What You Should Know About Internet Privacy Laws

Jul 27, 2022

Responsible data management is a good business practice, and in some places, it is the law. Is your business in compliance with data privacy law?

Zach CapersSr Specialist Analyst
What You Should Know About Internet Privacy Laws

What we'll cover

The rise of internet privacy laws in 2018 came about due to the erosion of public trust by continual reports of massive data breaches, manipulative online marketing practices, and irresponsible data collection.  And the European Union’s General Data Protection Regulation (GDPR) and California’s California Consumer Privacy Act (CCPA) were just the beginning.

More states are beginning to launch their own data security laws to protect their constituents and hold businesses accountable for how they treat, collect, and use customer data.

A whopping 84% of marketers in GetApp’s recent privacy-focused marketers survey[*] stated that they felt their company was prepared to comply with new data privacy regulations. In the same survey, however, 67% of marketers incorrectly believe that the U.S. has a comprehensive federal privacy law.

Small businesses must endeavor to stay ahead of the data privacy curve by staying aware of current internet laws and regulations and anticipating those that are on the way.

In this article, we’ll catch you up on GDPR and CCPA amendments, upcoming state legislation, and other relevant regulations. We’ll also give you a list of recommendations to help your business stay in compliance and keep privacy policies up-to-date.

New, upcoming state legislation

The United States does not have a single comprehensive internet privacy law. However, the American Data Privacy and Protection Act (ADPPA),  proposed U.S. federal privacy legislation, could change that. If it is passed into law, it will supersede all state privacy laws. Until then, it’s up to individual states to pass legislation that protects customer data [1]. California was the first in this endeavor by passing CCPA in 2018. Since then, other states have followed suit in passing comprehensive consumer data privacy laws, including Colorado, Connecticut, Utah, and Virginia [2].

The Colorado Privacy Act, part of the Colorado Consumer Protection Act, acknowledges consumer’s rights to privacy and holds companies responsible in how they treat, manage, and use data. This act will go into effect July 1, 2023 [3].

Connecticut’s Personal Data Privacy and Online Monitoring Act gives consumers the right to access, correct, delete, and get a copy of personal data possessed by companies and opt out of having their data collected. It also establishes standards for responsible data practices. This act will go into effect July 1, 2023 [4].

Under Utah’s Consumer Privacy Act, consumers have the right to know what personal data businesses collect, what this data is used for, and whether the business sells this data. Consumers can also access and delete data collected and opt out of data collection. Effective date: December 31, 2023 [5].

Virginia's Consumer Data Protection Act applies to businesses that process the data of at least 100,000 customers or earn more than 50% of gross revenue from the sale of personal data. Like most other internet privacy laws, this law also gives consumers the right to access, correct, and delete their personal data possessed by companies and opt out of data collection. Effective date: January 1, 2023 [6].

Other states have passed data privacy legislation that address specific aspects of internet privacy, but are not considered comprehensive. These laws address individual issues of:

  • Broker registration (California [7] and Vermont [8])

  • Children’s online privacy (California [9] and Delaware [10])

  • E-reader privacy (Arizona [11], Delaware [10], Missouri [12], and California [13])

The General Data Protection Regulation (GDPR)

The GDPR is a European Union (EU) data protection law that went into effect on May 25, 2018. On July 20, 2018, it also became law in the European Economic Area (EEA), which comprises non-EU countries Iceland, Norway, and Liechtenstein.

The GDPR was enacted to regulate the collection, storage, and sharing of personal data on the internet. Data relevant to GDPR can include name, government ID number, browser cookies, IP addresses, location information, or social media: in other words, any data that identifies the user. It also governs data breach reporting and grants rights to data subjects.

Though it specifically protects users located in EU and EEA countries, GDPR’s ultimate scope extends around the globe. The regulation affects individuals, companies, and organizations anywhere in the world that process the data of users in the EU and EEA.

To be clear: GDPR is not concerned with citizenship. Rather it is concerned with users located in covered countries, whether they be citizens, visitors, or expats. Similarly, EU and EEA citizens are not protected by GDPR when conducting data transactions abroad.

This means that marketing your services, conducting transactions, and storing data relevant to users in these countries must all be done under the guidance of GDPR, or you risk the consequences.

Since GDPR passed in May 2018 to May 2022, more than 900 fines have been issued to companies who have violated GDPR, including Facebook, Amazon, Google, Whatsapp, and H&M [14]. Depending on the severity and frequency of violations, non-compliance with GDPR can result in steep fines, maxing out at 20 million euros or four percent of gross revenue, whichever is higher.

