Privacy Regulation Roundup


This Privacy Regulation Roundup summarizes the latest major global privacy regulatory developments, announcements, and changes. The report is updated monthly. For each regulatory activity you will find actionable Info-Tech analyst insights and links to Info-Tech research that can help you become compliant. Regulatory activities are ordered by their effective date.


Connecticut Passes Privacy Bill


Type: Regulation
Effective Date: July 1, 2023

Summary: Connecticut has signed Senate Bill 6, “An Act Concerning Personal Data Privacy and Online Monitoring,” into law. The Connecticut Data Privacy Act (CTDPA) takes effect on July 1, 2023. Like other state privacy laws, the CTDPA covers businesses that:

  • Conduct business in the state or produce products or services targeted to residents of the state, and
  • Control or process the personal data of 100,000 or more consumers (excluding personal data controlled or processed solely to complete a payment transaction), or control or process the personal data of 25,000 or more consumers and derive more than 25% of their gross revenue from the sale of personal data.

The CTDPA mirrors the consumer rights, business obligations, and exceptions of California’s CPRA (California Privacy Rights Act), Virginia’s VCDPA (Virginia Consumer Data Protection Act), Colorado’s CPA (Colorado Privacy Act), and Utah’s UCPA (Utah Consumer Privacy Act). It adopts the broad definition of “sale”: the exchange of personal data for monetary or other valuable consideration. The CTDPA also requires organizations to obtain opt-in consent before selling the personal data of consumers they know to be under 16 years of age. The law will be enforced by the Attorney General of Connecticut, with penalties of up to $5,000 per willful violation. The Attorney General also has the authority to impose equitable remedies under the Connecticut Unfair Trade Practices Act (CUTPA), including restitution, disgorgement, and injunctive relief.

Analyst Perspective: Organizations that fall within the scope of the CTDPA have roughly 14 months to update their privacy policies to reflect the Act’s provisions. Policy updates must include data minimization guidelines; consent policies for data collection, processing, and transfer; a clear definition of personal and sensitive data; and an effective mechanism for handling Data Subject Access Requests (DSARs). Organizations can also leverage the Children’s Online Privacy Protection Act (COPPA): a controller that complies with COPPA’s verifiable parental consent requirements is deemed compliant with the parental consent obligation under the CTDPA. It is particularly important for organizations to develop a working understanding of the CTDPA, how it applies to them, how they can comply, and how they can avoid regulatory inquiry.

Analyst: Iris Akwetey, Senior Research Analyst – Security, Privacy, Risk & Compliance


Virginia Makes Amendments to the VCDPA


Type: Regulation
Effective Date: January 1, 2023

Summary: Virginia has made a few amendments to the Virginia Consumer Data Protection Act (VCDPA) ahead of its January 1, 2023, effective date. The first amendment adds new exemptions to the Act’s “Right to Delete” provision: a controller may satisfy a deletion request by opting the consumer out of processing of their personal data for any purpose other than those exempted under the chapter. The second amendment repeals the Consumer Privacy Fund and provides that “all civil penalties, expenses, and attorney fees collected pursuant to this chapter shall be paid into the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund.” The third amendment adds political organizations to the definition of “nonprofit organization,” alongside organizations exempt from taxation under section 501(c)(3) of the Internal Revenue Code. All of these changes are effective January 1, 2023.

Analyst Perspective: To comply with the VCDPA, organizations must start tailoring their policies to reflect best practices and transparency. Their policies must include instructions for controllers to opt consumers out of processing of their personal data for targeted advertising, sale, or profiling upon request. They should weigh the risk of reputational damage, consumer distrust, and monetary penalties that may result from non-compliance. Organizations that identify as political organizations should review their status under the VCDPA’s amended definition of “nonprofit organization” and make sure their privacy policy reflects it. Finally, organizations must start training the stakeholders involved in collecting, processing, storing, or transferring personal data so that these changes are understood and followed.

Analyst: Iris Akwetey, Senior Research Analyst – Security, Privacy, Risk & Compliance



The Digital Services Act (DSA)

Type: Regulation
Announcement Date: April 23, 2022

Summary: In December 2020, the European Commission proposed the Digital Services Act (DSA) and the Digital Markets Act (DMA) as a reform of the EU digital space. The DSA’s goal is a safe and accountable online environment. Its rules apply to intermediary services, and the obligations scale with each provider’s role, size, and impact on the online ecosystem. An online intermediary service is any entity that connects EU businesses and EU consumers online, even if it is not established in the EU. The obligations build up in layers: all intermediary services must, for instance, publish transparency reports; hosting services must additionally provide information to users; online platforms (a subset of hosting services) carry further transparency obligations; and very large online platforms, those reaching more than 10% of the 450 million consumers in the EU, must also perform risk management and crisis response. The DSA provides for penalties of up to 6% of global turnover, and repeated violations can result in a ban on operating in the EU single market.

