April 30, 2023

Global cookie consent and privacy legislation

There are several privacy and cookie consent laws around the world that Australian businesses need to be aware of if they have website visitors or customers in a particular region – even if they do not have a physical office there.

Many European countries have their own privacy legislation as well as the EU’s GDPR. When a European Union (EU) country has its own privacy legislation, both GDPR and the country’s own law apply. However, if there are conflicts between the two laws, GDPR takes precedence over the country’s own law.

Some of the most notable laws affecting Australian companies are expanded on below, with a summary covering additional countries at the end of this post.

Bangladesh

Legislation: Data Protection Act 2022 (Draft)
Maximum fine: 500,000 BDT (Approximately $7,100 AUD) per violation

General Rule: Opt-in with no exceptions

The government released The Data Protection Act, 2022 for public comment in April 2022, but it has not yet reached the floor of Bangladesh’s Parliament.

The Act introduces consent requirements, data subject rights, data localisation requirements, and rules on cross-border data transfers, as well as a new independent agency to act as a data protection supervisory authority, called the Data Protection Office.

The Act prohibits processing without consent obtained prior to processing. Consent must be ‘free, specific, clear and capable of being withdrawn’; collection must be minimal (‘not excessive or unnecessary’); and all data must be destroyed permanently when no longer needed for the purpose for which it was collected.

India

Legislation: Personal Data Protection Bill (PDPB)
Maximum fine: INR 5,00,00,00,000 (Approximately $90,500,000 AUD)

General Rule: Opt-out with exceptions

  • Opt-in consent is required for the collection of sensitive personal information and for the transfer of sensitive personal information to a third party, whether in India or overseas.

Consent for sensitive personal data must be obtained in writing, through letter or fax or email.

Sensitive personal data may be collected only with the consent of the individual, and only if it is essential and required for a lawful purpose connected with the body corporate’s functions.

Before collecting information, including sensitive personal data, the body corporate (or any person acting on its behalf) must give the provider of the information the option not to provide the data or information sought.

Note that the information contained in this document should not be taken as legal advice, and Digital Balance recommends that you undertake your own legal investigation.

Malaysia

Legislation: Personal Data Protection Act (PDPA)
Maximum fine: MYR 300,000, and/or two years imprisonment (Approximately $100,000 AUD)

General Rule: Opt-in with no exceptions

The organization must obtain consent in any form as long as consent can be recorded and properly maintained by the organization. A data subject must be able to withdraw his/her consent to the processing of personal data via a written notice.

There is no specific guidance on the use of cookies.

Pakistan

Legislation: Personal Data Protection Bill 2021 (consultation draft)
Maximum fine: Rs. 2,500,000 (Approximately $13,000 AUD) per violation

General Rule: Opt-in with no exceptions

Pakistan has not currently enacted data protection legislation per se; however, the Prevention of Electronic Crimes Act, 2016 (“PECA 2016”) at present serves the same purpose to a certain extent.

A consultation draft of the Personal Data Protection Bill 2021 (“PDPB”) has been introduced by the Ministry of Information Technology and Telecommunications with a view to having it brought into law after public consultation, approval from both Houses of Parliament and receipt of assent from the President of Pakistan. This is likely to happen in 2023.

Under PDPB, the data controller can only process the personal data with consent of the data subject. The data controller is further required to inform the data subject about collection and use of their personal data.

Philippines

Legislation: Data Privacy Act of 2012
Maximum fine: Php4,000,000 (Approximately $110,000 AUD) and up to 6 years imprisonment.

General Rule: Opt-in, no exceptions

Consent must be freely given, informed, specific, and an unambiguous indication of the data subject’s wishes.

Processing is lawful if and to the extent that at least one of the following applies:

  • Data subject’s consent,
  • Processing necessary for the performance of a contract with the data subject,
  • Necessary for compliance with a legal obligation,
  • Necessary in order to protect the vital interests of the data subject,
  • Necessary for the public interest or in the exercise of official authority, or
  • Necessary for the controller’s or recipient’s legitimate interests, except where overridden by the interests of the data subject.

United States

There is no single principal data protection legislation in the United States. Instead, hundreds of laws enacted on both the federal and state levels serve to protect the personal data of U.S. residents.

At the federal level, the Federal Trade Commission Act (15 U.S. Code 41) broadly empowers the U.S. Federal Trade Commission (FTC) to bring enforcement actions to protect consumers against unfair or deceptive practices and to enforce federal privacy and data protection regulations. The FTC has taken the position that “deceptive practices” include a company’s failure to comply with its published privacy promises and its failure to provide adequate security of personal information, in addition to its use of deceptive advertising or marketing methods.

