Contributed by Jared Wall1
The Holiday season is over, the New Year is here, and your company is data-compliant. Right…?
While probably not at the top of your New Year’s to-do list, ensuring that your company follows applicable data privacy regulations is crucial if you have an online presence. As technology and changing consumer habits have allowed companies access to more consumer data than ever, data privacy is becoming an increasingly popular area of regulation worldwide. As of March 2022, 157 countries have enacted data privacy laws2 and older regulations are being updated or replaced. For instance, the California Privacy Rights Act (CPRA), passed by California voters in 2020, became effective on January 1, 2023. The CPRA amends California’s Consumer Privacy Act (CCPA), passed in 2018, and creates, among other items, new requirements for certain businesses.3
Unfortunately, with 157 data privacy laws and counting enacted across the globe, uniformity is unlikely. While laws may model one another, they often include variations in implementation. This can make compliance more challenging for companies that may operate under the jurisdictions of several different data privacy laws.
Another potential pitfall is that certain data privacy laws could be applicable even if your company is not actively operating in the enacting jurisdiction. For example, the European Union’s General Data Protection Regulation (GDPR) protects data belonging to EU citizens and residents. Because the GDPR protects the data, it applies to any organization that “processes” such data, whether they are based in the EU or not. The EU refers to this provision as an “extra-territorial effect,” and Article 3 of the GDPR outlines what actions bring companies under the GDPR’s authority.4
A common theme among the growing number of data privacy regulations is notifying consumers about what data is collected, how it is collected, and how the company uses the data. As such, that is a good place to start a compliance review. Understanding what data your company collects and why it is collected is a good step to becoming compliant. The rest depends on various factors and the potential applicability of 157 data privacy regulations and counting.
1Jared Wall is the Associate General Counsel for Sea Foam International, Inc.
2Greenleaf, Graham, Now 157 Countries: Twelve Data Privacy Laws in 2021/22 (March 15, 2022). (2022) 176 Privacy Laws & Business International Report 1, 3-8, UNSW Law Research, Available at SSRN: https://ssrn.com/abstract=4137418
3See, generally, Title 1.81.5 California Consumer Privacy Act of 2018 [ § §1798.100 – 1798.199.100].
4For more information visit: https://gdpr.eu/companies-outside-of-europe/#:~:text=The%20GDPR%20does%20apply%20outside,%E2%80%9Cextra%2Dterritorial%20effect.%E2%80%9D.