Analyst Perspective: Organizations must now identify which DSA role applies to them and adopt the corresponding obligations. The DMA complements the DSA and applies to gatekeepers; an organization designated as a gatekeeper must also comply with the DMA. Gatekeepers are companies that have a “strong economic position, strong intermediation position, and durable position in the market.” The DMA builds on the platform-to-business (P2B) rules of “transparency, dispute resolution and monitoring.” It provides for fines of up to 10% of global turnover, up to 20% for repeated violations, and periodic penalty payments of up to 5% of average daily turnover. The DMA applies six months after it enters into force. The DSA and DMA are the EU Commission’s tools for regulating digital services, and they will affect users, businesses, and platforms alike. Their foundational spirit is to protect consumers online as they are protected offline. The consequence is that online platforms must establish transparency and accountability, and, as in the offline world, the greater the size, the greater the responsibilities. Competitiveness and innovation should also grow as the online single market opens up to all players, including small and medium-size enterprises.

Analyst: Ida Siahaan, Research Director – Security, Privacy, Risk & Compliance



Quebec’s Bill 64 Effective Date to Start on September 22, 2022


Type: Regulation
Effective Date: September 22, 2022

Summary: Quebec has passed Bill 64, a new privacy law aimed at better protecting personal information. The law aligns more closely with PIPEDA and the GDPR (General Data Protection Regulation), so compliance will be simpler if your business already follows those frameworks. Bill 64 adds further requirements, including clarifications on obtaining consent, privacy impact assessments, and individual privacy rights in both the public and private sectors. The Bill applies to businesses headquartered in Quebec and to businesses whose websites collect personal information from Quebec residents. Its provisions come into force in stages in September 2022, 2023, and 2024, with most taking effect on September 22, 2023. Non-compliance exposes an organization to three categories of consequence: administrative monetary penalties, penal (criminal) fines, and a private right of action for individuals who suffer injury as a result of a violation of Bill 64.

Analyst Perspective: If your organization is headquartered in Quebec or Quebec residents visit your websites, start checking your compliance with the new law and planning for changes. Complying with the GDPR and PIPEDA is a strong starting point but not enough; organizations must familiarize themselves with the content of the new provisions. Organizations must establish, implement, and publish policies and practices that describe how they manage consumers’ personal data, and they must build a strong data governance process that helps consumers exercise their privacy rights. Double-check which provisions are due on which date, prioritize those coming into effect this September if you do not already meet them, and train staff and service providers on how to implement the Bill.

Analyst: Maggie Zeng, Research Specialist – Security, Risk, and Compliance



New Global CBPR Forum for Data Transfer by APEC


Type: Announcement
Announcement Date: April 21, 2022

Summary: On Thursday, April 21, 2022, Canada, Japan, the Republic of Korea, the Philippines, Singapore, Chinese Taipei, and the United States of America announced the establishment of the Global Cross-Border Privacy Rules (CBPR) Forum. The Forum’s purpose is to promote global trust in the digital economy by enabling the free flow of data across international borders while protecting consumer data. It intends to establish the Global CBPR and Privacy Recognition for Processors (PRP) Systems, which will certify organizations that put high-standard privacy protections in place and ensure that effective controls and safeguards apply when participating organizations transfer data globally. Member countries intend the Forum to be interoperable with other data protection and privacy frameworks, and non-APEC jurisdictions can join if they agree to abide by its principles and objectives.

Analyst Perspective: Organizations with international operations, especially in APEC economies, should complete a gap analysis of their compliance policies and procedures against the Global CBPR and PRP Systems and their certification requirements before transferring consumer data globally. Global CBPR or PRP certification must be applied for through a third-party “accountability agent” recognized by one of the participating economies. Organizations already certified under the APEC CBPR or PRP Systems through an approved accountability agent can consider themselves compliant, as their certifications will be recognized automatically under the new Global CBPR Forum. A periodic review of your organization’s data protection and privacy standards will go a long way toward staying in compliance.

Analyst: Iris Akwetey, Senior Research Analyst – Security, Privacy, Risk & Compliance