California

Legislation: California Consumer Privacy Act (CCPA)
Maximum fine: USD $7,500 (Approximately $11,000 AUD) per violation

General Rule: Opt-out

The California Consumer Privacy Act (CCPA) regulates the collection and sale of personal information of California residents no matter where they are located. It requires businesses to provide consumers with certain rights, including the right to know what personal information is being collected about them, the right to request deletion of their personal information, and the right to opt-out of the sale of their personal information.

To comply with the CPRA, a “Do Not Sell or Share My Personal Information” link or button must be provided on the homepage of the website.

Granular opt-outs from specific sales of personal information may be provided to consumers as long as the global opt-out button is more prominent.

The business must be able to detect and honor Global Privacy Control (GPC) signals. When the GPC is detected, all third-party non-essential cookies that are involved in the sale or sharing of personal information must be opted-out immediately.

New York

Legislation: The New York State Stop Hacks and Improve Electronic Data Security (SHIELD) Act
Maximum fine: USD $5,000 (Approximately $7,500 AUD) per violation

General Rule: Opt-out no exceptions

While the SHIELD Act does not specifically require cookie consent, it does require businesses to implement reasonable data security measures and to notify affected individuals in the event of a data breach.

The SHIELD Act applies to any person or business that owns, licenses, or maintains computerized data that includes the private information of a New York State resident. “Private information” is defined as a combination of an individual’s name along with other identifying information such as a social security number, driver’s license number, or account number.

Vietnam

Legislation: Various
Maximum fine: Unclear

General Rule: Opt-in

In Vietnam, the right to privacy and personal secrets is a constitutional right. However, Vietnam does not have a consolidated piece of legislation on the protection of personal data. Instead, rules and regulations on personal data protection can be found in several laws, including general laws such as the Civil Code 2015 (November 24, 2015) (‘the Civil Code’); the Law on Cyber Information Security No. 86/2015/QH13 (19 November 2015) (‘LCS’); and several sectoral laws.

Currently, the Ministry of Public Security is drafting a decree on personal data protection (“Draft Decree”) which will impose additional obligations. The Ministry of Public Security held a conference to study guiding documents and legal documents on cyber security, on March 20 2023.

