As the world is becoming more digital than ever, new data privacy laws are being introduced, and some old ones are being amended. With every passing year, these data privacy laws are getting more stringent.
These laws are a shield for consumers against the exploitation of their data. But, as much as these laws are advantageous for the consumers, the opposite may be true for businesses.
Not only the small businesses but the global giants such as Amazon have been impacted by these laws for violation. For example, in July 2021, Amazon got fined a whopping $886.6 million for violating GDPR, one of the stringent data privacy laws.
Although the big businesses usually face significant penalties, these laws are more intense for the small and fledgling businesses.
These hefty fines may just be of similar nature as their operational costs for the already-established businesses. But, in contrast, these fines can be a significant setback for small and fledgling businesses.
That’s why you must have an eagle’s eye over the changes happening in these laws. Even the subtlest negligence can expose you to a colossal amount of penalty.
However, even an eagle’s eye may miss a modest detail sometimes. The legal text of these laws is so lengthy that a subtle change becomes a needle in the haystack.
But, you don’t need to worry because we are also on the lookout for these amendments. So, if they may have escaped your eyes, our eyes are there to catch them.
So, in this article, we will first have a sneak peek at the basics. After that, we will let you know of the data privacy laws that you must comply with in 2022.
Let’s find if you are already compliant or need to be.
What is data privacy, and why is it important?
In today’s world, data privacy is a necessity. With so many companies collecting personal data from their users, it’s vital to ensure that it isn’t misused. Let alone the misuse, you must obtain a user’s consent before even using their data.
Data privacy is a human right that everyone should have. A person has the right to know, allow, or restrict the use of their data by companies that collect it.
Companies need to be very careful about their data collection and removal to ensure they comply with the law and do not abuse their customers’ right to privacy.
So far, many territorial and international laws have been introduced to protect data privacy.
To name a few, California Privacy Rights Act (CPRA), Virginia’s Consumer Data Protection Act (CDPA), General Data Protection Regulation (GDPR) are some of the renowned data privacy laws. To know more about each, read this article that sums them up in simple terms.
Data privacy is crucial because it facilitates freedom of expression, speech, and choice—the three fundamental human rights. If people can’t express themselves freely, the businesses won’t be able to deliver to their needs and wants.
Then, there comes the element of trust between the businesses and their customers. If it isn’t maintained, customers will limit interaction with businesses.
Also, there remains a risk of data theft. In the process of collecting and distributing users’ data, if it reaches malicious hands, the users’ may face huge losses.
It all sums up to one conclusion that data privacy is crucial for every human. It isn’t a favor to your customers, but every human’s fundamental right.
Stringent Data Privacy Laws in 2022 You Must Comply with
1. General Data Protection Regulation (GDPR)
We have kept this law at the top because if you have visitors from the European Union (EU) to your website, you have to comply with it regardless of your location. So whether you are operating from Asia or America, this law may follow you everywhere.
General Data Protection Regulation (GDPR) is counted in the robust data privacy laws in the world enforced to date. It is a law by the European Union (EU) that mandates all businesses to comply with it if they are collecting any EU resident’s data.
For instance, you are a clothing brand based in Asia, but you sell worldwide. If an EU customer has just visited your online store, and you’ve collected their data, you are then mandated to comply with GDPR.
The basic GDPR requirements that you must comply with are as under:
A. Processing data
The data processing must be lawful, fair, and transparent. To elaborate, businesses must process users’ data only for a legitimate purpose. Also, the users must be informed of the processing of their data transparently.
B. Data subject rights
It is a users’ right to be informed, if they ask, about what data the company has retained and what is to be done with it. Also, the user has the right to ask for the elimination of data from the company’s database and any amendment to it.
The subject also has the right to restrict the processing of their data and lodge a complaint against them.
The subject user’s consent must be asked whenever a company wants to process their data for a purpose that isn’t legitimate. In addition, after getting the consent, it must be documented.
Even after that, the user has the right to withdraw from it. For the children below the age of 16, this consent must be asked from their parents.
D. Data breach
Sometimes, a data breach is inevitable, and every online business is at its risk. So, if a severe data breach has occurred, the company must inform the regulator and the user whose data has been breached within 72 hours.
GDPR also mandates the companies that fall under its law to ensure awareness of basic GDPR requirements to each employee. For example, they must be aware to ensure the users’ privacy protection, and they must also be able to identify if a data breach has just occurred.
2. California Consumer Privacy Act (CCPA)
Unlike GDPR that focuses on collecting, processing, and use of data, California Consumer Privacy Act (CCPA) emphasizes the sale of users’ data to third parties.
CCPA applies to the companies that collect and sell data of California residents.
The basic CCPA requirements that you must comply with are as under:
A. Processing data
The company must know the kind of personal information they collect and process it in a way that is accessible to users upon request and erasable.
B. Data sources
CCPA mandates the company to verify the sources from which they buy the data of California residents. It is an offense in the eyes of CCPA to operate on the stolen data.
C. Customer requests
Companies must create at least two easy ways for the customers to make requests regarding their data. These ways may be request forms, and you must place the links to these forms on your website’s homepage.
Also, there must be an explicit option with the text “don’t sell my personal information” on the request forms.
The companies must add a description of California residents’ rights. They must be well-informed of their rights under CCPA. Some of these rights are:
- They can ask and obtain the record of their personal information by a company
- They can ask a company to delete their data
- They can restrict a company to sell their data
- They can sue a company for abuse of their rights
3. Virginia Consumer Data Protection Act (CDPA)
Virginia Consumer Data Protection Act (CDPA) was formulated in March 2021, and it will come into effect in 2023. So, in the meantime, you must make yourself compliant with it if it applies to you.
Every business that operates in Virginia or sells products and services to Virginia must comply with Virginia’s CDPA.
The basic CDPA requirements that you must comply with are as under:
A. Processing data
The law requires companies to be transparent with processing, collecting, and using customers’ data.
B. Use of data
The law limits the use of data by companies. The use must be legitimate, adequate, and relevant to the purpose the data is being collected for.
C. Safeguard data
The onus of ensuring confidentiality, integrity, and accessibility of users’ collected data lies upon the companies that collect it.
D. Sign data processing agreements
If another party uses the collected data on your behalf, you must sign a data processing agreement that binds them to abide by all the aforementioned elements.
E. Consumers’ rights
The law provides the following rights to the Virginia residents, and you are mandated to ensure their provision:
- Right to access
- Right to delete
- Right to amend
- Right to appeal
- Right to data portability
- Right to opt-out
Are you compliant with all of these laws? If no, then better be; otherwise, you may soon show up on their radar of regulators and be imposed a hefty fine.
Businesses, individuals and corporations alike must stay up-to-date with these changes in data privacy laws so that they are complying with them fully and not standing to lose out financially due to any negligence on their part.
The year 2022 is now upon us. So if your business handles consumers’ data, you need to comply with data privacy laws 2022.A failure to do so could result in a hefty fine, as well as a loss of company reputation.
About the Author
Saifullah Napar is a writer working in this field for the past three years. He has been writing on topics such as business technology, blockchain, fintech, and digital marketing. (LinkedIn)