GDPR stands for General Data Protection Regulation, a European Union law that regulates how organizations collect, use, and protect personal data. It applies to many businesses worldwide and requires transparency, security, and accountability when handling personal information.

If your website or app collects personal data, you’ve probably heard of the GDPR.

The General Data Protection Regulation is one of the most important privacy laws in the world.

It sets the rules for how organizations collect, use, and protect personal data. It came into force in May 2018 and applies to many companies both inside and outside the European Union.

If you offer services to people in Europe, track website visitors, or collect personal information such as email addresses or IP addresses, the GDPR may apply to you.

In this guide, we explain what the GDPR is, why it was introduced, and who it applies to. We also cover the key principles, legal requirements, user rights, and practical steps organizations can take to stay compliant.

An overview of GDPR

GDPR stands for General Data Protection Regulation.

It’s a European Union law that regulates how organizations handle personal data. The regulation sets clear expectations for how companies collect, process, store, and protect information about individuals.

The goal is simple: people should understand how their data is used and have control over it.

For organizations, this means being transparent about data practices, collecting only the information that is necessary, and protecting it properly.

What is the purpose of GDPR?

GDPR was introduced to strengthen privacy protections and modernize older European data protection laws.

The regulation focuses on several key objectives:

• Protect personal data from misuse or unauthorized access
• Give individuals greater control over their personal information
• Require organizations to be transparent about how they use data
• Create consistent privacy rules across EU member states

These goals help create more trust between businesses and the people who use their services.

Who does GDPR apply to?

Many organizations assume that GDPR applies only to companies based in Europe. In reality, the scope is broader. GDPR applies in the following situations:

For example, a company in the United States that sells products to EU customers or tracks EU website visitors may still need to comply with GDPR.

What counts as personal data?

Under the GDPR, personal data is any information that can identify a person, either on its own or when combined with other data. That includes obvious identifiers such as names, email addresses, and phone numbers, as well as less-obvious identifiers such as IP addresses, location data, or device IDs. In simple terms, if a piece of information could reasonably be used to figure out who someone is, it likely counts as personal data under the GDPR.

The seven principles of GDPR

The regulation is built around seven core principles that guide how organizations handle personal data.

Lawfulness, fairness, and transparency

Personal data must be processed legally, and users must understand how it is used.

Purpose limitation

Data must be collected for specific and legitimate purposes.

Data minimization

Organizations should collect only the data that is necessary.

Accuracy

Personal data must be accurate and kept up to date.

Storage limitation

Data should not be kept longer than necessary.

Integrity and confidentiality

Personal data must be protected against unauthorized access or loss.

Accountability

Organizations must be able to demonstrate compliance with these principles.

These principles form the foundation of GDPR compliance.

Legal bases for processing personal data

GDPR requires organizations to have a valid legal reason for processing personal data.

The regulation defines six possible legal bases.

• Consent from the user
• Performance of a contract
• Compliance with a legal obligation
• Protection of vital interests
• Public interest or official authority
• Legitimate interests of the organization

Consent is commonly used for marketing activities and cookie tracking, but it is not always required if another legal basis applies.

Key GDPR requirements for businesses

Organizations must implement several practical measures to meet GDPR obligations. These measures help organizations demonstrate accountability.

User rights under GDPR

One of the central goals of GDPR is to give individuals greater control over their personal data.

The regulation grants several rights to users.

• Right to be informed about how their data is used
• Right of access to the personal data that an organization holds about them
• Right to rectification of inaccurate data
• Right to erasure, also known as the right to be forgotten
• Right to restrict processing in certain situations
• Right to data portability between services
• Right to object to certain types of data processing
• Rights related to automated decision-making and profiling

Organizations must provide ways for individuals to exercise these rights.

Cross-border data transfers

GDPR also regulates the transfer of personal data outside the European Economic Area.

Data transfers are allowed only when certain safeguards are in place.

Examples:

• Countries recognized as providing adequate data protection
• Standard Contractual Clauses
• Binding Corporate Rules

These mechanisms ensure that personal data remains protected even when transferred internationally.

GDPR compliance strategies

Staying compliant with the GDPR isn’t bout ticking a single box. It requires clear processes for how your organization collects, uses, and protects personal data. While every business is different, most GDPR compliance strategies start with a few fundamental steps.

Organizations should focus on:

• Understanding what data you collect. Map the personal data your business collects, where it comes from, and how it is used.
• Identifying a legal basis for processing. Make sure every data processing activity has a valid legal basis under the GDPR, such as consent, contract, or legitimate interest.
• Being transparent with users. Clearly explain your data practices in an accessible privacy policy and provide users with meaningful information about how their data is handled.
• Managing consent properly. When consent is required, collect it in a clear and verifiable way and keep records of it.
• Respecting user rights. Put processes in place to respond to requests such as access, deletion, correction, or data portability.
• Protecting personal data. Implement appropriate technical and organizational security measures to safeguard the data you process.
• Keeping internal documentation. Maintain records of processing activities and review them regularly to ensure they stay accurate as your business evolves.

Together, these steps create a solid foundation for maintaining GDPR compliance as your organization grows.

A practical GDPR compliance framework

For many organizations, GDPR compliance becomes easier when it is approached through a structured framework. Instead of treating privacy as a one-time task, businesses should build processes that guide how personal data is collected, documented, and protected across the organization.

A practical GDPR framework typically includes the following steps:

• Understand what personal data you collect. Identify the types of personal data your organization collects, where it comes from, and how it is used.
• Define a legal basis for processing. Ensure each processing activity has a valid legal basis under the GDPR, such as consent, contractual necessity, or legitimate interest.
• Provide clear privacy information. Make your data practices transparent through accessible privacy policies and clear disclosures to users.
• Manage consent where required. Collect and store consent in a way that is verifiable, easy to withdraw, and properly documented.
• Keep records of processing activities. Maintain internal documentation that describes what data you process, why it is processed, and who it is shared with.
• Protect personal data. Implement appropriate technical and organizational measures to safeguard personal data.
• Review and update regularly. As your services, tools, and partners change, review your compliance setup to ensure it remains accurate and up to date.

Together, these steps help organizations build a practical and sustainable foundation for GDPR compliance.

GDPR fines and consequences of non-compliance

GDPR introduced significant penalties for organizations that fail to comply with the regulation.

In addition to financial penalties, authorities may issue warnings, conduct audits, or restrict certain data processing activities.

GDPR compliance checklist

Here’s a simplified checklist organizations can use as a starting point.

• Publish a clear and accessible privacy policy
• Identify the legal basis for all data processing activities
• Obtain consent when required
• Implement a compliant cookie banner if cookies are used
• Maintain records of consent and data processing
• Enable users to exercise their data rights
• Protect personal data with appropriate security measures
• Regularly review and update compliance practices

Why was the GDPR introduced?

GDPR was introduced to strengthen privacy protections and modernize older European data protection laws.

The regulation focuses on several key objectives.

• Protect personal data from misuse or unauthorized access
• Give individuals greater control over their personal information
• Require organizations to be transparent about how they use data
• Create consistent privacy rules across EU member states

These goals help create more trust between businesses and the people who use their services.

Frequently asked questions about GDPR

Does GDPR apply to businesses outside the EU?

Yes. GDPR can apply to organizations outside the EU if they offer goods or services to people in the EU or monitor their behavior, such as through website tracking or analytics.

Do small businesses need to comply with GDPR?

Yes. Business size does not automatically exempt you from GDPR. If you process personal data from people in the EU, the regulation may apply regardless of company size.

Do I need a Data Protection Officer (DPO)?

Only some organizations must appoint a DPO. This usually applies to public authorities or companies that process large amounts of sensitive data or monitor individuals at scale.

How long can personal data be stored under GDPR?

Personal data should only be kept for as long as it is necessary for the purpose it was collected. Organizations must define retention periods and delete or anonymize data when it is no longer needed.

Start simplifying GDPR compliance today

Aligning with GDPR compliance involves many moving parts. Understanding what data you collect, being transparent with users, managing consent, and keeping proper records all take time and attention. The good news is you don’t have to handle everything manually.

iubenda helps you simplify the process, from generating privacy and cookie policies to managing consent and documenting your data processing activities in one place. Start simplifying your GDPR compliance today, and spend less time worrying about regulations and more time building your business. Create a new project to get a free website compliance audit and recommendations for how to build your compliance setup.

Useful links

• Smart compliance for UK GDPR
• GDPR compliance for e-commerce (what online shops need to know)

The post Everything you need to know about GDPR appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Below, we break down the key provisions of the Act and how you can prepare. 

Key Features of the Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 brings a wide range of updates, not just to data protection law but also to emerging areas like smart data and digital verification services. The Act covers the following key areas:

1. Amendments to UK Data Protection and ePrivacy Laws

The Act updates the UK GDPR and the Data Protection Act 2018, including:

• More Special Category Data: Whilst additional categories have not been added yet, the Act provides for a new mechanism to introduce further classes of special category data by the secretary of state.
• Purpose Limitation: The Act extends the purpose limitation principle when processing is carried out for the public interest. A list of derogations deemed compatible with the original purpose or processing are introduced in the Act which range from protecting vital interests to complying with legal obligations.
• Data Subject Requests: The Act codifies ICO’s “stopping the clock” approach, where the clock on responding to reasonable and proportionate data subject requests within the set time frame, only starts to run once the identity of the requestor has been verified. 
• Complaints Process: The Act introduces a new right to complain directly to the controller pursuant to measures such as an electronic form. The controller is to acknowledge complaints within 30 days and have a clear process for handling data subject complaints. This right to complain should also be included in privacy notices.
• Automated Decision Making: The Act narrows the scope of the current restrictions on automated decision-making, since they will now be limited to decisions involving special category data. This is a major shift from the existing rules.
• Legitimate Interests: The Act whitelists certain activities, such as direct marketing, intra-group data transfers, and network security as legitimate interests. This facilitates the process for controllers to determine whether their data processing purpose will be considered as legitimate.
• International Transfers: The Act retains a risk-based approach to assessing adequacy for international data transfers, focusing on whether the data protection standards in another jurisdiction are “materially lower” than those in the U.K. with the introduction of a “data protection test“.
• Public Task: The Act clarifies that the public task condition applies only to tasks performed by the controller in the public interest and does not extend to tasks carried out by third parties.
• Research Clarifications: The Act clarifies how personal data can be used for research purposes, explicitly including “scientific research” and genealogical research. It opens up new opportunities for technological development and fundamental research that can reasonably be described as scientific.

2. Amendments to ePrivacy Laws

The DUA Act also introduces some changes to the ePrivacy Regulations:

• Charity Soft Opt-in: The soft opt-in for electronic marketing is extended to charities, enabling them to contact individuals for marketing purposes related to furthering their charitable objectives.
• Cookie and Tracking Technologies: Cookies used for analytics or website optimization are exempt from the requirement to obtain prior consent, as long as users are clearly informed beforehand about the use of such cookies and have a simple, free method to opt out. This may still mean that cookie consent pop-ups remain in use.
• Fines Alignment: The fines for ePrivacy breaches are now aligned with those under the UK GDPR, allowing for substantial penalties for violations.

3. Smart Data Framework

One of the most innovative aspects of the DUA Act is its establishment of a smart data framework. This framework aims to enable consumers and businesses to grant third parties access to their data, encouraging competition and the development of new products and services.

Key points include:

• Smart Data Schemes: Building on the Open Banking model, the Act facilitates schemes across various sectors, with the energy sector as an early target. These schemes will enable customers to share data (such as consumption patterns) for price comparisons or carbon reporting, spurring innovation.
• Obligations for Traders: Businesses that supply goods or services will be subject to new obligations under these schemes, including investment in IT infrastructure to support data sharing.

4. Digital Verification Services (DVS)

The Act introduces a framework for digital verification services (DVS), including electronic signatures and eID. This will enable a trust framework for DVS providers, ensuring they meet the required standards and can be certified and included in a statutory register.

• Public Authority Gateways: DVS providers will be able to interact with public authorities via secure information gateways, allowing for the use of certified DVS for tasks such as right-to-work or right-to-rent checks.
• Reduced Personal Data Collection: DVS will help reduce the need for businesses to collect personal data, minimizing risks for both businesses and individuals.

5. The Future of AI and Automated Decision-Making

With the amendments to research definitions and automated decision-making restrictions, the U.K. is positioning itself as a more flexible environment for AI development. These changes make the U.K. an attractive destination for AI innovation, especially given that the EU has introduced specific AI regulations that U.K.-based businesses will not need to adhere to. However, multinational businesses must remain mindful of the differences between U.K. and EU data protection laws when developing or deploying AI technologies.

The Act’s Impact on Business Operations

The Data (Use and Access) Act 2025 will require businesses to:

• Review Data Governance Practices: Businesses will need to reassess their data collection, processing, and sharing policies, particularly for research and AI development.
• Prepare for Digital Verification Services: Businesses relying on identity verification will need to familiarize themselves with the new DVS framework and adjust their systems accordingly.
• Monitor Smart Data Schemes: Traders in sectors like energy and finance should prepare for the potential obligations that will come with smart data schemes.
• Adapt to ePrivacy Changes: Businesses will need to review their cookie consent practices and ensure they comply with the new exemptions and requirements for clear information.

Penalties and Enforcement

As with GDPR, the Data (Use and Access) Act 2025 establishes significant penalties for non-compliance. Penalties for breaches of electronic marketing regulations and placement ofcookies are currently capped at £500,000. However, ePrivacy breaches will soon be subject to the Data Protection Act 2018 leading to severe fines up to 4% of global turnover or £17.5 million, whichever is higher.

Preparing for the DUA Act

Organizations should begin preparing for the full implementation of the Act by:

• Familiarizing themselves with the new rules on automated decision-making and research to better align with evolving AI development.
• Reviewing their data processing practices, particularly around smart data schemes and digital verification.
• Ensuring compliance with ePrivacy laws and data subject rights.

While substantial changes to data protection frameworks are not required immediately, organizations should stay informed and proactive to take full advantage of the Act’s provisions and ensure continued compliance.

Conclusion

The Data (Use and Access) Act 2025 marks a major step forward in the U.K.’s data protection and digital verification landscape. It aligns with international standards like the GDPR but also opens new avenues for innovation, particularly in AI, smart data, and digital verification services. Businesses should remain vigilant, staying up to date with secondary regulations and prepare for the upcoming changes that will impact their data handling practices.

The post The U.K. Data (Use and Access) Act 2025: What you need to know  appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Effective Date: July 31, 2025

The Minnesota Consumer Data Privacy Act (MCDPA) establishes new data privacy requirements for businesses operating in Minnesota or targeting residents of the state. This Act is designed to empower consumers with rights over their personal data while imposing specific obligations on entities handling such data.

Sensitive Data Definition

The MCDPA outlines specific types of personal data considered sensitive, including:

A “known child” refers to an individual under 13, where the data controller has actual knowledge or willfully disregards the fact that the individual is a child.

Applicability

The MCDPA applies to businesses that meet the following thresholds:

1. Control or process personal data of 100,000 consumers or more annually (excluding data processed solely for payment transactions).
2. Derive over 25% of their gross revenue from the sale of personal data and process/control personal data of 25,000 consumers or more.

Non-profits are generally subject to the MCDPA unless they are focused on detecting and preventing fraudulent insurance activities.

Other applicability exceptions include state entities, federally recognized tribes, and certain compliance activities related to legal or regulatory requirements.

Consumers’ Rights

The MCDPA grants Minnesota residents several rights related to their personal data:

Access Personal Data: Consumers can confirm whether their data is being processed and access it.

Correction of Data: Consumers can request the correction of inaccurate data.

Deletion of Data: Consumers can request deletion of their personal data.

Data Portability: Consumers can request their data in a portable format, especially when automated processing is involved.

Opt-Out Rights: Consumers can opt out of data processing for targeted advertising, data sales, and profiling used for decisions with legal or significant effects.

Rights in relation to Profiling activities: Consumers subject to profiling may:

• Challenge the profiling results.
• Request information on the reason behind profiling decisions.
• Review the data used in profiling and have it corrected if inaccurate.

Third-Party Disclosure: Consumers can request a list of third parties to whom their data has been disclosed.

Non-Discrimination: Consumers are protected from discrimination when exercising their rights.

Consumers can exercise their rights through a request submission without the need to create an account (although an existing account may be used). Parents or legal guardians can act on behalf of minors under 13. Consumers may also designate an authorized agent to opt out of targeted advertising and data sales on their behalf.

Requests must be fulfilled within 45 days, with an option for a 45-day extension. If a request is deemed excessive or unfounded, a reasonable fee may be charged.

Controllers’ Obligations

To comply with the MCDPA, businesses must:

Small businesses must obtain prior consent before selling sensitive data. Additionally, businesses must notify consumers of any material changes to privacy practices and give them an opportunity to withdraw consent.

Enforcement and Compliance

In case of disputes, controllers must provide instructions on how consumers can contact the Minnesota Attorney General to file complaints. Controllers must also maintain records of all consumer requests and responses.

To ensure compliance, businesses should regularly conduct data privacy assessments, especially for high-risk processing activities, and maintain documentation of their data protection measures.

The post Minnesota – Consumer Data Privacy Act (MCDPA) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Effective Date: July 1, 2025

The Tennessee Information Protection Act (TIPA) is a comprehensive state-level privacy law designed to provide consumers with greater control over their personal data. The law establishes specific rights for consumers and imposes certain obligations on businesses that handle personal data of Tennessee residents. Below is an overview of the Act’s key provisions and requirements.

Definition of Sensitive Data

TIPA defines “sensitive data” as a category of personal information that includes the following:

Applicability of the Act

TIPA applies to individuals or entities conducting business in Tennessee or offering products or services targeting Tennessee residents that meet the following criteria:

1. They exceed \$25,000,000 in revenue; and
2. They:

• Control or process personal information of at least 25,000 consumers and derive more than 50% of their gross revenue from the sale of personal data; or
• Control or process personal information of at least 175,000 consumers during a calendar year.

It is important to note that the Act does not apply to non-profit organizations.

Other limitations on applicability exist, including:

Consumers’ Rights

TIPA grants consumers the following rights:

1. The right to confirm whether a controller is processing their personal data and access it;
2. The right to obtain a copy of their personal data in a portable, readily usable format, allowing them to transmit the data to another controller;
3. The right to request the correction of inaccurate personal data;
4. The right to request the deletion of their personal data;
5. The right to opt out of the processing of their personal data for targeted advertising, sale of personal data, and profiling activities with legal or similarly significant effects;
6. The right not to be discriminated against for exercising opt-out rights.

Exercise of Rights

To exercise their rights, consumers may submit requests to controllers through the means described in the privacy notice. No account creation is required for submitting requests, although if the consumer has an existing account with the controller, the request may be submitted through that account. If the request is made on behalf of a child, the parent or legal guardian may submit the request.

Follow-Up by Controllers

Controllers are required to respond to consumer requests within 45 days. They must provide the requested information free of charge, up to twice per consumer within any 12-month period. In cases where requests are deemed manifestly unfounded, excessive, or repetitive, controllers may charge a reasonable fee to cover administrative costs.

Controllers must be able to authenticate consumer requests using commercially reasonable efforts and may request additional information from the consumer to verify the request. Controllers must also establish an appeal process, which should be clearly available, free of charge, and similar to the process for submitting consumer rights requests.

In the event an appeal is denied, controllers must provide an online mechanism or another contact method for consumers to submit complaints to the Tennessee Attorney General.

Controllers’ Obligations

TIPA imposes the following obligations on controllers:

Limit the collection of personal data: Controllers must limit the collection of personal data to what is adequate, relevant, and necessary in relation to the processing purposes disclosed to consumers;

Obtain consumer consent: Controllers must obtain consumer consent to:

• Process personal data for purposes that are not reasonably necessary or compatible with the purposes disclosed in the privacy policy;
• Process sensitive data, including sensitive data of a known child (which must comply with the Children’s Online Privacy Protection Act, COPPA);

Privacy notice requirements: Controllers must provide a clear, accessible, and meaningful privacy notice that includes:

• Categories of personal data processed;
• Purposes for processing personal data;
• Categories of personal data sold to third parties, if applicable, and the relevant categories of third parties;
• How consumers may exercise their rights, including the right to appeal;
• A clear disclosure of any sale of personal data or processing for targeted advertising, with an opt-out procedure;

Contract with processors: Controllers must enter into contracts with processors, ensuring compliance with the TIPA requirements.

Data protection assessments: Controllers must conduct and document data protection assessments for each processing activity that poses a heightened risk of harm to consumers, such as processing for targeted advertising or the sale of personal data.

Data security practices: Controllers must implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.

Universal Opt-Out Signals

The Act does not regulate the use of universal opt-out signals, meaning that businesses are not required to comply with such signals under TIPA.

The post Tennessee Information Protection Act (TIPA) Overview appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

When Can a Business Be Sued?

There should be a data breach

As we said, consumers can’t sue businesses for any violation of the Act, but only when certain conditions are met.

1. There has been a data breach, where the consumer’s nonencrypted and nonredacted personal information was stolen.
2. The data breach was a result of the business’s failure to protect personal information through security measures.

The business must process specific categories of personal information

Moreover, the business must also process specific categories of personal information to be sued. The Act specifies that to exercise the private right of action, the following information should be stolen in the data breach:

• The first name (or first initial) and the last name of the consumer;
• Combined with any of the following information:
  • Social security number.
  • Any unique identification number issued on a government document, such as a driver’s license number, tax identification number, passport number, military identification number, etc.
  • Financial account number, credit card number, or debit card number, combined with any required security code, access code, or password that would allow access to your account.
  • Medical or health insurance information.
  • Any unique biometric data used to identify a person, such as a fingerprint, retina, or iris image (this doesn’t include photographs, unless used for facial recognition purposes).

Businesses can “cure the violation” before being sued

Before suing, consumers must inform the business with a written notice, explaining which section of the Act was violated. Businesses have 30 days to respond and fix the issue.

If the business is able to fix the issue and gives its written statement that it has done so, consumers cannot sue the business. If, instead, the violation continues, consumers can proceed with the legal action.

What are the Consequences of the Private Right of Action under the CCPA?

A consumer may sue for either type of damages:

• Monetary damages that it suffered from the breach. For example, if the breach compromised the bank account information and led to monetary loss, the compensation would amount to the actual loss. Or
• Statutory damages range from $100 to $750 per violation. The amount of statutory damages is usually decided by the court.

Best Practices for Businesses to Avoid Legal Cases under the Private Right of Action

As a business, of course, you want to avoid getting sued. That’s why you shouldn’t overlook compliance with the CCPA.

Among other things, the CCPA requires you to take security measures to protect the personal information you collect and process. Even though the CCPA does not explicitly say what security measures you should apply, it talks about “reasonable security practices”.

