Data Privacy Regulations provide consumers with rights and place security obligations on companies that collect personal data. These laws cover many issues, such as how to obtain consent for marketing purposes or how best to utilize information collected for such use.

Data protection laws differ based on your location and industry. To remain compliant, it is vital that you adhere to those that apply directly to you and your business.


Companies falling within the definition of a financial institution under GLBA must abide by its data protection and privacy regulations, with some exceptions provided for. Furthermore, this Act mandates companies establish an extensive compliance program.

The GLBA establishes what constitutes personal financial information and requires businesses to give consumers clear notice of their privacy policies and practices. Furthermore, consumers have an option of not sharing their data with third-parties.

Financial institutions that fail to abide by the GLBA’s privacy rules face fines of up to $100,000 per violation and could face criminal prosecution as a result of this law. Aside from legal penalties, compliance also helps companies strengthen their brand reputation and build customer trust.


CCPA (California Consumer Privacy Act) is a California privacy law designed to safeguard consumers’ personal data. Organizations must act as responsible custodians of this consumer data whether collected “externally” from customers or internally from company workers and job applicants, otherwise huge fines could result.

Under federal law, businesses are legally mandated to disclose to their consumers proactively about any consumer rights that exist for them and how much personal data is collected and utilized for. They also must keep an accounting of how often consumer personal information is sold or shared between businesses.

Companies must offer consumers an opt-out mechanism that is easy to implement, and must not discriminate against those exercising their CCPA rights.


The GDPR requires businesses to be responsible for the personal data that they process, from making sure their information is accurate and up-to-date to taking security measures such as encryption or pseudonymization. Furthermore, this regulation outlines six legal bases for processing personal data while mandating that businesses only gather what data is necessary.

This regulation emphasizes transparency and makes clear that customers must give their consent freely, with companies required to use clear, intelligible language when asking for it. Furthermore, people may easily withdraw their consent. Furthermore, its extraterritorial scope means it applies to all European Union citizens whether inside or outside of Europe and requires companies appoint data protection officers and report issues to Supervisory Authorities when needed.


The PDPA strikes an effective balance between individual privacy rights and data utilization for national security situations. Furthermore, the Act allows the processing of personal data during medical emergencies involving individuals while upholding high privacy standards. Finally, organisations are obliged to give individuals access to their own personal data within one year after being requested by an individual to do so.

The PDPA requires every organization to appoint and publish contact details of a grievance officer, while emphasizing data minimization and purpose limitation so businesses only use consumer data for legitimate interests. Furthermore, consent management plays an integral part of its requirements: data fiduciaries must obtain explicit, informed and unambiguous consent from customers before using their data for any purpose.

Kenya’s Data Protection Act

The Kenyan Data Protection Act contains provisions regulating the collection, handling, transfer and destruction of personal information. Furthermore, it restricts how sensitive personal data can be used while also mandating that any breaches in data security be reported immediately.

Its provisions are modeled on EU’s GDPR and require valid, clear, and informed consent from data subjects. Furthermore, data controllers or processors must keep a log of their processing activities and make this available on request from data subjects.

Kenya law mandates that any transfer of personal data outside Kenya be done so on the basis of one of three legitimate interests: