5 Important Data Privacy Laws: CCPA, HIPAA, GDPR, GLBA, and LGPD

5 Important Data Privacy Laws: CCPA, HIPAA, GDPR, GLBA, and LGPD

1 Star2 Stars3 Stars4 Stars5 Stars (8 votes, average: 5.00 out of 5)

Are you wondering whether your business falls under any of the major five privacy laws, or what the penalties are for non-compliance? Let’s find out!

If you collect, use, share, or process your customers’ data in any way, then data privacy laws are something you must not ignore. Being slapped with a non-compliance penalty because you don’t abide by a data privacy law can jeopardize your business’s financial stability and could even lead to the imprisonment of your employees. Most countries have laws to deal with their citizens’ data privacy and protection, and also to set accountability in an event of a data breach, cyber attack, or unauthorized access of the data.

In this article, we summarize five important data privacy laws and the penalties for non-compliance. We’ll go over each privacy law individually, giving you an overview of what the laws are, who they impact, and other critical info you should know.

Data Privacy Law 1: California Consumer Privacy Act (CCPA)

Data privacy law graphic: A statue of Lady Justice with "Privacy Law" documentation in the background.

CCPA is a state law passed to protect the privacy of Californian residents. It entitles Californians to know how their personal information is used, sold, transferred, or disclosed, and to withdraw their consent for the data to be used in the future. They can also sue companies if they become victims of a data breach due to the company not following reasonable security practices to protect their information.

Don't make the same mistakes

Yahoo, Equifax, Home Depot,

LinkedIn, and Ericsson did!

Get our free 15-point checklist and

avoid the same costly pitfalls.

Please Select Your Country
  • Afghanistan
  • Albania
  • Algeria
  • Andorra
  • Angola
  • Antigua & Deps
  • Argentina
  • Armenia
  • Aruba
  • Australia
  • Austria
  • Azerbaijan
  • Bahamas
  • Bahrain
  • Bangladesh
  • Barbados
  • Belarus
  • Belgium
  • Belize
  • Benin
  • Bermuda
  • Bhutan
  • Bolivia
  • Bosnia Herzegovina
  • Botswana
  • Brazil
  • Brunei
  • Bulgaria
  • Burkina
  • Burundi
  • Cambodia
  • Cameroon
  • Canada
  • Cape Verde
  • Central African Rep
  • Chad
  • Chile
  • China
  • Colombia
  • Comoros
  • Congo
  • Congo {Democratic Rep}
  • Costa Rica
  • Croatia
  • Cuba
  • Curaçao
  • Cyprus
  • Czech Republic
  • Denmark
  • Djibouti
  • Dominica
  • Dominican Republic
  • East Timor
  • Ecuador
  • Egypt
  • El Salvador
  • Equatorial Guinea
  • Eritrea
  • Estonia
  • Eswatini
  • Ethiopia
  • Fiji
  • Finland
  • France
  • Gabon
  • Gambia
  • Georgia
  • Germany
  • Ghana
  • Greece
  • Grenada
  • Guatemala
  • Guinea
  • Guinea-Bissau
  • Guyana
  • Haiti
  • Honduras
  • Hungary
  • Iceland
  • India
  • Indonesia
  • Iran
  • Iraq
  • Ireland {Republic}
  • Israel
  • Italy
  • Ivory Coast
  • Jamaica
  • Japan
  • Jordan
  • Kazakhstan
  • Kenya
  • Kiribati
  • Korea North
  • Korea South
  • Kosovo
  • Kuwait
  • Kyrgyzstan
  • Laos
  • Latvia
  • Lebanon
  • Lesotho
  • Liberia
  • Libya
  • Liechtenstein
  • Lithuania
  • Luxembourg
  • Macedonia
  • Madagascar
  • Malawi
  • Malaysia
  • Maldives
  • Mali
  • Malta
  • Marshall Islands
  • Mauritania
  • Mauritius
  • Mexico
  • Micronesia
  • Moldova
  • Monaco
  • Mongolia
  • Montenegro
  • Morocco
  • Mozambique
  • Myanmar
  • Namibia
  • Nauru
  • Nepal
  • Netherlands
  • New Zealand
  • Nicaragua
  • Niger
  • Nigeria
  • Norway
  • Oman
  • Pakistan
  • Palau
  • Panama
  • Papua New Guinea
  • Paraguay
  • Peru
  • Philippines
  • Poland
  • Portugal
  • Qatar
  • Romania
  • Russian Federation
  • Rwanda
  • St Kitts & Nevis
  • St Lucia
  • Saint Vincent & the Grenadines
  • Samoa
  • San Marino
  • Sao Tome & Principe
  • Saudi Arabia
  • Senegal
  • Serbia
  • Seychelles
  • Sierra Leone
  • Singapore
  • Slovakia
  • Slovenia
  • Solomon Islands
  • Somalia
  • South Africa
  • South Sudan
  • Spain
  • Sri Lanka
  • Sudan
  • Suriname
  • Sweden
  • Switzerland
  • Syria
  • Taiwan
  • Tajikistan
  • Tanzania
  • Thailand
  • Togo
  • Tonga
  • Trinidad & Tobago
  • Tunisia
  • Turkey
  • Turkmenistan
  • Tuvalu
  • Uganda
  • Ukraine
  • United Arab Emirates
  • United Kingdom
  • United States
  • Uruguay
  • Uzbekistan
  • Vanuatu
  • Vatican City
  • Venezuela
  • Vietnam
  • Yemen
  • Zambia
  • Zimbabwe