Here are a few things you can do to safeguard your data:

• Encrypt your data. The first thing to do is to make the data difficult to decipher to external agents. Encrypted data needs an encryption key to be deciphered, so it’s an effective way to protect it.
• Limit access to your accounts. Give access to your accounts only to those who need it. By limiting access, you also limit the chances of unauthorized access.
• Use strong passwords and 2-FA. Remember to use strong passwords, different for each account. To make protection stronger, also implement 2-factor authentication, which requires a 1-time code to enter your account.
• Invest in your business’s security system and train your staff appropriately. Everyone in your company should know the basics of cybersecurity. You don’t want a security breach because of somebody’s lack of knowledge or carelessness.
• Assess your processing activities regularly. You should carry out audits and assessments regularly to determine whether there are aspects of your security practices that you can improve.

Learn more about the CCPA

---

Read also:

• What is CCPA? CCPA Compliance Guide
• CCPA compliance checklist
• CPRA: Intro to the CCPA 2.0 and how it affects you

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post A Guide to CCPA Private Right of Action appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Under the EU GDPR, individuals are granted several rights. One of these is the right to be informed.

In Articles 13 and 14 of the Regulation, it’s stated that individuals have the right to be informed of the collection and processing of their data, how this data is handled, and for which purposes.

The GDPR states that if the data is collected directly from the individual, they must be informed right away – that is, at the time of the collection.

If, instead, the data isn’t collected directly from the individual, they must be informed within a reasonable period, but at the latest after a month.

What is an Example of the Right to Be Informed?

One way in which the right to be informed is respected is through a privacy policy.

A privacy policy is a legal document that websites provide to inform users of the data they collect and process, and how this processing happens.

It’s a handy way to inform your users about your data processing activities because it’s usually easily accessible from every page of the website.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post What is the Right to Be Informed? appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Key Requirements for Compliance:

1. Clear Public Standards for Child Safety

Your app must have publicly available policies that explicitly prohibit Child Sexual Abuse and Exploitation (CSAE). These policies should be clearly stated in your app’s Terms of Service, Community Guidelines, or other user-facing documents.

2. In-App User Feedback Mechanism

A robust reporting system must be in place within your app to allow users to submit feedback, raise concerns, or report suspicious content. This system should be easy to access and use, ensuring that users can quickly flag potential safety issues.

3. Handling of CSAM (Child Sexual Abuse Material)

Your app must take immediate action when CSAE content is identified. This includes:

4. Compliance with Child Protection Laws

Apps must strictly adhere to all applicable child safety regulations, including:

5. Dedicated Child Safety Contact

A designated representative must be available to receive notifications from Google Play regarding any CSAE content found within your app. This contact must be equipped to:

Why Compliance Matters

Failure to meet these requirements can lead to severe consequences, including app removal from Google Play, legal action, and reputational damage. By proactively implementing these safety measures, developers not only align with platform policies but also contribute to a safer digital ecosystem for all users.

For further details, refer to Google Play’s official guidelines: 

• Google Play Policy on Child Safety
• Additional Information on Compliance

The post Child Safety Standards policy appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In this guide, we explain the difference between a data controller vs data processor and what are your duties in each case.

What is a Data Controller?

Under the GDPR, a data controller is defined as “any person or legal entity involved in determining the purpose and ways of processing the personal data.” In simpler terms, it’s the person or entity that decides what data should be collected and processed and why.

Duties of a Data Controller

In the eyes of the law, the controller is the main person responsible for GDPR compliance in his organization and the one who is liable in case of non-compliance. His duties are, among others:

• Ensuring that personal data is processed lawfully, fairly, and transparently, as the main principles of the GDPR require.
• Implementing the appropriate technical and organizational measures to comply with the GDPR and safeguard the data of its users.
• Providing the necessary documents to users – such as a privacy policy and a cookie policy.
• Maintaining documentation of processing activities, conducting Data Protection Impact Assessments for high-risk processing activities, and appointing a Data Protection Officer (DPO) if needed.

What is a Data Processor?

The GDPR defines the data processor as “any person or legal entity involved in processing personal data on behalf of the controller.” So, processors are basically entities chosen by the controller to handle part of the processing on their behalf.

The data controller and the data processor sign a contract – called Data Processing Agreement. This contract defines what the processor is responsible for and the conditions of the processing.

Duties of a Data Processor

While the main responsibility for compliance starts with the data controller, data processors still have duties and responsibilities, as outlined in Article 28 of the GDPR:

• They must abide by the Data Processing Agreement (DPA) and they can’t use the data collected for their own purposes.
• They must ensure that the highest security measures are met.
• They commit to confidentiality and assist the controller in meeting the legal obligations required by the GDPR.

This doesn’t mean that data processors aren’t liable for anything. For example, if a data subject believes that his data has been processed unlawfully, he can seek compensation from either the data controller or the data processor.

Is Google a Data Controller or Processor?

Like many website owners, you may use Google products on your website or in your organization. So, you may be wondering: is Google my data processor?

The answer is, it depends.

Google acts as a data controller when it comes to the data it collects and processes for its own purposes. Some of this data may also come from your website if you use tools like Google Ad Manager or YouTube.

Google states: “We operate as a controller because we regularly make decisions on the data to deliver and improve the product”.

In other cases, Google can act as your data processor. For example, if your organization uses Google Workspace or Google Cloud, Google is your data processor – meaning that they can’t process your data for their own purposes, and you’ll need to enter a Data Processing Agreement with them.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post Data Controller vs Data Processor: What’s the Difference? appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In this guide, we’ll explain the difference between personal and sensitive personal information, show you examples of sensitive information under different privacy laws, and give you tips on handling sensitive data.

What is Personal Information?

When we talk about personal information in the context of data protection laws, we generally refer to information that relates to an identified or identifiable individual. This definition also includes partial information that, when collected together, can lead to the identification of a person.

Examples of personal information are:

• Full name
• Email address
• Telephone number
• ID numbers
• Unique identifiers
• IP address

and more.

Even pseudonymized or encrypted data can be considered personal information, if the the encryption/anonymization is reversible.

What is the Difference Between Personal Information and Sensitive Personal Information?

As you understand, the main difference between personal information and sensitive personal information lies in their nature and risk level.

Personal information is any data that could lead to the identification of a person, and it’s generally considered lower risks. On the other hand, sensitive personal information includes data that, if disclosed, could cause harm or discrimination. For this reason, sensitive data is subject to stricter legal requirements and needs higher protection.

Sensitive Personal Information Under Different Privacy Laws

Though very similar, privacy laws around the world have different definitions of what is considered sensitive personal information. Let’s take a closer look.

The EU’s General Data Protection Regulation (GDPR)

The GDPR, defines sensitive data in Article 9 under “special categories of personal data”, as:

• Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
• Genetic and biometric data, data concerning health, or a natural person’s sex life or sexual orientation.

The UK’s Data Protection Act 2018

The DPA 2018 sets out the framework for data protection law in the UK. According to the ICO, it sits alongside and supplements the UK GDPR. Its definition of special category data is the same as the GDPR (listed above).

US Privacy Laws

The California Privacy Rights Act (CPRA)

The CPRA is an amendment to the CCPA, which was initially developed to regulate the collection and sale of consumers’ personal information in California.

Amongst other things, a new category of protected data was introduced by the CPRA, sensitive personal information (SPI). This idea is similar to the GDPR’s special categories mentioned above and requires a higher level of protection.

The Virginia Consumer Data Protection Act (VCDPA)

The VCDPA is the privacy law in the Commonwealth of Virginia. It states that a business cannot process sensitive data concerning a consumer, without obtaining the consumer’s prior consent (opt-in).

It defines sensitive data as a category of personal data that includes:

• Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
• The processing of genetic or biometric data for the purpose of uniquely identifying a natural person.
• The personal data collected from a known child.
• Precise geolocation data.

The Colorado Privacy Act (CPA)

The Colorado Privacy Act governs the processing of personal and sensitive data in the State of Colorado. Like in Virginia, consent (opt-in) is required before processing any sensitive data and controllers are required to conduct data protection assessments.

The definition of sensitive data under the CPA is very similar to the VCDPA :

• Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship, or citizenship status.
• Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual.
• Personal data from a known child.

The Brazilian Lei Geral de Proteção de Dados Pessoais (LGPD)

The LGPD identifies sensitive data as a special category of personal data. Sensitive data is any data related to racial or ethnic origin, religious belief, political opinion, health or sexual life data; or data that allows the unequivocal and persistent identification of the user, such as genetic or biometric data.

How to Handle Sensitive Data

If your business collects and processes sensitive data, you may need to take extra steps to make sure you’re storing them securely.

Here’s what you may need to do:

1. Make sure that you absolutely need the data

A key principle of data privacy laws is data minimization, that is limiting your processing to only the data you truly need for your purposes.

The first thing you need to do, before you start collecting sensitive data, is to have a precise idea of your processing activities. This step is useful because it clarifies exactly how you’re going to use the data. Keeping accurate records of your processing activities can help you here, because you can go back to them whenever you need to.

After going through your records, you will know the amount of data you need to fulfill your purposes, and how long you’ll need to store them.

If you’ve determined that you do need to process sensitive personal information, then continue to point 2.

2. Define what law applies to you and meet its specific requirements

Each privacy law has different requirements, even when it comes to sensitive information.

• For example, under the GDPR you need to fully inform your users that you collect their sensitive data, get explicit consent to be able to process it, appoint a Data Protection Officer (DPO), and carry out a Data Protection Impact Assessment (DPIA) if you also perform processing on a large scale.
• On the other hand, under the CPRA, you still need to fully inform your users that you collect their sensitive personal information, and you must provide a clear and visible link, “Limit the use of my Sensitive Personal Information”, on your homepage.

If you’re not sure what to do, the safest approach would be to follow the strictest requirements.

3. Provide the highest levels of security legally required

Storing personal data safely it’s key to compliance with privacy laws, especially when we talk about sensitive personal data.

Here are a few tips:

• Encrypt your data: Encrypted data is very difficult to decipher without the proper key. In this way, if a data breach were to happen, it would be difficult to understand what the data is about. Of course, remember to always keep your encrypted data and their encryption keys stored in different places, otherwise, the encryption is useless.
• Invest in your security system and train your staff: Everyone involved in the process should know how to handle sensitive data.
• Be careful when using external storage platforms: If you use external storage platforms like Google Drive or Dropbox, it is considered a best practice to add extra layers of security to your files before uploading them.
• Consider hiring a security expert, especially if you’re performing large-scale processing of sensitive data.

Conclusion

Sensitive personal information needs to be processed in the safest way possible, to avoid its unwanted disclosure. Remember that sharing this information could potentially lead to harm and discrimination, so make sure that you really need this data before starting to process it.

How iubenda can help

Complying with data protection laws can be challenging, but not with the right tools!

Here’s how iubenda can help if you’re processing sensitive data:

• Our Privacy and Cookie Generator makes it easy to add legally required disclosures and add information related to your assigned Data Protection Officer and much more.
• Our Register of Data Processing Activities also helps you to keep track of your processing activities and the purposes and legal bases attached to them, as legally required.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post Personal Information vs. Sensitive Personal Information appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

But what exactly is data privacy, and why should individuals and businesses care? In this guide, we’ll talk about the importance of data privacy, its role in compliance, and its value from a business perspective.

What is Data Privacy?

Data privacy refers to the practices that allow individuals to maintain control over their data and how this data is collected, shared, and used. Data privacy is about protecting the rights of individuals and deciding whether organizations can use their data.

Some key aspects of data privacy include:

• Transparency: Clear communication about how data will be used.
• Consent: Ensuring users agree to the collection and processing of their data.
• Control: Providing mechanisms for individuals to manage their data preferences.

Data privacy often goes hand in hand with data security. Data security focuses on protecting data from breaches and cyberattacks.

Why is Data Privacy Important?

From an individual‘s perspective, data privacy is important because it protects their rights as a data subject. Many countries around the world have data privacy laws that give individuals rights that businesses must respect.

For example, under the European General Data Protection Regulation (GDPR), individuals have the right to request the deletion of their data, access the data a business has on them, correct their data, and more.

On the other hand, for a business, data privacy can have several positive effects:

• It helps build customer trust: companies that are transparent about their data practices are more likely to be trusted by their users.
• It avoids legal repercussions: as data privacy requires compliance with data protection laws, the right approach can help companies avoid legal risks such as reputational damage, reprimands, or fines.
• It’s a competitive advantage: as we said, customers are more likely to trust a company that cares about their privacy. Data privacy can also help a company stand out from the competition.

The Role of Compliance in Data Privacy

One key component of data privacy is compliance with privacy laws.

Laws such as the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA), or the Lei Geral de Proteção de Dados (LGPD) in Brazil give individuals rights over their personal data and require companies that collect that data to take data privacy and data security measures.

Some of these requirements include:

• Having clear legal documents that explain how the company collects and processes the data and how individuals can exercise their rights.
• Obtaining explicit consent from users before collecting their data or tracking their online behavior.
• Having strong security measures in place to prevent unauthorized access or data breaches.

and more.

If you collect personal data, and privacy laws apply to you (and they can apply to you even if you’re not in the country where they were issued) then you need to comply because the stakes are high!

The consequences of non-compliance can vary, but they often include damages to your reputation, reprimands, liability damages, and hefty fines. The GDPR, for example, is known for its huge fines, which can reach up to €20 million or 4% of the annual worldwide turnover (whichever is greater). In addition, under these laws, individuals can often sue companies and seek compensation for damages resulting from non-compliance.

How to Prioritize Data Privacy

Now we know why data privacy is important. But how do you prioritize it, in practice?

Whether you’re an individual trying to protect your privacy or a business needing to comply with privacy laws, there are some things that you can do to implement data privacy in your life.

How to Prioritize Your Privacy as an Individual

As an individual, your priority is to protect your data from misuse and have a clear idea of what data you share online.

The first step is to know your rights. Data privacy laws exist to protect you, and you can always send requests to businesses to exercise your rights.

For example, under GDPR you have the following rights:

• right of access;
• right to rectification;
• right to erasure;
• right to restrict processing;
• right to data portability;
• right to object;
• right not to be subject to a decision based solely on automated processing.

If a company uses a tool like the Data Subject Rights Management Tool, then sending a request will be really easy.

Then you need to be careful about the data you share and who you share it with. Cyberattacks are on the rise and becoming more common. If a site doesn’t seem trustworthy, or you don’t feel safe sharing certain information, don’t do it!

Finally, remember to follow security best practices, such as using strong passwords and updating them regularly, or enabling two-factor authentication for your accounts.

These simple steps will go a long way!

How to Prioritize Data Privacy as a Business

As a business, you’re twice as responsible for data privacy because you need to safeguard both your data and your users.

Starting with privacy by design and privacy by default in mind is a good approach.

• Privacy by design means that the protection of personal data is built into your system or service from the very beginning.
• Privacy by default, on the other hand, means that the default settings of your service or product should be those that provide the highest level of privacy.

In this way, you are already taking the right steps to minimize the risks associated with data collection and processing.

Another way to stay on top of issues is to conduct regular privacy audits. A privacy audit examines an organization’s data handling processes, including collection, storage, transfer, and deletion. It can be an effective tool to help you identify gaps or risks, define action plans to address them, and demonstrate compliance.

Conclusion

As you understand, data privacy is important because everything we do today revolves around data and digital environments. For individuals, it helps them feel more secure about their data and who they’re sharing it with. For businesses, it can help them build trust with their users and offer a competitive advantage.

How iubenda can help

As a business, navigating data privacy alone can seem like a daunting task. But not with the right tools!

iubenda is a compliance suite that can help you with compliance with privacy laws across multiple countries and legislations.

Here’s what we can help you with:

Generate your legal documents: with our Privacy and Cookie Policy Generator, you can easily create your legal documents starting from a database of +2400 pre-drafted clauses.

Obtain consent from your users: our Privacy Controls and Cookie Solution allows you to get explicit consent from your users, as legally required. Create your cookie consent banner, add it to your website, and record consents in a specific log.

Manage users’ requests: with our Data Subject Rights Management Tool, you manage users’ privacy requests from a single dashboard. Embed the tool on your website and users can directly submit their requests. You’ll be immediately notified, so to provide a prompt response.

You can access all these tools (and more) from a single, intuitive dashboard.

All you need to do is to create a free iubenda account and start with a scan of your website. You’ll receive a compliance report that highlights all the potential problems on your website and how to fix them.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post Why Is Data Privacy Important? A Guide for Individuals and Businesses appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

But what exactly is a data privacy certification? Which certifications are the best for professionals in different industries, such as lawyers or compliance officers? And how do you go about earning these credentials?

In this blog post, we’ll explore these questions and give you a detailed look at the world of data privacy certifications.

What is a Data Privacy Certification?

A data privacy certification is a credential that demonstrates a professional’s expertise in data protection laws, regulations, and practices. As organizations handle increasing volumes of personal data, the need for qualified professionals who understand privacy laws and compliance requirements has grown significantly.

These certifications typically require passing an exam, completing coursework, or meeting specific work experience criteria. Earning a data protection certification can demonstrate that you are able to manage and protect personal data, ensuring compliance with global privacy standards.

What is the CIPP Certification?

One of the most well-known privacy certifications is the Certified Information Privacy Professional (CIPP) offered by the International Association of Privacy Professionals (IAPP). The CIPP certification is globally recognized and is designed for professionals working in privacy, data protection, and compliance.

As a privacy professional, you can get different CIPP certifications based on geographic regions:

• CIPP/US: Focuses on privacy laws in the United States.
• CIPP/E: Covers European data protection laws, particularly the General Data Protection Regulation (GDPR).
• CIPP/C: Addresses privacy laws in Canada.
• CIPP/A: For professionals dealing with privacy in Asia.
• CIPP/CN: Focuses on privacy laws in China.

How Do You Get the CIPP Certification?

To obtain the CIPP certification, you must pass the CIPP exam. The exam consists of multiple-choice questions, and the content is based on the CIPP’s detailed Body of Knowledge (BoK), which covers areas such as:

• Privacy laws and regulations: GDPR, CCPA, HIPAA, and other privacy frameworks.
• Privacy governance and compliance: How to create and maintain a robust privacy program within an organization.
• Risk management: Identifying and mitigating data privacy risks.
• Data subject rights: Understanding individuals’ rights and obligations related to personal data.

Here you can take a look at the IAPP Body of Knowledge for CIPP/E, that is the Certification for European Laws. As you can see, the main topics are:

• Introduction to European Data Protection
• European Data Protection Law and Regulation
• Compliance with European Data Protection Law and Regulation.

Steps to Getting the CIPP Certification

1. Prepare for the exam

Start by studying the CIPP Body of Knowledge. Many candidates choose to attend IAPP training courses or purchase study materials to help them prepare for the exam. It’s essential to have a solid understanding of data protection regulations and privacy principles: IAPP suggests that you study for at least 30 hours before taking the exam.

Here you can find more information on how to prepare.

2. Take the exam

Once you feel ready, register for the CIPP exam through the IAPP website. IAPP offers computer-based certification exams at over 6,000 testing centers worldwide, or you can take them online via remote proctoring.

3. Pass the exam

To earn the certification, you must achieve a passing score on the exam. The passing score varies by region and exam concentration.

4. Maintain your certification

CIPP certifications are valid for two years. To maintain your certification, you’ll need to earn Continuing Privacy Education (CPE) credits. This ensures that you stay up to date with the latest privacy trends and legal developments.

How Much Does the CIPP Certification Cost?

The total cost of the certification may vary depending on how you choose to prepare and study. Let’s break down the main costs.

• Each CIPP exam costs $550,00. This means that if you take more than one exam, the cost will add up.
• The certification textbooks cost between $75,00 and $95,00, depending on whether you purchase the digital or print version of the book.
• If you’d like to attend online training to prepare for your exam, then you’d need to add $1,195 to follow the lessons. However, this is not mandatory.
• Finally, maintaining your certification will cost you $250,00 every two years.

Other Data Privacy Certifications

While the CIPP certification is one of the most popular privacy certifications, there are other options to consider based on your career goals and areas of expertise. Here are some additional data privacy certifications to explore:

Certified Information Privacy Manager (CIPM)

Also offered by the IAPP, this certification is ideal for professionals who want to demonstrate their ability to manage privacy programs within organizations. It focuses on privacy program management, data governance, and risk management.

Artificial Intelligence Governance Professional (AIGP)

IAPP also offers a certification that focuses on AI Governance. With the expansion of AI, companies need professionals who can take care of AI governance. This certification demonstrates that you can ensure safety and trust in the development and deployment of ethical AI and ongoing management of AI systems.

Certified Data Privacy Solutions Engineer (CDPSE)

This certification, offered by ISACA, is for professionals in technology or IT who want to demonstrate their expertise in implementing privacy solutions and designing privacy architectures.

Certified Information Systems Auditor (CISA)

Although broader in scope, this certification from ISACA also touches on data privacy and can be valuable for professionals working in IT auditing or compliance.

ISO/IEC 27001 Lead Implementer and Lead Auditor

ISO 27001 it’s not exactly a privacy certification for professionals, but rather for large enterprises and government agencies. It focuses on information security management systems (ISMS). While it’s more security-focused than privacy, the certification involves data protection as part of the overall framework for managing and securing sensitive information.

What’s the Best Data Privacy Certification?

The best data privacy certification for you depends on your career goals, industry, and level of experience. For privacy professionals, the CIPP certification is widely regarded as one of the most prestigious and comprehensive certifications available. However, if you’re an IT professional, the CDPSE certification may be a better fit, while compliance officers may prefer the CIPM.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post Data Privacy Certification: What It Is & How to Get Your CIPP Certification appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Nebraska is set to introduce significant data privacy protections for its residents with the enactment of the Nebraska Data Privacy Act (NDPA), effective January 1, 2025. This legislation is designed to give Nebraska residents control over their personal data while outlining specific obligations for businesses that handle consumer data. The NDPA joins the growing list of state-level privacy laws aimed at safeguarding consumer information and ensuring transparency in data practices.

Scope and Applicability

The NDPA applies to businesses that:

Important Note: Small businesses must still obtain consent from consumers if they wish to sell sensitive data. Additionally, the NDPA does not apply to non-profits. Certain exemptions apply, including state entities, higher education institutions, and businesses that deal with data regulated by federal laws such as health information under HIPAA.

Definition of Sensitive Data

Sensitive data under the NDPA includes the following categories:

A “known child” is defined as any individual whose age is known or willfully disregarded by the controller.

Consumer Rights Under the NDPA

Nebraska residents will be granted the following rights under the NDPA:

Exercising Consumer Rights

Consumers may exercise their rights through a request submission, clearly specifying the right(s) they wish to exercise. Businesses must provide two or more secure and reliable methods for consumers to submit their requests. No account creation can be required, though businesses may request that consumers with existing accounts use them for submitting requests. Additionally, parents or legal guardians can act on behalf of children, and authorized agents can submit opt-out requests on behalf of consumers. 

