www.azpirantz.com | 02

Table of Contents
1. The Importance of Privacy Law Compliance in 2025
2. Key Global Privacy Laws and Regulations (2025)
3. Common Principles Across Global Privacy Laws
4. Best Practices for Staying Compliant (and Ahead) in 2025
5. Conclusion: From Compliance to Trust

The Importance of Privacy Law Compliance in 2025

Why does compliance with privacy laws matter so much? For one, the penalties for non-compliance are steep. Under the EU’s General Data Protection Regulation (GDPR), fines for the most serious violations can reach €20 million or 4% of worldwide annual turnover, whichever is higher. In the United States, the California Consumer Privacy Act (CCPA), as amended and expanded by the California Privacy Rights Act (CPRA), allows civil penalties of up to $2,500 per violation, or $7,500 per intentional violation. Beyond fines, companies risk private lawsuits, regulatory enforcement actions, and lasting damage to their reputation and customer trust. A single data breach or compliance failure can erode consumer confidence; conversely, strong privacy practices can be a competitive advantage. Surveys consistently show that a large majority of consumers are more willing to trust companies that are transparent and careful with personal data, making compliance a business imperative rather than a legal checkbox.

Key Global Privacy Laws and Regulations (2025)

Privacy laws vary by country and region, but certain frameworks stand out because of their broad influence and stringent requirements.

1. European Union: GDPR and ePrivacy Directive
The EU’s General Data Protection Regulation (GDPR) is widely regarded as the world’s strictest and most comprehensive data privacy law.
In force since May 25, 2018, the GDPR harmonizes data protection rules across all EU member states and applies to any organization, wherever it is established, that processes the personal data of individuals in the EU.
• Scope: any organization, anywhere in the world, that offers goods or services to individuals in the EU or monitors their behaviour.
• Key rights: access, rectification, erasure (the “right to be forgotten”), data portability, and objection to processing.
• Obligations: a documented lawful basis for every processing activity (consent is one of six bases and, where relied on, must be freely given, specific, informed and unambiguous); notification of personal data breaches to the supervisory authority within 72 hours of becoming aware of them; appointment of a Data Protection Officer (DPO) in the cases the regulation specifies.
• Penalties: up to €20M or 4% of worldwide annual turnover, whichever is higher.
• The ePrivacy Directive (2002/58/EC, amended in 2009) governs cookies and similar tracking technologies and requires informed consent before non-essential cookies are stored on or read from a user’s device.
• In practice this means a consent mechanism (usually a banner) in which rejecting non-essential cookies is as easy as accepting them; pre-selected choices do not produce valid consent.
• A replacement ePrivacy Regulation (ePR), proposed in 2017 to update the 2002 directive, has never been adopted.
• The UK GDPR mirrors the EU GDPR post-Brexit, with limited divergence introduced by ongoing UK reform.

2. United States: CCPA/CPRA + State-Level Patchwork
In the absence of a single federal data protection law in the U.S., privacy regulation has been led by the states, most prominently California. The California Consumer Privacy Act (CCPA), effective January 1, 2020 and substantially expanded by the CPRA from January 1, 2023, was a landmark law granting Californians rights over their personal information.
• At least 14 U.S. states have enacted their own comprehensive privacy laws (e.g., VA, CO, CT, UT, IA).
• 2025 effective dates: IA, DE, NH (January), TN (July); recently effective: OR, MT; upcoming: MD, IN.
• Common elements: rights of access, correction, deletion, and opt-out of targeted advertising and the sale of personal data; a duty to maintain reasonable security.
• Penalties are typically up to $7,500 per intentional violation.
• Sectoral federal laws such as HIPAA (health data) and COPPA (children under 13) continue to apply separately.

