Navigating global data compliance and regulations in 2024
Navigating legislation on data privacy can be like finding your way through a maze full of booby-traps. We’ve got the map to guide you and the data you need to know now. This post has been updated to reflect global and domestic updates as of January 2024.
Protection from loss, theft, and corruption – these are the goals of data privacy regulations.
Adhering to these regulations makes you a trusted sender, but it takes resources to keep up with the evolving policies around data privacy. As a dedicated data processor ourselves, we respect every bit of data we touch, and this index will be your guide to existing global legislation and what to expect for the year ahead.
Table of contents
Who are the data subjects?
Who are the data controllers?
Who are the data processors?
General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA)
Health Insurance Portability and Accountability Act (HIPAA)
Comparing global data policies: reference table
PCI Data Security Standard (PCI DSS)
SOC2 Type I and II Compliance
ISO standards
Domestic policy updates
Other countries currently creating policies
What is data compliance?
Data compliance is the process that determines legislation and governance to oversee data privacy. That’s a fancy way of saying data legislation tells you how to manage the data within your organization. Data regulations cover the access and management of data pertaining to:
Consumer privacy
Data security
Data storage requirements
How to handle unauthorized access and cybersecurity attacks
Data compliance covers nothing short of fundamental security rights, and there are a lot of angles we can look at – from the rights of the individual to the operation of businesses.
Why data compliance matters
We know firsthand that data is a complex business topic, but consumer data is much more than just information or numbers. There are human beings connected to every piece of data you obtain. That's why it's worth protecting, and all the more important that it does not get into the wrong hands.
Of course, that data is also very valuable to the companies that collect it, helping them grow their business and build better user experiences. Data legislation not only protects the privacy of everyday people but the security of an organization’s data assets.
In a survey conducted by Sinch Mailjet, it’s clear that GDPR has established itself as a necessity, but a substantial 25% of those surveyed were unsure of the specific data legislation that applied to them. There’s a lot to go through between countries and definitions but keep reading and we’ll set the record straight on these policies.
Data and compliance: Parties involved
There are three distinct parties affected by data legislation: data subjects, data controllers, and data processors, each with their own role to play. Though all three are represented in every current data law, they are not represented in the same way in each.
Before we break down who has to follow which rules, let’s get some basic definitions out of the way.
Who are the data subjects?
Data subjects are individuals whose personal data is collected, stored, sold, or processed by a business or organization. As an email sender your data subjects are your subscribers, or anyone whose email address you store.
Legislation that represents the data rights of consumers first emerged in 2016 with the European Union's (EU) General Data Protection Regulation (GDPR), which became effective in May 2018. In the U.S. there is currently no comprehensive federal data protection legislation. So far, only a handful of states have put forth their own legislation, including California with the California Consumer Privacy Act (CCPA), which became effective in January 2020.
Who are the data controllers?
Data controllers determine the purposes and means by which personal data is processed. If you are a company that collects and stores personally identifiable information (PII) and you have your own users/customers, then you are a data controller. You are also a data controller just by processing the data of your own employees. Data controllers are decision-makers that call the shots on how the data they collect is managed and used.
Who are the data processors?
A data processor is the one who carries out the actual processing of the data. A good example of the data roles would be to consider your favorite ecommerce store. The users/customers are the data subjects, the store is the data controller managing the products, and a company like Mailgun is one of the data processors working with that company to enable their automated transaction emails.
You are not necessarily limited to one data role. Mailgun, for example, is a data processor when it comes to enabling automated email, but we are also a data controller in terms of collecting and storing our own customers' data, and a data controller in our partnership with our payment provider. There can also be sub-processors, who process data for the data processor on behalf of the data controller.
Consumer privacy laws
Now that we’ve got the definitions out of the way, let’s talk about the data laws that may affect you.
There are a growing number of data laws out there, and depending on the specific law, data subjects, controllers, and processors have varying rights. If you're a U.S.-based business, these are the three overall guiding rules that will likely affect you the most:
General Data Protection Regulation (GDPR)
The GDPR was the first significant legislation that focused on the protection of data rights by mandating transparency and restoring data control to the individual. The GDPR imposes hefty fines for violations and governs data use with the mentality that individuals loan their data to service providers as opposed to surrendering it upon signup. It seeks to ensure utmost protection to consumers.