The NDPA also mentions the potential use of technology, such as links to websites, browser settings, or device-level controls, allowing consumers to opt out of targeted advertising or the sale of their personal data.

Follow-Up by Controllers

Businesses (controllers) must comply with consumer requests within 45 days of receipt. If more time is needed, businesses may extend the period by an additional 45 days, but consumers must be notified of the delay. Businesses must provide free of charge responses to consumer requests, but only twice per year per consumer. If a request is deemed manifestly unfounded, excessive, or repetitive, businesses may charge a reasonable fee to cover the administrative costs.

Controllers must be able to authenticate requests using commercially reasonable efforts and may ask for additional information if necessary. In the event of a denied request, controllers must provide consumers with the option to appeal.

Appeal Process

Controllers are required to establish an appeal process, which must be clearly available and similar to the process for submitting initial requests. If a consumer’s appeal is denied, the controller must provide a method for the consumer to contact the Nebraska Attorney General’s office to submit a complaint.

Controller Obligations Under the NDPA

Businesses (controllers) must comply with the following key obligations:

Limit Data Collection: Personal data must be collected only as long as adequate, relevant, and reasonably necessary for the purposes disclosed to consumers (data minimization).

Obtain Consumer Consent: Controllers must obtain consumers’ explicit consent to:

• Process personal data for purposes not necessary to nor compatible with those disclosed in the privacy notice.
• Process sensitive data.

Compliance with COPPA: For known children’s sensitive data, controllers must comply with the Children’s Online Privacy Protection Act (COPPA).

Privacy Notice Requirements: Controllers must provide a clear and accessible privacy notice that includes:

• Categories of personal data, including sensitive data, that the controller processes.
• Purposes for which the data is processed.

• How consumers can exercise their rights and appeal a decision.

• The categories of third parties with whom data is shared and categories of shared data.

• A description of how consumers may submit requests.

• Disclosure of any targeted advertising or the sale of personal data and indication of how to opt out.

Contracts with Data Processors: Controllers must enter into contracts with third-party processors to ensure they comply with the NDPA’s requirements.

Data Protection Assessments: Controllers must conduct data protection assessments for high-risk processing activities such as targeted advertising or processing of sensitive data.

Data Security: Controllers must implement and maintain reasonable administrative, technical, and physical security practices to protect personal data from unauthorized access.

Penalties and Enforcement

The Nebraska Attorney General’s Office will have exclusive authority to enforce the NDPA. Non-compliance with the law could result in significant penalties, and businesses will have 30 days to remedy violations after receiving written notice.

Conclusion

The Nebraska Data Privacy Act (NDPA) represents a significant shift in data privacy for the state, offering Nebraska residents greater control over their personal data while imposing clear obligations on businesses. As the law goes into effect on January 1, 2025, businesses must ensure compliance by updating privacy policies, implementing secure data handling practices, and establishing processes for consumer requests and appeals.

Taking proactive steps now will help businesses mitigate risks and demonstrate their commitment to protecting consumers’ privacy under the NDPA.

The post Nebraska Data Privacy Act (NDPA) Overview appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

This guide provides an overview of the key requirements, definitions, and consumer rights under the Nevada Privacy Law.

Who Does the Law Apply To?

The Nevada Privacy Law applies, among others, to operators, generally persons who own or operate websites or online services for commercial purposes, collect and maintain personally identifiable information from Nevada consumers, and direct their activities toward Nevada.

Consumer Rights Under the Nevada Privacy Law

Right to Opt-Out of Sale: Nevada residents have the right to opt out of the sale of their personal information. Operators must establish a designated request address (e.g., an email address, toll-free number, or online form) for consumers to submit verified requests to opt out. Operators must respond within 60 days (with an optional 30-day extension, if necessary).

Transparency Requirements for Operators

Operators are required to provide a clear and accessible privacy notice on their websites or online services. This notice must include:

Definitions

Understanding the key terms is essential for compliance:

Enforcement and Penalties

Non-compliance with the Nevada Privacy Law may result in civil penalties of up to $5,000 per violation. Authorities may also seek injunctions to prevent further violations.

How to Comply with the Nevada Privacy Law 

Why Compliance Matters

Adhering to the Nevada Privacy Law not only avoids penalties but also builds trust with your consumers. Transparency and respect for privacy rights are critical in today’s regulatory landscape.

For more information or assistance in creating compliant privacy policies, visit iubenda’s Privacy Policy Generator.

The post Nevada Privacy Law Overview appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

New Hampshire is taking significant steps to enhance consumer privacy protections with the introduction of the New Hampshire Data Protection Act (NHDPA), set to take effect on January 1, 2025. 

The NHDPA aims to safeguard the personal data of New Hampshire residents and provides for clear rights and responsibilities for, respectively, consumers and businesses. This legislation marks a significant development in the growing landscape of state-led privacy laws.

Scope and Applicability

The NHDPA applies to businesses that:

1. Conduct business in New Hampshire or offer products or services targeted to New Hampshire residents; and
2. During a calendar year, either:

Important Note: The NHDPA does not apply to non-profits. It also excludes certain data governed by federal regulations, such as health data protected under HIPAA. Additionally, general exemptions apply, e.g. state entities and higher education institutions. Also, compliance with NHDPA’s requirements does not affect businesses’ need to comply with specific ordinances or provide products or services upon consumer request.

Definition of Sensitive Data

Sensitive data under the NHDPA includes:

Consumer Rights Under the NHDPA

New Hampshire residents are granted the following rights under the NHDPA:

Exercising Consumer Rights

Consumers may submit requests to exercise their rights through secure and reliable means, as detailed in the business’s privacy notice. No account creation is required for requests, though businesses may ask consumers with existing accounts to use them for submitting requests. Additionally, parents or legal guardians can submit requests on behalf of children, and guardians or conservators can act on behalf of individuals under guardianship or conservatorship. Consumers may also designate an authorized agent to submit opt-out requests.

Response to Consumer Requests

Businesses must respond to consumer requests within 45 days. If more time is needed, businesses may extend this period by an additional 45 days, but consumers must be informed of the delay. Information provided in response to consumer requests must be free of charge, at least for one request every 12 months. If a request is deemed manifestly unfounded, excessive, or repetitive, businesses may charge a reasonable fee to cover administrative costs. 

Controllers must authenticate consumer requests using commercially reasonable efforts and ensure that they can fulfill requests in a timely and secure manner.

Appeal Process

If a business denies a consumer’s request or provides an unsatisfactory response, consumers have the right to appeal. The appeal process must be easily accessible and similar to the process for submitting original requests. Businesses must respond to appeals within 60 days of receipt. 

If an appeal is denied, businesses must provide a mechanism (online or otherwise) for consumers to contact the New Hampshire Attorney General’s Office to file a complaint.

Controller Obligations Under the NHDPA

Businesses (controllers) must adhere to several key obligations:

Limit Data Collection: Only collect and process personal data that is adequate, relevant, and necessary for the disclosed processing purposes.

Obtain Consumer Consent: Controllers must obtain explicit consent for:

Consumers must also be able to easily withdraw consent, and businesses must cease processing personal data as soon as practicable, but no later than 15 days after receiving the revocation.

Privacy Notice Requirements: Controllers must provide a clear and accessible privacy notice that includes, among others:

Contracts with Processors: Controllers must ensure that any third-party processors align with the NHDPA. This may involve updating existing data processing agreements to reflect the NHDPA’s requirements.

Data Protection Assessments: Controllers must conduct data protection assessments for activities that pose a heightened risk of harm to consumers’ privacy, including processing sensitive data and selling personal data.

Data Security: Controllers must implement and maintain reasonable administrative, technical, and physical security measures to safeguard personal data.

Universal Opt-Out Mechanisms

By January 1, 2025, businesses will need to allow consumers to opt out of the sale of their personal data and targeted advertising through universal opt-out signals. This may involve adopting emerging technologies that make it easier for consumers to control how their data is used.

Penalties and Enforcement

The New Hampshire Attorney General’s Office will have exclusive authority to enforce the NHDPA. Non-compliance with the law can result in significant penalties, with businesses given 60 days to remedy violations after receiving written notice (until December 31, 2025).

How iubenda can help

The New Hampshire Consumer Data Protection Act is an important development in the state’s effort to protect consumer privacy. By providing clear rights for consumers and outlining strict obligations for businesses, the NHDPA helps ensure that personal data is handled responsibly and securely.

Businesses operating in New Hampshire must prepare for the January 1, 2025 effective date by revising privacy policies, implementing data security practices, and ensuring that consumers can easily exercise their rights. Taking proactive steps now will help mitigate risks and ensure compliance with the NHDPA when it takes effect.

The post New Hampshire Data Protection Act Overview appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

New Jersey is set to implement robust privacy protections for consumers with the enactment of the New Jersey Data Protection Act (NJDPA), effective January 15, 2025. The NJDPA provides comprehensive safeguards for personal data, aligning with the growing trend of state-led privacy initiatives and enhancing consumer rights in the digital age. 

This article provides a breakdown of the key provisions of the NJDPA, including its scope, consumer rights, and business obligations.

Scope and Applicability

The NJDPA applies to businesses that:

1. Conduct business in New Jersey or offer products or services targeting New Jersey residents; and
2. During a calendar year, either:

Important Note: Unlike some privacy laws, the NJDPA does not include a revenue threshold for applicability. It also applies to non-profit organizations but exempts state entities, along with certain types of data governed by federal laws (such as health information under HIPAA).

Definition of Sensitive Data

Consumer Rights Under the NJDPA

New Jersey residents will have the following rights under the NJDPA:

Exercising Consumer Rights

Consumers can submit requests to businesses using the methods specified in the privacy notice, without needing to create an account. For those with existing accounts, businesses may request that they use their accounts for submitting requests. Additionally, consumers can appoint an authorized agent to make opt-out requests on their behalf, including through universal opt-out signals (when such technology becomes available).

Controller’s Obligations to Consumers

Businesses (controllers) must:

Limit Data Collection: Only collect personal data that is relevant and necessary for the stated processing purposes.

Obtain Consent: Controllers must obtain explicit consent to process personal data for purposes not necessary to nor compatible with those originally disclosed, process sensitive data, or process personal data of individuals between 13 and 17 for purposes of targeted advertising, sale of personal data, or profiling.

Privacy Notice Requirements: Businesses must provide a clear and accessible privacy notice that includes, among others:

Contract with Data Processors: Businesses must ensure that their data processors are also aligned with NJDPA provisions.

Data Protection Assessments: Businesses must perform and document data protection assessments for activities that present a higher risk of harm to consumers’ privacy, such as the processing of sensitive data or the sale of personal data.

Security Practices: Businesses must implement reasonable data security measures to protect personal data from unauthorized access, both during storage and use.

Response to Consumer Requests

Businesses must respond to consumer requests within 45 days. If more time is needed, businesses may extend this period by an additional 45 days, but consumers must be informed of the delay. Information must be provided free of charge for one request per consumer every 12 months. If a request is manifestly unfounded, excessive, or repetitive, businesses may charge a reasonable fee to cover administrative costs.

Appeal Process

Consumers have the right to appeal decisions made by businesses regarding their requests. The appeal process must be easy to access and similar to the process for submitting the initial request. Businesses must respond to appeals within 45 days. If an appeal is denied, consumers can contact the New Jersey Division of Consumer Affairs to file a complaint.

Penalties and Enforcement

The New Jersey Attorney General will have exclusive authority to enforce the NJDPA. Businesses that fail to comply with the law will be subject to civil penalties, which could result in significant financial consequences. Until July 1, 2026, violators have 30 days to remedy any violations after receiving written notice.

Universal Opt-Out Mechanisms

By July 15, 2025, businesses will need to provide consumers with an option to opt out of the sale of personal data, targeted advertising, and profiling through universal opt-out signals.

How iubenda can help

The New Jersey Consumer Data Protection Act represents a major step toward protecting consumer privacy in the state. With its strong emphasis on transparency, consumer control over personal data, and business accountability, the NJDPA ensures that consumers in New Jersey can exercise their rights over their personal information. 

Businesses operating in New Jersey must begin preparing to comply with the law ahead of its January 15, 2025 effective date. This includes revising privacy policies, implementing data protection practices, and ensuring that consumer rights processes are in place.

Act now to mitigate compliance risks and demonstrate your commitment to consumer privacy under the NJDPA.

The post New Jersey Data Protection Act (NJDPA) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In this guide, we’ll explain the DPA meaning, when you need one, how to write a DPA, and give you a handy template that you can use for your Data Processing Agreements.

When do you need a DPA?

Most data protection laws require an agreement between a data controller and its processors:

• The European GDPR sets out this requirement in Article 28: Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller.
• The Swiss FADP also requires to assign the processing by contract (Article 9).
• The Brazilian LGPD states that the processor shall carry out the processing according to the instructions provided by the controller (Art.39), and that both controllers and processors should keep records of personal data processing operations (Art. 37).
• In the United States, different Privacy Laws apply at the state level, but the requirements around DPAs are generally consistent across the country. A DPA is generally required when a processor has access to and processes personal data on behalf of the controller.

So – no matter where you are based – if you’re a controller who needs to assign certain processes to a contractor, or you are the processor who needs to carry out the processing on behalf of the controller, you should likely sign a DPA agreement.

What to include in a GDPR Data Processing Agreement

As set out in Article 28 of the GDPR, a DPA contract should include:

The subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.

Let’s break it down to understand the DPA meaning better.

1. Identification of the Controller and the Processor

The first section should clearly identify the controller and the processor, and define their responsibilities in regard to the processing. By signing the DPA, the processor agrees to act only on the instructions of the controller.

2. Scope and purpose of processing

In this section, you should outline the scope of the agreement, that is what data processing activities the processor will handle on behalf of the controller and for what purpose.

Do not forget to include:

• The categories of personal data involved in the processing. (e.g. personally identifiable information, statistical or other usage data observed on the internet, customer history, payment data, etc.)
• The categories of data subjects involved (e.g., customers, potential customers, internet users, employees, etc.).
• The duration of the contract.

3. Technical and organizational measures

The processor agrees to process the data in accordance with the law and to apply all the security measures necessary to protect the data from misuse or breaches. The controller will review and approve the security measures applied by the processor.

You should also include the specific technical and organizational security measures that the processor must implement to protect personal data, such as encryption, access controls, or regular security audits and ensure that the processor provides sufficient guarantees to this effect.

4. Data transfer abroad

Specify whether data transfers abroad are allowed:

• If not, the processor agrees not to process personal data outside the agreed region (for example, the European Union).
• If yes, attach a list of the countries where the data will be transferred, what data processing activity will take place there, and what is the legal basis for the transfer.

5. Data Subjects rights

In this section, specify that the processor should help the controller respond to data subject requests (e.g., requests for data access, correction, deletion) and he must assist in fulfilling these requests promptly, following the controller’s instructions.

6. Further duties of the Processor

Besides complying with the requirements set out in the DPA agreement, the processor also commits to meet all applicable requirements according to law. For example, he must:

• Appoint a Data Protection Officer (DPO), or an EU Representative, if necessary.
• Carry out the processing in confidentiality and limit access to the data.
• Cooperate with the Supervisory Authority, when needed.

7. Sub-Processors

At the same time, the processor can outsource part of its activity to a sub-processor.

This section of the DPA specifies that sub-processors are subject to the same rules defined in the contract, but the processor may be considered responsible for their activity if the sub-processors fail to carry out their duties.

The processor should also include a list of all sub-processors that he intends to rely on.

8. Audits

The controller has the right to carry out audits on the activity of the processor, to check whether he’s complying with the DPA contract and following the law as required. The processor will not hinder the audits.

9. Data breach notification

The processor must promptly notify the controller of any data breaches. In the DPA, outline the procedure for such notifications, including the timeframe, information to be provided, and any assistance in responding to the breach.

10. Liability

This clause is very important to address potential problems. You should outline each party’s liability for data breaches or violations of the DPA.

11. Termination and consequences

Outline the conditions under which the DPA may be terminated and the procedure for the secure handling of data upon termination. Normally, all data processed by the processor on behalf of the controller must be deleted or returned further to the termination of the DPA unless the processor is legally obliged to retain storage of the personal data.

Who needs to sign a Data Processing Agreement?

As you understand from the DPA meaning, both the data controller and the data processor need to sign the Data Processing Agreement.

DPA Examples and Template

To have a clearer idea of how all these elements come together in a DPA, let’s take a look at a practical example.

As a SaaS business, we at iubenda had to create our Data Processing Agreement, which has become a binding part of our contractual relationship with our users. Click on the button below to open it:

You can use our document as a footprint for yours, or better, download our DOC template – that you can customize to your needs!

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post DPA (Data Processing Agreement): Meaning, What It Is, When You Need One appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Delaware Personal Data Privacy Act (DPDPA) is a comprehensive privacy law designed to protect the personal information of Delaware residents. 

This guide breaks down its major aspects, making it easier to understand what this law covers, who it applies to, and what rights it grants to consumers.

Who Does the DPDPA Apply To?

This law applies to businesses that operate in Delaware or offer products or services to Delaware residents and:

Note: There is no revenue threshold for businesses. Certain non-profits and state entities are exempt.

What Is Sensitive Data?

Sensitive data under the DPDPA includes:

Key Consumer Rights Under the DPDPA

Delaware residents are granted several rights under the DPDPA to control their personal data:

How Consumers Can Exercise Their Rights

To make exercising their rights simple and secure, the DPDPA outlines specific methods and protections for Delaware consumers. Here’s how consumers can take control of their data:

Request Process – Consumers can submit requests to businesses to, among others, access, correct, or delete their personal data. Each business covered by the DPDPA must set up a secure, reliable process for these requests, ensuring consumer privacy and security. This process, along with instructions, must be clearly explained in the business’s privacy notice, so consumers know exactly how to make their requests.

No Account Required – Consumers do not need to create an account to exercise their rights. However, if a consumer already has an account with the business, they may be asked to use that account to streamline the request process.

Authorized Agents – The DPDPA allows for flexibility in how requests are made, acknowledging that not all consumers can or will make requests on their own. For this reason, parents, legal guardians, or authorized agents can submit requests on behalf of others. This includes parents acting for their children, as well as guardians or conservators acting for those under their protection, like elderly family members or individuals with special needs.

These provisions make it straightforward for Delaware consumers to exercise their data rights, whether acting independently or through a trusted representative.

Business Responsibilities and Deadlines under the DPDPA

The DPDPA sets clear requirements and deadlines to ensure businesses handle consumer data responsibly. Key responsibilities include adhering to strict response timelines, obtaining consumer consent, and maintaining privacy and security protocols.

Response Time

Businesses have a set timeframe to respond to consumer requests under the DPDPA:

These deadlines help consumers receive timely information and resolutions to their requests.

Data Collection Limitations

Businesses are restricted in the data they can collect. Data collection must be limited to what is necessary and relevant for the specific purposes disclosed to consumers.

This limitation ensures that businesses only gather data essential for the purpose stated, minimizing unnecessary data collection and storage.

Consumer Consent

Obtaining consumer consent is central to DPDPA compliance:

By mandating consent, the DPDPA provides consumers with greater control over how their sensitive information is used.

Privacy Notice Requirements

Every business must provide a clear, comprehensive privacy notice that includes, among others:

1. Data Types: Categories of personal data the business processes.
2. Processing Purposes: Reasons why the data is processed.
3. Third-Party Sharing: Any third parties with whom the data is shared.
4. Consumer Rights: and relevant methods for consumers to exercise them.
5. Opt-Out Options: Methods for consumers to opt out of targeted advertising or data sales.

This privacy notice must be easily accessible to consumers, ensuring transparency in data handling practices.

Data Security

To protect consumer data, businesses must maintain security practices. Implement strong administrative, technical, and physical security measures to secure the confidentiality, integrity, and accessibility of personal data. These security requirements help prevent data breaches and unauthorized access to consumer information.

Honoring Universal Opt-Out Signals by 2026

Starting January 1, 2026, businesses must honor consumers’ universal opt-out signals to opt out of targeted advertising and data sales.

Consumers can opt out of targeted advertising or data sales through universal opt-out signals. This additional option allows consumers more control over their online privacy preferences and how their data is used in marketing.

The DPDPA is a landmark step for data privacy in Delaware, giving consumers more control and transparency over their personal information. By requiring clear consent, protection measures, and response timelines, Delaware aims to create a safer and more transparent data environment.

The post Delaware Personal Data Privacy Act (DPDPA) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Things like names, IP addresses, email, biometric data and more can fall under it. This depends on which law applies to you. Curious? Keep reading to learn more.

Examples of Personal Information

Privacy laws may define personal information in different ways. Below are examples of personal data in different categories. Each of these types of personal information can be used to identify or profile an individual in various ways.

Not every privacy law includes the same data under its definition of personal information. However, getting a general idea is still helpful — especially if you own a website or an app that processes users’ data.

1. Basic Personal Information

Basic personal information includes any information that can be used to identify an individual, such as:

• Full name.
• Home address.
• Email address.
• Phone number.
• Date of birth.
• Gender.
• Nationality.

You could collect this kind of data from a contact form, or through an order to your e-commerce.

You may think that something like nationality isn’t personal data per se. And you may be right, but you need to remember that context is important. In fact, if you can combine nationality with other data to identify a person, then that data needs to be protected – even if it’s partial.

2. ID Numbers

The identification numbers on personal documents are also considered personal information because, even though they’re random numbers, you can often identify someone by their ID. Some ID numbers that are personal information include:

• National ID number.
• Driver’s license number.
• Passport number.
• Social Security Number (SSN).
• Taxpayer Identification Number (TIN).
• Student or employee ID numbers.

3. Technical Identifiers

Technical identifiers include any data relating to a user’s devices and browsing behavior. This data is typically used to create a profile of the user, to provide analytics about a website, or to show personalized ads to the user.

• IP address.
• MAC address.
• Device IDs (e.g., mobile device unique identifier).
• Browser cookies.
• Geolocation data.
• Usernames or account IDs (e.g., online service user accounts).

4. Encrypted Data

Encrypted data is often considered personal information under privacy laws because encryption or pseudonymization can be reversible – thus allowing the identification of a person. Examples of encrypted data are:

• Hashed passwords.
• Encrypted emails.
• Encrypted credit card numbers.
• Encrypted medical records.
• Encrypted biometric data (fingerprints, facial recognition templates).

On the other hand, anonymized data isn’t considered personal data because the anonymization, if done properly, cannot be reversed.

