Americas DPAs
INTRODUCTION
Data Protection Authorities (DPAs) are the entities responsible for safeguarding individuals' privacy and enforcing data protection laws within a given jurisdiction. DPAs play a crucial role in overseeing compliance with regulations, addressing privacy concerns, and ensuring the responsible handling of personal data by organizations.
Data Protection Authorities (DPAs) for North America:
Americas:
This region typically includes North, Central, and South America. It covers a wide range of economies, cultures, and languages, with the United States and Brazil being the largest economies.
The Americas is divided into North America (NA or NORAM) and Latin America (LATAM).
North America (2 countries):
United States
- Authority: Federal Trade Commission (FTC)
- The FTC is the only federal agency with both consumer protection and competition jurisdiction in broad sectors of the economy. The FTC pursues vigorous and effective law enforcement; advances consumers’ interests by sharing its expertise with federal and state legislatures and U.S. and international government agencies; develops policy and research tools through hearings, workshops, and conferences; and creates practical and plain-language educational programs for consumers and businesses in a global marketplace with constantly changing technologies.
- Official Website: FTC
U.S. States That Have Enacted Their Own Data Protection And Privacy Laws
Laws:
Electronic Communications Privacy Act (ECPA)
- Regulates electronic communications and protects privacy of electronic communications.
Gramm-Leach-Bliley Act (GLBA)
- Regulates financial institutions' handling of customer information.
Telephone Consumer Protection Act (TCPA)
- Governs telemarketing practices and protects against unsolicited calls.
CAN-SPAM Act
- Law governing emails and other messages from commercial entities.
California:
- Law: California Consumer Privacy Act (CCPA)
- CCPA grants California residents rights to control their personal data, allowing access, deletion, and opting out of data sales. The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them, and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers.
- Official Website: CCPA
New York:
- Law: Stop Hacks and Improve Electronic Data Security (SHIELD) Act
- The SHIELD Act significantly strengthens New York’s data-security laws by expanding the types of private information for which companies must provide consumer notice in the event of a breach.
- Official Website: SHIELD
Nevada:
- Law: Nevada Revised Statutes (NRS) Chapter 603A
- It mandates secure destruction of records, implementation of security measures, and encryption for payment card data. The chapter defines liability for breaches and allows for alternative encryption methods. It also outlines disclosure requirements for breaches to ensure transparency and protection of sensitive information.
- Official Website: NRS 603A
Massachusetts:
- Law: Massachusetts Data Security Law (201 CMR 17.00)
- 201 CMR 17.00 establishes minimum standards to be met by persons who own or license personal information about a resident of the Commonwealth of Massachusetts in connection with the safeguarding of personal information contained in both paper and electronic records, to insure the security and confidentiality of customer information in a manner fully consistent with industry standards.
- Official Website: 201 CMR 17.00
Washington:
- Law: Washington Privacy Act (SB 5376)
- The Act was developed to protect a consumer’s sensitive health data from being collected and shared without that consumer’s consent. Washington’s concern for the urgent need to enhance privacy protections for health data is widely shared: 76% of Washingtonians express support for the My Health My Data Act.
- Official Website: SB 5376
Texas:
- Law: Texas Privacy Protection Act (HB 4390)
- This legislation is aimed at safeguarding individuals' privacy rights within the state. Enacted to regulate the collection, use, and sale of personal data, the law imposes strict requirements on businesses handling sensitive information. HB 4390 includes provisions for transparency regarding data practices, granting consumers more control over their personal information.
- Official Website: HB 4390
Illinois:
- Law: Biometric Information Privacy Act (BIPA)
- This law is a crucial piece of legislation designed to protect individuals' biometric data privacy rights. Enacted to regulate the collection, storage, and use of biometric information, such as fingerprints or facial scans, the law imposes stringent requirements on organizations handling such data.
- Official Website: BIPA
Colorado:
- Law: Colorado Privacy Act (CPA)
- The Colorado Privacy Act (CPA) is a pivotal legislation established to protect the privacy rights of individuals within the state. It regulates the collection, processing, and storage of personal data by businesses, aiming to enhance transparency and accountability in data practices. The CPA grants consumers greater control over their personal information, allowing them to access, correct, and delete their data held by companies.
- Official Website: CPA
Virginia:
- Law: Virginia Consumer Data Protection Act (VCDPA)
- This law grants consumers rights and places obligations on businesses regarding data transparency, security, and individual privacy. This new law provides Virginia residents certain rights for personal data collected by businesses under conditions outlined in the law.