Contact details collected on InfoSec Insights may be used to send you requested information, blog update notices, and for marketing purposes. Learn more...

Whether a business is located in California, any other state, or even overseas, if it deals with Californians’ personal information and meets the requirements, it must follow CCPA’s guidelines.

CCPA guidelines cover businesses that meet at least ONE of the following requirements:

  1. Takes $25 million or more annually in gross revenue
  2. Collects, buys, or sells personal data of more than 50,000 people
  3. More than half of income is generated through the sale of personal data

Other key points of CCPA

Under CCPA, companies:

  • Can’t discriminate against a user who uses their CCPA rights
  • Must provide a “Do Not Sell My Personal Information” link on the home page that gives users the option to use their right to prevent companies from selling their data
  • Can’t request to sell or disclose the data for 12 months after the user has withdrawn their consent
  • Must implement a procedure to acquire the consent of parents or guardians to use the data of children under 13 years of age

CCPA Non-Compliance Penalties

CCPA non-compliance leads to penalties between $100 to $750 per violation and per Californian, or according to actual damages, whichever is greater. Plus, if the violation is unintentional, the fine is up to $2,500. For each intentional violation, the fine comes with a nasty price tag of up to $7,500.

Data Privacy Law 2: Healthcare Insurance Portability and Accountability Act (HIPAA)

This data privacy law affects all businesses that handle patients’ personal information. According to HIPAA, these organizations must have appropriate safeguards in place to protect patient’s data against reasonably anticipated threats, such as unauthorized use or disclosure of the data, or hazards to the integrity of protected health information (PHI).

Anyone dealing with PHI is affected by HIPAA. For example:

  • Healthcare institutions
  • Hospitals
  • Private healthcare providers
  • Insurance companies
  • IoMT (internet of medical things) device vendors
  • Pathological labs
  • Research institutes that use patients’ data for R&D
  • Pharmacies
  • Third-party data processors that use patients’ data for analysis, storage, or transfer

HIPAA Non-Compliance Penalties

Intentional disclosure of PHI attracts fines up to $50,000 with a possible prison term of one year. PHI obtained in a deceptive way (false pretenses) can lead to a fine of up to $100,000 and up to five years of imprisonment. And PHI sold, transferred, or used for commercial gain can result in fines up to $250,000 and a 10-year prison term.

Data Privacy Law 3: General Data Protection Regulation (GDPR)

GDPR applies to any business that collects, receives, stores, transmits, uses, or processes personal data of people residing in any of the 27 European member states, regardless of the business’s physical location. It also covers travelers, refugees, and immigrants. Companies must take appropriate technical and organizational measures to protect Europeans’ personal data from being breached. Under GDPR, data breach means the data is stolen, altered, destroyed, lost, or disclosed to or accessed by unauthorized individuals while it is transmitted, stored, or processed.

All Europeans have the right to register complaints with the supervisory authority (SA) situated near their residence or place of work. The SA then informs the complainants of the status of their complaint.

When obtaining the consent of data subjects, websites must follow The European Data Protection Board (EDPB)’s guidelines to be GDPR compliant. According to these guidelines:

  • Websites must have a cookie consent banner
  • Cookie banners must not have pre-checked checkboxes
  • “Cookie walls” are not allowed. That means the website can’t deny users access to the website if they don’t accept cookies
  • Users must give explicit consent on the cookie banner — consent is not given by users if they simply scroll or browse your site.