Key facts to remember:
Effective since May 25, 2018.
It harmonizes data protection laws throughout the EU.
It affects any business that processes the data of EU citizens, regardless of where that business is located.
Want to learn more about GDPR? Check out our post General Data Protection Regulation (GDPR): Why should you care?
California Consumer Privacy Act (CCPA)
The CCPA only protects the rights of individuals who are California residents. If you are already GDPR compliant, becoming CCPA compliant will not require significant additional effort.
Key facts to remember:
Effective since Jan. 1, 2020.
This legislation provides data protection rights for California residents.
The CCPA affects organizations that conduct business in California.
Want to learn more about CCPA? Check out our post California Consumer Privacy Act (CCPA): Why should you care?
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA includes rules for emerging technologies that manage health data, such as email, digital payment providers, and telehealth services. 2022 brought proposed updates affecting protected health information (PHI), the flow of information, and patient access rights. The HIPAA Privacy Rule aims to improve care coordination and data sharing (alongside the rise of telehealth) and will require extensive infrastructure updates and additional training for health care providers and business associates.
Key facts to remember:
Originally passed in 1996.
It protects the disclosure of personal health information.
HIPAA applies to covered entities and business associates within the United States, even with respect to non-United States citizens or residents.
Want to learn more about HIPAA? Check out our post HIPAA compliance and email: What you need to know
Comparing global data policies: reference table
GDPR, CCPA, and HIPAA are the big three when it comes to regulating individual consumer data, but they aren’t the only legislation, and operating without some of the other compliance standards can make it challenging to operate your business across borders.
We know that all this policy talk might be starting to feel a bit like a textbook. We’re not in the business of lecturing but we do have the facts. If you are unsure which data legislation applies to you, we've created a table that helps you get the knowledge fast.
| Legislation | Fines | Protected data subjects | Affected data controllers and processors |
|---|---|---|---|
| GDPR: The EU's General Data Protection Regulation | €20M or 4% of annual global turnover (whichever is greater). | Any EU citizen whose personal data is collected, held, or processed by an organization. | Global businesses that process personal data of EU citizens, including nonprofits that accept donations from EU citizens. |
| CCPA: California's Consumer Privacy Act | $100-$750 per consumer per incident. $2,400-$7,500 per civil violation. | Only residents of California. | Businesses operating in CA that have revenue of $25M or more, or process data on 50,000 residents or more. |
| UCPA: Utah Consumer Privacy Act | Up to $7,500 per violation. | An individual who is a resident of Utah acting in an individual or household context. | Persons or entities doing business in the state of Utah with an annual revenue of $25,000,000 or more, who either process personal data of 100,000 or more consumers, or derive over 50% of their gross revenue from the sale of personal data while controlling or processing personal data of 25,000 or more consumers. |
| VCDPA: Virginia Consumer Data Protection Act | Up to $7,500 per violation, enforced by the state attorney general. | Only residents of Virginia. | Natural and legal persons conducting business in VA who meet at least one of these requirements: control or process personal data of at least 100,000 VA residents, or control and process personal data of at least 25,000 VA consumers and derive 50% or more of gross revenue from the sale of personal data in a calendar year. |
| HIPAA: Health Insurance Portability and Accountability Act | Civil monetary penalties (CMP) ranging from $100 to $50,000 per affected PHI record, with a maximum fine of $1.5 million per incident. | All medical records and other individually identifiable health information used or disclosed by a covered entity in any form. | Health care providers, health plans, and health care clearinghouses, and business associates carrying out work on behalf of a covered entity. |
| UK GDPR: Great Britain's enactment of the GDPR after Brexit. The GDPR is retained in domestic law as the UK GDPR, but the UK has the independence to keep the framework under review. | Two tiers of fines: the standard maximum fine is £8.7 million or 2% of total annual worldwide turnover; the higher maximum fine is £17.5 million or 4% of total annual worldwide turnover. | Governs the processing of personal data from individuals located within the United Kingdom. | Controllers and processors within the UK, and organizations based outside the UK if their processing activities relate to monitoring, or offering goods or services to, individuals in the UK. |