3. Brazil: Lei Geral de Proteção de Dados (LGPD)
Brazil’s LGPD (General Data Protection Law), in force since September 2020, is a comprehensive privacy law closely modeled on the EU GDPR.
• Core principles: lawful basis (including consent), purpose limitation, data minimization.
• Rights: access, correction, deletion, portability.
• Controllers must appoint a DPO (encarregado) in most cases.
• The ANPD (national authority) has been able to apply administrative sanctions since August 2021.
• Fines: up to 2% of the organization’s revenue in Brazil for the previous financial year, capped at BRL 50 million per violation (roughly USD 10 million).
• The LGPD has influenced other Latin American privacy frameworks.

4. China: Personal Information Protection Law (PIPL)
China’s data protection regime has tightened rapidly in recent years. Its centerpiece is the Personal Information Protection Law (PIPL), in effect since November 1, 2021 and the first comprehensive national-level privacy law in China.
• Applies to processing of the personal information of individuals in China, including by organizations outside China that offer products or services to them or analyze their behaviour.
• Broad definition of personal information; a lawful basis (most commonly consent) is required, with separate consent for sensitive personal information.
• Rights: access, correction, deletion, and to be informed about processing.
• Data localization for critical information infrastructure operators and for processors above government-set volume thresholds.
• Separate consent, plus a regulator security assessment, standard contract or certification, is required for cross-border transfers; separate consent is also required for sharing with third parties.
• Fines: up to RMB 50 million or 5% of the previous year’s turnover; responsible individuals can be fined personally and barred from senior management roles.
• Example: in July 2022 Didi was fined RMB 8.026 billion (about USD 1.2 billion) for violations of the PIPL and related cybersecurity and data security laws.

5. India: Digital Personal Data Protection Act (DPDPA)
India, the world’s most populous country, enacted its first comprehensive privacy law in 2023. The Digital Personal Data Protection Act (DPDPA) received presidential assent on August 11, 2023, after years of draft bills and debate following the 2017 Supreme Court judgment (Puttaswamy) that recognized privacy as a fundamental right. Its provisions come into force only as the central government notifies them; draft implementing rules were published for consultation in January 2025.
• Introduces its own terms: Data Fiduciaries (controllers) and Data Principals (individuals).
• Core principles: lawfulness, purpose limitation, minimization, accuracy, security.
• Rights: access, correction and erasure, grievance redressal, and nomination of a person to exercise rights on the principal’s behalf.
• No “sensitive” category: all personal data is treated alike.
• Establishes the Data Protection Board of India.
• Fines: up to ₹250 crore (about USD 30 million) per instance.
• Proactive compliance is needed given India’s massive digital user base.

Other Notable Privacy Frameworks
• Canada (PIPEDA): consent-driven; built on 10 Fair Information Principles; the federal reform bill (C-27) lapsed in January 2025, so reform remains pending.
• Japan (APPI): amended in 2015 and 2020 (in force from 2017 and 2022); GDPR-aligned, with mandatory breach notification.
• Australia (Privacy Act 1988): reforms passed in 2022 and 2024 raised maximum penalties and added a statutory tort for serious invasions of privacy; further reforms are proposed.
• South Korea (PIPA): strict rules, actively enforced; GDPR-style obligations.
• Singapore (PDPA): consent-based; includes the Do Not Call (DNC) registry and mandatory breach notification.
• Africa: Nigeria (Data Protection Act 2023, replacing the 2019 NDPR), Kenya (Data Protection Act 2019); the AU’s Malabo Convention entered into force in June 2023.
• Turkey (KVKK): GDPR-inspired; in force since 2016.
• South Africa (POPIA): fully in effect since July 2021; GDPR-influenced structure.

Common Principles Across Global Privacy Laws

Despite differences in scope and enforcement, global privacy laws are built on common foundational principles and individual rights.

1. Consent and Lawful Processing
• Every law requires a lawful basis for processing personal data; most emphasize clear, affirmative user consent.
• GDPR rejects pre-ticked boxes and implied consent (confirmed by the CJEU in Planet49, 2019).
• Brazil’s LGPD and India’s DPDPA require free, informed, specific consent.
• Sectoral laws such as COPPA require verifiable parental consent for children.
• Some frameworks accept alternatives to consent: contractual necessity, legal obligation, vital interests, or legitimate interests (e.g., GDPR), always subject to transparency.