Additional legislation

| Jurisdiction | Law/Act | Maximum fine per violation/notification (local currency) | Fine (approx. AUD) | General rule | Exemptions |
|---|---|---|---|---|---|
| Andorra | Law 29/2021, of October 28, qualified for the protection of personal data (BOPA no. 119, 17/11/2021) | € 100,000 | $160,000 | Opt-in | None |
| Argentina | Personal Data Protection Act No. 25,326 (PDPA) | 50,000,000 ARS | $370,000 | Opt-in | None |
| Armenia | Law of the Republic of Armenia of 13 June 2015 No. 49-ZR on the Protection of Personal Data | 27,500,000 AMD | $107,000 | Opt-in | None |
| Bangladesh | Data Protection Act 2022 | 500,000 BDT | $7,100 | Opt-in | None |
| Brazil | General Data Protection Law (LGPD) | Up to 2% of the company’s revenue in Brazil or up to 50,000,000 BRL | $14,000,000 | Opt-in | None |
| Canada | Personal Information Protection and Electronic Documents Act (PIPEDA) | Up to CAD 100,000 | $109,000 | Opt-in with exceptions | Consent can be opt-out (implied) in strictly defined circumstances. In making this determination, organizations need to take into account the sensitivity of the information and the reasonable expectations of the individual, both of which will depend on context. Opt-in (express) consent, however, is required for collections, uses or disclosures of personal information which generally involve sensitive personal information, are outside the reasonable expectations of the individual, and/or create a meaningful residual risk of significant harm to data subjects. |
| Chile | Act on the Protection of Personal Data | 5,000 Unidades Tributarias Mensuales (approx. 270,855,000 Chilean Peso) | $500,000 | Opt-in | None |
| China | Cybersecurity Law of the People’s Republic of China | RMB 100,000 | $21,800 | Opt-in | None |
| Colombia | Law 1581/2012 Data Protection Law | 2,000x minimum legal monthly salaries (approx. COP2,601,212,000) | $807,000 | Opt-in | None |
| Czech Republic | Act No. 110/2019 on personal data processing | CZK 5,000,000 | $330,000 | Opt-in | None |
| Denmark | Danish Data Protection Act (DPA) | DKK 30,000,000 | $6,500,000 | Opt-in | None |
| Estonia | Personal Data Protection Act | 300 fine units (approx. EUR 1,200) | $2,000 | Opt-in | None |
| European Union | General Data Protection Regulation (GDPR) | EUR 20,000,000 or 4% of global turnover, whichever is higher | $32,000,000 | Opt-in | None |
| Hong Kong | Personal Data (Privacy) Ordinance (PDPO) | HK$100,000 and 2 years imprisonment, plus HK$2,000 per day of continued contravention | $19,000 | Opt-out with exceptions | Opt-in consent is required if you change the purpose of the use of the personal data. Opt-in consent is required for the use of the personal data for direct marketing purposes. |
| India | Personal Data Protection Bill (PDPB) | INR 5,00,00,00,000 | $90,500,000 | Opt-out with exceptions | Opt-in consent is required for the collection of sensitive personal information and for the transfer of sensitive personal information to a third party, whether in India or overseas. |
| Indonesia | Personal Data Protection Law | 2% annual revenue or sales of the data controller | | Opt-in | None |
| Japan | Act on the Protection of Personal Information (APPI) | ¥100,000,000 | $1,400,000 | Opt-in with exceptions | Opt-out consent can be relied upon for the transfer of personal information to third parties. Personal information refers to information relating to a living individual that can identify specific individuals. The opt-out mechanism is not available for Personally Referrable Information (PRI) or Sensitive Personal Information (SPI). |
| Malaysia | Personal Data Protection Act (PDPA) | MYR 300,000, and/or two years imprisonment | $100,000 | Opt-in | None |
| Mexico | Federal Law for the Protection of Personal Data held by Private Parties | 320,000 days of minimum wage (approx. 66,380,800 pesos) | $5,300,000 | Opt-out with exceptions | Opt-in consent is required for the processing of financial or economic data. Opt-in consent is required for the processing of sensitive personal data. |
| New Zealand | The Privacy Act 2020 | NZD $10,000 | $9,300 | Opt-in | None |
| Nigeria | Nigeria Data Protection Regulation (NDPR) 2019 | 2% of annual turnover or 10,000,000 Naira, whichever is higher | $32,500 | Opt-in | None |
| Pakistan | Personal Data Protection Bill 2021 (draft) | Rs. 2,500,000 | $13,000 | Opt-in | None |
| Philippines | Data Privacy Act of 2012 | Php4,000,000 and up to 6 years imprisonment | $110,000 | Opt-in | None |
| Singapore | Personal Data Protection Act (PDPA) | If annual turnover in Singapore exceeds S$10,000: 10% of the organisation’s turnover in Singapore, otherwise S$1,000,000 | $1,200,000 | Opt-out with exceptions | Opt-in consent is required for direct marketing purposes. |
| South Korea | Personal Information Protection Act (PIPA) | KRW 50,000,000 or imprisonment for up to five years | $57,000 | Opt-in | None |
| Sri Lanka | Data Protection Act | LKR 10,000,000 | $44,000 | Opt-in | None |
| Taiwan | Personal Data Protection Act 2015 | NT 500,000 | $24,500 | Opt-in | None |
| Thailand | Personal Data Protection Act (PDPA) | THB 5,000,000 | $218,000 | Opt-in | None |
| UK | Data Protection Act 2018 | Up to £17,500,000 or 4% of global turnover, whichever is higher | $32,000,000 | Opt-in | None |
| US – California | California Consumer Privacy Act (CCPA) | USD $7,500 | $11,000 | Opt-out | None |
| US – New York | New York State Stop Hacks and Improve Electronic Data Security (SHIELD) Act | USD $5,000 | $7,500 | Opt-out | None |
| Vietnam | Various legislation | Unclear | | Opt-in | None |

To ensure compliance with the upcoming changes in privacy laws, it is essential for companies to prepare a consent mechanism on their websites. If you haven’t done this yet, Digital Balance can assist you in exploring options from our partners such as Ensighten, OneTrust, Tealium, and other vendors, and help you with the implementation process.

Moreover, we suggest that you conduct a review of your existing data collection methods and privacy policies. While we cannot provide legal advice, we can assess the potential impact of your policies on data collection for analytics and marketing purposes. Contact us and a member of our team will be in touch.

The content and advice contained in this post may be out of date. Last updated on April 30, 2023.