Data Privacy Laws
European Union
The General Data Protection Regulation (GDPR) is a comprehensive privacy law adopted by
the European Union (EU) in 2016 and in force since 2018. It replaced the 1995 Data
Protection Directive as of 25 May 2018.
The purpose of the GDPR is to strengthen the digital privacy of EU citizens by giving them
greater control over the personal information they share online. Although the GDPR
originates from the EU, it applies to businesses anywhere in the world: if there is even a
slight chance that your website collects the personal information of someone in an EU member
state, you are required to comply. The GDPR introduces new areas of focus, such as privacy
rights, data security, data control and governance.
Definition of Personal Data- The term is defined in Art. 4 (1). Personal data is any
information relating to an identified or identifiable natural person. A data subject is
identifiable if they can be identified, directly or indirectly, in particular by reference
to an identifier such as a name, an identification number, location data, an online
identifier, or to one or more special characteristics that express the physical,
physiological, genetic, mental, commercial, cultural or social identity of that natural
person.
Violation- Violators of the GDPR may be fined up to €20 million, or up to 4% of the
annual worldwide turnover of the preceding financial year, whichever is greater. The
fines set out in Article 83 are flexible and scale with the size of the firm, so any
organization that is not GDPR compliant, regardless of its size, faces a significant
liability. Article 82 additionally gives data subjects the right to seek compensation from
organizations that cause them material or non-material damage as a result of a GDPR
infringement.
Canada
In order to be compliant with the Personal Information Protection and Electronic Documents
Act (PIPEDA), there are 10 fair information principles that you must adhere to. These are:
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection of information
5. Limiting use, disclosure and retention of information
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance
Under PIPEDA, organizations are legally required to obtain consent for the collection, use and
disclosure of any user information before that information is collected. They must also still
provide individuals with their product or service regardless of whether the individual consents
to that collection.
Brazil
The Brazilian General Data Protection Law (LGPD) creates a new legal framework for the use of
personal data in Brazil, both online and offline, in the private and public sectors. It is important
to note that the country already has more than 40 legal norms at the federal level that directly or
indirectly deal with the protection of privacy and personal data. The LGPD will replace and
enhance these sectoral frameworks, which were sometimes in conflict with one another. Apart from
the GDPR's six bases for lawful processing, the LGPD also lays out some additional, more specific
bases. The Brazilian law introduces four new options: the conducting of research studies, medical
procedures, the protection of credit, and judicial proceedings. If you already operate in compliance
with the GDPR, then you already meet the lion's share of the obligations imposed by the LGPD.
However, there are important differences you will have to address, including a shorter time
period for processing data subject requests and the additional lawful bases for data processing.
Nevertheless, it seems that under the LGPD, as under the GDPR, consent will be the most suitable
legal basis for marketing and sales activities.
Definition of Personal Data- Any data, on its own or aggregated with other data, that may allow
the identification of a natural person or subject them to a certain behaviour (an interpretation
possible from an integrative reading of the text). In the age of big data, which allows the
rapid correlation of large structured and unstructured databases, virtually any data can
eventually be considered personal and therefore subject to the law.
Violation- The different agents involved in data processing — the controller and the
processor — can be jointly and severally liable for information security incidents,
for improper or unauthorized use of the data, or for non-compliance with the law.
Administrative sanctions may be applied by the authority in case of a violation of the LGPD.
Among the sanctions are warnings and fines; fines may reach 2 percent of the
company's, group's or conglomerate's turnover in Brazil in its last fiscal year, limited
in total to R$ 50,000,000.00 (fifty million reais) per infraction. There is also the
possibility of a daily fine to compel the entity to cease its violations.
Chile
The new law amending the Chilean Constitution was published on June 16, 2018. It establishes the
protection of personal data as a constitutional right; through this amendment, personal data
protection was established as an autonomous right. Here you can find the most important facts
about the new Chilean law. The bill regulates the processing of personal data performed by
individuals and organizations, both public and private. The application of the law excludes some
scenarios, such as:
1. processing of data performed by the media solely in the exercise of the freedom of the
press, and
2. processing of data performed by individuals in the course of their personal activities.
However, it is debatable whether the law will apply to foreign organizations that process the data
of Chileans pursuant to established contracts.
Definition of Personal Data- The new law specifies the scope of personal data. The bill
establishes that an identifiable individual is any person whose identity can be determined,
directly or indirectly, by information combined with other data, in particular by an
identifier such as an ID number.
Violation- The law establishes a general rule under which both non-monetary and
monetary damages resulting from wilful misconduct or negligence in the processing
of personal data shall be compensated. In those cases, the amount of compensation
is to be set reasonably by the civil judge, considering the circumstances of the case
and the relevance of the facts. Breaches of data protection caused by improper
processing of data may also lead to the fines determined by the law. Fines are
reviewed and determined in a summary procedure.