2. Transparency and Notice
• Organizations must tell individuals what data is collected, why, how it is used, with whom it is shared, and what rights they have.
• CCPA mandates detailed privacy policies updated at least every 12 months.
• PIPEDA includes openness as a core Fair Information Principle.
• The duty applies to cookies and trackers as well (e.g., ePrivacy Directive).
• It includes breach notification where required.
• Openness is not optional: undisclosed processing is non-compliance.

3. Purpose Limitation and Data Minimization
• Data should be collected only for specific, legitimate purposes.
• It must not be reused in ways incompatible with those purposes.
• Data minimization: collect only what is necessary.
• These principles are codified in GDPR, LGPD and DPDPA.
• Businesses should regularly audit collection forms and databases to catch over-collection and excess retention.

4. Data Quality and Accuracy
• Personal data must be accurate and kept up to date.
• Individuals have the right to correction (rectification).
• Even where not mandated, data accuracy reduces legal and reputational risk.

5. Storage Limitation
• Do not keep data longer than necessary for its purpose.
• GDPR formally enshrines this; other laws require documented retention policies.
• U.S. state laws may require disclosure of retention periods.
• Timely deletion means less data exposed when a breach happens.

6. Security Safeguards and Breach Notification
• All of these laws demand appropriate technical and organizational safeguards.
• GDPR (Article 32): encryption, access controls, and regularly tested breach response procedures.
• CCPA: consumers can sue, with statutory damages, when a breach of certain personal information results from a failure to maintain reasonable security.
• GDPR requires notification to the supervisory authority within 72 hours (and to affected individuals without undue delay where the risk to them is high); PIPEDA mandates notification where a breach creates a “real risk of significant harm.”
• Breach preparedness = encryption + policies + a rehearsed incident response playbook.

7. Individual Rights
Empowering users is central. Common rights include:
• Right of Access: request a copy of personal data (e.g., GDPR subject access requests must be answered within one month, extendable by two further months for complex or numerous requests; CCPA allows 45 days).
• Right to Deletion (Erasure): removal of data on request, e.g., GDPR, LGPD, CCPA.
• Right to Correction: fix inaccurate or outdated data.
• Right to Portability: receive data in a structured, commonly used, machine-readable format (GDPR and others).
• Right to Object/Opt-Out: refuse processing, e.g., for direct marketing (GDPR) or the sale of data (CCPA/CPRA).
• Right to Restrict Processing: limit use while a dispute or investigation is open.
• Rights on Automated Decisions: under GDPR Article 22, individuals can contest solely automated decisions with legal or similarly significant effects and obtain human intervention; increasingly relevant as AI-driven decisions spread.
Businesses must have authenticated workflows to receive, verify, fulfill, and document rights requests across every system that holds the data.

8. Accountability and Governance
Being compliant is not enough; organizations must be able to demonstrate compliance (GDPR’s accountability principle). This requires:
• Documentation (e.g., Records of Processing Activities).
• Data Protection Impact Assessments (DPIAs) for high-risk processing.
• Privacy training across teams.
• Evidence: regulators expect proof, not promises.
GDPR mandates a DPO in specific contexts (public authorities, large-scale regular monitoring, large-scale processing of special-category data); other laws recommend a privacy officer as best practice.

9. Cross-Border Data Transfers
The internet is borderless; lawful data flows are not.
• GDPR allows transfers outside the EEA only to jurisdictions with an adequacy decision or under safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), backed by a transfer impact assessment.
• Brazil (LGPD), Japan (APPI) and China (PIPL) require consent or other safeguards for transfers, and in some cases localization or a regulator security assessment (e.g., China).
• The EU-U.S. Data Privacy Framework, adopted in July 2023 after the Privacy Shield was invalidated, was upheld by the EU General Court in September 2025; SCCs remain advisable as a fallback.
• Best practice: map your data flows and apply a documented legal transfer mechanism to each.

