively discourage the processing of data from EU data subjects (i.e., block your site in the EU)
- Process personal data of EU citizens outside the EU as long as you don't directly target EU data subjects or monitor their behavior

Data Breach

CCPA: Businesses must notify any California resident whose personal information was compromised as a result of a data breach. Any business that is required to notify more than 500 California residents as a result of a single breach must also submit a single sample copy of that notification to California's Attorney General.

Virginia CDPA: A controller that uses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of contractual commitments. Securely processing personal data, taking into account the nature of processing information available to the processor, and complying with security breach notification requirements pursuant to § 18.2-186.6 in order to meet the controller's obligations.

Colorado Privacy Act: The law requires notification of security breaches affecting personal information (PI), which includes detailed notice to Colorado residents and, in certain circumstances, notice to the Attorney General.

GDPR:
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
3. The notification referred to in paragraph 1 shall at least:
   a. describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
   b. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
   c. describe the likely consequences of the personal data breach;
   d. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.