Back to main menu

Email

Navigating global data compliance and regulations in 2024

Navigating legislation on data privacy can be like finding your way through a maze full of booby-traps. We’ve got the map to guide you and the data you need to know now. This post has been updated to reflect global and domestic updates as of January 2024.

PUBLISHED ON

PUBLISHED ON

Protection from loss, theft, and corruption – these are the goals of data privacy regulations.

Adhering to these regulations makes you a trusted sender but it takes resources to keep up with the evolving policies around data privacy. As a dedicated data processor ourselves, we respect every bit of data we touch, and this index will be your guide to existing global legislation and what to expect for the year ahead.

What is data compliance?

Data compliance is the process that determines legislation and governance to oversee data privacy. That’s a fancy way of saying data legislation tells you how to manage the data within your organization. Data regulations cover the access and management of data pertaining to:

  • Consumer privacy

  • Data security

  • Data storage requirements

  • How to handle unauthorized access and cybersecurity attacks

Data compliance covers nothing short of fundamental security rights, and there are a lot of angles we can look at – from the rights of the individual to the operation of businesses.

Why data compliance matters

We know firsthand that data is a complex business topic, but consumer data is much more than just information or numbers. There are human beings connected to every piece of data you obtain. That’s why it’s worth protecting and all more important that it does not get in the wrong hands.

Of course, that data is also very valuable to the companies that collect it, helping them grow their business and build better user experiences. Data legislation not only protects the privacy of everyday people but the security of an organization’s data assets.

In a survey conducted by Sinch Mailjet, it’s clear that GDPR has established itself as a necessity, but a substantial 25% of those surveyed were unsure of the specific data legislation that applied to them. There’s a lot to go through between countries and definitions but keep reading and we’ll set the record straight on these policies.

Graph showing which countries data is coming from.

Data and compliance: Parties involved

There are three distinct parties affected by data legislations; data subjects, data controllers, and data processors, each with their own role to play. Though these three players are each represented in all current data legislation, they are not represented in the same way for each.

Before we break down who has to follow which rules, let’s get some basic definitions out of the way.

Who are the data subjects?

Data subjects are individuals whose personal data is collected, stored, sold, or processed by a business or organization. As an email sender your data subjects are your subscribers, or anyone whose email address you store.

Legislation that represents the data rights of consumers first emerged in 2016 with the European Union’s (EU) General Data Protection Regulations (GDPR) (effective date in May 2018). In the U.S. there is currently no comprehensive federal data protection legislation. So far, only a handful of states have put forth their own legislation, including California, with the California Consumer Privacy Act (CCPA) which became effective in January of 2020.

Who are the data controllers?

Data controllers determine the purposes and means by which personal data is processed. If you are a company that collects and stores personally identifiable information (PII) and you have your own users/customers, then you are a data controller. You are also a data controller just by processing the data of your own employees. Data controllers are decision-makers that call the shots on how the data they collect is managed and used.

Who are the data processors

A data processor is the one who carries out the actual processing of the data. A good example of the data roles would be to consider your favorite ecommerce store. The users/customers are the data subjects, the store is the data controller managing the products, and a company like Mailgun is one of the data processors working with that company to enable their automated transaction emails.

You are not necessarily limited to one data role. Mailgun, for example, is a data processor when it comes to enabling automated email but we are also a data controller in terms of collecting and storing our customer’s own data, and a data controller in our partnership with our payment provider. There can also be sub-processors who process data for the data processor on behalf of the data controller.

Consumer privacy laws

Now that we’ve got the definitions out of the way, let’s talk about the data laws that may affect you.

There are a growing number of legislations out there, and depending on the specific laws, data subjects, controllers, and processors have varying rights. If you’re a U.S. based business, these are the three overall guiding rules that will likely affect you the most:

General Data Protection Regulation (GDPR)

The GDPR was the first significant legislation that focused on the protection of data rights by mandating transparency and restoring data control to the individual. The GDPR imposes hefty fines for violations and governs data use with the mentality that individuals loan their data to service providers as opposed to surrendering it upon signup. It seeks to ensure utmost protection to consumers.

Key facts to remember:

  • Effective since May 25, 2018.

  • It harmonizes data protection laws throughout the EU.