| LGPD: Brazil's General Personal Data Protection Law | Up to 2% of the net turnover of the economic group in Brazil in its last fiscal year, limited to BRL 50 million (approx. USD 10.5 million) per violation. | Any natural person located in Brazil whose data has been collected or processed, regardless of where the company that collects the data is located. | Any data processing that takes place in Brazil, for the purpose of offering goods and services or processing data of people who are located in Brazil. |
| PIPEDA: Canada's Personal Information Protection and Electronic Documents Act | Organizations that commit offenses may be subject to fines of up to CAD 100,000. | The personal information of individuals. An individual does not have to be a Canadian citizen or a resident of a specific province. | Private-sector organizations across Canada that collect, use, or disclose personal information in the course of a commercial activity. |
| APPI: Japan's Personal Information Privacy Act | Up to 100,000,000 Japanese yen ($907,715) or a criminal punishment of up to 1 year in prison. | The personal data of Japanese citizens. | All business operators that handle the personal data of individuals in Japan, regardless of whether the company is located within the country. |
| PIPL: China's Personal Information Protection Law | A maximum fine of up to 50 million yuan (7.8 million USD), or 5% of the annual revenue of the preceding financial year. | The rights and interests of individuals; the PIPL also regulates personal information processing activities and facilitates reasonable use of personal information. | All companies handling the data of Chinese citizens, whether domestic or international, and whether large or small. |
Data security standards
We can't give you a data policy article without talking about these: PCI DSS, SOC2, and ISO are data compliance standards. While they often overlap with the global legislation we've covered, separate compliance bodies govern them.
These data security standards are essentially audits that result in compliance certifications. Once obtained, these standards let data controllers know that an organization is a responsible partner.
As a responsible data processor, we pursue ISO and SOC2 to prove our security. Learn more about Sinch Mailgun security and compliance in our Trust Center.
Working with organizations that have achieved these standards can save you the trouble of needing to obtain them yourself. For example, Mailgun doesn't need to be PCI compliant because we outsource payment services to payment processors that meet their own PCI obligations.
Let’s learn a bit more about these standards.
PCI Data Security Standard (PCI DSS)
The PCI DSS is about creating confidence and security when processing payments. This standard is governed by the PCI Security Standards Council and is a set of security standards formed in 2004 by Visa, Mastercard, Discover Financial Services, JCB International, and American Express. It protects cardholder data and authentication data for individuals and reduces the risk of data breaches.
The PCI DSS has four main objectives:
Protect stored cardholder data.
Use and regularly update antivirus software or programs.
Restrict access to cardholder data by business need-to-know.
Track and monitor all access to network resources and cardholder data.
SOC2 Type I and II Compliance
System and Organization Controls (SOC) are internal reports that provide proof of security. Technology service providers like Mailgun voluntarily get this certification to prove their security processes can be trusted. Another audit-based compliance standard, SOC2, holds providers accountable for their data processing methods and cyber security controls.
Mailgun has SOC2 Type I & II, which are stringent and comprehensive reports that test the effectiveness of security controls and ensure they’re working.
SOC 2 Type I: Tests to ensure email security controls are in place (you need this for Type II).
SOC 2 Type II: Tests to ensure controls are in place and they are working effectively.
ISO standards
ISO standards establish baseline security controls. If every country had a different approach to security best practices, it would be nearly impossible for companies to build security infrastructure. The solution is a shared international standards body that manages compliance by consensus. The International Organization for Standardization (ISO) has developed and published 25K standards since 1947 (Mailgun has achieved two).
ISO compliance proves you can handle different scenarios and control variables that help protect data and prevent malicious cyberattacks, data breaches, and other security disasters. These standards can also be specific. For example, ISO27701 is a rare certification within the email space containing 40 privacy controls that are closely mapped to GDPR standards.
