Module 5

Gramm-Leach-Bliley Act (Financial Modernization Act of 1999)

A U.S. law requiring financial institutions to disclose how they share and protect private customer data.

Children's Online Privacy Protection Act (COPPA)

A U.S. law that protects the online data of children under the age of 13.

Health Insurance Portability and Accountability Act (HIPAA)

A U.S. law that protects the privacy of health-related information about individuals used by health care providers, health insurers, health care clearinghouses and business associates.

General Data Protection Regulation (GDPR)

A comprehensive law dealing with data protection and privacy that went into effect in the EU and the European Economic Area (EEA) in 2018. It also applies to the transfer of personal data outside the EU and EEA.

Lei Geral de Proteção de Dados (LGPD)

Brazil's first law to provide a comprehensive framework regulating the use and processing of all personal data, which fully went into effect on August 1, 2021.

Personal Information Protection Law (PIPL)

China's first comprehensive law on the protection of personal data. The legislation went into effect on November 1, 2021.

OECD Guidelines

In 1980, the Organisation for Economic Co-operation and Development (OECD) and Council of Europe developed Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which are widely accepted by many government organizations. Updated in 2013, these guidelines represent perhaps the most widely accepted and circulated set of internationally agreed upon privacy principles.

The Privacy Shield

In 2016, the EU-U.S. Privacy Shield was adopted to replace the EU-U.S. Safe Harbor Agreement, allowing for the legal transfer of personal data between the EU and U.S. in the absence of a comprehensive adequacy decision for the United States. In July 2020, the Court of Justice of the European Union, in the case Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (called "Schrems II"), ruled to immediately invalidate the EU-U.S. Privacy Shield. The ruling noted that the U.S. still had several shortcomings with the protection of personal data and therefore violated the GDPR.

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

The California Consumer Privacy Act (CCPA) is a state statute within the U.S. that regulates how businesses handle the personal information of California residents. The CCPA was signed into law in 2018 and went into effect on January 1, 2020. The California Privacy Rights Act (CPRA), which amends and expands the CCPA, took effect on December 16, 2020, but will not become fully operative until January 1, 2023.

U.S. Privacy Act of 1974

U.S. law establishing a Code of Fair Information Practices on federal agencies' collection, maintenance, use and dissemination of personally identifiable information.