06 April 2020
Complying with privacy law is crucial for any business operating online.
Due to the nature of online commerce and marketing, businesses often collect personal information from people in multiple legal jurisdictions. If you offer goods or services in a given country, you must obey the privacy laws of that country.
We've compiled information about the state of privacy law in some major markets worldwide. We'll be answering the following questions:
We've also provided links to English translations and further resources in each legal jurisdiction.
Australia's main privacy laws are:
The Privacy Act sets out the "Australian Privacy Principles" (APPs). Only "APP Entities" are required to comply with the Privacy Act. APP Entities include:
Any Australian business with an annual turnover below 3 million AUD if:
The Spam Act applies to any business sending commercial emails with an "Australian link." A commercial email has an Australian link if:
The Privacy Act defines "personal information" as:
"Information or an opinion about an identified individual, or an individual who is reasonably identifiable"
Personal information is also defined in the Australian Telecommunications (Interception and Access) Act 1979 (available here). It includes account information for phone and internet services and metadata about communications.
Australian law does not place strict rules on targeted advertising.
The Privacy Act doesn't specifically refer to cookies as a type of personal information, and consent is not required for setting cookies.
The Office of the Australian Information Commissioner (OAIC) states that cookies revealing "general information about your interests and the websites you've visited" would not constitute personal information or fall under the scope of the Privacy Act.
Australian law recognizes express and implied consent.
Express consent is not defined in the Privacy Act or the Spam Act. The OAIC defines express consent as being given "openly and obviously, either verbally or in writing."
Implied consent can arise when:
The main privacy law in Argentina is the Personal Data Protection Act (PDPA) (English version available here).
Much like EU privacy law, the PDPA applies to anyone processing personal information, regardless of the size of a business or its sector.
The law does not specifically state that it applies to businesses based outside of Argentina, but it does apply to all processing of personal information that takes place in Argentina.
The official English translation of the PDPA defines "personal data" as:
"Information of any kind referred to certain or ascertainable physical persons or legal entities."
There are no specific rules related to cookies or targeted advertising in Argentine law.
Express consent is required for all "treatment" of personal information, and it must be "given in writing, or through other similar means," unless the personal information is:
Part of a list consisting of:
The PDPA doesn't make reference to implied consent.
There are two main privacy laws in Brazil:
The LGPD applies to:
This means that the LGPD affects businesses based outside of Brazil if they offer goods and services to, or collect personal information from, people in Brazil.
The law applies to everyone who processes personal information, and uses the terms "controller" and "processor" in the same way as the GDPR.
The LGPD defines "personal data" as:
"Information regarding an identified or identifiable natural person."
Bear in mind that this is a recently drafted law that takes inspiration from the GDPR. As such, this definition is likely to be interpreted broadly and will encompass many types of directly and indirectly identifying information.
The LGPD does not specifically mention cookies or online identifiers. However, given the clear influence of the GDPR, it is possible that the definition of "personal information" will be interpreted to include data such as this.
The LGPD defines "consent" as:
"Free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose."
This is a similar definition to that found in the GDPR.
The LGPD does not recognize implied consent, but like the GDPR it does recognize "legitimate interests" as an alternative lawful basis for processing personal information.
Consent must be given in writing or via some other recorded means.
The LGPD requires data controllers to provide transparent information, particularly when requesting consent. The following information must be provided:
Canada's main privacy laws are:
PIPEDA applies to all private sector organizations, regardless of size. Provincial laws take priority in certain provinces, but these are substantially similar to PIPEDA.
Recently, decisions by Canada's courts and its Office of the Privacy Commissioner (OPC) have made it clear that any foreign business with a clear and substantial link to Canada is covered by PIPEDA.
CASL applies to anyone sending commercial email to Canadian consumers.
PIPEDA defines personal information as:
"Information about an identifiable individual."
The OPC provides examples of personal information including ID numbers, income, and "intention to acquire goods or services."
CASL covers the installation of certain "computer programs," including cookies.