5. Sensitive Data

Finally, there is a category of personal information that requires a higher level of protection. This is sensitive information, which is information that could potentially expose the user to harm or discrimination if disclosed. Sensitive data includes:

• Health records (e.g., medical history, test results).
• Biometric data (e.g., fingerprints, iris scans).
• Financial information (e.g., bank account details, credit scores).
• Racial or ethnic origin.
• Religious or philosophical beliefs.
• Sexual orientation.
• Political opinions.
• Criminal records or security clearance information.

Privacy laws often forbid the processing of sensitive data, or allow it only if certain security measures and conditions are met and only if it’s really necessary to achieve the purposes set out in the privacy policy.

What is Not Considered Personal Information?

Considering all this, we understand that the definition of personal information does not include data that originally does not refer to an identified or identifiable person.

Examples of non-personal data are:

• company registration numbers;
• generic company email addresses, such as info@company.com;
• anonymized data.

Some privacy laws make a distinction between private and publicly available information.

• Generally, most U.S. State Laws do not consider publicly available information to be personal information. This means that data sourced from government records, media, or information made public by the individual may not be treated as personal information. However, definitions of what constitutes “publicly available” information vary across states, as you can see from this infographic by GreenbergTraurig. For example, California has a stricter interpretation, particularly regarding internet-sourced data.
• Instead, the EU Regulation, the GDPR, does not make this distinction and applies the same standards to both private and publicly available information.

What Constitutes Personal Information in All Jurisdictions

Now let’s take a closer look at the main privacy legislations around the world and their definitions of personal information and personal data.

“Personal Data” under the GDPR

Personal data within the context of the General Data Protection Regulation (GDPR) refers to any data that relates to an identified or identifiable living person. This includes pieces of information that, when collected together, can lead to the identification of a person.

Generally, the wording “personal information” has been used by US lawmakers and “personal data” by the GDPR, but essentially they relate to similar things.

Types of Personal Data

Under the GDPR, examples of personal data include (but are not limited to):

• names;
• health, genetic and biometric data;
• web data such as IP addresses;
• personal email addresses;
• political opinions;
• pseudonymized or encrypted data.

Examples of non-personal data include anonymized data, company registration numbers, and generic company email.

More information in our GDPR guide.

“Personal information” under US State Laws

CPRA (CCPA amendment)

Under the scope of the California Consumer Privacy Act (CPRA (CCPA amendment)), it is defined as: “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Other US State Laws

All the following laws – Virginia’s Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA) – define personal information similarly.

“Personal information” means any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal information” does not include de-identified data or publicly available information.

Types of Personal Information

Under US State Laws, examples of personal data can include, but are not limited to:

• identifiers such as a real name, postal address, IP address, email address, social security number, driver’s license number, passport number;
• commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
• internet activity information, including browsing and search history;
• biometric information;
• geolocation data;
• professional, educational or employment-related information.

More information in our Comparison guide.

“Personal Information” under PIPEDA

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), personal information involves “any factual or subjective information, recorded or not, about an identifiable individual”.

Types of Personal Information

Examples under PIPEDA include:

• age, name, ID numbers, income, ethnic origin, or blood type;
• opinions, evaluations, comments, social status; and
• employee files, credit records, loan records, medical records.

The draft of a new Consumer Privacy Protection Act (CPPA) for Canada is on its way. If approved, the CPPA would replace Part I of the PIPEDA. Read more here.

“Personal data” under Switzerland’s Federal Act on Data Protection (FADP)

In Switzerland’s FADP, personal data means any information relating to an identified or identifiable natural person. It encompasses a broad range of information about an individual:

• National identification numbers
• Contact details
• Medical information
• Employment records
• Religious and philosophical beliefs

More information here: FADP Updates – What You Need to Know.

“Personal data” under Brazil’s General Data Protection Law (LGPD)

Personal data within the context of the LGPD is any data that can be linked to an identified or identifiable individual. It is considered to be personal data any data that relates to an identified or identifiable individual, even partial data.

Examples of Personal Data:

• Names, addresses, and telephone numbers
• Photos or videos identifying individuals
• Medical information
• Employment data
• Behavioral information collected online

Read more here: What is LGPD and how do you become compliant?.

“Personal Information” under the Australian Privacy Act

According to the Australian Privacy Act and 13 Privacy Principles (APPs), it means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

• whether the information or opinion is true or not; and
• whether the information or opinion is recorded in a material form or not.

Types of Personal Information

The above definition is quite broad, and can include:

• IP addresses;
• Unique Device Identifiers (UDIDs) such as for a mobile phone or tablet;
• location information may also be covered because it can reveal user activity patterns and habits;
• other unique identifiers in specific circumstances.

More information in our Australian Privacy Laws guide.

How to Manage Personal Information

If you’re an individual looking for a way to manage your personal data, you need to know that privacy laws give you various rights that allow you to access, review, and delete the data a company has collected about you.

For example, under the EU GDPR, you have, among others:

• The right of access: you can access your personal information and request details on how it’s been processed.
• The right of rectification: you can ask to modify your data if it is inaccurate or incomplete.
• The right to erasure: you can request a business to delete the data they have about you.
• The right to object: you can object to certain activities in relation to your personal data.

You can learn more about your rights here.

How to Remove Your Information from Google

Search engines, like Google, may collect various pieces of information about you.

To see and manage the information Google has collected about you, you can go to the “Data & Privacy” section of your Google account.

From there, you’ll have a complete overview of the Google services you’re using and the data Google and third-party services are collecting about you. You can also download or delete this data.

If instead you’re looking to remove your personal information from the Search results, you’ll need to fill out the Removal request form. You can find more details in this guide by Google.

How to Manage Personal Information as a Business

If you own a website or an app, and you collect and process personal data, you need to meet specific requirements.

These requirements vary depending on the privacy law that applies to you – you can find out by taking this 1-minute quiz. But one thing you’ll probably need is a privacy policy.

A privacy policy is a document that outlines the data processing activities of your website. In other words, it explains to your users what data you’re collecting about them, why you need this data, and how you’re processing and protecting it.

Moreover, you must take all the necessary security measures to ensure the data you collect is protected from unauthorized access or misuse.

This means:

• Collect the least amount of data possible, only what you need to achieve the purposes stated in your privacy policy (principle of data minimization).
• Keep data anonymized or encrypted.
• Define internal policies for access to sensitive information.
• Back up the data.
• Define a plan of action in case of a data breach.

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post What is Personal Information Across Major Privacy Laws appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

This right allows European consumers to withdraw from distance contracts—those made online or outside a physical store—without needing to provide a reason, creating a higher degree of consumer confidence and trust in online transactions.

Key Points of the Right of Withdrawal

Exceptions to the Right of Withdrawal

However, certain contracts are exempt from this right, here are a few examples:

Updates from the Omnibus Directive

The Omnibus Directive introduced nuances, particularly concerning digital content and services where there is no money transaction, but instead personal data is provided as consideration.

However, in this instance, the right of withdrawal may not apply, depending on whether the data processing is solely for contract performance or legal compliance.

Navigating the Regulations with iubenda

We know well that for online businesses, navigating these regulations can be daunting…

Luckily for businesses, iubenda provides an essential toolkit for ensring compliance with the EU’s consumer protection laws. 

By integrating iubenda’s solutions, businesses can easily adapt their online platforms to meet these legal requirements, ensuring a transparent and trustworthy environment for their European consumers.

How to find the related clauses

Within our Terms and Conditions Generator dashboard you can easily add these clauses in three simple steps:

First, add clauses:

Then, click on the Business model, payments and user rights tile:

Next, scroll down to User rights ― required by law or offered voluntarily by you, under the subheadingMandatory right of withdrawal for consumers in the EU click on the checkbox next to “Right of withdrawal” section (required by law for European consumers) and below that, click on the check box next to Applicability of withdrawal right → You offer goods or services that the right of withdrawal applies to.

Finally, scroll down to find the Exceptions drop down box.

Ensure your online business thrives in the European market by prioritizing compliance with the EU’s consumer protection laws. With iubenda, you can seamlessly integrate comprehensive legal solutions tailored to your needs, ensuring your operations align with the right of withdrawal requirements and beyond.

The post Understanding the Right of Withdrawal in the EU: A Guide for Online Businesses appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Directive 2019/770 is a pivotal regulation addressing the “supply of digital content and digital services,” highlighting the nuances of digital transactions, especially concerning personal data as a form of payment. 

For businesses operating within the B2C sector, whether online or offline, this directive delineates the obligations and rights tied to digital content and services provision. 

Digital Content and Services Explained

Under Directive 2019/770, ‘digital content’ is defined as data produced and supplied in digital form. This encompasses a wide array of digital products, from ebooks and music to online courses and software. ‘Digital service,’ on the other hand, refers to services enabling consumers to create, process, store, or access digital data, including services for sharing or interacting with data uploaded by users. This broad definition ensures that various consumer interactions with digital environments are covered, from cloud storage solutions to social media platforms.

The directive applies to B2C contracts for digital content or services provided against payment or the disclosure of personal data, except where data is strictly necessary for contract performance or legal compliance. This inclusion of personal data as a form of payment marks a significant shift in recognizing the value and implications of personal data in digital transactions.

The Special Case of Personal Data

With the increasing acknowledgment of personal data as a valuable asset, Directive 2019/770 stipulates that contracts involving digital content and services must offer certain guarantee rights, even when personal data serves as payment. This approach underscores the evolving nature of consumer rights and business responsibilities in the digital marketplace, where personal data often plays a crucial role in transactions.

Why Choose iubenda?

iubenda’s comprehensive solution addresses the challenges posed by the legal requirements of providing digital content and services, especially concerning personal data. By incorporating our tailored clauses into your terms and conditions, you safeguard your business against legal pitfalls and reinforce trust with your users. Our platform offers a seamless way to adapt to regulatory requirements, ensuring your digital services are not only compliant but also positioned for success in the digital economy.

Leverage iubenda’s expertise to navigate these waters confidently. Explore how our Terms & Conditions Generator can streamline compliance for your digital content and services. Secure your business’s future by prioritizing compliance! 

Directive 2019/770 states that contracts about the provision of digital content and digital services must provide for a certain set of guarantee rights also when the “payment” is not in the form of money or equivalent values, but personal data. 

We have a very useful clause in our Terms and Conditions Generator, that means (end) users are required to provide their personal data, in order to access or receive some products provided via the website or application.

How to find the related clause:

Within our dashboard you can easily add this clause in three simple steps:

First, add clauses:

Then, click on the Business model, payments and user rights tile:

Finally, scroll down to Purchasing process and under Payment options tick the box next to Additional statement if you require your users to provide their personal data. 

The post Navigating Digital Content, Services, and Personal Data with iubenda appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Let’s break down these changes in a way that’s easy to understand, focusing particularly on the updated Directive on Price Indication (98/6/EC) to illustrate how these amendments aim to empower consumers.

What is the Directive on Price Indication?

The Directive on Price Indication ensures that consumers are well-informed about prices when making purchases. It mandates that the selling price and the price per unit of measurement for products are clearly indicated, including value added tax and all other taxes. This applies to goods offered to consumers (B2C context), facilitating better decision-making through price comparison. 

It’s important to note that this directive covers only “goods” in the traditional sense, not digital content, services, or digital services.

Key Amendments Under the Omnibus Directive

One of the notable amendments to the Directive on Price Indication involves the rules around announcing price reductions.

Practical Implications for Consumers and Traders

For consumers, these changes mean more transparent pricing and easier comparison shopping, leading to better-informed purchasing decisions. 

For traders, the directive imposes stricter guidelines on how price reductions are communicated, ensuring that promotions are genuine and transparent.

The amendments brought by the Omnibus Directive, particularly to the Directive on Price Indication, mark a significant step towards improving consumer protection in the EU. 

By ensuring price transparency and fair presentation of price reductions, the EU aims to foster a more trustworthy and consumer-friendly marketplace. Whether you’re a shopper eager to find the best deals or a trader aiming to comply with the new regulations, understanding these changes is key to navigating the modernized landscape of consumer rights in the EU.

The post Obligations when announcing a price reduction: Understanding the Omnibus Directive appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

This guide aims to simplify the complexities of these laws, focusing on the informational duties that businesses must fulfill.

The Role of Durable Mediums in Consumer Information

A key requirement under both EU and UK consumer law is that certain disclosures must be provided to consumers on a “durable medium.” 

This means a medium that allows information to remain accessible and unchanged for a period necessary for the purposes of the information. The most common and practical way to meet this requirement is by offering an option for consumers to download a PDF file containing all the mandatory disclosures.

Mandatory Disclosures: What You Need to Know

Businesses are required to inform consumers about various aspects of their products, services, or digital content. 

Here’s a breakdown of the essential information that must be communicated:

Providing Information on a Durable Medium

The most common practice for fulfilling the durable medium requirement is to first display all necessary information on the product page, shopping cart, or during the purchase process on the business’s platform. 

Following a purchase, businesses should then send an order confirmation email containing the same information, ensuring that consumers have a record of the details relevant to their purchase.

How iubenda Can Help

Compliance with EU and UK consumer law is not just about avoiding legal repercussions; it’s about building trust with your customers by ensuring transparency and safeguarding their rights. By providing all mandatory disclosures as outlined above, businesses can foster a better relationship with their customers and navigate the complexities of online sales with confidence.

iubenda facilitates compliance by enabling businesses to offer a downloadable PDF version of the Terms and Conditions (T&C) that govern transactions with customers. 

Within iubenda’s Terms and Condition Generator, clauses containing mandatory disclosures are clearly marked, guiding businesses to include all necessary information in their contracts. 

Please keep in mind that, some mandatory information cannot be included in T&C generator as it depends on the specific order or purchase placed by the end-user. It’s always the traders responsibility to verify that the website, app and/or business is compliant with all applicable mandatory provisions, and that using T&Cs created with our generator will help, but in some cases it might not be enough. 

Read more about it here, or start generating below.

The post Understanding Mandatory Online Sale Disclosures: A Guide for EU and UK Businesses appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

This article delves into the intricacies of commercial guarantees in the EU, their implications for traders and consumers, and the legal framework surrounding them.

The Basics of Commercial Guarantees

Commercial guarantees are voluntary commitments offered by traders to consumers in the EU, going beyond the mandatory minimum 2-year legal guarantee. They are designed to provide an extra level of assurance and are often used as a marketing tool to attract customers. Importantly, these guarantees cannot diminish or replace the basic 2-year legal guarantee.

Types of Commercial Guarantees

Commercial guarantees may come in various forms, including:

Binding Nature of Commercial Guarantees

The terms of commercial guarantees are binding as per the conditions stated in the guarantee statement and associated advertising. If there’s a discrepancy between the two, the more favorable conditions for the consumer, as advertised, will prevail. This is valid unless any advertising corrections were made before the contract’s conclusion.

Requirements for Commercial Guarantee Statements

Commercial guarantee statements must adhere to specific requirements:

Legal Considerations and Recommendations

The implementation of commercial guarantees must be carefully managed. Traders should note that member states in the EU might have different rules regarding guarantees. Therefore, it is crucial to seek legal advice to ensure compliance with applicable laws in targeted countries. 

Businesses can refer to clauses related to user rights, payments, and after-sales services for basic understanding, but more thorough documentation is advisable.

Within our Terms and Conditions Generator dashboard you can easily add these clauses in three simple steps:

First, add clauses:

Then, click on the Business model, payments and user rights tile:

Finally, scroll down to add clauses related to guarantees and after sales services: 

Commercial guarantees in the EU represent a vital aspect of consumer protection and business operations. They offer additional assurance to consumers while providing traders with a tool to enhance customer satisfaction and trust. 

Understanding and adhering to the legal requirements of these guarantees is essential for both consumer protection and business success in the EU market.

The post Understanding Commercial Guarantees in the EU appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

For a comprehensive overview of what needs to be included in your accessibility statement, check out our guide on Understanding the Accessibility Statement. This article outlines key elements that should be covered to ensure compliance.

Additionally, if you’re operating within the European Union, the European Accessibility Act (EAA) introduces specific requirements for accessibility statements. To help you meet these standards, we’ve created a European Accessibility Act (EAA) Accessibility Statement Guide & Template that offers a practical framework for structuring your statement in accordance with the new legislation.

Web Content Accessibility Guidelines 

The World Wide Web Consortium created the WCAG set of guidelines to improve the accessibility of web content for individuals with disabilities. 

Globally, adhering to these guidelines is regarded as best practice and improves accessibility for all users.

EU Accessibility Legislation

Scope of Application

The European Accessibility Act (EAA) aims to improve accessibility to products and services for elderly individuals and persons with disabilities within EU Member States. This directive applies to economic operators both within and outside the EU that provide products or services within the EU.

Requirements

Annex I, Section III outlines the general accessibility requirements for all services covered by the EAA, including:

Transposition

• By 28 June 2025, Member States must transpose the EAA into national law.
• A transitional period will be provided until 28 June 2030, during which service providers may continue to use products that were lawfully used to provide similar services before this date.
• Service contracts agreed before 28 June 2025 may continue without alteration until they expire, but no longer than five years from that date.

Exemptions

The Directive does not apply to the following content of websites and mobile applications:

• pre-recorded time-based media published before 28 June 2025;
• office file formats published before 28 June 2025;
• online maps and mapping services, if essential information is provided in an accessible digital manner for maps intended for navigational use;
• third-party content that is neither funded, developed by, or under the control of, the economic operator concerned;
• content of websites and mobile applications qualifying as archives, meaning that they only contain content that is not updated or edited after 28 June 2025.

Further specific exceptions are:

• microenterprises (enterprises which employ fewer than 10 persons and which have an annual turnover not exceeding EUR 2 million or an annual balance sheet total not exceeding EUR 2 million);
• where compliance would lead to a “fundamental alteration” to a product or service of its basic nature;
• where compliance would result in the imposition of a disproportionate burden on the economic operators concerned.

UK Accessibility Regulations

Scope of Application

The UK legal framework for accessibility includes the Equality Act 2010, the Accessibility Regulations 2018 (No.2), and the Accessibility (Amendment) (EU Exit) Regulations 2022. These regulations mandate compliance with the Web Content Accessibility Guidelines (WCAG) 2.1 at Levels A and AA. 

Requirements

Make the Service Accessible

The Equality Act 2010 emphasizes the elimination of discrimination against persons with disabilities and minorities, covering all societal strata, including the young, elderly, pregnant individuals, disabled persons, and ensuring gender protection.

Accessibility Statement

Article 8 of the Accessibility Regulations mandates that public sector bodies provide an accessibility statement for their websites or mobile applications:

1. The statement must follow the model published by the Minister for the Cabinet Office and be regularly reviewed.
2. For websites, the statement must be accessible and published on the public sector body’s website.
3. For mobile applications, the statement must be accessible and available on the public sector body’s website or alongside the application download information.

The Accessibility Amendment Regulations also specify that compliance with the accessibility statement must align with WCAG Level A and AA criteria.

Enforcement Date

The requirements are currently in force.

Exemptions

Exemptions are allowed where compliance would impose disproportionate burdens. Such exemptions must be justified within the accessibility statement, detailing the reasons for non-compliance.

US Accessibility Standards

Scope of Application

The Americans with Disabilities Act (ADA) is the primary US law ensuring equal opportunities for people with disabilities. While the ADA originally focused on physical locations, recent legal interpretations have expanded its scope to include digital spaces. 

Requirements

Under Title III of the ADA, private entities must ensure that individuals with disabilities have equal access to their services.

The DOJ uses the Web Content Accessibility Guidelines (WCAG) as a benchmark for digital accessibility, although specific regulations are still under development. Recommendations by the DOJ’s Civil Rights Division to improve website accessibility include:

Enforcement Date

The ADA’s requirements are currently in force.

Exemptions

There are no specific exemptions detailed for digital accessibility under the ADA. However, compliance measures may vary based on the size and resources of the entity, and any undue burden must be justified. 

Websites should include any disproportionate burden justifications within their accessibility statements, explaining why certain accessibility measures may not be feasible.

Common Accessibility Requirements

Across all regions, a prominent requirement is the inclusion of an accessibility statement. This statement should outline the accessibility measures implemented and provide a way for users to report issues. It serves as both a declaration of compliance and a resource for users needing assistance.

Best Practices for Compliance

As digital accessibility becomes increasingly governed by international and national laws, understanding and implementing these standards is crucial for businesses operating across borders. 

By aligning with WCAG and adhering to local legislation, organizations can ensure inclusivity and accessibility for all users.

The post Understanding Accessibility Legislation: EU, UK, and US Perspectives appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Let’s have a look at what this means for us, especially for website owners.

Understanding the CIPA

Let’s start with the history, the CIPA was enacted back in 1967, aiming to prevent eavesdropping and wiretapping. It was all about keeping our private phone conversations safe from prying ears. 

Fast forward to today, and the landscape has changed dramatically. We’re no longer just worried about phone calls; our lives are lived online, from chatting with friends to filling out forms on various websites.

Recently, the CIPA has been reinterpreted to include online activities. Methods like: 

For example, if a website records your chat messages or keeps tabs on your form submissions without clear consent, they could be infringing on your privacy rights. 

Legal Challenges

Recent class action lawsuits have started targeting websites that use third-party tools, such as Meta Pixel, under CIPA and other wiretapping laws. These lawsuits generally claim that certain online data collection and sharing activities—especially those involving third-party technologies—are covered by these regulations.

A key focus is on the relationship between third-party service providers accessing information collected on websites and the unauthorized access to private communications. As case law evolves, courts have increasingly recognized the potential links between these technologies and privacy violations. Several claims have emerged related to the use of third-party tools like Meta Pixel. The allegations primarily focus on:

How can your website align with the CIPA?

So, what does this mean for businesses operating online? If you’re running a website, you need to be aware of how CIPA applies to you. Here are a few key considerations:

• User Communications: It’s All About Transparency: When your website records interactions—whether it’s chat messages, emails, or form submissions—you could be seen as intercepting communications. It’s crucial to remember that, under CIPA, all parties involved in a communication must consent to its recording. This means you need to be transparent with your users about what data you’re collecting and why.

• Session Replay Software: Proceed with Caution: Session replay tools can be a double-edged sword. They allow you to monitor user behavior on your site, which can help improve user experience. However, if you’re not upfront about this data collection, you could be in violation of CIPA. Ensure that your users know they are being monitored and obtain their consent before diving into their digital footprints.

Now that we’ve tackled some of the challenges, how can online businesses align with CIPA’s evolving interpretations?

By understanding CIPA and implementing best practices, we can ensure that our online experiences remain safe and respectful.

The post What you need to know about the California Invasion of Privacy Act (CIPA)  appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The “Omnibus” Directive 2019/2161 introduces specific information requirements for contracts concluded on online marketplaces. This guide is designed to help online marketplace providers understand and implement these requirements effectively to ensure compliance.

