A landmark document in the history of human civilisation, the Universal Declaration of Human Rights (UDHR) was drafted in 1948 in Paris by representatives from diverse national, cultural and legal backgrounds. Translated into over 500 languages, it outlines fundamental human rights that should be universally protected. The UDHR is a long and fascinating read, but we will emphasise one particular UDHR article that relates to the right to individual privacy:  

Article 12 of the Universal Declaration of Human Rights states:

“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

What laws exist to protect consumer data?

Thankfully, governments across the world are starting to take data privacy extremely seriously. The often well publicised string of devastating data breach incidents in the past several years has resulted in the implementation of new, stricter rules about how companies are gathering, storing and handling consumer data. In the EU, the General Data Protection Regulation (GDPR), came into force in 2018 and thereby, constituted a landmark that shook practices across industries to its core. It improved on the old privacy rules by adding stricter requirements for IT procedure documentation, requiring risk assessments to be performed under certain conditions, notifying both consumers and the authorities whenever a breach occurs, and in general forcing businesses to minimise their consumer data requirements.

Two years later, in 2020 the California Consumer Privacy Act (CCPA) became effective. Very similar to the GRPR, it has a similarly big positive effect on consumer data protection — not just in the state of California (where many tech companies like Facebook and Google are located), but across the entire United States.    

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in both the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. Its aim is to enhance the control and rights of individuals (formally called data subjects in the GDPR) who are located in the EEA over their personal data. It covers provisions and requirements related to the processing of personal data of those individuals (i.e. data subjects) and applies to any enterprise processing EEA individuals's data — regardless of its location and the data subjects' citizenship or residence.

What are the 7 principles of GDPR? (Privacy laws in Europe)

The General Data Protection Regulation (GDPR) served as a major revision of the previously established privacy rules and pressured European companies to update (and in some cases completely overhaul) their operations. Many businesses had to alter their product designs, services and branding. Today, these seven key GDPR principles communicate the spirit and thought process behind data processing best practices:

1. Lawfulness, fairness and transparency 

Businesses processing personal data must have a good reason for doing so. GDPR terms this principle ‘lawfulness’. Valid reasons for processing data include:

  • The user has given consent.  
  • Businesses must do it to make good on a contract.
  • It is necessary to fulfil a legal obligation.
  • For protection of vital interests of a natural person.
  • It is a public task done in the public interest.
  • The company can prove it has legitimate interest and it’s not overridden by data subject’s rights and interests.

The concept of fairness means companies shouldn’t purposely withhold information about what or why they’re collecting data. In other words, users shouldn’t be surprised if they find out how their data is used. Fairness means the company won’t mishandle or misuse the data it collects.

Transparency means being clear, open, and honest with data subjects about and why and how they’re processing the personal data of consumers.

2. Purpose limitation

The second principle means that private data is “collected for specified, explicit, and legitimate purposes only”. In other words, a company’s purpose (reason) for processing consumer data must be clearly communicated in a privacy notice that pops up onscreen. If at some point in the future the business wants to use data they’ve collected for a new purpose that is incompatible with the originally stated purpose, the company must ask specifically for consent.

3. Data minimisation

Companies must only collect the smallest amount of data they’ll need to complete their business purposes. For example, if a company wants to gather subscribers for its email newsletter, it should only ask for data that is necessary to send out a newsletter. Requesting other personal data (phone numbers or home addresses, for example) not directly related to sending out emails is forbidden.

4. Accuracy 

It’s up to the company to ensure the accuracy of the data it collects and stores. The company must take care in correcting, updating or erasing incorrect data that comes in.  

5. Storage limitation

The company has to justify the length of time it’s keeping each piece of data on its servers. This is usually done via pre-determined data retention periods. Under GDPR, companies must implement a standard time period after which they will anonymise any data that isn’t being actively used.  

6. Integrity and confidentiality

Companies should maintain the integrity and confidentiality of the data they collect. It is inferred that this practice will keep the data secure from internal or external threats, effectively protecting it from unauthorised or unlawful processing, accidental loss or damage.

7. Accountability 

Of course, any organisation can assure the GDPR regulators that it is strictly following all these new rules even when it isn’t. That’s why a certain level of accountability is required. Companies must keep logs and documentation as proof of their compliance.  Supervisory authorities are free to request that this evidence be presented at any time.  

What is the California Consumer Privacy Act  (CCPA)?

The California Consumer Privacy Act (CCPA) applies to California-based, for-profit entities that collect personal consumer data, which effectively means all large tech companies in and around the Silicon Valley offering online products or services. Strongly modelled after Europe’s GDPR set of principles, it is part of a global trend pushing companies toward greater accountability with regard to gathering, storing and handling consumer data. While there are subtle differences between the CCPA and the GDPR, the similarities are far stronger. Both give individual users certain rights to how their personal information is collected and used. Both encourage transparency and require businesses to report data breaches to their consumers.  

The CCPA encourages California-based companies to provide stronger privacy and greater transparency of their services and of the data they collect. Furthermore, the CCPA gives Californians the right to:  

  • Know what personal information is being collected
  • Access the collected personal information and request it be deleted
  • Know whether their personal information is being shared, and if so, with whom
  • Opt-out of the sale of their personal information
  • Have equal service and price, whether or not they choose to exercise their privacy rights

In addition, the CCPA prohibits businesses from selling the personal information of consumers aged 13–16 (unless the consumer opts-in). For consumers under the age of 13, consent from a parent or guardian is required.