The General Data Protection Regulation (GDPR)
Your business must comply with the GDPR if it is established in the EU, or if it is established elsewhere but processes the personal data of individuals in the EU and does either of the following:
- It offers goods or services to those individuals (whether or not payment is required)
- It monitors their online behavior
It is important to note that each privacy law uses its own definition of personal information, with slight variations in scope and meaning.
The penalties for GDPR non-compliance are fines of up to 4% of your annual global turnover or €20 million, whichever is higher.
The California Consumer Privacy Act (CCPA)
Your business falls under the CCPA if it is a for-profit business doing business in California and it meets one of the following thresholds:
- It generates over $25 million in annual gross revenue
- It annually buys, receives, sells, or shares the personal information of 50,000 or more consumers (changing to 100,000 under the CPRA)
- It derives 50% or more of its annual revenue from the sale of personal consumer data
Under the law, you must inform users about the personal data you collect and how it’s processed.
The text of the CCPA defines personal information similarly to the GDPR but excludes publicly available information, such as public social media posts or data lawfully obtained from government records.
You must also provide a way for consumers to opt out of the sale of their data, such as a "Do Not Sell My Personal Information" link on your website.
The penalties for CCPA non-compliance are fines of up to $2,500 per violation or $7,500 per intentional violation.
The California Online Privacy Protection Act (CalOPPA)
CalOPPA was enacted in 2003 and took effect in 2004, making it one of the first data privacy laws implemented in the United States. It set the standard for the presentation, wording, and implementation of privacy policies by requiring any commercial website or online service that collects data from California residents to post a conspicuous privacy policy.
The law established a definition of personally identifiable information, and a 2013 amendment requires privacy policies to disclose how the site responds to browser Do Not Track (DNT) signals, the mechanism users toggle to express a tracking preference.
The penalties for CalOPPA non-compliance are fines of up to $2,500 per violation.
Children’s Online Privacy Protection Act (COPPA)
Any business operating a website or online service directed to children under 13 in the United States, or that has actual knowledge it is collecting personal information from children under 13, must follow the strict rules in the Federal Trade Commission's COPPA regulations, including obtaining verifiable parental consent before collecting such data.
The penalties for COPPA non-compliance are civil fines of more than $40,000 per violation (the exact amount is adjusted annually for inflation).
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA sets out ten fair information principles that private-sector organizations must follow when they collect, use, or disclose personal information in the course of commercial activity in Canada. It applies to all such businesses, not just those operating online, although provinces with substantially similar legislation (Quebec, Alberta, and British Columbia) apply their own laws to activity within the province.
The penalties for PIPEDA non-compliance are fines of up to $100,000 CAD (roughly $80,000 USD) per offence under federal prosecution, for example for failing to report a breach or for obstructing an investigation.