The “Omnibus” Directive: Key Information Requirements

Before a consumer is bound by a distance contract, or any corresponding offer, on an online marketplace, providers of online marketplaces must present certain information in a clear and comprehensible manner, appropriate to the means of distance communication used. If you are an online marketplace provider and consumers are targeted, here’s what you need to provide:

Additional Guidance with iubenda

To help integrate these requirements seamlessly:

For more information on how to create your terms of use for your site/app

Read our guide on How to Generate a Terms and Conditions document

This guide aims to assist you in understanding and implementing the necessary changes to your online marketplace to comply with the latest the “Omnibus” Directive, ensuring a smoother, more transparent shopping experience for your consumers.

The post Implementing the “Omnibus” Directive for Online Marketplaces appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The EDPB’s Opinion: Key Takeaways 

According to the EDPB, if users are simply given the binary option to consent to the processing of their personal data for behavioral advertising purposes or to pay a charge, then these online platforms will typically be unable to meet the conditions for valid consent.

The EDPB recommends that large online platforms should not solely rely on offering paid alternatives as the standard approach. They should consider providing an ‘equivalent alternative’ that does not require payment. If a fee is charged for accessing this alternative service, platforms must also offer another option that is free of charge.

Ideally, this free option would not include behavioral advertising; instead, it is suggested that it would include less intrusive types of advertising that process personal data in a minimum or nonexistent way.

This alternative must entail no processing for behavioral advertising purposes and may for example be a version of the service with a different form of advertising involving the processing of less (or no) personal data, e.g. contextual or general advertising or advertising based on topics the data subject selected from a list of topics of interests. 

This recommendation is essential for guaranteeing that consent is legitimate and freely provided, preventing situations in which users feel pressured to give consent to data processing because there are no other viable options.

Assessing Valid Consent 

The EDPB indicated that the following criteria ought to be considered when determining valid consent:

Future EDPB Actions

The EDPB intends to communicate with stakeholders while developing guidelines that handle “consent or pay” models in a more thorough manner. The purpose of this upcoming guidance is to make it clearer how online platforms can use these models while still abiding by the law.

We will be monitoring the issuance of these guidelines and will keep you updated once published.

The post EDPB’s Opinion on “Consent or Pay” Models appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Background

In the United States, navigating the privacy laws can seem quite challenging. As of 2024, many states have set their own rules, creating a complicated landscape that can confuse consumers and businesses alike. 

Check to see if US state privacy laws apply to you. Take this 1-min quiz

The APRA was drawn up as a possible answer to these problems, with the goal of harmonizing privacy laws throughout the nation. The measure, which was first presented in early 2024, aims to support people’s right to privacy and make compliance easier for businesses.

In April 2024, the APRA remains a contentious issue in Congress. Discussions concerning its provisions are being actively engaged in by government officials, IT corporations, and privacy advocates, among other stakeholders. The outcome of these discussions will have a significant impact on how personal data is managed and safeguarded at the federal level.

Make complying with US state privacy laws easier using iubenda →

Does the American Privacy Rights Act Apply to Me? 

The act introduces a broad definition of covered entity and provides significant exclusions. The act specifically exempts small businesses to prevent overwhelming them with stringent requirements. 

Consumer Rights and Control under the APRA

Under the new act, consumers are empowered with several rights and legal provisions that enhance their control over personal data and provide avenues for recourse:

• Prohibition of compelled Arbitration: In situations when there is a substantial harm to privacy, the act forbids compelled arbitration, therefore addressing a major obstacle to the implementation of privacy laws. This gives customers the ability to sue in court, which may result in stronger enforcement of their right to privacy.
• Private Right of Action: Businesses that disregard the act’s requirements are subject to lawsuits from customers.

Executive Responsibility: What you need to know

The APRA includes a noteworthy section that focuses on executive responsibility.

It’s straightforward: companies handling data must appoint qualified personnel as their privacy or data security officers. These workers are experts with two primary responsibilities:

1. 1. To set up and maintain a robust data privacy and security program;

1. 1. Ensure that the company continuously follows all the privacy requirements laid out in the act. So, if the law changes, they’re the ones making sure the company adapts accordingly.

Data Management Principles

National Data Broker Registry: American Privacy Rights Act

A nationwide registration for data brokers is introduced by the APRA. In order to ensure that data brokers abide by strict privacy regulations and safeguard individuals from unauthorized data usage, the APRA established a national data broker registration. This registry is intended to provide much-needed transparency to the activities of data brokers.

Preemption of State Laws

State vs. Federal Jurisdiction: One noteworthy feature of the APRA is its preemption of state privacy laws currently in effect. This keeps causing considerable controversy, especially in areas like California that have robust privacy safeguards already in place. The act aims to create a consistent national privacy standard, though it has exceptions for certain sectoral regulations.

Effective Date and Implementation: American Privacy Rights Act

The APRA is a groundbreaking piece of privacy law in the United States that would take effect 180 days after its enactment. It addresses significant topics like executive responsibility, consumer rights, and legal enforcement mechanisms. Businesses and consumers alike must get ready for the changes that this could bring.

The post The Proposed American Privacy Rights Act: An In-Depth Look appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Below we highlight the key findings from the guidance

Key points for the ICO’s new fining guidance:

1. Transparency and Fairness: The guidance aims to shed light on the fining process, particularly the considerations the ICO takes in imposing fines. It provides businesses with transparency and a clearer understanding of what leads to fines and penalties and how they may be able to avoid those fines through compliance.
   • Detailed Criteria: Provides specific criteria used in assessing fines, aiming for predictability in enforcement.
   • Decision-Making Process: Outlines the procedural steps taken from violation detection to the final fining decision, emphasizing the role of fair and impartial review.
   • Right to Respond: Details the opportunities businesses have to respond to allegations before fines are imposed, ensuring a fair hearing.
2. Fining Criteria: It outlines the exact factors for calculating the fines. With the aim of making organizations fully aware of the financial consequences of noncompliance.
   • Severity and Duration: Takes into account both the severity and the duration of the breach, reflecting the extent of impact on data subjects.
   • Intentional or Negligent Breaches: Differentiates between breaches that are intentional or result from negligence, adjusting fines accordingly.
   • Mitigation Efforts: Considers whether the organization took steps to mitigate the damage, potentially reducing the fine.
3. Maximum Fines: Confirming the potential severity of penalties, the guidance underscores that fines can escalate to as much as £17.5 million or 4% of an organization’s total worldwide annual turnover, whichever is greater. This aligns with the strict sanctions under the General Data Protection Regulation (GDPR), emphasizing the importance of adherence to data protection laws.
4. Impact on Small and Medium-Sized Businesses (SMBs): Particularly relevant for SMBs, the guidance details a scaled approach to fines based on a company’s turnover. For businesses with a turnover of less than £2 million, such as micro enterprises, even minor infractions could result in fines up to £3,480. This tiered fining structure aims to balance the enforcement of data protection laws with the financial realities faced by smaller businesses, ensuring penalties are substantial yet fair.

How are the fines determined? 

The ICO now uses five steps to determine penalties:

The new guideline is a testimony to ICO’s efforts to enforce data protection laws stringently and calls on businesses to place importance on personal data security and privacy. For businesses, especially those under the SMB category, grasping the nuances of the guidelines can help massively when navigating the intricacies of compliance and avoiding fines.

The post Understanding the ICO’s New Fining Guidance appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

This legislation aims to give Montana residents more control over their personal data, ensuring their privacy in a rapidly evolving digital world. 

What is Sensitive Data?

Under the MTCDPA, sensitive data refers to personal information that is more private and includes details such as:

Who Needs to Comply with the Montana Consumer Data Privacy Act?

The act applies to businesses operating in Montana or targeting its residents, with specific criteria:

Non-profits and certain other entities are exempt from this law.

Consumer Rights Under the MTCDPA

People of Montanan have the following rights regarding their data:

As a business operating under the Montana Consumer Data Privacy Act (MTCDPA), it is imperative to establish and communicate secure and reliable methods for consumers to exercise their privacy rights. This includes the submission of requests regarding their personal data without the necessity for them to create an account. However, if a consumer already has an account with your business, you are encouraged to facilitate the submission of requests through that account.

It is also important to acknowledge that parents and legal guardians have the right to submit requests on behalf of their children, ensuring their privacy is protected under the act.

Upon receiving a consumer request, your business is obligated to respond within 45 days. 
This timeframe may be extended under specific circumstances, provided that the consumer is notified of the extension and the reasons for the delay within such term. Furthermore, in the case of appeals against decisions made in response to their requests, your business must ensure that these are processed, and a conclusion is reached within 60 days.

Business Obligations Under the MTCDPA

See below for a more in-depth review of what this means for your business

1. Consent for Data Processing

Businesses are required to obtain explicit consent from consumers for several key activities:

2. Compliance with COPPA

Businesses must ensure that their data processing practices concerning children’s data comply with the Children’s Online Privacy Protection Act (COPPA). This involves obtaining verifiable parental consent before collecting, using, or disclosing personal information from children under 13 and adhering to COPPA’s stringent requirements for protecting children’s online privacy.

3. Privacy Notices

Businesses are required to provide detailed and accessible privacy notices that include:

4. Data Protection Assessments

For activities that present a heightened risk of harm to consumers (such as processing sensitive data, targeted advertising, and profiling), businesses must conduct and document data protection assessments. These assessments are crucial for identifying and mitigating risks to consumer privacy and data security.

5. Universal Opt-Out Recognition

Starting January 1, 2025, businesses will be required to recognize and honor universal opt-out signals from consumers electing to opt out of the sale of their personal data or targeted advertising. 

This means businesses must be technologically equipped to automatically process these opt-out requests without requiring further action from consumers.

The post Understanding the Montana Consumer Data Privacy Act (MTCDPA)  appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Article 25 of the GDPR

The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures.

Article 25 of the General Data Protection Regulation introduces the concepts of privacy by design and privacy by default, which are essential for ensuring data security from the very beginning of a product or service.

According to the GDPR, every project must be initiated with privacy and data protection in mind to minimize any associated risks. This is part of the broader principle of accountability, for which you should always adopt a problem-prevention approach, rather than repairing the damage later.

For this reason, it’s recommended to start with a risk assessment to identify any vulnerabilities that could expose users to breaches. Article 25 also outlines the criteria that the data controller must consider in order to comply with the principle of privacy by design:

• The nature of the processing, so how much it can affect users’ freedoms and rights.
• The state of the art, meaning the technology available within the company and on the market.
• The cost of implementation, which includes both monetary costs and the time and resources used.

Privacy by design: main requirements

The main requirements of privacy by design include:

• Data minimization: collect only the data strictly necessary for the service provided.
• Purpose limitation: use collected data only for the stated purposes and not for any other purpose.
• Built-in security: ensure that systems are designed with robust security measures to protect the data.
• Transparency: be clear about how data are collected, used, and protected (to be specified in a privacy policy).
• Proactive accountability: organizations must be proactive in preventing privacy risks.

What does privacy by default mean?

Privacy by default means that the default settings of any service or product should be those that offer the highest degree of privacy. This implies that, without explicit user action, the collection and sharing of personal data should be limited to the minimum necessary.

Privacy by default: main requirements

The main requirements of privacy by default include:

• Explicit consent: users must give explicit consent for any use of their data beyond basic functionality.
• Ease of privacy management: privacy-related settings should be easily accessible and understandable to users.
• Data protection from the start: personal data should be protected automatically without user intervention.
• Minimizing data retention: keep personal data only as long as strictly necessary.

In conclusion, privacy by design and privacy by default are critical concepts in the digital age to effectively protect users’ personal information. This is not just about regulatory compliance, but about a cultural shift towards a more respectful and privacy-conscious approach to digital technologies.

Read also

• The Ultimate Guide to GDPR Compliance
• What is a Privacy Policy and Do You Need One?
• Data Protection Impact Assessment (GDPR DPIA Template)

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post What is privacy by design and by default? appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The European Data Protection Board (EDPB) backs the EU Commission’s pledge for simplifying user consent and addressing cookie fatigue, with a strong focus on GDPR compliance.

On December 19, 2023, a pivotal meeting unfolded, bringing together the Commission, digital advertisers, consumer associations, and traders. Their collective aim was ambitious yet clear, to present the draft of the ‘cookie pledge principles‘.  

As we get ready for the finalization of these principles, iubenda is fully prepared to guide businesses towards compliance with these emerging standards.

Go to →  The news | A detailed overview

Understanding the Cookie Pledge 

The principles aim to simplify cookie management for consumers while ensuring their privacy and data protection rights.

Principle A: Consent and Essential Cookies 

• Essential cookies, which don’t require consent, shouldn’t be part of the consent request.
• The EU Commission recommends against mentioning legitimate interests in the primary layer of the cookie banner. Instead, it should be included in the following layers for better clarity and user understanding.

Principles B, C, and D: ‘Pay or Okay’ System:

Offer Clear Choices and Less Intrusive Advertising Alternatives

• Websites/apps should upfront disclose if their content is financed through advertising.
• Choices regarding trackers should be clear and easy to understand.
• An alternative to tracking-based advertising should be offered.

Principle E: Consent Specificity:

• Consent must be free, informed, and specific.
• Gatekeepers under the Digital Markets Act must offer less personalized alternatives to users.

For ensuring that consent is free, informed, and specific, and to comply with the Digital Markets Act, iubenda’s privacy controls and cookie solution can be customized and assist in meeting these requirements.

Principle F: Business Model Consent — Cookie Fatigue 

The principle emphasizes that once consumers consent to a specific business model, separate permissions for cookies employed within that model are no longer required. 

This streamlined approach is designed to alleviate ‘cookie fatigue‘, ensuring that the consent process is more effectively tailored to reflect consumer preferences and decisions.

Principle G: Duration of Consent: 

• The EU Commission suggests that, in cases where consent has been declined, there should be a one-year interval before repeating consent requests.
• Aims to reduce annoyance from frequent consent prompts.

Principle H: Application Settings: 

• The EDPB acknowledges software applications’ ability to enable users to control their cookie preferences.
• Endorses the use of settings that allow users to predefine their cookie preferences.
• Aims to make the consent process more straightforward by allowing preference presets.

iubenda’s Role in Simplifying Compliance

At iubenda, our mission has always been to simplify legal compliance for websites and apps. With the EU’s new cookie pledging principles on the horizon, our role becomes increasingly crucial. 

Our solutions are crafted to align with these new guidelines, providing a straightforward and efficient pathway for businesses to adhere to the latest legal standards in cookie consent management.

Didn’t find the answer you are looking for? Contact our support.

The post New Cookie Pledge Principles  appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Exemption from Consent

These cookies can be exempted from user consent if they adhere to specific criteria:

Cookies That Do Not Qualify for Exemption

The guide clearly specifies that analytics and audience measurement cookies, which are repurposed for other uses, do not qualify for the consent exemption.

List of Exempt Audience Measurement Cookies

The guide outlines a list of specific audience measurement cookies that are exempt from consent requirements. These include:

Ensuring Compliance and Transparency

For cookies exempted from consent, the AEPD mandates the following guarantees:

Ready to Ensure Your Website’s Compliance with Audience Measurement Cookies?

---

Discover How iubenda Can Help

Navigating the complexities of audience measurement cookies and data protection laws can be challenging.

But worry not – iubenda is here to simplify this for you. Our comprehensive suite of tools is designed to help you align with the AEPD’s guidelines and beyond.

What We Offer:

• Customized Cookie Solutions: Tailor your website’s cookie management to be compliant with the latest regulations.
• Automated Privacy Policy Generation: Create privacy policies that reflect the intricacies of data protection laws.

Don’t let compliance be a stumbling block for your website. Join the thousands of satisfied clients who trust iubenda for their compliance needs.

Take action now!

The post Understanding the Spanish DPA Guide on Audience Measurement Cookies appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Whether you’re a website owner, a privacy enthusiast, or simply a curious internet user, this guide will offer valuable insights into the world of cookies and digital privacy, all within the context of Austrian law and European Union regulations.

This guide simplifies the complexities surrounding cookies and data privacy, keep reading to find out more

1. What Exactly are Cookies?

In simple terms, cookies are data storage consisting of a name (or key) and a value. When you visit a website, the server can send cookies to be stored on your device or browser. These are managed by modern browsers and sent back to the server with each page visit. They vary in type, such as session or persistent cookies, and can be categorized by the domain they belong to (like first-party or third-party cookies).

2. Legal Framework for Cookies

In summary, cookies can be set without consent only if necessary to provide a service explicitly requested by the user. For all other cookies, consent is required. It’s crucial not to set non-essential cookies before obtaining this consent.

3. Complaining About Improper Cookie Use

You can lodge a complaint with the data protection authority if cookies lead to personal data processing as defined in the GDPR.

4. Are Cookies Personal Data?

Cookies aren’t inherently personal or non-personal data. It depends on the information they contain and how it’s combined. For instance, a cookie saving your language preference on a website isn’t personal data unless linked to your identity.

5. When are Cookies “Technically Necessary”?

Technically necessary cookies don’t require user consent. They are essential for services like session management, form entries, or saving consent status. However, services tracking user behavior across sites or devices need consent.

6. What is a Cookie Banner, and is it Required?

A cookie banner pops up on a website to obtain consent for setting cookies. You require one if your site uses non-essential cookies.

Need a Cookie Banner for Your Website? 

---

Our cookie banner solution meticulously adheres to the necessary requirements. It guarantees:

• no unnecessary cookies are set without consent; 
• clear and informed consent mechanisms, no pre-selected options; and 
• an effortless process for both giving and revoking consent. 

We prioritize transparency and ease of use, ensuring that not giving consent is as straightforward as giving it, without any subtle pressures or unfair nudging. 

Trust our solution for a compliant, user-friendly cookie management experience. Explore the effectiveness of our cookie banner today →

7. Effective Consent and Cookie Banners

The design of a cookie banner should facilitate clear, voluntary, and informed consent. It should be as easy to refuse consent as it is to give it, with no unfair practices or pre-checked boxes.

8. Distinct Button Colors in Cookie Banners

While no specific color is mandated for consent buttons, they should be designed to ensure clear visibility and equal prominence.

9. The “Pay or Okay” Model

In the context of the “Pay or Okay” system, the DSB has provided the first clear guidelines. The DSB conditionally accepts the use of a cookie wall, but with specific qualifications: 

Understanding the “Pay or Okay” Model 

---

The “Pay or Okay” model offers a unique choice to website visitors: either pay for content access or consent to cookies. This approach, must strictly adhere to data protection laws and be implemented in a fair and reasonable manner. 

Learn more about the “Pay or Okay” model in our Simplifying Cookie Consent: The European Commission’s Approach article here →

10. Informing Visitors About Cookie Use

It is necessary to inform visitors about the use of technical cookies, regardless of whether they process personal data or not, as outlined by the guidelines.

Stay Compliant with Cookie Policies: Learn How with Our Solution

---

It’s essential for website owners to inform visitors about the use of cookies, particularly non-essential ones. This transparency isn’t just good practice; it’s a legal necessity. 

If your website is using any type of cookies, you’ll likely need a cookie policy. Are you looking for an effective way to communicate your cookie policy and ensure compliance? Learn more here →

11. Fulfilling Information Obligations for Cookie Use

Provide essential information on the first level, like in a cookie banner, and detailed information, like in a privacy policy. This should include the identity of the data controller, processing purposes, legal basis for processing, and withdrawal methods.

Create a Comprehensive Privacy Policy with iubenda’s Expertise

---

Meeting the information obligations for cookie use is a critical aspect of website management. This involves presenting in-depth information in your privacy policy. 

iubenda’s tools can guide you through the process of crafting a thorough and compliant privacy policy, covering the necessary elements like the data controller’s identity, processing purposes, legal bases, and methods for withdrawing consent. 

Discover how iubenda can help you build a robust privacy policy here →

12. Using Industry Standards or Cookie Consent Tools

These can be used, but ensure they comply with data protection laws. Don’t use them unquestioningly.

13. Responsibility for Cookies on Your Website

If you decide to use cookies on your site, you’re considered responsible for the data processing, especially if personal data is involved.

The post The Austrian Data Protection Authority’s FAQs on Cookies and Privacy appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Using a Google CMP for Consent Mode v2

Google strongly recommends the use of a certified CMP for Consent Mode v2. A Google-certified CMP makes the implementation faster, easier, and provides all the necessary technical support. It also ensures more flexibility for the future, as upgrades will happen automatically or with very little effort on your side.

Set up your CMP in minutes

Create your consent banner

Create your consent banner, select your applicable laws, and our CMP will automatically align its behavior with the proper requirements. You can also customize the banner to your needs: colors, fonts, display style, banner position, language, and more.

Enable Auto-blocking

Our CMP allows you to automatically block cookie scripts from running before you obtain your users’ consent. The auto-blocking feature already includes support for Google Consent Mode: just enable it, and you’re all set!

Embed

Embedding is as simple as copying and pasting an HTML code snippet onto your website, and you are done. Your cookie consent banner and Google Consent Mode integration are ready to go. You can also choose other embedding options, such as our plugins or Google Tag Manager template.

The post What’s the Digital Markets Act (DMA) and how will it affect you? appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

What’s happening? Both the European Parliament and European Council have approved a groundbreaking set of rules called the Data Act. It’s all about fair access to and use of data.

Why It Matters: This new law is set to make the EU a front-runner in our data-driven world. It aims to unleash economic potential, boost data trading, and open up new market opportunities. Find out all you need to know below

Background of the Data Act

Proposed by the European Commission on February 23, 2022, the Data Act has been crafted to address the evolving challenges and opportunities in the digital data market. It represents a concerted effort to balance the interests of various stakeholders in the digital domain, from individual users to large corporations.

On November 9, 2023, the Members of the European Parliament adopted the Data Act, a significant legislative step aimed at reshaping the digital landscape in the European Union. Garnering a majority of 481 votes in favor, the Act is set to ensure fairness in the digital environment, stimulate a competitive data market, and make data more accessible. 

This adoption was followed shortly afterward by the European Council’s on November 27, 2023.

What is the Data Act?

As explained in our previous blog post, the Data Act aims to “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all”. 

At its core, the Data Act includes several key elements:

Enforcement and Penalties 

EU Member States are required to designate supervisory authorities to enforce the Data Act. They are also tasked with defining penalty rules for any infringements, ensuring these penalties are effective, proportionate, and dissuasive. Additionally, EU data protection authorities will oversee the application of certain chapters of the Act, particularly concerning personal data protection.

What is in it for Small and Medium-sized Enterprises?

The Data Act is a big win for small and medium-sized businesses (SMEs) as it guards them against unfair contract terms. It identifies certain contract clauses as unfair, especially if they give one company too much control, like the power to interpret contract terms on their own. If a clause is considered unfair, it won’t apply to European businesses, including SMEs.