Despite these heavy consequences for violating GDPR, less than half (45%) of marketers say they are very or extremely familiar with GDPR. Twenty-nine percent say they are somewhat familiar, and 26% say they are not very familiar or not familiar at all [*].

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

CCPA was passed on June 28, 2018 and went into effect on January 1, 2020. It is designed to enhance the digital privacy rights of Californians [15]. In a sign that data privacy is not necessarily a partisan issue, the CCPA was passed unanimously by California’s legislature.

Considering the state’s national policy influence and the fact that it is home to many of the world’s top tech companies, the legislation altered the data privacy landscape in the United States and created a  framework other states are using to develop their own legislation. Much like GDPR, the CCPA grants several data rights for denizens of California.

Data rights under the California Consumer Privacy Act

  • The right to know what data a business collects.

  • The right to delete personal information in a business’s possession.

  • The right to opt out of data collection.

  • The right to non-discrimination if one chooses to exercise CCPA rights.

While GDPR applies to all processors of data, CCPA applies only to for-profit businesses that do business in California and fall under any one of the following three categories:

  • Annual gross revenues exceeding $25 million.

  • Fifty percent or more of annual revenues result from the selling of consumer data.

  • Buys, sells, receives, or shares the personal information of 50,000 or more consumers, devices, or households annually for commercial purposes.

CCPA penalties can reach $7,500 per violation, which adds up quickly: The mishandling of only 134 records could result in a $1 million fine. Additionally, the CCPA provides for individual and class action lawsuits against offending companies.

The California Privacy Rights Act (CPRA) was approved by California voters in November 2020. This act expands the scope of the state’s data privacy laws, letting consumers prevent businesses from sharing their data, correcting their data, and limiting businesses’ use of sensitive data, such as geolocation, race, religion, sexual orientation, health or genetic information, and protecting electronic communications privacy. Under this act, businesses that violate internet privacy laws for consumers under the age of 16 face tripled maximum penalties [16].  The CRPA also established the California Privacy Protection Agency (CPPA), which is the first agency in the U.S. to be established that is solely dedicated to enforcing laws surrounding consumer data privacy.

ePrivacy Regulation (ePR)

Commonly referred to as the Cookie Law, the EU’s ePrivacy Regulation (ePR) is intended to sit alongside GDPR. This new regulation will eventually replace the EU’s ePrivacy Directive (EPD), which was passed in 2002 and amended in 2009. The EPR was planned to be passed in 2018, along with the GDPR, but lawmakers have not yet been able to reach consensus on what this new law should look like. This new regulation will make ePrivacy legally binding through the EU, while the directive left it up to EU countries to make it part of their national law [17].

The existing directive is partially responsible for the ubiquitous cookie consent forms that you encounter all over the internet. The regulation, which has yet to be passed,  will also regulate electronic communications such as unsolicited emails and text messages.

The lead up to ePR has unfolded with less publicity compared to GDPR, but its rules will upend the current ad revenue-based business model of vast swaths of online companies and complicate the metrics used by most websites to target customers.

The legislation will limit the use of most cookies and require that users give explicit consent prior to their installation. Users will also be able to choose which types of cookies may or may not be installed.


Cookie consent form on Spanish music festival Primavera Sound’s website (Source)

Cookies are baked into your browser

A browser cookie is a small file that web pages store on your device. There are many types of cookies, including:

Session cookies

Session cookies are temporary and removed when a user leaves the website or closes their browser. These cookies do not collect information from the user and are generally intended to maintain website functionality from page to page. For example, session cookies allow you to keep an item in your online shopping cart without logging in. These cookies will not be subject to ePR regulations.

Persistent cookies

Persistent cookies, conversely, do not disappear after a user leaves a website. These cookies stay attached to the user's device until they expire or are manually deleted. They allow a site's web server to recognize you and keep you logged in each time you return to a website. Also known as permanent cookies, persistent cookies are also used to develop metrics such as movement through a website, frequency of return, and time spent on page. This helps site operators understand their visitors, customize advertisements, and make better decisions about site design. These cookies will be subject to ePR regulations.

Third-party cookies

Third-party cookies covertly glom on to your browser through everything from banner ads to social media buttons. These cookies are used by advertisers to follow you around the internet and build a detailed user profile. Third-party cookies are why you get inundated with advertisements for French hotels on one website soon after searching for flights to Paris on another. These cookies will be subject to ePR regulations.

