
Major Privacy Laws Overview: GDPR, ePrivacy, CCPA/CPRA and Other Global Regulations

Privacy law shapes how analytics systems collect, process, and store data. The global landscape is fragmented but converging around a common set of principles.

GDPR: The European Standard

The General Data Protection Regulation took effect on May 25, 2018. It set new standards for personal data protection in the EU and became a global reference.

Key Principles

Extraterritorial scope. GDPR applies to any organization processing EU residents' data, regardless of where the company sits.

Lawful bases. GDPR lists six bases for processing:

  • Explicit consent
  • Performance of a contract
  • Legal obligation
  • Vital interests
  • Public-interest tasks
  • Legitimate interests of the controller

Subject rights:

  • Access
  • Rectification
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Objection
  • Rights related to automated decision-making

Impact on Analytics

Requirements for Analytics Systems

  • Explicit consent before setting cookies
  • Minimization of collected data
  • Pseudonymization and anonymization where possible
  • Limited retention periods
  • Deletion on request

ePrivacy Directive and the Future Regulation

The ePrivacy Directive (2002/58/EC), known as the "Cookie Law," complements GDPR for electronic communications.

Current Requirements

Cookie consent. Informed consent is required before placing or reading cookies, except for technically necessary cookies.

Communication metadata. Protection extends to metadata: time, location, parties involved.

Expected Changes

The forthcoming ePrivacy Regulation aims to:

  • Cover OTT services (WhatsApp, Skype)
  • Simplify cookie consent through browser settings
  • Strengthen metadata protection
  • Match GDPR penalties (up to 4% of global turnover)

CCPA/CPRA: California

The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. The California Privacy Rights Act (CPRA) expanded it from January 1, 2023.

Scope

The law applies to commercial organizations that:

  • Conduct business in California
  • Collect personal information of California residents
  • Meet at least one criterion:
      • Annual gross revenue exceeds $25 million
      • Process data of 100,000+ consumers (CPRA)
      • Derive 50%+ of revenue from selling personal information

Consumer Rights

Right to know. Consumers can request information about which categories of personal data are collected, used, disclosed, or sold.

Right to delete. Consumers can require deletion of their personal information, with exceptions.

Right to opt out of sale. Sites must show a "Do Not Sell or Share My Personal Information" link.

Right to non-discrimination. Businesses cannot punish consumers who exercise their rights.

CPRA Additions

  • California Privacy Protection Agency (CPPA) created
  • "Sensitive personal information" category introduced
  • Right to correct inaccurate information
  • Right to limit use of sensitive data
  • Mandatory risk assessments for high-risk operations

Other US State Laws

Virginia CDPA

Virginia's Consumer Data Protection Act requires companies to:

  • Obtain explicit consent for processing sensitive data
  • Conduct data protection assessments for certain processing
  • Provide rights of access, deletion, correction, and portability

Colorado CPA

The Colorado Privacy Act includes:

  • Universal Opt-Out Mechanism
  • Rules for profiling and automated decisions
  • Data minimization obligations

Connecticut CTDPA

The Connecticut Data Privacy Act focuses on:

  • Protection of minors' data
  • Data protection assessments
  • Right to opt out of targeted advertising

LGPD: Brazil

Lei Geral de Proteção de Dados (LGPD) took effect in August 2020. It unified 40 sectoral regulations.

Broad definition of personal data. Any information that directly or indirectly identifies a person.

Ten lawful bases. Where GDPR has six, LGPD adds bases such as credit protection, exercise of rights in judicial proceedings, and protection of life or physical safety.

ANPD. The National Data Protection Authority oversees enforcement and issues guidelines.

PIPEDA: Canada

The Personal Information Protection and Electronic Documents Act rests on 10 fair information principles.

Key Principles

Accountability. Appoint someone responsible for compliance.

Identifying purposes. State purposes at or before collection.

Consent. Required for collection, use, or disclosure.

Limiting collection. Only what is necessary for stated purposes.

Comparison

Aspect               | PIPEDA              | GDPR                   | CCPA/CPRA
---------------------|---------------------|------------------------|----------------------------
Extraterritoriality  | Limited             | Full                   | Limited
Penalties            | Up to CAD 100,000   | Up to 4% of turnover   | $2,500-7,500 per violation
Right to deletion    | No                  | Yes                    | Yes
Data portability     | Recommended         | Mandatory              | No

POPIA: South Africa

The Protection of Personal Information Act took effect on July 1, 2021.

Information Officer residency. The Information Officer must be a South African resident, which creates requirements for international companies.

Direct marketing. Strict opt-in rules for electronic communications.

PDPA: Asia

Singapore PDPA

Singapore's Personal Data Protection Act balances protection and business:

  • Consent with exceptions for legitimate interests
  • Do Not Call Registry for telemarketing
  • Breach notification requirements

Thailand PDPA

Thailand's PDPA is modelled on GDPR and includes:

  • Extraterritorial scope
  • DPO requirements
  • Strict cross-border transfer rules

Sectoral Laws

HIPAA: Health

The US Health Insurance Portability and Accountability Act sets standards for protected health information.

For analytics on healthcare sites:

  • Avoid collecting Protected Health Information through analytics
  • Use Business Associate Agreements with analytics providers
  • Apply encryption and other security controls

COPPA: Children

The Children's Online Privacy Protection Act requires:

  • Verifiable parental consent for children under 13
  • Specific privacy notices
  • Restrictions on data collection from children

Impact on Analytics

Sites aimed at children, or knowingly collecting children's data, must:

  • Disable behavioral targeting
  • Minimize data collection
  • Implement age verification

Practical Compliance

Technical Measures

Privacy by Design:

  • Build protection into the architecture from day one
  • Default to data minimization
  • Use pseudonymization and encryption

Consent Management (the flow below is a Mermaid diagram):

graph TD
    A[Visitor enters site] --> B{Consent obtained?}
    B -->|No| C[Show consent banner]
    B -->|Yes| D[Check categories]
    C --> E{User selected}
    E -->|Accept all| F[Set all cookies]
    E -->|Customize| G[Granular choice]
    E -->|Reject all| H[Necessary cookies only]
    G --> I[Set selected cookies]
    D --> J[Load appropriate scripts]

Organizational Measures

Documentation:

  • Records of Processing Activities (RoPA)
  • Regular Privacy Impact Assessments
  • Subject request response procedures
  • Incident response plan

Training:

  • Regular employee training
  • Designated data protection officers
  • Privacy culture across the organization

International Strategy

Apply the strictest requirements to all users.

  • Simpler technical implementation
  • Lower non-compliance risk
  • May limit functionality

Adapt to each jurisdiction.

  • Maximum functionality where allowed
  • Complex implementation
  • Requires accurate location detection

Baseline protection plus extensions for strict regions.

  • Balance between complexity and functionality
  • Reasonable cost
  • Flexible for future changes
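As an added example that is not Statable's code and not taken from any of the laws above, the following JavaScript implements the consent flow from the diagram under Consent Management together with the third strategy just described: a strict opt-in baseline with per-region relaxations. The cookie name, validity period, category names, region codes, script registry and the browser opt-out signal parameter are all assumptions constructed for this example.

```javascript
// Added example: a consent gate that follows the banner flow in the diagram
// and the "baseline plus regional extensions" strategy. Every constant below
// is an assumption for illustration, not a value from the article.

const CONSENT_COOKIE = "cookie_consent";               // assumed cookie name
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;       // assumed 6-month validity
const OPTIONAL_CATEGORIES = ["analytics", "marketing"]; // "necessary" is always on

// Constructed registry: which scripts each category is allowed to load.
const SCRIPT_REGISTRY = {
  necessary: ["/js/session.js"],
  analytics: ["/js/analytics-tag.js"],
  marketing: ["/js/ads-pixel.js"],
};

// Baseline is opt-in (the strictest model); only listed regions relax it.
// Region codes are assumed to come from server-side geolocation of the request.
function policyFor(region) {
  switch (region) {
    case "US-CA": // CCPA/CPRA: opt-out model, "Do Not Sell or Share" link required
      return { model: "opt-out", doNotSellLink: true, honorOptOutSignal: true };
    case "US-CO": // Colorado CPA: Universal Opt-Out Mechanism must be honored
      return { model: "opt-out", doNotSellLink: false, honorOptOutSignal: true };
    default:      // EU/EEA and any unrecognized region: prior consent required
      return { model: "opt-in", doNotSellLink: false, honorOptOutSignal: false };
  }
}

// Parse the consent record out of a document.cookie-style string.
// Returns null when absent, malformed or expired, so the banner is shown again.
function parseConsent(cookieString, now = Date.now()) {
  const pair = cookieString.split(";").map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + "="));
  if (!pair) return null;
  let record;
  try {
    record = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
  } catch {
    return null; // truncated or tampered cookie: treat as no consent
  }
  if (!record || typeof record.ts !== "number" || now - record.ts > CONSENT_TTL_MS) return null;
  const categories = { necessary: true };
  for (const c of OPTIONAL_CATEGORIES) categories[c] = record.categories?.[c] === true;
  return { ts: record.ts, categories };
}

// Build the stored record for the three banner outcomes in the diagram:
// "accept_all", "reject_all", or "customize" with a list of chosen categories.
function recordChoice(choice, selected = [], now = Date.now()) {
  const categories = { necessary: true };
  for (const c of OPTIONAL_CATEGORIES) {
    categories[c] = choice === "accept_all" || (choice === "customize" && selected.includes(c));
  }
  return { ts: now, categories };
}

// Serialize the record as a Set-Cookie value; Secure/SameSite limit exposure.
function serializeConsent(record) {
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(record))}; Path=/; SameSite=Lax; Secure`;
}

// Decide what the page does on load. `optOutSignal` stands for a browser
// opt-out preference such as Global Privacy Control (in a real page it would
// be read from navigator.globalPrivacyControl; here it is a plain parameter).
function decide(cookieString, region, optOutSignal = false, now = Date.now()) {
  const policy = policyFor(region);
  const consent = parseConsent(cookieString, now);
  let categories;
  if (consent) {
    categories = consent.categories;                   // "Yes" branch: check categories
  } else if (policy.model === "opt-in") {
    return { action: "show_banner", policy, scripts: SCRIPT_REGISTRY.necessary };
  } else {
    // Opt-out region with no stored choice: optional categories are on
    // unless the browser sent an opt-out signal that the policy must honor.
    const allowed = !(policy.honorOptOutSignal && optOutSignal);
    categories = { necessary: true };
    for (const c of OPTIONAL_CATEGORIES) categories[c] = allowed;
  }
  const scripts = Object.entries(SCRIPT_REGISTRY)
    .filter(([cat]) => categories[cat])
    .flatMap(([, urls]) => urls);
  return { action: "load_scripts", policy, categories, scripts };
}
```

The design choice worth noting is that every failure path in parseConsent (missing, unparsable, expired or wrongly typed cookie) collapses to "no consent", which under the opt-in baseline means necessary scripts only and a fresh banner; a region only gets looser defaults when policyFor explicitly says so.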

We have explored the global landscape and its impact on analytics. Statable supports the major regulations through technical and organizational controls.

The architecture provides flexible consent management, automatic regional rules, and tools for subject rights, so webmasters focus on analytics, not legal complexity.


About AI participation in writing articles

This article, like many others on our site, was created, written and proofread by a team of developers, not without the participation of AI assistants. We don't hide this and believe that modern systems are already quite good at handling simple tasks; relatively speaking, writing an article about Viewport yourself is quite strange: it won't come out significantly better and will take a lot of time. But providing a basic understanding to beginner webmasters is necessary. Of course, after the article is written by assistants there is always proofreading, in which not one or two people participate, and only after that is the article published.