Moreover, the European Commission is working on creating recommended contract templates that are fairer and more balanced, particularly helpful when dealing with larger companies that have more negotiating power. To make this happen, an independent group of experts specializing in business-to-business (B2B) data sharing and cloud contracts will help the Commission. This ensures that SMEs can negotiate data sharing deals on a more equal footing.

What is in it for people and businesses?

The Data Act significantly benefits both individuals and businesses by giving them greater control over their data, especially data generated from connected products like smart appliances or industrial machinery. Currently, it’s often unclear who owns or can use this data, with many manufacturers claiming exclusive rights to it.

Under the Data Act, people and businesses will have enhanced data portability rights, allowing them to easily copy or transfer data across different services. This is particularly relevant for data from smart objects, machines, and devices. For example, a car owner could share data from their vehicle with an insurance company, and this aggregated data could be used to improve digital services like traffic management or identifying accident-prone areas.

Next Steps and Implementation

Official Publication: The regulation will soon be published in the EU’s official journal and will come into effect 20 months later.

New Product Requirements: Certain provisions, particularly regarding new products, will apply 32 months after the regulation comes into force.

In summary, the Data Act is a landmark legislation aimed at enhancing data access and fairness, protecting user rights, and fostering innovation in the EU’s digital market. As the EU prepares for the formal adoption and implementation of the Data Act, understanding its nuances becomes crucial for businesses, consumers, and digital stakeholders. 

Stay informed and engaged as the Data Act ushers in a new era of digital fairness and innovation in the European Union.

The post Understanding the European Union’s Data Act appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

On October 19, 2023, the DSB found Google LLC in violation of the General Data Protection Regulation (GDPR) due to a lack of transparency in their data processing practices related to Google Fonts.

Background

The DSB’s investigation was prompted by inquiries it received concerning warning letters sent to numerous companies. These letters, sent by a lawyer, raised concerns about the integration of Google Fonts on company websites and sought to recognize a claim for damages. Many companies were asked to submit cease and desist declarations.
To get to the bottom of these issues, the DSB initiated an investigation into Google LLC’s data processing methods when it comes to Google Fonts.

Findings of the DSB

The DSB’s investigation into Google Fonts and its data processing practices revealed important findings:

When Google Fonts are (re)loaded through a Google server, data is transmitted to either Google LLC or Google Ireland Limited. However, if the fonts are locally integrated on a server, data transfer does not follow this procedure.

Information Obligation

Google did not fully meet its information obligation under Articles 12(1) and 13 of the GDPR. This is because IP addresses can, depending on the individual case, be considered personal data.

Outcomes and Implications

Based on these findings, the DSB concluded that these observations apply specifically to the Google Fonts product of Google LLC. Any changes to Google Fonts’ data processing practices following the completion of the investigation could potentially alter these conclusions.

This decision by the Austrian DSB serves as a reminder of the importance of transparency and compliance with GDPR regulations in the digital age. It also highlights the need for companies to review their data processing practices, especially when integrating third-party services like Google Fonts, to ensure they are in compliance with data protection laws. Failure to do so can result in legal consequences, as demonstrated by this case. Companies must stay vigilant and up to date with data protection regulations to protect both their users’ privacy and their own legal standing.

Sign up for iubenda’s Privacy and Cookie Policy to Ensure GDPR Compliance!

---

Are you concerned about the recent GDPR violation related to data processing via Google Fonts? Don’t risk your company’s reputation and legal standing. Ensure transparency and compliance with data protection laws by signing up for iubenda’s Privacy and Cookie Policy generator today.

Key Benefits:

• Stay GDPR compliant: Avoid costly penalties and legal consequences.
• Gain user trust: Demonstrate your commitment to transparency and data privacy.
• Easy customization: Craft policies that align with your unique business operations.
• Expert guidance: Access a wealth of resources and support to navigate complex legal requirements.

Get Started with iubenda Today!

The post GDPR Violation: Lack of Transparency in Data Processing via Google Fonts appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Texas legislature recently passed HB 4, known as the Texas Data Privacy and Security Act (TDPSA).

On June 18, 2023, Texas marked a significant legislative milestone by becoming the 10th state to adopt a comprehensive privacy law. Following the likes of Colorado, Virginia, Utah, and Connecticut, here’s everything you need to know about Texas’ new privacy law

The Journey of HB 4

Passed on May 28 via a conference committee, the bill was signed into law by Gov. Greg Abbott on June 18. Texas’ bill is set to be effective from July 1, 2024, ahead of some other states.

A comparison with other state laws shows some unique features in the Texas bill, with Virginia’s legislation serving as its primary foundation.

What are the Key Features of HB 4?

1. Coverage Thresholds: Unlike other states that base their applicability on monetary values, Texas has introduced a novel three-factor applicability standard.
2. Opt-out Mechanisms:By January 1, 2025, there’s a requirement for the acknowledgment of universal opt-out mechanisms.
3. Opt-in and Opt-out Provisions: The bill mandates opt-in consent for sensitive data collection and processing, along with opt-outs for targeted advertising, data sales, and profiling.
4. Data Protection Measures: These include data protection assessments, clauses on “dark patterns,” and a notable 30-day cure provision.

Definition of Sensitive Data Under the TDPSA

The TDPSA categorizes sensitive data extensively, including personal details that reveal racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship status, genetic and biometric data for identification, data collected from children, and precise geolocation data.

Who does TDPSA apply to?

Texas new data privacy law has set a new standard by establishing the following criteria for entities that:

With the signing of the Texas Data Privacy and Security Act into law on June 18, 2023, businesses, policymakers, and consumers eagerly anticipate its enforcement, as Texas cements its position on data privacy. The law, while echoing some existing provisions, definitely charts new territories, emphasizing the state’s commitment to safeguarding its residents’ data privacy.

Consumer Rights Under the TDPSA

Consumers are granted several rights, including the right to access, correct, delete their personal data, receive a portable copy of their data, opt-out of certain processing activities, and not be discriminated against for exercising their rights.

Exercise of Rights and Controller Obligations

Consumers can exercise their rights at any time, and controllers must respond within 45 days. Controllers are required to establish secure methods for consumers to submit requests, obtain consent for processing sensitive data, and provide clear privacy notices. Additionally, starting January 1, 2025, controllers must enable consumers to opt-out of targeted advertising and data sales through browser settings or device configurations.

The post Texas New Data Privacy Law TDPSA: Everything you need to know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

This move follows similar steps by states like Colorado, Virginia, Utah, and Connecticut, but Oregon’s got its unique points.

Who’s covered by the Oregon Consumer Privacy Act? 

The law applies to businesses operating in Oregon or providing products or services to residents of Oregon that:

Note: Non-profit businesses get an extra year (until July 1, 2025) before this applies to them.

Who’s Not Covered Oregon Consumer Privacy Act?

• The law skips over employment-related or B2B data.
• Health information gets a pass, especially if it is subject to the Health Insurance Portability and Accountability Act (HIPAA) rules.
• Data that is processed under federal laws like the Fair Credit Reporting Act or the Driver’s Privacy Protection Act isn’t part of this.
• If the data is public or has no personal identifiers, it’s exempted.

What Should Businesses (Controllers) Do?

• Clearly tell consumers what data they’re collecting and why. If they’re using it for targeted ads, they must mention it.
• Let consumers access or delete their data or correct it if it’s wrong.
• If businesses want to use the data differently than they said, or if it’s sensitive, they need the consumer’s clear OK. Consumers should also be able to take back this consent anytime.
• July 1, 2026, businesses must recognize “Global Privacy Control” signals from browsers like Chrome, which allow users to opt out of data sales or targeted ads.
• Businesses need to do risk checks when using data in ways that might harm consumers.

What About Those Processing the Data? 

People or businesses processing data on behalf of others (called “processors”) need to:

User Rights under the Oregon Privacy Law

Oregonian consumers can:

What Does “Consent” Mean here? Consent means a consumer clearly says “yes.” Tricks or confusing methods to get consent aren’t allowed. Also, doing nothing isn’t seen as saying “yes.” To profile, serve ads, or sell data of 13 to 15-year-olds, businesses need clear consent.

Enforcement and Penalties under the Oregon Privacy Law 

Starting July 1, 2024, only the Oregon attorney general can act on violations. Businesses could face a fine of up to $7,500 for each mistake. But, businesses get a 30-day window to fix things before any penalty.

By next year, businesses will have to be ready for 11 privacy laws. While many elements are common, each state law has its quirks. Companies should plan now, especially if they deal with sensitive data or do target advertising, to ensure they’re on the right track.

The post Oregon Consumer Privacy Act: Overview appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Iowa has formally joined the ranks of US states adopting comprehensive data privacy legislation, with the Iowa Consumer Data Protection Act (ICDPA) set to take effect on January 1, 2025. This legislation aims to safeguard the personal data of over 3 million Iowa residents and align with privacy practices seen in other states such as Colorado, Virginia, Utah, and Connecticut.

This guide provides a breakdown of the ICDPA, covering its scope, key definitions, consumer rights, and business responsibilities.

Scope and Applicability

The ICDPA applies to entities that:

1. Conduct business in Iowa or offer products or services targeted at Iowa residents; and
2. During a calendar year, either:

Important Note: Unlike some state privacy laws, there is no revenue threshold for applicability. The ICDPA does not apply to non-profits, certain state entities, higher education institutions, or data covered under specific federal laws (e.g., HIPAA).

Definition of Sensitive Data

Sensitive data under the ICDPA includes:

Key Consumer Rights Under the ICDPA

Iowa residents have the following rights under the ICDPA:

How Consumers Can Exercise Their Rights

Request Process:
Consumers must submit requests through the methods specified by the business in its privacy notice. Businesses cannot require consumers to create an account to submit a request; however, if a consumer has an existing account, businesses may ask them to use it for submissions.

Authorized Agents: Parents and legal guardians can submit requests on behalf of children or other individuals.

Appeal Process:
Businesses must have an appeal process similar to the request process, and responses to appeals must be provided within 60 days. If an appeal is denied, businesses must provide a mechanism (e.g., an online link) for consumers to contact the Iowa Attorney General’s office.

Business Responsibilities and Deadlines

Processing of Sensitive Data:
Businesses cannot process sensitive data without giving clear notice and allowing consumers to opt out. The processing of children’s data must align with the Children’s Online Privacy Protection Act (COPPA) and requires opt-in consent.

Privacy Notice Requirements:
Businesses must provide an accessible and comprehensive privacy notice that includes:

Data Security:
Controllers must adopt reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data.

Contracts with Processors:
Businesses must enter into agreements with data processors that align with ICDPA compliance standards. This may involve updating existing data processing addendums to include references to the ICDPA.

Enforcement and Penalties

Enforcement:
The Attorney General has exclusive enforcement authority. Businesses have 90 days to cure any violations after receiving written notice.

Penalties:
Non-compliance can result in civil penalties of up to $7,500 per violation, payable to the consumer education and litigation fund.

Exemptions

The ICDPA exempts certain data and entities, such as:

The Iowa Consumer Data Protection Act marks a significant step in state-led data privacy initiatives, providing consumers with enhanced rights and requiring businesses to adopt rigorous privacy practices. 

To ensure compliance, entities must update their privacy policies, data processing agreements, and consumer response procedures well ahead of the January 1, 2025, enforcement date.

The post Newly Enacted Iowa Consumer Data Protection Act (ICDPA) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Bridge, also known as the UK Extension to the EU-US Data Privacy Framework, ensures a seamless flow of personal data between the UK and the US while upholding the highest privacy standards.

Key Takeaways

Understanding Data Bridges

Think of a ‘data bridge‘ as a green light, the recognition that the level of data protection offered by the country of destination, the US in this specific case, is ‘adequate‘. In other words, data can safely flow to that country, without further measures being required, as it offers a sufficient level of protection, comparable to that of the UK. 

The establishment of the Bridge embodies the UK’s dedication to nurturing global ties. 

The Bridge is designed with the rigorous standards of UK GDPR at its heart and its benefits range from boosting business growth and pivotal research to spurring innovation and enhancing consumer services.

About the Data Privacy Framework

Privacy Matters

The establishment of the Bridge stands as a testament to the unwavering commitment to UK GDPR standards. 

As US entities come under the Bridge, they are now required to adhere to UK GDPR’s stringent norms. While this bridge paves the way for more streamlined data transfers, UK companies remain tethered to domestic data protection regulations, guaranteeing unparalleled protection for individuals’ personal data.

This UK-US data bridge fosters a stronger relationship between the two nations while ensuring that individual privacy and data protection standards remain uncompromised. 

The post UK-US Data Bridge: A New Era for Secure Data Transfers appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In this post, we’ll give you all the background information needed to answer the questions above and get a clear understanding of GDPR applied to the US. We also provide an actionable checklist for US companies, including detailed steps that they may need to take in order to comply (and avoid fines!). Let’s get started!

For a recap overview, take a look at this video:

How can the GDPR affect US companies?

As we’ve demonstrated above, it’s a mistake to think that, since the GDPR is a European regulation, it doesn’t affect US businesses at all.

Overall, it is strongly recommended for US companies to assess their data processing activities and consult legal experts to determine if compliance to the GDPR in the US is required in their specific situation.

Penalties for non-compliance to GDPR in the US can be significant. They can be monetary, or not:

• Fines can go up to EUR 20 million (€20m) or 4% of the annual worldwide turnover (whichever is greater).
• Equally concerning are the other potential sanctions: official reprimands (for first-time violations), periodic data protection audits and liability damages.

Take this 1-min quiz to find out which laws are relevant to you!

Did you know you can comply with both US Privacy Laws and the GDPR at the same time?

---

With iubenda, simply select which region you are based in, then where your users are based, and our solution does the rest! It suggests a configuration that will allow you to comply with all applicable regulations.

Scan your site now and try it for free

GDPR in the US: Main Requirements

As a US-based business, here are the main GDPR requirements you must follow.

Have a lawful basis

Before you can collect or process any personal data, the GDPR mandates that you have at least one lawful basis for doing so. These lawful bases are:

• The user has given consent for one or more specific purposes.
• The data processing is necessary for the performance of a contract or in order to take steps prior to entering the contract.
• Other legal bases include: the processing is necessary for fulfilling a legal obligation OR protecting the vital interests of a person OR for performing a task carried out in the interest of the public OR for the legitimate interests of the data controller or third party.

You must identify and document the lawful basis for each specific data processing activity you undertake.

Make legally required disclosures via your privacy policy

GDPR compliance in the US requires you to provide your users with a privacy policy, where you include all the details regarding your data processing activities.

Under the GDPR, your privacy policy should at least include:

• Who is the site/app owner?
• What data is being collected and how?
• What is the Legal basis for the collection?
• Why are you collecting the data?
• Are there any third parties involved in the processing? If yes, what are they?
• Do you transfer data abroad? If yes, what security measures are in place to safeguard the data?
• What rights do users have? How can they exercise them?
• How will you notify your users of any changes in the policy?
• The effective date of the policy.

Remember to add your privacy policy where it’s easily accessible, for example in the footer of your website. You can learn more here: What is a Privacy Policy and Do You Need One?

Acquire verifiable consent

While US legislations typically allow the collection and processing of personal data without obtaining the user’s prior consent, the GDPR requires that you collect “freely given, specific, informed and explicit” consent through a clear “opt-in”, or positive action.

This essentially means that before collecting any of the individual’s personal data on your site via cookies or via a form for example, you must ask for their consent. This mechanism must be unambiguous; “opt-out” mechanisms like pre-ticked boxes are forbidden.

You should also grant users the right to withdraw consent. It must be as easy to withdraw consent as it is to give it. To learn more about the rights of European residents under the GDPR, read this guide.

Your consent forms must be straightforward, easy to understand and conspicuous. Individuals should actively opt in.

Keep clear records related to the consent

Consent, under the GDPR, is paramount. The regulation requires meticulous record-keeping related to what information was disclosed, how the consent was obtained (e.g. via a website form), and when it was obtained.

Companies need to maintain clear consent records that can prove that individuals provided informed consent. This adds a complex administrative layer but is essential for compliance.

As you can imagine, this is not an easy task! That’s why we recommend using a Consent Database.

Assess cross-border data transfers between the EU and the US

GDPR in the US allows data transfers of EU residents’ data outside of the European Economic Area (EEA) only when certain set conditions are met.

Under GDPR requirements, the country or region the data is being transferred to must have an “adequate” level of personal data protection by EU standards, or where not considered adequate, transfers may still be allowed under the use of standard contractual clauses (SCCs) or binding corporate rules (BCRs).

A decision was taken on the EU-US Data Privacy Framework on July 10, 2023 and declared that the United States is recognized as providing an adequate level of protection to its European Union (EU) counterpart. Consequently, personal data can now flow freely from the EU to US self-certified companies without the need for additional safeguards.

Appoint a Data Protection Officer (DPO)

If you’re based outside the EU, you may still need a European representative to ensure your company is complying with the GDPR. This person is called a Data Protection Officer, or DPO, and is in charge of ensuring that personal data is processed following the applicable data protection rules.

However, the appointment of a DPO is not always mandatory, it depends on the scale and nature of data processing activities. Specifically, you need to appoint a DPO when:

• There is large-scale regular and systematic monitoring of users (for example, processing with video surveillance systems).

• The processing is carried out by a public authority (except for courts or independent judicial authorities).
• The organization is performing complex operations with user data (in particular sensitive user data).

Are you selecting a DPO? Here’s what to look for.

Carry out a Data Protection Impact Assessment (DPIA)

For data processing activities that are likely to result in high risks to individuals, the GDPR requires a Data Protection Impact Assessment (DPIA) to be carried out. This is an assessment that evaluates how personal data is processed and how to mitigate risks to data subjects.

This involves identifying the nature, scope, context, and purpose of the data processing, assessing the risks to individuals, and identifying measures to mitigate those risks.

GDPR Compliance Checklist for US Companies

Here’s a practical checklist to help you navigate GDPR compliance as a US-based business.

So, how can you get started right away and check most of the boxes above in just a few minutes?

How iubenda can help with GDPR in the US

Reading all this can be quite overwhelming. We get it. It’s technically and legally complex.
But, fear not, we know exactly what you need.

iubenda provides comprehensive attorney-level compliance software solutions that can help you comply with GDPR in the US.

Full GDPR compliance, but not only! Make your websites and apps compliant with the law across multiple countries and legislations.

Be safe and lower the risk of fines: we built our solutions with the strictest regulations in mind.

100% customizable: generate your own privacy policy and customized consent banner!

Comply with US and European laws simultaneously

Global compliance is just one click away.
With iubenda’s Privacy Controls and Cookie Solution, generate a customizable location-based consent banner.
The right consent parameters, text, privacy policy link and language will apply to the right users automatically. Yes, it’s that easy!

About us

GDPR compliance for your site, app and organization

www.iubenda.com

The post GDPR in the US: a GDPR Checklist for US Companies appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The bill introduces an online protective shield, imposing strict requirements on social media companies and granting extensive safeguards to children, primarily. This includes, among others, the removal of harmful and age-inappropriate content, making the internet safer for everyone. Keep reading for a summary of the new Online Safety Bill

 Embracing Comprehensive Security

 Enhanced Protections

 Sculpting a Safer Tomorrow

“A game-changing piece of legislation,”

remarked Technology Secretary Michelle Donelan, highlighting its crucial role in elevating the UK to the zenith of online safety. Prioritizing children’s online experience and their mental health, the OSB ensures swift retribution against digital malefactors and the eradication of content deemed illegal offline.

 Industry’s Proactive Stance

Enforced Proactivity: The law mandates platforms to rigorously enforce protective measures, validate age limits, and streamline avenues for reporting discrepancies.

 Empowering Citizens

The legislation grants internet users the power to control their digital experience, allowing adults to sift through content they deem harmful.

Ensuring Legal Fidelity: It requires platforms to honor their commitments made via terms and conditions and to efficiently implement user protective measures.

 Combatting the Online Abuse Spectrum

This legislation excels by addressing a multitude of online abuses, including those against women and girls, and simplifies legal proceedings for non-consensual sharing of intimate imagery. Advocates applaud the bill as a crucial first step in shielding women and girls from digital abuse.

 Broadening Horizons

The bill’s scope has been further expanded to tackle content showcasing animal cruelty and torture displayed to UK users, even if perpetrated abroad, reflecting the government’s vision for a universally safer online environment.

 Ofcom at the Helm

Dame Melanie Dawes, Ofcom Chief Executive, welcomes this significant breakthrough, emphasizing its contribution to a safer digital existence for UK citizens.

Enforcement and Dialogue: Ofcom is primed to uphold the new laws and will commence discussions on the expectations from tech firms immediately after Royal Assent of the bill.

Final Reflections

The Online Safety Bill marks a colossal advancement in online safety legislation. It beautifully intertwines empowerment and stringent responsibility, delivering unparalleled protection and emerging as a paradigm in combating online harmful activities and abuses.

This transformative bill, enriched by the collaborative spirit of diverse stakeholders, is shaping a secure and dignified digital realm, signaling the termination of the lawless era of the internet.

The post The Online Safety Bill: A Leap Towards a Safer Digital United Kingdom appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In 2018, California became the first state to pass comprehensive data privacy legislation with the California Consumer Privacy Act (CCPA). However, just two years later, the state passed the California Privacy Rights Act (CPRA), which significantly amends and expands upon the CCPA.

CCPA vs CPRA, What’s the Difference?

The CPRA builds on the protections provided by the CCPA, but it introduces new requirements for businesses. Here are a few key differences:

• The CPRA has a broader scope than the CCPA.
• The CPRA adds new categories of sensitive personal information, such as health data and precise geolocation.
• The CPRA enhances consumer rights, adding the right to correct inaccurate information and the right to limit the use and disclosure of sensitive personal information.
• The CPRA imposes additional requirements on businesses, such as the obligation to conduct regular risk assessments and to submit annual privacy audits to the California Privacy Protection Agency (CPPA).

Let’s now dive into each point to get a better understanding of CCPA vs CPRA.

CCPA vs CPRA Scope

To put it shortly, the scope of the CPRA is broader than the CCPA. 

The CCPA regulations only applies to businesses that meet certain criteria, such as those with annual gross revenue of over $25 million. While the CPRA (CCPA amendments) applies to businesses of all sizes that process personal data of California residents and meet certain thresholds.

Not sure if the CPRA applies to you?

---

Do this free 1-min quiz to find out

Sensitive Personal Information

The CPRA introduced a different category of protected data to the mix: sensitive personal information (SPI). This idea is quite similar to Article 9 of the General Data Protection Regulation (GDPR), which asks for a higher level of data protection for the sensitivity of personal information. New categories of sensitive personal information include:

CCPA vs CPRA: Consumer Rights

The CCPA amendments, the CPRA, enhances consumer rights. 

