Privacy laws worldwide require companies to obtain a certain degree of consent from users before collecting and using their private data. Common examples include a cookie pop-up or a privacy notice.
Major regulations, known as privacy laws, include the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA). These laws specify the legal requirements for websites to inform users about data use and their rights.
GDPR for General Data Protection Regulation
Implemented on May 15, 2018, the GDPR regulates how companies use and process personal data within the European Union, including responsibilities for safeguarding this data. It applies to any company dealing with EU residents’ data, regardless of the company’s location. The GDPR is strict about the requirements for data controllers and is notably broad in defining user privacy data, setting rigorous principles for obtaining consent and protecting collected data. For instance, Recital 32 outlines the conditions for valid consent:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
CCPA for California Consumer Privacy Act
The CCPA, effective from July 1, 2020, and the California Privacy Rights Act (CPRA), which started in January 2023, are the most influential pieces of privacy legislation in the US. They are extraterritorial, meaning that any company processing the data of people located in California must comply with these laws:
Consumers have the right to object to (opt out of) the processing of their data at any time; otherwise, companies can share or sell that personal data
Companies must provide a clear “Do not sell (or share) my personal information” link on their website
Companies must provide a clear, up-to-date description of consumers’ rights
Consumers have the right to know who collects or sells their data and how it’s used, and to request that it be deleted or not sold
References and resources
Consent Management Platforms now exist to help businesses comply with data privacy regulations. They offer interpretations of the laws and ready-to-use APIs and software tools. For example, resources are available from one of the popular consent management platforms, Usercentrics:
usercentrics | 8 of the leading consent management platforms of 2024
usercentrics | The EU’s General Data Protection Regulation (GDPR) – an overview
usercentrics | Cookie Consent Management for Enterprises in accordance with GDPR
usercentrics | What is a privacy notice and why do you need one?