Updated: July 25, 2023
Published: August 3, 2022
Over 260 pages.
Over 50,000 words.
Chock full of words like “pseudonymization,” “dactyloscopic data,” and “derogation.”
It’s the text of the General Data Protection Regulation (GDPR), and it’s not reader-friendly. Even worse — there are dozens of other privacy laws with different requirements and technicalities, but equal complexity. And if you don’t understand the ins and outs of these different regulations, you could find yourself facing million-dollar fines.
Nobody should have to read the full texts of multiple data privacy laws just to figure out how to become compliant. To help businesses get to compliance more quickly, we took a look at the main characteristics common to most data privacy laws.
Before we dive into the actual components you’ll come across in a data privacy law, it’s important to understand the basic tenets that underlie modern data privacy laws.
As the first law of its kind, the GDPR has become a model for other data privacy laws. It lays out seven principles that describe the intention behind the GDPR’s specific guidance. As stated by the UK’s Information Commissioner’s Office (ICO), the principles “don’t give hard and fast rules, but rather embody the spirit of the general data protection regime.”
If you internalize these principles, you’ll also have internalized the intention behind most modern data privacy laws.
Now that you’re familiar with the basic principles underlying most data privacy laws, let’s jump into the specific components you’ll come across in different laws.
It isn’t a matter of whether your headquarters is based in a region with a data privacy law or not — you might still be subject to one. These laws set out specific criteria that govern which organizations are subject to, or exempt from, their requirements.
Generally, this will depend on:
For example, Utah’s UCPA applies to businesses that earn over $25 million in revenue per year and conduct business in Utah or provide products or services targeted to Utah residents. In addition, businesses must meet one of the following additional threshold criteria before they are subject to the UCPA:
The exact figures differ from law to law, but most follow a similar pattern.
Data privacy laws will clearly define who and what they protect. Typically, laws will refer to a “consumer,” “resident,” or a “data subject.” For the most part, these definitions will be fairly intuitive: data privacy laws are meant to protect the real people who reside within a certain region, so that’s who “consumer” or “data subject” refers to. To be safe, however, it’s always best to look up the section of the law that defines the different terms it uses — every law will have a section dedicated to definitions.
Most data privacy laws will refer to “personal information” when discussing how businesses need to treat consumers’ data. However, the meaning of “personal information” can vary from law to law. Generally, personal information is data that can be used to identify or can be reasonably associated with a consumer.
Obviously, this would include information like a person’s name and address. But different laws can also include other information you might not have considered personal information. For a particularly odd example, the CPRA includes “olfactory” information in its definition of personal information — so if you wanted to keep a database on how your consumers smell, forget about it.
Notably, there are exceptions to what constitutes personal information as well. Generally, data privacy laws will exempt aggregated data or de-identified data. Aggregated data refers to data from groups of people that lack any personally identifiable information, like website visits, bounce rates, and the like. De-identified data is similar, but refers to data for which all personally identifiable information has been removed.
Some data privacy laws include an additional category of personal information: sensitive personal information. This includes information like social security numbers, consumers’ precise location, genetic data, and more.
Data that falls under this category requires special treatment from businesses, such as requiring explicit opt-in consent prior to processing, special disclosures and notices, permitting consumers to ask that businesses limit the use of their sensitive information, and so on.
Every data privacy law requires you to have consumers’ consent before collecting and processing their personal information. But the laws differ in how they define consent and in what obtaining consent looks like.
Broadly, there are two kinds of consent: opt-in and opt-out.
Laws like the GDPR require that consumers opt in to data collection. So, when a consumer visits an EU website for the first time, that business might ask for their consent in a cookie banner. If the consumer doesn’t click “Accept,” then the business can’t drop cookies on the consumer’s browser and, as a result, can’t track their behavior.
Other laws require opt-out consent. Businesses under an opt-out law might present a banner with no accept or reject button whatsoever and notify the consumer that by continuing to use the website, they are consenting to cookies.
If your business has a website, and you want to make it compliant with data privacy laws, then identifying whether you need opt-in or opt-out consent is probably the first thing you should look for. Enforcement agencies tend to look at cookies first since they are a clear and simple way to determine whether a business is in compliance or not.
Data privacy laws also list out the specific rights that consumers have in regards to their data. This typically includes consumers’ right to know certain things, such as the right to know whether their personal data is being shared or sold and with whom, as well as consumers’ access rights.
Access rights, also known as data subject access rights (DSARs), give consumers the right to make certain requests of businesses. This can include accessing their personal information that the business has collected, requesting that their data be deleted or amended, that businesses stop collecting their data, and more.
If your business collects personal information from consumers, then you probably share or sell that data to third parties. They could be software vendors, international partners, client organizations, and other groups.
Data privacy laws generally say that if you provide consumer data to a third party, then you’re still liable for what that third party does with the consumer data. It doesn’t matter if you do everything right; if the third party mishandles the consumer data, you’ll be the one on the hook.
Many data privacy regulations provide recommendations for how businesses should handle data transfers, such as by putting certain contractual agreements in place. There is also guidance on how to handle international transfers since you might transfer data from a region with one data privacy law to a region with another law or no privacy law whatsoever. The GDPR, in particular, is known for having strict requirements for international data transfers.
Being respectful of your consumers’ data privacy rights isn’t just the ethical and compliant thing to do; it’s also a cost-saver. Data privacy laws list out the fines and penalties businesses can expect to incur if they are noncompliant. GDPR noncompliance, for instance, can result in fines as high as 20 million euros or up to 4% of turnover, whichever is higher.
This may or may not be described in the actual text of the law itself, but it’s essential for businesses to be aware of which authorities are enforcing the law. In the EU, each country has its own data protection authority that handles enforcement in that country; California has the CPPA; and many other states rely on the Attorney General for enforcement.
Notably, some data privacy laws also allow for what’s called a “private right of action.” That means individual citizens can sue organizations if they break the law. Typically, this right is limited to specific sorts of noncompliance, such as if certain information is exposed in a data breach as a result of a business's noncompliance.
If you can identify the guidance for these key components in your relevant data privacy law, you’ll have an excellent foundation for becoming compliant. But that’s just the start.
The actual work of implementing a data privacy program can be just as complex as interpreting a data privacy law. Fortunately, we’ve recorded a webinar that covers how to build a privacy program, even if data privacy compliance is still relatively new for you and your organization.
Some more good news: Even if you don’t fully have your head wrapped around data privacy yet, there are solutions that can handle the minutiae for you. If you don’t know how your organization is going to go about getting cookie consent, vetting third-party vendors for their data privacy practices, or managing DSARs, tracking down a compliance platform that works for your organization will be time well spent.
As a first step in your compliance journey, schedule a demo of Osano. We keep over 750,000 websites compliant with 50+ data privacy laws. As a result, those businesses don’t have to learn the nitty-gritty of all those data privacy laws, and they don’t have to worry about noncompliance ever again.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.