  • It affects any business that processes data of EU citizens regardless of where they reside.

Want to learn more about GDPR? Check out our post General Data Protection Regulation (GDPR): Why should you care?

California Consumer Privacy Act (CCPA)

The CCPA only protects the rights of individuals who are California residents. If you are already GDPR compliant, becoming CCPA compliant will not require significant additional effort.

Key facts to remember:

  • Effective since Jan. 1, 2020.

  • This legislation provides data protection rights for California residents.

  • The CCPA affects organizations that conduct business in California.

Want to learn more about CCPA? Check out our post California Consumer Privacy Act (CCPA): Why should you care?

Health Insurance Portability and Accountability Act (HIPAA)

HIPPA includes rules for emerging technologies to manage health data like email, digital payment providers, and telehealth services. 2022 brought proposed updates affecting protected health information (PHI), flow of information, and patient access rights. The HIPAA Privacy Rule aims to improve care coordination and data sharing (alongside the rise of telehealth) and will require extensive infrastructure updates and additional training for health care providers and business associates.

Key facts to remember:

  • Originally passed in 1996.

  • It protects the disclosure of personal health information.

  • HIPAA applies to covered entities and business associates within the United States, even with respect to non-United States citizens or residents.

Want to learn more about HIPAA? Check out our post HIPPA compliance and email: What you need to know

Comparing global data policies: reference table

GDPR, CCPA, and HIPAA are the big three when it comes to regulating individual consumer data, but they aren’t the only legislation, and operating without some of the other compliance standards can make it challenging to operate your business across borders.

We know that all this policy talk might be starting to feel a bit like a textbook. We’re not in the business of lecturing but we do have the facts. If you are unsure which data legislation applies to you, we've created a table that helps you get the knowledge fast.

Legi­sla­tion

Fine­s

Prot­ected data­ subj­ects

Affe­cted data­ cont­rollers and proc­essors

Legi­sla­tion

G­DPR: The EU’s­ Gene­ral Data­ Prot­ection Regu­lation

€20M­­ or 4% of annu­­al glob­­al turn­­over (whi­­chever is grea­­ter).

Any EU citi­zen whos­e pers­onal data­ is coll­ected, held­, or proc­essed by an orga­nization.

Glob­­al busi­­nesses that­­ proc­­ess pers­­onal data­­ of EU citi­­zens incl­­uding nonp­­rofits that­­ acce­­pt dona­­tions from­­ EU citi­­zens.

Fine­s

C­CPA: Cali­fornia’s Cons­umer Priv­acy Act

$100­­-$750 per cons­­umer per inci­­dent. $240­­0-$7500 per civi­­l viol­­ation.

Only­ resi­dents of Cali­fornia.

Busi­­nesses oper­­ating in CA that­­ have­­ reve­­nue of $25M­­ or more­­, or proc­­ess data­­ on 50,0­­00 resi­­dents or more­­.

Prot­ected data­ subj­ects

U­CPA Utah­ Cons­umer Priv­acy Act

Up to $750­0 per viol­ation.

An indi­vidual who is a resi­dent of Utah­ acti­ng in an indi­vidual or hous­ehold cont­ext.

Pers­ons or enti­ties doin­g busi­ness in the stat­e of Utah­ with­ an annu­al reve­nue of $25,­000,000 or more­, who eith­er proc­ess pers­onal data­ of 100,­000 or more­ cons­umers or deri­ve over­ 50% of thei­r gros­s reve­nue from­ the sale­ of pers­onal data­ whil­e cont­rolling or proc­essing pers­onal data­ of 25,0­00 or more­ cons­umers.

Affe­cted data­ cont­rollers and proc­essors

V­CDPA Virg­inia Cons­umer Data­ Prot­ection Act

Up to $750­0 per viol­ation enfo­rced by the stat­e atto­rney gene­ral.

Only­ resi­dents of Virg­inia.

Natu­ral and lega­l pers­ons cond­ucting busi­ness in VA who meet­ at leas­t one of thes­e requ­irements: Cont­rol or proc­ess pers­onal data­ of at leas­t 100,­000 VA resi­dents, or cont­rol and proc­ess pers­onal data­ of at leas­t 25,0­00 VA cons­umers and deri­ve 50% or more­ gros­s reve­nue from­ the sale­ of pers­onal data­ in a cale­ndar year­.