While the CCPA regulations grants consumers the right to know what personal information businesses collect and the right to request deletion of that information, the CPRA adds new rights:

Creation of the California Privacy Protection Agency

Another major change is the creation of a new enforcement agency, the California Privacy Protection Agency (CPPA), which will have more resources and power to enforce the privacy laws. 

The CCPA regulation was enforced by the state attorney general’s office, while the CPRA gives the CPPA sole authority to enforce the law and impose fines for violations.

Businesses’ Obligations

In terms of businesses’ obligations, the CPRA imposes additional requirements on businesses, such as:

The CPRA also establishes a new category of “contractors” who work with businesses and must comply with certain privacy requirements.

The CCPA amendments, The CPRA Compliance

CCPA vs CPRA: Navigating the changing data privacy landscape in California can be daunting, but understanding the differences between the CCPA and the CPRA is crucial for protecting your personal data. 

Businesses and consumers alike should have already familiarized themselves with the new legislation and have taken the necessary steps to comply with its requirements.

The post CCPA vs CPRA: Key Differences You Need to Know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In this article, we’ll take you through everything you need to know about the UK’s PECR (Privacy and Electronic Communications Regulations).

The ePrivacy Regulation will not automatically form part of UK law – or sit alongside the UK GDPR – as the UK has left the EU.

Do the Privacy and Electronic Communications Regulations apply to me?

PECR applies to businesses, organizations, and individuals that process personal data in the context of electronic communications services, including but not limited to:

• Websites and online services that use cookies or similar technologies.
• Marketing companies that send electronic marketing communications, such as telemarketing calls, faxes, emails, and text messages.
• Companies that offer location-based services, such as GPS and Wi-Fi positioning services.
• Providers of electronic communications services, such as internet service providers and mobile network operators.
• Businesses that use electronic communication systems, such as email and instant messaging, to process personal data.

If you operate in any of these areas, or process personal data in the context of electronic communications services, it is likely that the PECR applies to you.

Consequences of non-compliance

The ICO has a range of enforcement powers to ensure that businesses and organizations comply with PECR, including:

1. Monetary penalties: The ICO can impose monetary penalties of up to £500,000 for serious breaches, such as sending unsolicited direct marketing communications or failing to obtain consent for the use of cookies.
2. Enforcement notices: The ICO can issue enforcement notices requiring businesses and organizations to take specific actions to comply, such as obtaining consent for the use of cookies or ceasing to send unsolicited direct marketing communications.
3. Prosecution: In severe cases, the ICO can bring criminal proceedings against businesses and organizations for breaches, such as sending unsolicited direct marketing communications.
4. Audits and investigations: The ICO can carry out audits and investigations to assess your compliance, and can use this information to take enforcement action where necessary.

The ICO takes a risk-based approach to enforcement, and will generally focus its efforts on the areas of highest risk to privacy and where there is evidence of significant harm to individuals.

ICO published a quarterly update on the action they have taken to enforce PECR.

How to comply with PECR?

What you need	How to do it
Obtain valid consent (with a cookie banner!)	Get set up with a fully customizable banner
Have a clear privacy and cookie policy about your data processing practices	Generate your privacy and cookie policy
Respect individuals’ rights to opt-out of direct marketing	See our step-by-step breakdown

*Please note: Organizations must also appoint a Data Protection Officer and implement appropriate technical and organizational measures to secure personal data processed for electronic communications. They may also need to carry out regular privacy impact assessments (PIAs) and keep detailed records of their data processing activities.

The post PECR: Everything you need to know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

This article unpacks the complexities of the DMA, including its objectives, who it applies to, and what companies designated as “gatekeepers” are required to do.

What is the Digital Markets Act?

The DMA introduces a regulatory framework for platforms that function as gatekeepers in the digital economy. These are platforms that:

The core aim of the DMA is to prevent these gatekeepers from imposing unfair conditions on businesses and end users. It also seeks to ensure that critical digital services are open and accessible. For example, gatekeepers must allow users to easily uninstall pre-installed apps and ensure business users can access performance data related to advertising campaigns.

Who is Subject to the DMA?

Not all companies are subject to the DMA’s regulations. Only companies designated as gatekeepers by the European Commission must comply with its provisions. The designation is based on three main criteria:

Companies meeting these criteria can present arguments to rebut their designation, and the Commission can also designate companies based on qualitative assessments.

Obligations for Gatekeepers: The Dos and Don’ts

Gatekeepers are required to:

• Allow users to uninstall pre-installed apps or modify default settings.
• Provide performance data to advertisers.
• Offer interoperability for messenger systems and more.

They are prohibited from:

• Using data of business users to compete with them.
• Unfairly ranking their own products over those of third parties.
• Imposing their services on app developers.

Next Steps for Designated Gatekeepers

Upon designation, gatekeepers have six months to comply with the DMA and provide a compliance report. Immediate obligations include establishing a compliance function and reporting on intended mergers or acquisitions.

Failure to comply can result in fines up to 10% of the company’s global turnover, or even up to 20% for repeated offenses. In extreme cases, additional remedies like forced divestitures may be applied.

The European Commission has released a standard template for the compliance report that gatekeepers, such as Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft, must submit under the Digital Markets Act. This report should be thorough and transparent, encompassing all fundamental platform services. Its purpose is to enable the Commission to assess whether these gatekeepers are adhering to the DMA regulations. Gatekeepers need to complete and submit this compliance report within six months of their designation, with subsequent annual updates required.

FAQs

How Will Messenger Services Become More Compatible?

The DMA will force the gatekeepers to make their messaging platforms work smoothly with others. However, this only happens if smaller service providers ask for it. After a gatekeeper is officially designated, they have six months to make simple features, like individual text messaging, compatible with other services. More advanced features like group messages or video calls will be phased in over two to four years.

It’s crucial to note that smaller service providers aren’t required to make their platforms compatible in return. Also, users have the freedom to choose whether they want to use this cross-service functionality. The DMA assures that this change won’t compromise security or data encryption.

Are Access Conditions to Digital Services Fair and Equal?

The DMA will make sure that big tech firms provide fair and unbiased access to digital marketplaces like app stores. They have to publicize their access conditions, and if there are disagreements, an alternative way to resolve disputes must be provided.

Why Investigate Big Tech Companies?

The European Commission has launched investigations into companies like Microsoft and Apple to ascertain whether they qualify as gatekeepers under the DMA. 

Some of these investigations are to challenge the companies’ own assertions that they shouldn’t be considered as gatekeepers, despite meeting the criteria. Another line of inquiry is to examine specific operating systems like iPadOS to see if they act as essential pathways between businesses and consumers.

How Does DMA Differ from the Digital Services Act (DSA)?

The DMA and DSA are two different pieces of legislation with distinct goals. 

While both could apply to a single service, the DMA focuses on creating fair competitive conditions in digital markets, and the DSA is more concerned with the responsibilities and rights of users and online platforms. However, they can complement each other in specific areas like regulating online ads.

Who Will Make Sure Companies Follow DMA Rules?

The European Commission has the responsibility to ensure that the DMA is followed across all EU member states. However, it will work closely with national agencies and courts to monitor compliance.

Can Individuals Seek Damages for Unfair Practices?

Yes, if a company fails to follow the DMA’s rules, people can take them to court in their home country to seek compensation.

Existing competition laws can handle some issues, but they aren’t equipped to deal with the unique challenges posed by digital markets. That’s where the DMA comes in, offering a more focused approach to regulating large tech companies.

What’s the Legal Foundation for DMA?

The DMA operates under Article 114, which is designed to ensure a smoothly functioning single market across the EU.

Is DMA Ready for Future Tech Changes?

The DMA is designed to be adaptable. The European Commission has the power to update the rules as technology evolves, ensuring the regulations remain relevant and effective.

The post Understanding the Digital Markets Act: A Comprehensive Guide appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Are you a publisher targeting users in Switzerland? Starting July 2024, it’s essential to integrate a certified CMP compliant with the TCF. This change to an opt-in model is crucial to maintain proper ad display and protect your revenue streams. Learn more →

The new Federal Act on Data Protection (FADP) entered into force on September 1, 2023. On February 3, 2025, the Swiss Federal Data Protection and Information Commissioner (FDPIC) released additional guidelines on data processing using cookies and similar technologies.

Does it apply to you?

The FADP applies to the processing of personal data with effects in Switzerland. This means that you need to comply if:

• your business operates in Switzerland; or
• your business, regardless of its location, targets and processes the personal data of Swiss users.

What are the risks of non-compliance?

Non-compliance is punishable by fines of up to CHF 250,000.

How iubenda can help

Privacy and Cookie Policy Generator

The new FADP requires you to provide your users with an up-to-date Privacy Policy that includes all the information necessary for users to assert their rights and ensure transparent processing of their data.

With our Privacy and Cookie Policy Generator, you can provide the required disclosures in one click!

Privacy Controls and Cookie Solution

If you use cookies or similar technologies, the FADP requires you to:

• inform your users about the use of cookies and similar technologies;
• provide your users with an easily accessible way to exercise their right to opt out.

The post The new Swiss Federal Act on Data Protection came into force on September 1st, 2023 appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

How to Comply with GDPR: GDPR Compliance Checklist

Achieving GDPR compliance is crucial for organizations handling personal data.

---

By adhering to this GDPR compliance checklist, you can enhance your data protection practices and ensure legal and ethical handling of personal information. Stay proactive in your compliance efforts to safeguard individuals’ privacy rights and maintain a trustworthy reputation in the digital landscape.

GDPR Checklist Overview

About us

GDPR compliance for your site, app and organization

www.iubenda.com

See also

• The Biggest GDPR Fines to Date
• How does GDPR affect B2B companies
• CCPA vs GDPR: what’s the difference?

The post GDPR Compliance Checklist: 15 things to know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

What is a GDPR audit?

A GDPR data audit refers to a comprehensive evaluation of an organization’s data protection practices. The goal of this audit is to ensure compliance with the General Data Protection Regulation, introduced in 2018 to safeguard EU citizens’ data privacy rights.
A GDPR data audit looks at an organization’s data handling processes, including collection, storage, transfer, and deletion. To meet GDPR audit requirements the audit process should also examine whether the processing is really needed, and whether it is lawful. In fact, the organization must adhere to the 7 GDPR principles such as lawfulness, purpose limitation and data minimization.
During a GDPR audit, you will assess your organization’s data procedures, including your ability to satisfy the rights of data subjects, to handle a data breach or to have appropriate security measures in place for protecting the data. You might find some things to improve in order to be fully compliant!
Finally, a GDPR audit also reviews an organization’s accountability and governance structures, looking at designating a Data Protection Officer (DPO) or how data protection impact assessments (DPIAs) are conducted.

The objective of a GDPR audit is to help an organization identify gaps or risks in their data practices, define action plans to fix those, and demonstrate compliance to regulators, thereby reducing the risk of hefty fines and reputational damage resulting from non-compliance.

Are audits required by GDPR?

Internal data audits are not explicitly mandated by the GDPR. However, doing a GDPR compliance audit is strongly recommended and a good practice that many companies undertake because the regulation places such a strong emphasis on taking responsibility for what you do (accountability).

That’s why audits are an essential measure to implement in an organization in order to ensure compliance with the GDPR’s principles and obligations. They help you take a look at your current practices and procedures, to see if they are in line with the requirements of the GDPR.

How to do a GDPR data audit?

Performing a GDPR data audit involves a systematic review of an organization’s data processing activities. Begin by identifying and documenting all data processes, including the types of personal data collected, purposes and legal justifications, and third-party sharing. Assess the legal basis for each processing activity and ensure data minimization by collecting only necessary data. Evaluate the integrity and security measures in place to protect personal data from unauthorized access or alteration.
From an organizational standpoint, consider the appointment of a Data Protection Officer (DPO) and involve them in the data protection audit. Review privacy policies and notices to ensure they are up-to-date and compliant with latest requirements. Also assess procedures for handling data subject rights, security measures and maintain comprehensive records of data processing activities, as well as of consents obtained.
You can also consider implementing training programs to educate employees about data protection obligations. Keep monitoring and improving processes to adapt to changing technology and regulations.

How often should a GDPR audit be conducted?

A GDPR audit should be done regularly to make sure a company follows the rules for protecting people’s personal information. It’s like a check-up to ensure everything is in order. While the GDPR doesn’t say exactly how often these audits should happen, it’s smart to do them at least once a year. Some businesses might need to do a GDPR compliance audit more often, especially if they handle a lot of personal data or if they make big changes to how they use this data.

What is the scope of a data protection audit?

A data protection audit looks at how a company handles personal information to make sure they’re following the law and protecting people’s privacy. This audit checks many things:

• Policies and Procedures: It reviews the rules and steps the company has set up to protect data.
• Data Processing Activities: It examines how the company collects, uses, stores, and gets rid of personal data.
• Risk Management: It evaluates how the company identifies and deals with risks to personal data.
• Training and Awareness: It checks if employees know about data protection and if they’re trained to keep data safe.
• Compliance with Rights: It makes sure the company respects people’s rights, like letting them see their data or delete it.
• Data Security: It looks at how the company keeps data safe from unauthorized access or leaks.

By covering these areas, the audit helps ensure that companies are doing their best to protect personal data, as required by laws like the GDPR.

GDPR Audit Template

A GDPR audit template is a useful tool that helps companies check if they’re following the rules for protecting personal data. It’s like a checklist or a guide that points out what you need to look at to make sure you’re handling personal information correctly. This template can save time and make sure you don’t miss any important steps during your audit.

The GDPR template usually includes sections on:

• Identifying Information: You start by listing out what kind of personal data you collect, why you need it, and how long you keep it.
• Data Processing and Consent: It asks you to describe how you use the data, how you got permission from people to use their data, and if you’re doing it in a legal way.
• Data Sharing: This part looks at who else gets to see the personal data you have, like other companies or countries, and if those shares are safe and legal.
• Data Security: It checks the measures you have in place to protect data from being lost, stolen, or accessed without permission.
• Rights and Requests: The template helps you ensure you’re ready to handle requests from people who want to see their data, correct it, or delete it.
• Training and Awareness: Finally, it reminds you to train your staff on data protection and to keep them informed about the importance of privacy.

By using a GDPR audit template, you can systematically review and improve your data protection practices, ensuring compliance with GDPR requirements and protecting your company from potential fines and legal issues.

For a detailed data audit, find our concise GDPR Audit Checklist in the following sections to ensure comprehensive GDPR compliance.

What Sort of Data Am I Looking For in a GDPR Audit?

When conducting a GDPR audit, you’re looking for specific types of data that fall under the regulation’s protection. This includes:

1. Personal Data: Any information related to an identifiable person. This could be names, email addresses, phone numbers, or even IP addresses.
2. Sensitive Data: This refers to special categories of personal data that need more protection. Examples include racial or ethnic origin, political opinions, religious beliefs, biometric data for identification, health information, and sexual orientation.
3. Data Processing Activities: You’re also looking for details on how personal data is collected, stored, used, and shared within your organization. This includes consent records, data processing agreements, and any cross-border data transfers.
4. Security Measures: Information on how personal data is protected in your organization, such as encryption, access controls, and security policies.
5. Compliance Documentation: This includes your privacy policy, data protection impact assessments (DPIAs), and any records of data breaches or responses to data subject requests.

Understanding the types of data and activities involved in your organization’s operations is crucial for conducting a thorough GDPR audit. This knowledge helps ensure that all aspects of data protection are covered, from collection to deletion, safeguarding the rights of individuals and maintaining compliance with GDPR regulations.

To sum up:

Your GDPR Audit Checklist

An audit can seem like a daunting task to tackle. That’s why we found it useful to break it down to different focus areas that you should take a look at within your organization during a data audit. Let’s get started!

#1 Lawful Basis and Transparency

Make sure to have a legal basis for processing data.

If as an organization you process personal data, the GDPR (Article 6) requires you to have a legitimate reason to do so (called legal basis).

When performing your GDPR audit, make sure to have valid reasons for processing all the data you collect. This ties into another important GDPR principle called data minimization, which is worth mentioning here.

This concept states that you should only gather personal information that is directly relevant and essential to achieving a particular objective. You should also only keep the data for as long as is required to fulfill that objective.

Legal bases chosen by businesses MUST legitimately apply. If they do not, harsher penalties could be given.

Meet disclosure and transparency requirements with a privacy policy.

The GPDR requires you to be transparent on your data collection practices and duly inform your users. This is typically done via a privacy policy.

This legal document should state the ways in which your website or app collects, processes, stores, shares and protects user data, the purposes for doing so and the rights of the users in that regard.

It should be easily understandable, clear, and up-to-date.

To see what a privacy policy should look like, check out our privacy policy template.

#2 User Rights

Do you know the GDPR User Rights? Ensure systems are in place to honor Data Subject Rights.

These rights, typically referred to in the GDPR as “data subject rights” are a core part of GDPR compliance. Making sure you understand what each means, and that you have the technical and procedural capacity to fulfil them is critical.

In an effort to ensure individuals have control over their own data, the regulation allows individuals to take some steps toward the personal data businesses have on them.

It has granted them a list of 8 data subject rights:

• right to be informed,
• right of access,
• right to rectification,
• right to erasure,
• right to restrict processing,
• right to data portability,
• right to object,
• rights related to automated decision-making and profiling.

Of course, just knowing the 8 rights is not enough. You need to have processes in place to actually follow through on them. For example, you need to be able to fulfill Data Subject Access Requests (DSAR), which is a written request individuals can send you to receive more information or exercise their rights. The request should be fulfilled without undue delay and, at the latest, within one month of receiving it.

Relying on Consent? Keep GDPR-compliant consent records.

Because consent under the GDPR is such an important issue, it’s mandatory that you keep clear records and that you’re able to demonstrate that the user has given consent; should problems arise, the burden of proof lies with the data controller, so keeping accurate records is vital.

The records should include:

• who provided the consent;
• when and how consent was acquired from the individual user;
• the consent collection form they were presented with at the time of the collection;
• which conditions and legal documents were applicable at the time that the consent was acquired.

We recommend using a Consent Management Platform for easily keeping records.

#3 Accountability and Governance

Consider appointing a Data Protection Officer (DPO).

The Data Protection Officer (DPO) is an expert in data protection law. Their role is to help the data controller or processor set up, apply and monitor a data protection strategy in line with GDPR legal requirements.

The DPO should also have knowledge of IT process management, data security, and other important matters related to handling personal and sensitive data.

The GDPR requires designation of a DPO in the following cases:

• Where there is large-scale regular and systematic monitoring of users;
• Where the processing is carried out by a public authority (except for courts or independent judicial authorities);
• Where the organization is performing complex operations with user data (in particular sensitive user data).

The decision to appoint a DPO depends not only on the number of employees but also on the nature of the data processing activities. If your organization does not fall into these categories, appointing a DPO is not mandatory.

Want to know what to look for when choosing your DPO? Read our guide here!

If based outside the EU, appoint an EU-representative.

You have to appoint an EU-representative established in one of the EU countries your users are based in if you are based outside of the EU and:

• are offering goods or services (even for free) to EU-based users; or
• are monitoring their behavior as far as it’s taking place within the EU.

The EU-representative can be a natural or legal person.

The EU-representative handles all inquiries, requests, or claims from individuals or supervisory authorities against the controller. They forward any such inquiry, along with related information, to the controller.

They also assist the controller with GDPR compliance, including reporting data breaches and cooperating with supervisory authorities. However, the controller, not the representative, is ultimately responsible for data processing activities. The EU-representative also has their own obligations, such as maintaining records of processing activities.

The GDPR requires you to appoint the EU-representative “in writing”. Check out our standard appointment agreement template.

Set up Data Processing Agreements with your Processors.

Under the GDPR, a processor is defined as any person or legal entity involved in processing personal data on behalf of the controller.

What is a Data Processing Agreement then, and when is it needed? This document certifies your processor agrees to handling the data on your behalf in a lawful way, in line with your requirements and GDPR’s requirements.

The agreement must be put in writing – including in electronic form (GDPR Article 28). It defines roles and responsibilities regarding data processing. Processors must follow controllers’ instructions, implement security measures, and cooperate on inquiries and actions.

However, big companies that are well-known processors like Mailchimp, often already have a Data Processing Agreement linked to their Terms. When you sign up for their services, you then agree to these Terms. Here is Mailchimp’s Data Processing Addendum.

In short, if you have processors that handle data on your behalf, you should have this agreement in place.

The GDPR introduces joint liability (Article 82) for controllers and processors regarding third parties. If data subjects believe their data was unlawfully processed, they can seek compensation from either party, who can then seek recourse from the other.

#4 Data Security

Follow GDPR Security Principles.

You can read all about the 7 GDPR principles here.

In short, you should:

• be responsible for the data you collect;
• collect the minimum data possible (only what is necessary for the purpose) and delete the one you no longer need;
• store data for the shortest time needed to meet your purposes.

Be clear on your internal security protocols.

The GDPR requires companies to implement “appropriate technical and organizational measures” for data security.

Some technical measures include encryption, firewalls, access controls (especially when you have multiple employees handling personal data). You should also have strong security systems and educate staff on data protection.

Also make sure to have a pre-defined process in place to notify authorities in case of data breaches or sensitive data exposures.

Perform a Data Protection Impact Assessment.

Under Article 35 of the GDPR, a Data Protection Impact Assessment or DPIA is requiredwhen your data processing activities could pose a high risk to the rights and freedoms of users, for example when it comes to large-scale of sensitive data.

It’s a process for analyzing and minimizing the risks associated with personal data processing.

The DPIA process should be recorded in writing. Take a look at our DPIA template here.

Snapshot: GDPR Compliance Checklist

About us

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com

The post GDPR Audit Checklist appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Act will take effect on July 1, 2024, giving businesses just over a year to prepare for compliance.

This article provides an overview of the key provisions of the Texas Data Privacy and Security Act and its implications for businesses and consumers.

Who does the Texas Data Privacy and Security Act apply to? 

The Texas Data Privacy and Security Act differs from existing state privacy laws in its broad scope, as it does not provide for any revenue or data processing volume thresholds. It applies to companies and individuals who: 

1. conduct business in Texas or produce products or services consumed by Texas residents;
2. process or sell personal data; and 
3. does not fall within the definition of small business, as defined by the United States Small Business Administration

Please note: As anticipated, the act does not include a data-processing volume and revenue threshold, making it applicable to most Texas businesses. However, small businesses*, as defined by the U.S. Small Business Administration (SBA), are exempted from certain provisions. 

Consumer rights under the TDPSA

The Texas Data Privacy and Security Act grants several rights to consumers regarding their personal data. 

These rights provide consumers with greater control over their personal data and its use by businesses.

Rules for the processing of personal data under the TDPSA

The act imposes restrictions on the collection and processing of personal data by controllers. 

Sensitive data, including information such as race, ethnicity, religion, genetic or biometric data, and precise geolocation, can only be processed with the consumer’s consent.