The U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act

The Clarifying Lawful Overseas Use of Data Act (CLOUD) became law on March 23, 2018 and significantly impacts privacy law in the United States. The CLOUD Act establishes procedures for U.S. companies that offer electronic data services (e.g., cloud-based data storage companies, Software-as-a-Service providers) to turn data stored in other countries over to U.S. authorities.

This issue was central to the widely followed-and now moot-Supreme Court case U.S. v. Microsoft Corp (Ireland). In that case, the U.S. government was seeking private emails of Microsoft customers that were stored on servers located in Ireland [18].

Under the CLOUD Act, a warrant can be issued by the United States government, or the governments of qualifying countries that have entered into a reciprocal data sharing agreement, for a service provider’s customer and subscriber data stored abroad. This presents potential conflicts for companies that must adhere both to GDPR and the CLOUD Act.

For example, a U.S. citizen living in Spain who uses an American cloud service that stores data on servers in Poland causes that company to be subject to both regulations simultaneously. And while the act includes a provision to quash a warrant under specific conditions, it is yet to be seen how that will play out in practice.

The CLOUD Act has been the subject of controversy since its late inclusion in an omnibus spending bill without a hearing or debate. Concerns have been voiced that it pushes the limits of Fourth Amendment protections and that its reciprocal data sharing agreements might allow countries with poor human rights records to obtain information about political dissidents.

Recommendations to ease compliance

Even if your small business is not currently affected by GDPR or state privacy legislation, we recommend that you view it as a roadmap for compliance with the array of regulations it will inspire. This will help your company gain a competitive advantage over others that will be caught off guard when these laws inevitably arise.

Adopting sensible consent management practices and enhancing customer or user privacy can be a marketable feature that shows consumers you care about their data and will go above and beyond to ensure it’s protected.

Get a jump on the future of data privacy with these recommendations:

  • Consider conducting a privacy impact assessment to audit your data to determine what type of consumer data you collect, where it is stored, and who can access it [19].

  • Factor regulations such as GDPR and the CLOUD act into decisions to adopt cloud-based data storage and consider storing regulated data onsite.

  • Choose customer relationship management (CRM) software that is GDPR-compliant. This will allow you to more easily manage customer data in ways relevant to emerging regulations.

  • Consider your use of cookies for tracking, advertising, and retargeting practices and deploy a cookie consent form that links to your privacy policy.

  • Hire or designate a data protection officer who can guide your company through the dynamic world of internet privacy law.

  • Ease consent management by employing software designed specifically to maintain GDPR compliance.

Additional resources about data management and compliance

Survey Methodology

GetApp’s 2022 Privacy-Focused Marketers Survey was conducted in April 2022 among 299 U.S. respondents to study marketer actions, attitudes, and reactions toward data privacy. Respondents were screened to work full-time in marketing, advertising, sales, or IT departments and have some level of involvement in marketing-related activities.


1. The State of Consumer Data Privacy Laws in the U.S., The New York Times

2. State Laws Related to Digital Privacy, National Conference of State Legislatures

3. The Colorado Privacy Act,

4. Connecticut’s Personal Data Privacy and Online Monitoring Act,

5. S.B. 227 Consumer Privacy Act, Utah State Legislature

6. SB 1392 Consumer Data Protection Act, Virginia's Legislative Information System

7. TITLE 1.81.48. Data Broker Registration, California Legislative Information

8. Title 9: Commerce and Trade, Vermont General Assembly

9. Privacy Rights for California Minors in the Digital World, California Legislative Information 

10. Online and Personal Privacy Protection, The Delaware Code Online

11. Privacy of user records; violation; classification; definition, Arizona State Legislature

12. Disclosure of library records, definitions, Missouri Revisor of Statutes

13. ARTICLE 1. General Provisions, California Legislative Information

14. 30 Biggest GDPR Fines So Far (2020, 2021, 2022), Tessian

15. California Consumer Privacy Act of 2018, California Legislative Information

16. Proposition 24, California Legislative Information

17. Cookies, the GDPR, and the ePrivacy Directive,

18. United States v. Microsoft Corp., 584 U.S. (2018), Justia, Supreme Court

19. Privacy Impact Assessments, U.S. Department of Homeland Security

About the author

Zach Capers

Sr Specialist Analyst
Zach Capers is a senior analyst at GetApp, covering IT security, data privacy, and emerging technology trends. A former internal investigator for a Fortune 50 company and researcher for the Association of Certified Fraud Examiners (ACFE), his work has been featured in publications such as Forbes, Business Insider, and Journal of Accountancy.
Visit author's page