H­IPAA: Heal­th Insu­rance Port­ability and Acco­untability Act

Civi­l mone­tary pena­lties (CMP­) are impo­sed rang­ing from­ $100­ to $50,­000 per affe­cted PHI reco­rd, with­ a maxi­mum fine­ of $1.5­ mill­ion per inci­dent.

All medi­cal reco­rds and othe­r indi­vidually iden­tifiable heal­th info­rmation used­ or disc­losed by a cove­red enti­ty in any form­.

HIPA­A affe­cts heal­th care­ prov­iders, heal­th plan­s, and heal­th care­ clea­ringhouses, and Busi­ness Asso­ciates carr­ying out work­ on beha­lf of a cove­red enti­ty.

U­K GDPR­: Grea­t Brit­ain’s enac­tment of the GDPR­ afte­r Brex­it. The­ GDPR­ is reta­ined in dome­stic law as the UK GDPR­, but the UK has the inde­pendence to keep­ the fram­ework unde­r revi­ew.

The UK GDPR­ has two tier­s of fine­s; the stan­dard maxi­mum fine­ is £8.7­ mill­ion or 2% of the tota­l annu­al worl­dwide turn­over and the high­er maxi­mum fine­, £17.­5 mill­ion or 4% of the tota­l annu­al worl­dwide turn­over.

Gove­rns the proc­essing of pers­onal data­ from­ indi­viduals loca­ted with­in the Unit­ed King­dom.

The UK GDPR­ appl­ies to cont­rollers and proc­essors with­in the UK. It cove­rs orga­nizations base­d outs­ide the UK if thei­r proc­essing acti­vities rela­te to moni­toring, or offe­ring good­s or serv­ices to indi­viduals in the UK.

L­GPD: Braz­il’s Gene­ral Pers­onal Data­ Prot­ection Law

Up to 2% of the net turn­over of the econ­omic grou­p in Braz­il, in its last­ fisc­al year­, limi­ted to BRL 50 mill­ion (app­rox. USD 10.5­ mill­ion) per viol­ation.

Appl­ies to any natu­ral pers­on loca­ted in Braz­il whos­e data­ has been­ coll­ected or proc­essed, rega­rdless of wher­e the comp­any that­ coll­ects the data­ is loca­ted.

The LGPD­ appl­ies to any data­ proc­essing that­ take­s plac­e in Braz­il, for the purp­oses of offe­ring good­s and serv­ices or to proc­ess data­ of peop­le who are loca­ted in Braz­il.

P­IPEDA: Cana­da’s Pers­onal Info­rmation Prot­ection and Elec­tronic Docu­ments Act

Orga­nizations that­ comm­it offe­nses may be subj­ect to fine­s of up to CAD 100,­000.

PIPE­DA prot­ects the pers­onal info­rmation of indi­viduals. An indi­vidual does­ not have­ to be a Cana­dian citi­zen or a resi­dent of a spec­ific prov­ince.

PIPE­DA appl­ies to priv­ate-sector orga­nizations acro­ss Cana­da that­ coll­ect, use or disc­lose pers­onal info­rmation in the cour­se of a com­mercial acti­vity.

A­PPI: Japa­n’s Pers­onal Info­rmation Priv­acy Act

Up to 100,­000,000 Japa­nese yen ($90­7,715) or a crim­inal puni­shment of up to 1 year­ in pris­on.

The APPI­ aims­ to prot­ect the pers­onal data­ of Japa­nese citi­zens.

APPI­ appl­ies to all busi­ness oper­ators that­ hand­le the pers­onal data­ of indi­viduals in Japa­n. Rega­rdless if the comp­any is loca­ted with­in the coun­try.

P­IPL: Chin­a’s Pers­onal Info­rmation Prot­ection Law

The PIPL­ impo­ses a maxi­mum fine­ of up to 50 mill­ion Yuan­ (7.8­ mill­ion USD)­, or 5% of the annu­al reve­nue of the prec­eding fina­ncial year­.

The PIPL­ aims­ to prot­ect the righ­ts and inte­rests of indi­viduals, regu­late pers­onal info­rmation proc­essing acti­vities, and faci­litate reas­onable use of pers­onal info­rmation.