GDPR Non-Compliance Penalties

GDPR non-compliance fines can be up to €10,000,000, or up to 2% of the organization’s total worldwide annual turnover for the preceding financial year, whichever is higher. For some severe data breaches, the penalty amount can be up to €20,000,000, or up to 4% of total worldwide annual turnover, whichever is higher. 

Data Privacy Law 4: The Gramm-Leach-Bliley Act (GLB Act or GLBA)

This United States federal security law covers all financial institutions in the US including banks, insurers, financial product firms, brokerage firms, investment advisors, tax preparers, loans and credit organizations, and accountants. GLBA contains rules on how financial institutes collect, protect, use, and share their customer’s personal and financial information. It covers data stored in physical documents and electronic or other mediums.

Customers can withdraw their consent at any time and prevent financial institutes from using, sharing, or retaining their information. The Federal Trade Commission (FTC) has the authority to audit security measures, and privacy policies to make sure everything is GLBA compliant. 

The three key components of the GLBA are:

  1. Privacy and data usage: Financial institutions must give users written privacy policy notices before collecting data and must disclose who has access to it, how they are going to use the data, and whether they’ll share information with unaffiliated third parties.
  2. Protection: Financial institutions must take appropriate steps to protect customers’ data from anticipated threats and data breaches. GLBA also requires each organization to appoint at least one person to be accountable for the entire security infrastructure development and testing.
  3. Data collection: GLBA forbids the practice of pretexting (manipulating or tricking customers into disclosing sensitive information) or using false pretenses to obtain information or consent.

GLBA Non-Compliance Penalties

Companies can attract non-compliance fines up to $100,000 for each violation. Individuals (employees) can receive fines up to $10,000, and prison terms of up to five years.

Data Privacy Law 5: General Personal Data Protection Law (LGPD)

Lei Geral de Proteção de Dados Pessoais (LGPD), known as the General Personal Data Protection Law in English, is a Brazilian statutory law for data privacy and protection and combines 40 preexisting Brazilian laws. LGPD covers:

  • Individuals residing in Brazil, irrespective of their nationality
  • Organizations situated in Brazil
  • Organizations situated outside Brazil but collecting or receiving Brazilians’ data
  • Foreigners whose data is collected or received inside Brazilian territories

Just like GDPR, LGPD has a clear definition of terms such as data breach, controller, processor, consent, etc. Check out this page for LGPD definitions

 These are the nine rights given to covered users according to LGPD’s Article 18:

  • Ability to receive confirmation of data processing
  • Access to the data and the ability to update incomplete, inaccurate or outdated information
  • Ability to Anonymize, block, or delete unnecessary data
  • Portability of data to another service or product provider
  • Allowing covered individuals to consent to the deletion of their personal data
  • Informing users about which public and private entities are using their data
  • Informing users about what can happen if they refuse to give consent
  • Enabling users to revoke their consent

LGPD Non-Compliance Penalties

For LGPD non-compliance, companies must pay fines of up to 2% of annual revenue, or up to up to a total maximum of R$50 million per violation — approximately €7.9 million or $9.2 million (rates as per Sept. 29, 2021).

Our Two Cents on the Consequences of Not Abiding By Data Privacy Laws

When we talk about the consequences of non-compliance, it is not just the direct losses an organization has to bear in the form of financial penalties. Non-compliance will also result in many other indirect negative effects as well such as:

  • Damage to your relationships with customers and partners
  • Damage to your reputation
  • Lost revenue and future sales
  • Lengthy and expensive legal battles
  • High shopping cart abandonment rate due to trust issues

Sooner or later, you must hire a full-time employee who understands legal compliance or employ a third-party MSPs or compliance partner. Non-compliance penalties can be fatal to a business and can trigger many adverse ripple effects.

Wrapping Up Data Privacy Laws

Whether you have a multi-billion business or a tiny start-up, as soon as you collect or receive a users’ personal information, you come on to the radar of one or another data privacy law. It might be a local state law, federal law, or international one.

If you’re running a multinational company, you’ll have to abide by many other countries’ data privacy laws as well, making compliance more complicated. Being compliant will cost you the salaries of compliance staff or fees of third-party service providers, but non-compliance will cost you way more, including financial and reputation loss.

About the author

Medha is a regular contributor to InfoSec Insights. She's a tech enthusiast and writes about technology, website security, cryptography, cyber security, and data protection.