There are several privacy and cookie consent laws around the world that Australian businesses need to be aware of if they have website visitors or customers in a particular region – even if they do not have a physical office there.
Many European countries have their own privacy legislation as well as the EU’s GDPR. When a European Union (EU) country has its own privacy legislation, both GDPR and the country’s own law apply. However, if there are conflicts between the two laws, GDPR takes precedence over the country’s own law.
Some of the most notable laws affecting Australian companies are expanded on below, with a summary table covering additional countries at the end of this post.
Bangladesh
Legislation: Data Protection Act 2022 (Draft)
Maximum fine: 500,000 BDT (Approximately $7,100 AUD) per violation
General Rule: Opt-in with no exceptions
The government released The Data Protection Act, 2022 for public comment in April 2022, but it has not yet reached the floor of Bangladesh’s Parliament.
The Act introduces consent requirements, data subject rights, data localisation requirements, and rules on cross-border data transfers, as well as a new independent agency to act as a data protection supervisory authority, called the Data Protection Office.
The Act prohibits processing without consent obtained prior to processing. Consent must be ‘free, specific, clear and capable of being withdrawn’; collection must be minimal (‘not excessive or unnecessary’); and all data must be destroyed permanently when no longer needed for the purpose for which it was collected.
India
Legislation: Personal Data Protection Bill (PDPB)
Maximum fine: INR 5,00,00,00,000 (Approximately $90,500,000 AUD)
General Rule: Opt-out with exceptions
- Opt-in consent is required for the collection of sensitive personal information and for the transfer of sensitive personal information to a third party, whether in India or overseas.
Consent for sensitive personal data must be obtained in writing, through letter or fax or email.
Sensitive personal data may be collected only with the consent of the individual, and only if it is essential and required for a lawful purpose connected with the body corporate’s functions.
Prior to collecting information, including sensitive personal data, the body corporate (or any person acting on its behalf) must give the provider of the information the option not to provide the data sought.
Malaysia
Legislation: Personal Data Protection Act (PDPA)
Maximum fine: MYR 300,000 (Approximately $100,000 AUD) and/or two years’ imprisonment
General Rule: Opt-in with no exceptions
The organisation may obtain consent in any form, as long as the consent can be recorded and properly maintained by the organisation. A data subject must be able to withdraw consent to the processing of their personal data by written notice.
There is no specific guidance on the use of cookies.
Pakistan
Legislation: Personal Data Protection Bill 2021 (consultation draft)
Maximum fine: Rs. 2,500,000 (Approximately $13,000 AUD) per violation
General Rule: Opt-in with no exceptions
Pakistan currently has not enacted data protection legislation per se, however, the Prevention of Electronic Crimes Act, 2016 (“PECA 2016”) at present serves the same purpose to a certain extent.
A consultation draft of the Personal Data Protection Bill 2021 (“PDPB”) has been introduced by the Ministry of Information Technology and Telecommunications with a view to having it brought into law after public consultation, approval from both Houses of Parliament and receipt of assent from the President of Pakistan. This is likely to happen in 2023.
Under PDPB, the data controller can only process the personal data with consent of the data subject. The data controller is further required to inform the data subject about collection and use of their personal data.
Philippines
Legislation: Data Privacy Act of 2012
Maximum fine: PHP 4,000,000 (Approximately $110,000 AUD) and up to 6 years’ imprisonment
General Rule: Opt-in, no exceptions
Consent must be freely given, informed, specific, and an unambiguous indication of the data subject’s wishes.
Processing is lawful if and to the extent that at least one of the following applies:
- The data subject has given consent,
- Processing is necessary for the performance of a contract with the data subject,
- Processing is necessary for compliance with a legal obligation,
- Processing is necessary in order to protect the vital interests of the data subject,
- Processing is necessary for the public interest or in the exercise of official authority, or
- Processing is necessary for the controller’s or recipient’s legitimate interests, except where overridden by the interests of the data subject.
United States
There is no single principal data protection legislation in the United States. Instead, hundreds of laws enacted on both the federal and state levels serve to protect the personal data of U.S. residents.
At the federal level, the Federal Trade Commission Act (15 U.S.C. § 41 et seq.) broadly empowers the U.S. Federal Trade Commission (FTC) to bring enforcement actions to protect consumers against unfair or deceptive practices and to enforce federal privacy and data protection regulations. The FTC has taken the position that “deceptive practices” include a company’s failure to comply with its published privacy promises and its failure to provide adequate security of personal information, in addition to its use of deceptive advertising or marketing methods.
California
Legislation: California Consumer Privacy Act (CCPA)
Maximum fine: USD $7,500 (Approximately $11,000 AUD) per intentional violation (USD $2,500 per unintentional violation)
General Rule: Opt-out
The California Consumer Privacy Act (CCPA) regulates the collection and sale of personal information of California residents no matter where they are located. It requires businesses to provide consumers with certain rights, including the right to know what personal information is being collected about them, the right to request deletion of their personal information, and the right to opt-out of the sale of their personal information.
The California Privacy Rights Act (CPRA) amended and expanded the CCPA. To comply, a “Do Not Sell or Share My Personal Information” link or button must be provided on the homepage of the website.
Granular opt-outs from specific sales of personal information may be provided to consumers as long as the global opt-out button is more prominent.
The business must be able to detect and honor Global Privacy Control (GPC) signals. When the GPC is detected, all third-party non-essential cookies that are involved in the sale or sharing of personal information must be opted-out immediately.
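How a site can detect the GPC signal and act on it, as an added example that is not code from the original post or from any vendor named here. It uses the two real GPC surfaces, the `Sec-GPC: 1` request header (seen server-side) and `navigator.globalPrivacyControl` (seen in the browser), plus the `/.well-known/gpc.json` discovery document. The cookie inventory, the `sharesData` and `thirdParty` flags, and the function names are constructed for illustration and are not from any standard.

```javascript
// Added example: honour a Global Privacy Control (GPC) opt-out signal.
// Real spec surfaces used: the Sec-GPC request header, navigator.globalPrivacyControl,
// and the /.well-known/gpc.json document. Everything else is illustrative.

// Constructed cookie inventory (not real site data). A cookie is subject to the
// opt-out when it is third-party, not strictly necessary, and feeds sale/sharing.
const COOKIE_INVENTORY = [
  { name: "session_id", category: "essential",   thirdParty: false, sharesData: false },
  { name: "csrf_token", category: "essential",   thirdParty: false, sharesData: false },
  { name: "theme_pref", category: "functional",  thirdParty: false, sharesData: false },
  { name: "_analytics", category: "analytics",   thirdParty: true,  sharesData: true  },
  { name: "_adtrack",   category: "advertising", thirdParty: true,  sharesData: true  },
];

// Server-side: the signal is present only when the header value is exactly "1".
// Header names are case-insensitive, so accept either spelling.
function gpcFromHeaders(headers) {
  const raw = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return String(raw ?? "").trim() === "1";
}

// Client-side: browsers that implement GPC expose a boolean on navigator.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide which cookies may be set. GPC is treated exactly like a click on the
// "Do Not Sell or Share" link: both opt the user out of sale/sharing cookies.
// Essential and first-party cookies are unaffected by the opt-out.
function resolveCookies(inventory, { gpc, userOptOut }) {
  const optedOut = Boolean(gpc || userOptOut);
  const allowed = [];
  const blocked = [];
  for (const c of inventory) {
    const saleOrShareCookie = c.thirdParty && c.category !== "essential" && c.sharesData;
    if (optedOut && saleOrShareCookie) {
      blocked.push(c.name);
    } else {
      allowed.push(c.name);
    }
  }
  return { optedOut, allowed, blocked };
}

// Request handler shape (framework-agnostic, hypothetical): combine the header
// signal with a stored preference from the opt-out link and return the decision
// plus the first-party cookie that persists it. "gpc_optout" is an assumed name.
function handleRequest(headers, storedOptOut) {
  const gpc = gpcFromHeaders(headers);
  const decision = resolveCookies(COOKIE_INVENTORY, { gpc, userOptOut: storedOptOut });
  const setCookie = decision.optedOut
    ? "gpc_optout=1; Path=/; Secure; HttpOnly; SameSite=Lax"
    : null;
  return { ...decision, setCookie };
}

// Body served at /.well-known/gpc.json so that user agents and auditors can
// confirm the site honours GPC. lastUpdate is illustrative.
function gpcWellKnown() {
  return { gpc: true, lastUpdate: "2023-01-01" };
}

// Stand-alone demo: a request carrying Sec-GPC: 1 with no stored preference.
const demo = handleRequest({ "Sec-GPC": "1" }, false);
console.log(JSON.stringify(demo));
```

The important check is the strict comparison with `"1"`: any other header value (including `"0"` or an empty string) must be treated as no signal, and the opt-out must bite before any sale/sharing tag is loaded, not after. Serving `gpc.json` is what lets a regulator or a privacy extension verify the claim.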
New York
Legislation: The New York State Stop Hacks and Improve Electronic Data Security (SHIELD) Act
Maximum fine: USD $5,000 (Approximately $7,500 AUD) per violation
General Rule: Opt-out, no exceptions
While the SHIELD Act does not specifically require cookie consent, it does require businesses to implement reasonable data security measures and to notify affected individuals in the event of a data breach.
The SHIELD Act applies to any person or business that owns, licenses, or maintains computerized data that includes the private information of a New York State resident. “Private information” is defined as a combination of an individual’s name along with other identifying information such as a social security number, driver’s license number, or account number.
Vietnam
Legislation: Various
Maximum fine: Unclear
General Rule: Opt-in
In Vietnam, the right to privacy and personal secrets is a constitutional right. However, Vietnam does not have a consolidated piece of legislation on the protection of personal data. Instead, rules and regulations on personal data protection are spread across several laws, including general laws such as the Civil Code 2015 (24 November 2015) (‘the Civil Code’), the Law on Cyber Information Security No. 86/2015/QH13 (19 November 2015) (‘LCS’), and several sectoral laws.
Currently, the Ministry of Public Security is drafting a decree on personal data protection (the ‘Draft Decree’) which will impose additional obligations. On 20 March 2023 the Ministry of Public Security held a conference to study guiding documents and legal documents on cyber security.
Additional legislation
| Jurisdiction | Law/Act | Maximum fine per violation/notification (local currency) | Fine (approx. AUD) | General rule | Exceptions | Link to legislation |
|---|---|---|---|---|---|---|
| Andorra | Law 29/2021, of October 28, qualified for the protection of personal data (BOPA no. 119, 17/11/2021) | EUR 100,000 | $160,000 | Opt-in | None | Link |
| Argentina | Personal Data Protection Act No. 25,326 (PDPA) | ARS 50,000,000 | $370,000 | Opt-in | None | Link |
| Armenia | Law of the Republic of Armenia of 13 June 2015 No. 49-ZR on the Protection of Personal Data | AMD 27,500,000 | $107,000 | Opt-in | None | Link |
| Bangladesh | Data Protection Act 2022 (draft) | BDT 500,000 | $7,100 | Opt-in | None | Link |
| Brazil | General Data Protection Law (LGPD) | Up to 2% of the company’s revenue in Brazil or up to BRL 50,000,000 | $14,000,000 | Opt-in | None | Link |
| Canada | Personal Information Protection and Electronic Documents Act (PIPEDA) | Up to CAD 100,000 | $109,000 | Opt-in with exceptions | Consent can be opt-out (implied) in strictly defined circumstances. In making this determination, organisations need to take into account the sensitivity of the information and the reasonable expectations of the individual, both of which depend on context. Opt-in (express) consent is required for collections, uses or disclosures of personal information that involve sensitive personal information, fall outside the reasonable expectations of the individual, and/or create a meaningful residual risk of significant harm to data subjects. | Link |
| Chile | Act on the Protection of Personal Data | 5,000 Unidades Tributarias Mensuales (approx. CLP 270,855,000) | $500,000 | Opt-in | None | Link |
| China | Cybersecurity Law of the People’s Republic of China | RMB 100,000 | $21,800 | Opt-in | None | Link |
| Colombia | Law 1581/2012 Data Protection Law | 2,000 × minimum legal monthly salaries (approx. COP 2,601,212,000) | $807,000 | Opt-in | None | Link |
| Czech Republic | Act No. 110/2019 on personal data processing | CZK 5,000,000 | $330,000 | Opt-in | None | Link |
| Denmark | Danish Data Protection Act (DPA) | DKK 30,000,000 | $6,500,000 | Opt-in | None | Link |
| Estonia | Personal Data Protection Act | 300 fine units (approx. EUR 1,200) | $2,000 | Opt-in | None | Link |
| European Union | General Data Protection Regulation (GDPR) | EUR 20,000,000 or 4% of global turnover, whichever is higher | $32,000,000 | Opt-in | None | Link |
| Hong Kong | Personal Data (Privacy) Ordinance (PDPO) | HKD 100,000 and 2 years’ imprisonment, plus HKD 2,000 per day of continued contravention | $19,000 | Opt-out with exceptions | Opt-in consent is required if you change the purpose for which the personal data is used. Opt-in consent is required for the use of personal data for direct marketing purposes. | Link |
| India | Personal Data Protection Bill (PDPB) | INR 5,00,00,00,000 | $90,500,000 | Opt-out with exceptions | Opt-in consent is required for the collection of sensitive personal information and for the transfer of sensitive personal information to a third party, whether in India or overseas. | Link |
| Indonesia | Personal Data Protection Law | 2% of the annual revenue or sales of the data controller | – | Opt-in | None | Link |
| Japan | Act on the Protection of Personal Information (APPI) | JPY 100,000,000 | $1,400,000 | Opt-in with exceptions | Opt-out consent can be relied upon for the transfer of personal information to third parties. Personal information refers to information relating to a living individual that can identify specific individuals. The opt-out mechanism is not available for Personally Referable Information (PRI) or Sensitive Personal Information (SPI). | Link |
| Malaysia | Personal Data Protection Act (PDPA) | MYR 300,000 and/or two years’ imprisonment | $100,000 | Opt-in | None | Link |
| Mexico | Federal Law for the Protection of Personal Data held by Private Parties | 320,000 days of minimum wage (approx. MXN 66,380,800) | $5,300,000 | Opt-out with exceptions | Opt-in consent is required for the processing of financial or economic data. Opt-in consent is required for the processing of sensitive personal data. | Link |
| New Zealand | The Privacy Act 2020 | NZD 10,000 | $9,300 | Opt-in | None | Link |
| Nigeria | Nigeria Data Protection Regulation (NDPR) 2019 | 2% of annual turnover or NGN 10,000,000, whichever is higher | $32,500 | Opt-in | None | Link |
| Pakistan | Personal Data Protection Bill 2021 (draft) | PKR 2,500,000 | $13,000 | Opt-in | None | Link |
| Philippines | Data Privacy Act of 2012 | PHP 4,000,000 and up to 6 years’ imprisonment | $110,000 | Opt-in | None | Link |
| Singapore | Personal Data Protection Act (PDPA) | If annual turnover in Singapore exceeds SGD 10,000,000: 10% of the organisation’s annual turnover in Singapore; otherwise SGD 1,000,000 | $1,200,000 | Opt-out with exceptions | Opt-in consent is required for direct marketing purposes. | Link |
| South Korea | Personal Information Protection Act (PIPA) | KRW 50,000,000 or imprisonment for up to five years | $57,000 | Opt-in | None | Link |
| Sri Lanka | Data Protection Act | LKR 10,000,000 | $44,000 | Opt-in | None | Link |
| Taiwan | Personal Data Protection Act 2015 | TWD 500,000 | $24,500 | Opt-in | None | Link |
| Thailand | Personal Data Protection Act (PDPA) | THB 5,000,000 | $218,000 | Opt-in | None | Link |
| UK | Data Protection Act 2018 | Up to GBP 17,500,000 or 4% of global turnover, whichever is higher | $32,000,000 | Opt-in | None | Link |
| US – California | California Consumer Privacy Act (CCPA) | USD 7,500 | $11,000 | Opt-out | None | Link |
| US – New York | New York State Stop Hacks and Improve Electronic Data Security (SHIELD) Act | USD 5,000 | $7,500 | Opt-out | None | Link |
| Vietnam | Various legislation | Unclear | – | Opt-in | None | Link |
To ensure compliance with the upcoming changes in privacy laws, it is essential for companies to prepare a consent mechanism on their websites. If you haven’t done this yet, Digital Balance can assist you in exploring options from our partners such as Ensighten, OneTrust, Tealium, and other vendors, and help you with the implementation process.
Moreover, we suggest that you conduct a review of your existing data collection methods and privacy policies. While we cannot provide legal advice, we can assess the potential impact of your policies on data collection for analytics and marketing purposes. Contact us and a member of our team will be in touch.
Note that the information contained in this document should not be taken as legal advice, and Digital Balance recommends that you undertake your own legal investigation.