PIPL­ requ­irements cove­r all comp­anies hand­ling the data­ of Chin­ese citi­zens, whet­her they­ are a dome­stic or inte­rnational busi­ness, and whet­her larg­e or smal­l.

Data security standards

We can’t give you a data policy article without talking about these: PCI DSS, SOC2, and ISO are data compliance standards. While these often overlap with the global legislation we’ve covered, there are separate compliance entities that govern them.

These data security standards are essentially audits that result in compliance certifications. Once obtained, these standards let data controllers know that an organization is a responsible partner.

As a responsible data processor, we pursue ISO and SOC2 to prove our security. Learn more about Sinch Mailgun security and compliance in our Trust Center.

Working with organizations that have achieved these standards can save you the trouble of needing to obtain them yourself. For example, Mailgun doesn’t need to be PCI compliant because we sub processor the payment services, and partner with payment processors that are respecting their own obligations.

Let’s learn a bit more about these standards.

PCI Data Security Standard (PCI DSS)

The PCI DSS is about creating confidence and security when processing payments. This standard is governed by the PCI Security Standards Council and is a set of security standards formed in 2004 by Visa, Mastercard, Discover Financial Services, JCB International, and American Express. It protects cardholder data and authentication data for individuals and reduces the risk of data breaches.

The PCI DSS has four main objectives:

  1. Protect stored cardholder data.

  2. Use and regularly update antivirus software or programs.

  3. Restrict access to cardholder data by business need-to-know.

  4. Track and monitor all access to network resources and cardholder data.

SOC2 Type I and II Compliance

System and Organization Controls (SOC) are internal reports that provide proof of security. Technology service providers like Mailgun voluntarily get this certification to prove their security processes can be trusted. Another audit-based compliance standard, SOC2, holds providers accountable for their data processing methods and cyber security controls.

Mailgun has SOC2 Type I & II, which are stringent and comprehensive reports that test the effectiveness of security controls and ensure they’re working.

  • SOC 2 Type I: Tests to ensure email security controls are in place (you need this for Type II).

  • SOC 2 Type II: Tests to ensure controls are in place and they are working effectively.

ISO standards

ISO standards establish baseline securities. If every country had different approaches to security best practices, it would be nearly impossible for companies to create security infrastructure. The solution is a shared international standards body which manages compliance by consensus. The International Organization for Standardization (ISO) has developed and published 25K standards since 1947 (Mailgun has achieved two).

ISO compliance proves you can handle different scenarios and control variables that help protect data and prevent malicious cyberattacks, data breaches, and other security disasters. These standards can also be specific. For example, ISO27701 is a rare certification within the email space containing 40 privacy controls that are closely mapped to GDPR standards.

From the information we've shared, you may think that existing legislation covers just about everything but that’s not the way the cookie crumbles. In truth, there are many more policies coming down the pipeline.

What are the limitations of compliance laws?

As you can tell from our very large table early in this post, not all data legislation is created equal. Currently, data compliance is regulated by individual countries ­– and in the U.S. by individual states – and that can make things muddy for establishing effective business practices. Here are the main things to keep in mind:

  • Data jurisdiction: Where your company exists doesn’t necessarily matter. Data jurisdiction is determined more by where your data subjects are located.

  • Data impact: Not all organizations are large enough to be represented in legislation. For example, in California the CCPA only affects you if you process data on 50,000 residents or more.

  • Penalties: There is no consistency regarding how violations are fined. Some will charge a total percentage of net turnover, while others charge per affected subject for each violation.

Data regulations heading into 2024

Data policy isn't just changing, it’s changing fast.

In the U.S., an Executive Order was signed by President Biden in early October 2022, implementing the European Union-U.S. Data Privacy Framework, which takes us closer to fixing cross border data transfer protections.

As of July 10, 2023 the European Commision adopted its adequacy decision for the EU-U.S. Data Privacy Framework. What does this mean? This adoption signifies that the United States provides an adequate level of protection for the personal data of EU citizens transferred through US organizations.

Learn more: Learn more about the requirements and adoption process for businesses for the Data Privacy Framework (DPF) Program here.