Privacy notice and data protection assessments under the TDPSA

The Texas Data Privacy and Security Act requires controllers to provide a reasonably accessible and clear privacy notice to consumers, outlining, among others:

If controllers perform the sale of sensitive data, they are required to provide an appropriate disclosure to consumers. 

For certain types of data processing, data controllers must complete data protection assessments. 

Enforcement and penalties under the TDPSA

The Texas Attorney General is the sole enforcement and investigative authority for the Texas Data Privacy and Security Act.

Before bringing an action against an alleged violator, the Attorney General must provide a 30-day cure period for the violation. After the cure period, the Attorney General may impose penalties of up to $7,500 per violation, as well as seek injunctive relief and attorney’s fees.

The post Texas Data Privacy and Security Act (TDPSA): A Comprehensive Look at the New Privacy Law appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Consumer data has become more and more valuable for companies, and therefore widely available and used. Strong regulations had to be put in place for safeguarding individuals’ personal data.

Probably the most known and robust one is the General Data Protection Regulation (GDPR), which set the pace for the digital ecosystem in the Europe and the rest of the world – fuelling the emergence of more global privacy regulations.

In this comprehensive GDPR summary, we’ll simplify and explain key points and provisions you should be aware of. We also provide practical resources for your own GDPR compliance.

GDPR Summary: The Most Important Points

GDPR Overview

First things first, What Does GDPR Mean?

GDPR stands for “General Data Protection Regulation”.

When was it enacted? The GDPR is a regulation enacted by the European Union that became fully enforceable on May 25th, 2018. It is the most robust and strictest privacy law to date.

What is it? At its most basic, the GDPR specifies how personal data should be lawfully processed, collected, used, protected or interacted with in general. It primarily safeguards personal data, promoting transparency and accountability in how companies handle this information.

Where does it apply? The GDPR can apply to you whether your organization is based in the EU or not. More on this in our dedicated section.

Does the GDPR apply to businesses outside of the EU and UK? Do this free 1-min quiz to see if you’re exempt or not.

What Is a Summary of GDPR Provisions?

The main provisions of the GDPR focus on protecting individuals’ rights and instituting better data handling practices.

Here are the major takeaways from the regulation:

1. Definition of personal data: It is defined as pieces of information that, when collected together, can lead to the identification of a person. Typically: names; health, genetic and biometric data; web data such as IP addresses; personal email addresses; political opinions.
2. Disclosure requirements: This is typically done via a privacy policy. This legal document should state the ways in which your website or app collects, processes, stores, shares and protects user data, the purposes for doing so and the rights of the users in that regard.
3. Consent: If as an organization you process personal data, the GDPR requires you to have a valid reason to do so (called legal basis). If consent is your legal basis, before collecting any personal data, you will have to obtain explicit (clear and affirmative) user consent and keep records of this consent.
4. Organizational measures: You must honor user rights and requests, as well as implement organizational measures (assessments, appointing a person responsible for privacy) and keep the data safe when stored.

Want more detail on GDPR provisions? You’ll find what you’re looking for in our full legal guide.

When Does the GDPR Apply?

In brief, the GDPR applies when:

• an entity’s base of operations is in Europe (this applies whether the processing takes place in Europe or not);
• an entity not established in Europe offers goods or services to people in Europe; or where
• an entity is not established in Europe, but it monitors the behavior of people who are in Europe.

*Remember, If you are based in the EU, you must apply GDPR standards to all users (not only to users in the EU)!

GDPR Summary: Legal Bases

Data can only be processed if there’s at least one legal basis for doing so. The legal bases are:

• The user has given consent for one or more specific purposes (often the safest bet and the legal basis that many businesses choose).
• The data processing is necessary for the performance of a contract or in order to take steps prior to entering the contract.
• The processing is necessary for fulfilling a legal obligation to which the data controller is subject.
• The processing is necessary for protecting the vital interests of the user or of another person.
• The processing is necessary for performing a task carried out in the interest of the public or as contained under the official authority given to the data controller.
• The processing is necessary for the legitimate interests of the data controller or third party, except where overridden by the interests, rights and freedoms of the user, in particular where the user is a child.

Legal bases chosen by businesses MUST legitimately apply. If they don’t, data protection authorities have stated that harsher penalties could be given.

What are the GDPR Data Subject Rights?

Data subject rights, a cornerstone of GDPR, provide individuals with control over their personal data.
Here’s a GDPR data subject rights overview:

• Right to Be Informed
• Right of Access
• Right to Rectification
• Right to Erasure
• Right to Restrict Processing
• Right to Data Portability
• Right to Object
• Rights on Automated Decision-Making and Profiling

Rules for GDPR Consent

GDPR Summary of Requirements: Under GDPR rules, if you’re using people’s data based on their consent, you must ensure they agree in a way that can be confirmed and non-ambiguous:

Express consent (directly mentioned under the GPDR), also known as explicit or direct consent, occurs when someone explicitly agrees to the collection, use, or sharing of their personal data. In this particular case, the user must take an active action to consent, for example by clicking on “Accept” or “Allow”.

Youcan’t use complicated terms when asking for consent. Your terms and privacy policies must be clear and understandable, making sure users know what they’re agreeing to and what it means for them.

For children, you need to get approval from a parent or guardian, unless the service is a counselling or prevention service. You should use existing technology to check that the person giving consent is indeed the child’s legal guardian.

The GDPR doesn’t allow pre-ticked boxes.

You must be clear about why you’re collecting data and consent must be freely given and obvious. It should be as easy to remove consent as to give it.

Article 9 GDPR Summary: Special Categories of Personal Data

Under Article 9, the GDPR recognizes certain categories of personal data as “special” due to their sensitive nature. They are defined in the official text as:

• racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade union membership;
• genetic data;
• biometric data (i.e. fingerprints, face recognition, DNA, etc.);
• data concerning health;
• data concerning a natural person’s sex life or sexual orientation.

See some examples and learn what you should do as a company in this guide.

Key Highlights of GDPR: 7 Principles

Lawmakers made it simple. There are 7 GDPR principles (read more about each here):

1. Lawfulness, Fairness, and Transparency: Data must be processed lawfully, fairly, and in a transparent manner.
2. Purpose Limitation: Data should be collected for specified, explicit, and legitimate purposes.
3. Data Minimization: You must collect the minimum data possible, only what’s necessary for your purpose.
4. Accuracy: Personal data must be accurate and up-to-date.
5. Storage Limitation: Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
6. Integrity and Confidentiality: Process and keep the data with appropriate security measures.
7. Accountability: Keep a “full and extensive” documentation of all your activities.

Penalties for Noncompliance

The General Data Protection Regulation (GDPR) has set a precedent for stringent data protection standards, emphasizing the critical nature of compliance. Organizations found in violation of GDPR face significant penalties, which serve as a deterrent against lax data protection practices and underscore the gravity of data privacy in the digital age.

Scale of Penalties

Penalties for noncompliance can be substantial, serving as a wake-up call for organizations to prioritize data protection. Fines can reach up to €20 million or 4% of the annual global turnover of the preceding financial year, whichever is higher.

Criteria for Determining Fines

The determination of fines is not arbitrary but is based on several factors, including the nature, gravity, and duration of the infringement. Considerations include:

The GDPR In Practice: Tips and Tools For Businesses

The Case of Marketing and the GDPR

Most marketing activities a business has, like signing up via a form and receiving emails/newsletters or displaying ads (with the use of cookies), imply the collect and use of personal data.

In simple terms, the GDPR says that:

• Leads, customers and partners need to explicitly confirm that they want to be contacted. They must give their consent. For example, pre-ticked checkboxes or any other type of consent by default are not allowed.
• Customers should have a specific right to withdraw consent; it must, therefore, be as easy to withdraw consent as it is to give it. A straightforward example of this would be the unsubscribe link of an email.
• You need to be able to prove that you’ve collected consents lawfully, in a way that’s GDPR-compliant.

Setting up GDPR-compliant forms can be tricky. Take a look at some examples.

Measures to Take as an Organization

Apart from all that has been outlined before, other major internal measures organizations should put in place to be compliant with the GDPR are the following:

Appoint a Data Protection Officer (DPO): The DPO is a person in charge of ensuring that personal data (of employees, customers, etc.) is processed following the applicable data protection rules. In general, this requirement applies when a company processes a significant amount of personal data.
Follow this guide on choosing your DPO

Perform a Data Protection Impact Assessment (DPIA): Helps to identify and minimize data protection risks. It’s required by the GDPR when the processing can involve significant risks to the rights and freedoms of individuals (e.g. for sensitive personal data, new technologies, or large-scale processing activities).
Check out this DPIA template

Tackle Your GDPR Compliance Now

We did our best to break down the information for you in this GDPR summary. We hope you found it easy to follow and understand, and will go through our additional resources in case you need to dive in a specific topic.

We agree to say that GDPR compliance is not entirely straightforward. It requires a lot of thinking and a lot of your time:

1. It’s tricky both from a legal and technical standpoint to implement the measures listed above. Luckily, there are privacy management software that can greatly help. Check out our compliance solution, iubenda.
2. You might also feel like there’s a lot of things to do. For this, we’ve reduced the information to a 15-point GDPR compliance checklist.
3. Still a bit lost?

Find out your website’s compliance rate.

---

Scan your site now

The post GDPR Summary: Key Points You Need to Know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In this article, we will give you an overview of the EU Whistleblower Directive, and discuss the steps companies need to take to ensure compliance. 

What is the EU Whistleblower Directive? 

The EU Whistleblower Directive, introduced in September 2019, aims to enhance whistleblower protection across the EU. It expands the scope of whistleblowing by defining who can report, what can be reported, where to report, and why. This directive holds companies accountable for any retaliatory actions against whistleblowers, posing new challenges for businesses operating in the EU.

Who Does It Apply To? 

It also covers local authorities serving over 10,000 people. Even companies based outside the EU but employing over 50 workers within the EU need to comply.

Complying with the Directive

To comply with the EU Whistleblower Directive, companies must meet certain obligations:

Penalties for Non-Compliance

Each member state determines the penalties for non-compliance with the directive. Companies that fail to comply may face financial penalties, damage to their reputation, and legal consequences. 

It is important for organizations to review their existing policies and practices to align with the directive and mitigate potential risks.

What do I need to do?

To ensure your company is fully prepared and aligned with the requirements of the EU Whistleblower Directive, take proactive steps today. Review your existing policies, implement robust internal mechanisms for reporting, educate your employees about their rights and options, and establish effective anti-retaliation measures.

Did you know iubenda has a tailored made tool for the EU Whistleblower Directive?

---

This tool helps keep you compliant with a secure channel for submitting and managing whistleblower reports. Maintain an easy-to-use reporting form for employees and other stakeholders, and manage the whole process from an all-in-one dashboard.

Click here to learn more!

The post The EU Whistleblower Directive: Stronger Protections for Reporting EU Law Violations appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In this article, we provide an overview of the main policies and technical amendments, along with a detailed timeline to assist all stakeholders in implementing TCF 2.2.

• What’s different with IAB’s Transparency and Consent Framework 2.0 vs. 2.2?
  • TCF v2.2 Main Policy Amendments
  • TCF v2.2 Technical Specifications Updates
• Implementation Timeline

What’s different with IAB’s Transparency and Consent Framework 2.0 vs. 2.2?

TCF v2.2 Main Policy Amendments (New Policy v. 4.0)

The IAB’s Transparency and Consent Framework (TCF) has undergone significant updates and improvements from version 2.0 to version 2.2. These updates address feedback received on the previous version while aiming to meet the needs of all stakeholders in the digital advertising value chain. Let’s explore the key differences between TCF 2.0 and TCF 2.2:

Legal Basis: In TCF 2.0, Vendors had the option to declare reliance on both consent and legitimate interest as the legal basis for purposes 2 to 10. However, in TCF 2.2, legitimate interest is no longer an acceptable legal basis for purposes 3, 4, 5, and 6. Therefore, for these purposes, Vendors can now only rely on consent.

User-Friendly text: TCF 2.2 introduces improved names, descriptions, and explanations of purposes and features. Instead of complex legal language, users are provided with easy-to-understand explanations and real-life examples, making it simpler for them to understand the implications of their consent.

New purpose 11: Purpose 11 (Use limited data to select content) is intended to cover processing activities such as the selection and delivery of non-advertising content based on real-time data (e.g., information about the page content or non-precise geolocation data), and controlling the frequency or order in which content is presented to a user. It does not cover the creation or use of profiles to select personalized content.

Additional Vendor Information: In TCF 2.2, Vendors are required to provide additional details about how they process data. This information includes: 

Users will have access to this information, helping them make more informed decisions about their data.

Transparency of Vendor Numbers: Consent Management Platforms (CMPs) are now obligated to display the total number of Vendors seeking a legal basis on the first screen of their interfaces and the total number of Vendors for each purpose on the secondary layers. This transparency offers users a clear understanding of the entities involved in data processing.

Specific Requirements to Facilitate Consent Withdrawal: TCF 2.2 emphasizes the importance of user control by requiring Publishers and CMPs to ensure that users can resurface the CMP interface (e.g. from a floating icon or a footer link available on each webpage etc.) and withdraw their consent easily. If the initial consent request presented to users contains a call to action that enables user to consent to all purposes and Vendors in one click (such as “Accept all”), an equivalent call to action should be provided when users resurface the CMP interface as to withdraw consent to all purposes and Vendors in one click (such as “Reject all”).

Do all these changes require re-establishing the legal basis for all users? 

---

No, the new TCF Policies do not require re-establishing legal bases and therefore do not require CMPs to resurface the interface. TCF v2.2 brings further standardization of the minimum information and choices that should be provided to users over the processing of their personal data. Publishers should review the information they provide in their CMPs interfaces in addition to the minimum standard information required under TCF v2.1, and make a case-by-case determination whether re-establishing legal bases is necessary taking into account their specific needs, the context in which they operate and their local Data Protection Authority’s requirements.

TCF v2.2 Technical Specifications Updates

Apart from the policy amendments, TCF 2.2 also brings about technical specification updates:

1. Saying goodbye to getTCData: Vendors will now use event Listeners (where applicable) to implement the Framework. It’s a more streamlined and efficient way of doing things.
2. The GVL version has been bumped up to version 3 to include additional Vendor information:

These updates in TCF 2.2 aim to enhance user understanding, improve transparency, and provide clearer guidelines for Vendors, Publishers, and CMPs. The framework seeks to strike a balance between privacy protection and enabling targeted advertising in the evolving digital advertising landscape.

Implementation Timeline

Please take note of the following deadlines for implementation:

30 June 2023: Vendors must update their GVL registration with the new required information, including any previously updated information. Use the updated GVL registration portal, which now includes new registration fields for TCF 2.2. If you cannot see your existing data in the portal, clear your cache or log in using a different browser.

10 July 2023 (Reminder): CMPs must host their scripts on a domain other than consensu.org subdomains, as specified in the notification.

31 July 2023: Vendors must complete a TCF Compliance Assessment form and submit it through the GVL registration portal as part of the updated TCF Compliance programs.

20 November 2023 (end of implementation period): Both CMPs and Vendors are required to implement the new policies and specifications by this date. Compliance will be verified by IAB Europe as part of their regular monitoring of live installations. CMPs can use the CMP Validator Chrome Extension, which includes all the requirements of TCF 2.2, to ensure compliance.

The post Transitioning to TCF 2.2: What You Need to Know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

This means that as a business, you’re likely to process personal data. Therefore, you must consider whether the GDPR applies to you from a territorial perspective.

It’s not easy. That’s why we compiled this short guide with all that you need to know + examples. Of course, we always recommend consulting a legal professional for understanding your specific situation. Let’s dive in!

In this post, we explain:

• What is the GDPR?
• Who is subject to GDPR (aka GDPR Article 3)?
• Who does the GDPR not apply to?
• Examples

GDPR Applicability: What is the GDPR?

The GDPR is a European regulation that became fully enforceable on May 25th, 2018. It is the most robust and strictest privacy law to date, and applies to the processing of personal data.

At its most basic, it specifies how personal data should be lawfully processed, collected, used, protected or interacted with in general.

GDPR’s main provisions include:

• having a valid legal basis for processing personal data;
• in many cases, before processing any personal data, obtaining explicit user consent and keeping records;
• honoring your users’ rights and requests;
• implementing organizational privacy measures and keeping user data safe.

A bit confused with European Privacy Laws? Check out this quick recap here!

Who is subject to GDPR (aka GDPR Article 3)?

GDPR Article 3 sets out the conditions of territorial applicability, or in non-legalese, who is subject to the GDPR.

In short, the GDPR can apply where:

• an entity’s base of operations is in the EU
  • this applies whether the processing takes place in the EU or not;

or

• an entity not established in the EU offers goods or services to people in the EU
  • even if the offer is for free;
  • the entity can be government agencies, private / public companies, individuals and non-profits;

or where

• an entity is not established in the EU, but it monitors the behavior of people who are in the EU
  • provided that such behavior takes place in the EU.

GDPR Applicability: Examples

When GDPR Does Not Apply

1. Is a Japanese-based company subject to the GDPR if it processes personal data related to the selling of goods and services to Japanese users only?

No! Because…

• the controller (or processor) is not based in Europe;
• processing relates to the selling of goods/services, but does not target European users.

GDPR Applicability For US Companies

The GDPR is meant to protect European users, and therefore it can extend to foreign businesses too.

You might be wondering if the GDPR applies to you as a US-based company. It depends on many different circumstances, but if you are targeting European users, then yes it may apply to you and you must comply. If you aren’t, the law should not apply to you.

The post Understanding GDPR Applicability: Does it Apply to You? appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

We know it can get quite complicated! That’s why we’ve complied a quick guide for you with everything you need to be aware of. Let’s dive in!

GDPR Data Storage Requirements

How should GDPR data be stored?

There are a few specific requirements you must follow when you want to store data and be compliant with the GDPR.

First, data storage needs to be in line with the main principles of GDPR, including:

• data minimization: you should collect the minimum amount of data necessary for the purpose;
• integrity and confidentiality: keep your users’ data safe, protected from unlawful processing or accidental loss, destruction or damage;
• storage limitations: set a time limit (the shortest possible!). After that, erase or review the stored data.

Learn more about data security here.

Here are some additional and important guidelines by the European Data Protection Board:

Personal data collected should not be stored if it is not necessary for the purpose of the processing;
Limit the retention period to what is necessary for the purpose;
Delete or anonymize data by default when no longer necessary:
the length of the period of retention depends on the purpose of the processing in question;
the controller should have systematic procedures for data deletion or anonymization embedded in the processing.

GDPR Data Storage Checklist

1. GDPR Data Retention Policy

After having mapped and categorized all the data collected, the data retention policy is an internal assessment that defines for each processing activity what data is stored, for how long, where, and what happens when it’s no longer needed.

It is important to regularly review this policy, as well as update data retention periods.

Find out the best practices for setting up a data retention policy here.

2. Risk Mitigation

The controller, processor or person in charge of data privacy in your company should evaluate the risks inherent in the processing. For this, publishing a Data Protection Impact Assessment (or DPIA) is recommended.

A Data Protection Impact Assessment is a process that can help you analyze and minimize the risks connected to the processing of personal data.

Take a look at our DPIA template in this guide!

3. Implementation of Appropriate Measures

Under the GDPR, a main obligation that applies to you as a business is the implementation of appropriate measures and necessary safeguards for respecting data protection principles, and data subjects’ rights.

These measures usually include:

• Encryption and pseudonymisation – two technical security measures that are specifically recommended by the regulation. With encryption, even if data is compromised, it’s unreadable and unusable;
• Access controls – this means ensuring that only authorized personnel can access personal data and continuously review access permissions;
• Employee training – to make sure employees are trained on main data protection and storage practices.

Curious to learn more about GDPR requirements?

---

Here are 5 things you need to do now to comply with GDPR

The post GDPR Data Storage: What Businesses Need to Know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Let’s take a look at 5 key concepts that you must implement as a company to collect data in an ethical, and most importantly, legally compliant way.

1. Data Minimization

Data minimization is the idea of collecting and retaining only the minimum amount of personal information necessary to achieve a specific business purpose.

This means that as a business, you should avoid collecting excessive information that is not relevant to your operations.

According to data minimization standards set by the GDPR (the most robust privacy law to date), personal data must be: “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed”.

Data minimization is an important point in privacy ethics because it establishes a standard for companies to limit and question the amount of information they handle: is this data really useful?

2. Data Privacy Ethics and Consent

In an effort to give control over personal data back to individuals, consent is fundamental. It means you must obtain an explicit permission (called opt-in) of an individual before collecting, using, sharing or disclosing their personal information.

You should also provide a means to withdraw consent (from a mailing list, for example), which is called opt-out, as well as clear instructions for doing so.

• Opt-in example: when a user in the EU visits a website for the first time, he has to accept or refuse the use of cookies by this website via a cookie banner.
• Opt-out example: the unsubscribe link at the bottom of a newsletter email.

Consent is a legal requirement under most privacy regulations. It’s a complex topic, though. That’s why you should take a look at our comprehensive guide on the different types of consent!

3. Data Privacy Ethics: Clarity and Unambiguity

Have you ever heard of dark patterns?

Dark patterns are where design elements are used to influence people’s decisions and trick them into doing things they didn’t mean to do. They are typically used for getting user consent on a banner or a form.

Some misleading tricks can include the following:

• The banner or form has pre-ticketed boxes;
• Buttons have different colors or sizes;
• Withdrawing consent is not as easy as giving it.

Dark patterns are not only unethical, but in many cases illegal! In the EU, the Digital Services Act (DSA) states that the use of deceptive designs is forbidden. California’s CPRA has also banned dark patterns.

4. Ethics of Data Collection – Transparency

Transparency goes hand in hand with disclosure and information obligations. It’s quite simple: you must inform users of your data collection practices!

This is usually done with a clear privacy policy, mandatory under most privacy laws. Apart from being straightforward, your policy must be easily accessible – from your website’s footer, for instance.

This means that having ambiguous, lengthy, or legally-technical privacy documents would be unethical, first, but also non-compliant. Click here for a privacy policy example!

Remember that the right to be informed is the first of the 8 GDPR Data Subject Rights.

5. Privacy Ethics and Data Security

Another step in ethics and privacy is to make sure data is safe and protected after it has been collected.

Companies usually use and store important data and, therefore, are required to have adequate data security safeguards to protect it from unauthorized access, use, disclosure, or destruction.

You have already heard about various data breaches, or even sensitive data exposures. Due to its nature, sensitive personal information must be handled with even greater caution and is usually subject to specific processing conditions.

Learn more about What Is Considered Sensitive Personal Information.

The post Data Privacy Ethics: Top 5 Legal Obligations For Businesses appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In this article, we define what data security and privacy are, what differentiates them, and the reasons why they matter.