CASL states that businesses require "express consent" for setting cookies. Somewhat confusingly, however, express consent for cookies can be assumed if "the person's conduct is such that it is reasonable to believe that they consent to the program's installation."
Canadian privacy law recognizes express and implied consent.
Under PIPEDA, express consent must be requested when collecting sensitive personal information, processing personal information in a way that would fall outside of the individual's reasonable expectations, or where there is a "meaningful residual risk of significant harm."
Implied consent is most relevant to CASL. An individual may give implied consent to receive direct email marketing if:
A patchwork of criminal, civil, and regulatory laws govern privacy in China. Some important examples include:
Sector-specific laws also exist in the areas of healthcare, finance, and telecommunications.
All businesses will be covered to some extent by one or more of these laws.
The Personal Information Security Specification applies to "controllers": people or businesses that make decisions about the processing of personal information.
The CSL regulates "risks and threats arising both within and without the mainland territory of the People's Republic of China" and therefore covers businesses based outside of China.
The CSL defines "personal information" as:
"All kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person's identity"
It provides the following non-exhaustive list of examples:
In 2015, a Chinese appeal court heard a case brought against Baidu, the Chinese search engine. The claimant alleged that they had suffered emotional distress as a result of Baidu's use of tracking cookies.
Consent is an important basis for the processing of personal information in the CSL and the Specification.
The Personal Information Security Specification defines express consent as "a freely given, specific, clear, and unequivocal indication of the wishes of the well-informed personal information subject." Express consent is required when collecting sensitive personal information.
The two main EU privacy laws are:
These laws apply across the whole of the European Economic Area (EEA), which includes all EU Member States plus Iceland, Liechtenstein, and Norway.
Each EU Member State implements the laws slightly differently and has its own national privacy legislation. However, these national laws should not deviate significantly from the EU laws.
These laws apply across all sectors and to businesses of all sizes (although there are some exemptions to the GDPR for smaller businesses). Most of the GDPR's rules apply to "data controllers," which make decisions about how and why to process personal information.
EU privacy law applies explicitly to businesses based outside of the EU if they are offering goods or services to EU consumers or monitoring their behavior (including via the use of tracking cookies).
The GDPR defines "personal data" as:
"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier [...]"
This is a very broad definition that can include anything from a person's name to information about their browsing history or device ID.
In practice, a website operator must place a "cookie banner" on its website and not set advertising cookies until the user has given consent. Refusing consent to advertising cookies must not result in the user being denied access to the website or service.
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement"
The GDPR only recognizes express consent, and the standard is very high. Consent must be easy to withdraw and refusing to consent must not result in any detriment to the individual.
While there is no concept of implied consent under EU law, the lawful basis of "legitimate interests" does allow certain forms of personal information processing, including direct marketing, to take place on an "opt-out" basis.
As of March 2020, India has not yet enacted a general privacy law.
A major new privacy law, the Personal Data Protection Bill (PDPB), is currently going through the Indian legislature. The Bill would make sweeping changes to the state of privacy law in India. It is likely to pass, with some amendments, in 2020.
The PDPB defines "personal data" as:
"Data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information."
The PDPB doesn't make reference to cookies or targeted advertising. However, the broad definition of personal information is likely to be interpreted as including online identifiers such as cookies.
Under the PDPB, consent must be:
The Bill also specifically prohibits the denial of goods or services to an individual who refuses to give consent.
Consent under the PDPB is much like consent under the GDPR: implied consent is not recognized.
Japan's main privacy laws are:
The APPI applies to all private businesses. Government entities and certain journalistic and religious organizations are exempt.
The APPI defines "personal information" as "information relating to a living individual." It divides personal information into two categories:
Japanese law does not specifically mention targeted advertising. However, it is possible that cookies and other online identifiers could fall under the definition of personal information.
Because the transfer of personal information requires consent under the APPI, it is possible that this would apply to third-party cookies, meaning that cookie banners would be necessary for certain types of targeted advertising.