This recent adoption follows the Safe Harbor Framework (invalidated in 2015) and the EU-US Privacy Shield Framework (invalidated in 2020) that were both overturned by European courts.

Domestic policy updates

It’s likely that federal data laws are imminent for the U.S., especially if the DPF Program holds, that will be comparable to Europe’s GDPR and make data policies between the U.S. and the EU more seamless. While we don’t have a timeline yet for federal policies, here are the states planning to introduce policies as of 2024.

Signed laws

The Oregon Consumer Privacy Act goes into effect July 1, 2024

Texas data privacy and security act goes into effect July 1, 2024

Montana consumer data privacy act goes into effect October 1, 2024

The Delaware Personal Data Privacy Act goes into effect January 1, 2025

The Iowa Consumer Data Protection act goes into effect Jan 1, 2025

New Jersey legislation goes into effect January 15, 2025

Tennessee information protection act goes into effect July 1, 2025

The Indiana consumer data protection act goes into effect January 1, 2026

States with legislation in committee

  • Wisconsin

  • Minnesota

  • Missouri

  • Michigan

  • Ohio

  • Kentucky

  • Maine

  • Vermont

  • Massachusetts

  • New York

  • Pennsylvania

  • North Carolina

  • Wisconsin

States with legislation introduced

Nebraska

Once all the above states have active legislation, roughly 50% of the country will be operating with data policies of varying degrees while the other half of states currently have no bills introduced.

Other countries currently creating policies

These countries are developing legislation that we may see finalized in 2024 or within the next couple of years.

Australia

Australia’s updated Privacy Act addressing digital concerns and enhances online privacy and other measures. The bill (proposed in 2021) will give effect to the Australian Government's commitment to strengthen the Privacy Act 1988. It enables the introduction of a binding online privacy code for social media and certain other online platforms, increases penalties and enforcement measures, and aims to bring data policies for Australia closer in-line with standards established by the GDPR. In February 2023, Australia’s Attorney-General's Department released a final report on its review of the Privacy Act, presenting over 100 proposed reformations to the act to update it for the digital age. The Government is expected to introduce legislative amendments sometime in 2024.

India

India’s Personal Data Protection Bill (PDPB) was proposed in 2019 and was recently withdrawn (As of August. 2022) with stark criticism from stakeholders that believed the bill would give the government too much power over the data of its citizens. New legislation  was approved by the president of India in August 2023 and the Digital Personal Data Protection Act is expected to come into force in June 2024.

No matter how policy evolves, we’ll be keeping a close eye on the effects and changes so we can continue to keep your data safe.

Data compliance matters at Mailgun

Data represents people, and at Mailgun we respect people.

It’s no surprise that data – an endless resource ­– takes a lot of explanation and research to understand. As a data controller in technology, no one knows this better than us. If the links in this post don’t direct you to the information you need, or if you want to know more about how Mailgun manages your data, check out our data and compliance guide.

Learn about email security and compliance

Email security and compliance

Email security isn't easy. But you need to protect your business, brand, employees, and subscribers. Find out about the benefits of continually improving email security and compliance from our industry experts. It's yours to explore. No form filling required.

Related readings

Data processing: methods in the madness

It’s a mad, mad world of data that we live in, but if you know how to harness its power, data can fuel everything from your SEO to your scalability. Understanding data processing...

Read More

California Consumer Privacy Act (CCPA): Why should you care?

There’s been an ongoing gold rush, not for precious metals, but for personal consumer data. For a while, this highly valuable resources was up-for-grabs with minimal or non...

Read More

Why you shouldn’t count on the ADPPA and Privacy Shield 2.0

There’s been a lot of buzz around bipartisan U.S. legislation that may eventually become a federal law on data privacy protection. Plus, the U.S. and EU have come to an agreement...

Read More

Popular posts

Email inbox.

Email

5 min

Build Laravel 11 email authentication with Mailgun and Digital Ocean

Read More

Mailgun statistics.

Product

4 min

Sending email using the Mailgun PHP API

Read More

Statistics on deliverability.

Deliverability

5 min

Here’s everything you need to know about DNS blocklists

Read More

See what you can accomplish with the world's best email delivery platform. It's easy to get started.Let's get sending
CTA icon