Best Practices for Staying Compliant (and Ahead) in 2025

Achieving compliance with privacy laws is not a one-time project but an ongoing process. Given the rapid emergence of new regulations in 2025 and beyond, organizations should take a proactive, systematic approach to data privacy.

1. Map and Know Your Data
• Start with a full data inventory: what you collect, from whom, where it goes, and how it is stored.
• Identify systems, vendors, and cross-border flows.
• The inventory reveals which laws apply to you; e.g., if you process the data of people in the EU, GDPR applies even if you have no EU presence.
Knowing your data lifecycle is the foundation for applying purpose limitation and minimization.

2. Update Privacy Notices and Policies
• Write clear, accessible privacy policies that reflect current data practices.
• Include: data categories, purposes, third-party access, cookie use, user rights, and contact details, as required by GDPR, CCPA, CalOPPA and similar laws.
• Review and update at least annually, or whenever data use changes materially.
• Transparency builds both trust and compliance.

3. Implement Consent Mechanisms
• Use consent banners for cookies (ePrivacy), opt-in checkboxes for newsletters, and so on.
• Consent must be freely given, informed, specific, and granular: no bundled choices or pre-checked boxes. Make withdrawal as easy as giving consent, and keep an auditable record of each consent (especially for sensitive data).
• Use Consent Management Platforms (CMPs) to automate consent collection and record-keeping at scale.

4. Enable and Honor Individual Rights Requests
• Set up user-friendly channels (web forms, a mailbox such as privacy@yourdomain.com) for data requests.
• Verify the requester’s identity before disclosing or deleting anything; a rights channel that can be abused to extract or destroy someone else’s data is itself a breach.
• Train staff to respond within legal timeframes (e.g., one month under GDPR, 45 days under CCPA). Be prepared to search, delete, correct, or export a user’s data from every system that holds it.
• Include deletion propagation to vendors and third parties.

5. Adopt Data Minimization and Privacy by Design
• Collect only what is necessary, and default to privacy-friendly settings.
• Do not build features first and retrofit compliance later: bake privacy in, do not bolt it on.
• For sensitive or high-risk processing, conduct Data Protection Impact Assessments (DPIAs).
Do you really need location or contacts from that app? If not, do not collect them.

6. Secure Your Data (Defense in Depth)
• Implement layered technical controls: encryption at rest and in transit, least-privilege access control, firewalls and network segmentation, intrusion detection and logging.
• Complement them with organizational safeguards: strong authentication (including MFA), phishing awareness, secure transfer procedures.
• An incident response plan is essential; practice it with tabletop exercises.
• GDPR requires breach notification within 72 hours; most other regimes have similar rules.
• Security is not optional; it is a legal duty of care.

Conclusion: From Compliance to Trust

Complying with global privacy laws is not just about avoiding fines; it is about respecting individuals and earning trust. From GDPR to PIPL and DPDPA, today’s data regulations share a common purpose: empower users and hold organizations accountable. Privacy-first businesses do not wait for enforcement; they design for trust. When privacy is embedded into product design, governance, and organizational culture, companies adapt faster, act more ethically, and stand out in a crowded market.

Key Takeaways
• Stay informed.
• Be user-centric.
• Treat privacy as a business enabler, not a blocker.
“Privacy governance is not a one-time project; it is a strategic function that enables trust, compliance, and performance.”

At Azpirantz, we help organizations design governance models that are resilient, responsive, and right-sized for their needs. Whether you are launching a privacy program or optimizing an existing one, the right governance structure can elevate both compliance and credibility.

In the meantime, ask yourself:
• Who drives privacy in your organization today?
• Are your privacy decisions agile and aligned with business objectives?
• Can your leadership confidently report on your privacy posture?

READY TO ENHANCE YOUR DIGITAL RESILIENCE? Follow us for daily tips!

*This content has been created and published by the Azpirantz Marketing Team and should not be considered professional advice. For expert consulting and professional advice, please reach out to sales@azpirantz.com