The APPI doesn't define consent. Consent is required for the collection of sensitive personal information and for the transfer of personal information to third parties.
Under the ASCT, consent is required for marketing emails, unless they are sent alongside transactional emails.
Nigeria's main privacy laws are:
The Nigerian Data Protection Regulation applies to anyone processing the personal information of people in Nigeria, including businesses based outside of Nigeria.
The NDPR defines "personal data" as:
"Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier."
This is virtually identical to the definition of personal information under the GDPR.
The definition is accompanied by an extensive list of examples, including:
These examples clearly show that this is intended as a very broad interpretation of personal information.
The NDPR defines "consent" as:
"Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
This is virtually identical to the definition of consent under the GDPR. There is no concept of implied consent under the NDPR.
Consent is not explicitly required for setting cookies; however, it would appear to be the only appropriate lawful basis for doing so. Unlike the GDPR, the NDPR lacks a lawful basis of "legitimate interests."
There are two main privacy laws in South Africa:
The POPI Act looks set to be enforced from April 2020 after many years of delay (the law passed in 2013).
The POPI Act will apply to all South African businesses, and businesses based outside of South Africa that process personal information inside South Africa. There is an exception for foreign businesses that "forward personal information through South Africa."
The POPI Act defines "personal information" as:
"Any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information."
The POPI Act defines consent as:
"A voluntary, specific and informed expression of will."
This is a form of express consent. The POPI Act does not recognize implied consent.
The main privacy laws in the UK are:
The DPA is the UK's implementation of the EU GDPR. Large sections of the Act refer to the GDPR and simply transpose the GDPR directly into the UK's national law. Other parts make specific exemptions and modifications that apply exclusively to the UK.
The PECRs are the UK's implementation of the EU ePrivacy Directive. They are substantially similar to the ePrivacy Directive but, like the DPA, apply specifically to the UK. The PECRs regulate online and telephone marketing.
The DPA and PECRs apply to all businesses processing the personal information of people in the UK. This includes businesses based outside of the UK if they are offering goods or services to UK consumers, or engaged in targeted marketing campaigns that involve UK consumers.
The UK also transposed the GDPR into its national law upon leaving the EU. There are no plans to amend or revoke the GDPR at this stage.
The DPA refers to the definition of personal information provided in the GDPR.
The PECRs contain the same rules on targeted advertising as found in EU law.
The DPA contains the same consent requirements as the GDPR.
Unlike most jurisdictions, the US does not have a general privacy law. Some important sector-specific federal privacy laws include:
The main definition of personal information in US federal law comes from COPPA:
"Individually identifiable information about an individual collected online, including:
- a first and last name;
- a home or other physical address including street name and name of a city or town;
- an e-mail address;
- a telephone number;
- a Social Security number;
- any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or
- information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph"
COPPA requires businesses to obtain express, verifiable parental consent before processing the personal information of a child under 13.
HIPAA permits a covered entity to obtain consent for disclosing health information, but it does not actually require the entity to do so.
COPPA prohibits the use of tracking cookies where children under the age of 13 are concerned, unless the business has obtained verifiable parental consent.
The State of California has several powerful privacy laws, including:
One or more of these laws will affect any business whose website is accessible in California. This includes businesses based outside of the US.
CalOPPA defines "personally identifiable information" as one of the following categories of identifier:
The CCPA defines "personal information" as:
"Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
This is arguably the broadest definition of personal information found in any privacy law in the world.
Under the CCPA, certain uses of cookies may qualify as a "sale" of personal information. In this case, a business must offer consumers the right to opt-out.
None of the four laws mentioned above requires a business to earn consent for the processing of personal information, with one exception.
Under the CCPA, a business must obtain consent from a minor aged between 13 and 16 before it can sell the minor's personal information. If the minor is aged under 13, the business must obtain parental consent.
Businesses must grant consumers over 16 the right to opt-out of the sale of their personal information.
California's "Shine the Light" and "Online Eraser" laws both require businesses to explain the consumer rights granted under these laws.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.