From the information we've shared, you may think that existing legislation covers just about everything but that’s not the way the cookie crumbles. In truth, there are many more policies coming down the pipeline.
What are the limitations of compliance laws?
As you can tell from the large table earlier in this post, not all data legislation is created equal. Currently, data compliance is regulated by individual countries – and in the U.S. by individual states – and that can make things muddy when establishing effective business practices. Here are the main things to keep in mind:
Data jurisdiction: Where your company exists doesn’t necessarily matter. Data jurisdiction is determined more by where your data subjects are located.
Data impact: Not all organizations are large enough to be represented in legislation. For example, in California the CCPA only affects you if you process data on 50,000 residents or more.
Penalties: There is no consistency regarding how violations are fined. Some will charge a total percentage of net turnover, while others charge per affected subject for each violation.
Data regulations heading into 2024
Data policy isn't just changing, it’s changing fast.
In the U.S., an Executive Order was signed by President Biden in early October 2022, implementing the European Union-U.S. Data Privacy Framework, which takes us closer to fixing cross-border data transfer protections.
As of July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. What does this mean? The adoption signifies that the United States provides an adequate level of protection for the personal data of EU citizens transferred to participating U.S. organizations.
Learn more: Learn more about the requirements and adoption process for businesses for the Data Privacy Framework (DPF) Program here.
This recent adoption follows the Safe Harbor Framework (invalidated in 2015) and the EU-US Privacy Shield Framework (invalidated in 2020) that were both overturned by European courts.
Domestic policy updates
It's likely that federal data laws comparable to Europe's GDPR are imminent for the U.S., especially if the DPF Program holds, and that they will make data policies between the U.S. and the EU more seamless. While we don't have a timeline yet for federal policies, here are the states planning to introduce policies as of 2024.
Signed laws
The Oregon Consumer Privacy Act goes into effect July 1, 2024
The Texas Data Privacy and Security Act goes into effect July 1, 2024
The Montana Consumer Data Privacy Act goes into effect October 1, 2024
The Delaware Personal Data Privacy Act goes into effect January 1, 2025
The Iowa Consumer Data Protection Act goes into effect January 1, 2025
New Jersey legislation goes into effect January 15, 2025
The Tennessee Information Protection Act goes into effect July 1, 2025
The Indiana Consumer Data Protection Act goes into effect January 1, 2026
States with legislation in committee
Wisconsin
Minnesota
Missouri
Michigan
Ohio
Kentucky
Maine
Vermont
Massachusetts
New York
Pennsylvania
North Carolina
States with legislation introduced
Nebraska
Once all the above states have active legislation, roughly 50% of the country will be operating with data policies of varying degrees while the other half of states currently have no bills introduced.
Other countries currently creating policies
These countries are developing legislation that we may see finalized in 2024 or within the next couple of years.
Australia
Australia's updated Privacy Act addresses digital concerns and enhances online privacy, among other measures. The bill (proposed in 2021) will give effect to the Australian Government's commitment to strengthen the Privacy Act 1988. It enables the introduction of a binding online privacy code for social media and certain other online platforms, increases penalties and enforcement measures, and aims to bring Australia's data policies closer in line with the standards established by the GDPR. In February 2023, Australia's Attorney-General's Department released a final report on its review of the Privacy Act, presenting over 100 proposed reforms to update the act for the digital age. The Government is expected to introduce legislative amendments sometime in 2024.
India
India's Personal Data Protection Bill (PDPB) was proposed in 2019 and was recently withdrawn (as of August 2022) amid stark criticism from stakeholders who believed the bill would give the government too much power over the data of its citizens. New legislation was approved by the President of India in August 2023, and the Digital Personal Data Protection Act is expected to come into force in June 2024.
No matter how policy evolves, we’ll be keeping a close eye on the effects and changes so we can continue to keep your data safe.
Data compliance matters at Mailgun
Data represents people, and at Mailgun we respect people.
It’s no surprise that data – an endless resource – takes a lot of explanation and research to understand. As a data controller in technology, no one knows this better than us. If the links in this post don’t direct you to the information you need, or if you want to know more about how Mailgun manages your data, check out our data and compliance guide.