Privacy regulations continue to evolve and expand, forcing organizations around the world to transform their data and privacy practices in tandem. While it’s clear some regulations have received significant media coverage up to and through their adoption, others have seemingly passed below the radar of newsworthiness even though their impacts are significant for organizations globally.
Some believe that their organization is prepared if they’ve examined and worked to establish processes to deal with the implementation of the EU’s General Data Protection Regulation (GDPR), especially given the EU law is seen as a model for many regulations. However, new regulations are not necessarily closely adopting it. Some regulators are choosing to expand on its provisions while others are loosely adopting the framework, taking a completely different approach, and even diverging from it in significant ways.
Three laws exemplify the cutting edge of privacy regulations now in place around the world.
California Privacy Rights Act (CPRA) – aka CCPA 2.0
California continued its aggressive pursuit of privacy rights by passing the CPRA in its last election. As outlined in a previous blog post prior to its passing, regulators continue to draw inspiration from GDPR by expanding the prior California Consumer Protection Act (CCPA) in a number of significant ways. There are several updates that have been more challenging for organizations to comprehend and act on in their incident response processes and plans.
For example, the law creates a significant expansion in the scope of liability for data breaches. Consumers can initiate private, individual lawsuits for data breaches that exposed both email addresses and passwords as well as any associated second-tier authentication and/or recovery security questions and answers. This is a significant change for many companies and has yet to be recognized by many, given these are not the kinds of data more typically associated with personally identifiable information (PII).
In addition, far too many organizations have waited until after a data breach to put cybersecurity defenses into place. CPRA dictates specifically that post-breach remediation actions like this are no longer an acceptable path to avoid liability, fines, and lawsuits for the data breach. CPRA requires companies to have reasonable security procedures in place. Particularly given that the definition of “reasonable” is subjective, this has created a burden for those organizations to prove their cybersecurity programs appropriately match their risk and resources.
The creation of the California Privacy Protection Agency by the law is expected to generate a large increase in regulatory oversight of organizations holding Californians’ data. While it is bootstrapped with initial funding, it is financed by its own work, such as through the fines it imposes on violators of the regulation. As a result, the agency is expected to act and expand quickly, potentially matching the size of privacy enforcement teams at the US federal level.
Given the size of California’s economy, its population, and the number of technology companies headquartered or hosting systems and significant amounts of data in the state, once this law fully comes into effect in less than two years it will apply to a huge number of organizations globally.
Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD)
Brazil’s LGPD, its General Personal Data Protection Law, became effective somewhat under the radar of global organizations early last year. The regulators in Brazil, much like those in California, were heavily influenced by the GDPR, as we noted in our previous blog post on privacy lessons learned in 2020. For example, it hews heavily in the same direction in areas like data subject rights, defining nearly the same fundamental rights as EU citizens are given by GDPR.
That said, the law stands on its own in several ways. For example, it has an expanded legal basis for data processing, allowing organizations to use personal data for a wider variety of reasons, including protecting a person’s credit. Additionally, the law does not specifically define personal data, instead making numerous references to its meaning. Some believe this could potentially make its eventual coverage and the related enforcement more expansive than that of the GDPR.
Furthermore, the law is significantly vague when it comes to data breach notification timelines. While GDPR requires breach notification within 72 hours, LGPD’s notification requirements are only defined as being within a “reasonable timeframe.” While some have seen this as a relaxed requirement, given its subjectivity it could be enforced in different ways over time by regulators in the country. This has created some uncertainty for organizations attempting to achieve readiness for the regulation.
Overall, Brazil’s law, like most others, is enforced on organizations holding Brazilian citizens’ data, regardless of the geography of the organization itself. While organizations that are fully prepared for GDPR are generally on the way to being prepared for LGPD, the differences require some additional forethought.
Virginia’s Consumer Data Privacy Act (CDPA)
The most recent on this list is the privacy law that the state of Virginia in the United States passed in March. Its changes are the most major for a state since California passed the aforementioned CPRA. Like most other privacy regulations, the CDPA is enforced on organizations irrespective of their geographic presence, and even further regardless of their size or profit-bearing status.
A key similarity between CDPA and other data privacy laws is its requirement that organizations are responsible for the use of their data by their vendors and third parties. In the case of CDPA, it explicitly requires a contract between an organization and its other vendors and partners using its data. The law outlines many specific requirements that must be covered in the contract between the parties. It also outlines a 30-day remediation timeframe in which organizations must deal with their violations, and if they do not, they can be fined by the state Attorney General’s office. These fines, like those in CPRA, will directly support the office enforcing the regulation.
There are some major differences between the new Virginia law and others. First, organizations are only impacted if they are processing the data of over 100,000 consumers in Virginia, or 25,000 if the organization makes a majority of its gross revenues from the sale of data. In addition, it only affects consumer-facing businesses. From a notification perspective, it provides for notification timelines “without undue delay” of up to 45 days with the possibility of a similar-length extension, a stark contrast to CPRA and LGPD.
Another major difference from California’s laws is that Virginia has exempted a large number of organizations covered by other privacy regulations. This includes organizations with data covered by the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Fair Credit Reporting Act. In addition, the CDPA does not include a private right to action, nor does it provide its constituents a means to obtain a list of the third parties with which an organization has shared their personal data during the prior year.
Given these abundant exemptions, the law is seen as much more business friendly than many other privacy regulations. However, given the act does not go into effect until 2023, it’s very possible it will receive an update and expansion in the same vein as California’s two acts being passed in quick succession. While Virginia’s economy isn’t as large as that of California, its business-friendly nature and highly educated talent pool have made it a common choice for tech companies expanding nationwide as well as global corporations looking to establish a headquarters within the United States.
Evolving Regulatory Landscape
Many regulations are in the works throughout the United States and across the world. In the United States, Washington state’s Privacy Act nearly passed, with regulators hung up primarily on the private right to action but poised to go above and beyond both GDPR and California’s requirements in other areas. Globally, India’s Personal Data Protection Bill (PDPB) is likely the most impactful law coming next, given it covers such a large population of the world and given the influence of its tech population. While the bill is aligned in more than a few ways with GDPR, some believe it’s being designed to specifically enforce stringent controls on companies outside India.
Privacy requirements will continue to expand at a breakneck pace. Organizations can no longer rely on paper incident response plans and privacy policies built from high-level templates. As outlined here, regulators are no longer accepting reactive approaches nor a head-in-sand mentality when it comes to data breach response. Standards are changing quickly, and regulators and their constituents have demonstrated repeatedly that they are not afraid to rapidly push updates and expansions to their laws to enforce the use of best practices.
In addition, most privacy regulations are leaving much of the subjectivity in the hands of their enforcement agencies, which are funded by their own enforcement actions. Gartner predicts that by 2024, more than 80% of organizations worldwide will be subject to privacy and data protection regulations. This has increased the risk of major impacts to organizations if they don’t focus specifically on the data privacy aspects of their incident response program.
Prescient organizations are accepting this reality and building dynamic privacy programs that stay ahead of this ever-changing environment. The BreachRx incident response management platform is designed to help incident response teams transform their processes and easily exceed these dynamic regulatory requirements. Our software as a service platform allows organizations to operationalize privacy incident response, making their plans specific and actionable so they’re ready for the next incident they face.