- Official Website: VCDPA
Oregon:
- Law: Oregon Consumer Information Protection Act (OCIPA)
- This is pivotal legislation designed to safeguard the privacy rights of individuals in the state. It sets forth regulations governing the collection, use, and protection of personal data by businesses, aiming to bolster transparency and accountability in data practices.
- Official Website: OCIPA
Michigan:
- Law: Personal Data Protection Act (PDPA)
- The Personal Data Protection Act (PDPA) provides a baseline standard of protection for personal data in Singapore. It complements sector-specific legislative and regulatory frameworks such as the Banking Act and Insurance Act.
- Official Website: PDPA
New Jersey:
- Law: New Jersey Consumer Data Privacy Act (NJCDPA)
- This regulates data collection, processing, storage, security, and use, mandating companies to obtain explicit consumer opt-in for personal data collection or processing. It focuses on internet privacy and data security investigations on behalf of the Division of Consumer Affairs and the State of New Jersey and brings actions for damages and amended business/industry protocols.
- Official Website: NJCDPA
Minnesota:
- Law: Minnesota Privacy Act (MPA)
- It regulates the collection, use, and dissemination of personal data by businesses, aiming to enhance transparency and accountability in data practices. The MPA grants consumers rights to access, correct, and delete their personal information held by companies, empowering them with greater control over their data.
- Official Website: MPA
Utah:
- Law: Utah Consumer Privacy Act (UCPA)
- This law provides consumers the right to access and delete certain personal data maintained by certain businesses and opt out of the collection and use of personal data for certain purposes.
- Official Website: UCPA
Oklahoma:
- Law: Oklahoma Computer Data Privacy Act
- The act prohibits businesses from sharing personal data with third parties unless it is necessary to provide a requested good or service or for security purposes or fraud detection, and from denying service or altering prices or services based on a consumer's rights granted in the measure.
- Official Website: Oklahoma Computer Data Privacy Act
New Hampshire:
- Law: New Hampshire Privacy Act
- These laws exist to ensure that government is open and that the public has access to appropriate information obtained and held by the government. At the same time, the State recognizes that personal information collected by the State should be used only for the purpose for which it is collected.
- Official Website: New Hampshire Privacy Act
Hawaii:
- Law: Hawaii Consumer Privacy Protection Act (HCPPA)
- It establishes regulations governing the collection, use, and disclosure of personal data by businesses, with the aim of enhancing transparency and accountability in data practices. This law empowers consumers by granting them rights to access, correct, and delete their personal information held by companies.
- Official Website: HCPPA
South Carolina:
- Law: South Carolina Consumer Privacy Protection Act (SCCPPA)
- Mandates businesses to safeguard personal information and prevent data breaches in the state.
- Official Website: No Website available
Rhode Island:
- Law: Rhode Island Consumer Privacy Act (RICPA)
- Grants residents rights to control their personal data, allowing access, deletion, correction of data, and opting out of data sales.
- Official Website: No Website available
Maryland:
- Law: Maryland Personal Information Protection Act (MPIPA)
- MPIPA is a privacy law that requires businesses to protect consumers' personal information.
- Official Website: No Website available
Delaware:
- Law: Delaware Online Privacy and Protection Act (DOPPA)
- This Act amends Delaware’s probate code by adding a new section to provide restricted access to a decedent’s safe deposit box located in a financial institution and held in the decedent’s sole name, for the limited purpose of retrieving the decedent’s last will and declaration of last remains.
- Official Website: DOPPA
Connecticut:
- Law: Connecticut Act Concerning Data Privacy Breaches
- The Connecticut Act Concerning Data Privacy Breaches is a crucial piece of legislation aimed at addressing data breaches and protecting the privacy of individuals within the state. Enacted to regulate the handling of personal information by businesses, the act mandates prompt notification to affected individuals and appropriate authorities in the event of a data breach.
- Official Website: Connecticut Data Privacy Breaches
Arizona:
- Law: Arizona Data Breach Notification Law
- Arizona law mandates prompt notification to individuals by businesses and government entities following a security breach compromising personal information. Specifics include content, timing requirements, definitions of personal information, and penalties for non-compliance.
- Official Website: Arizona Data Breach Notification Law
Kentucky:
- Law: Kentucky Consumer Data Protection Act (KCDPA)
- Grants residents rights to control their personal data, allowing access, deletion, correction of data, and opting out of data sales.
- Official Website: KCDPA
North Carolina:
- Law: North Carolina Identity Theft Protection Act (NCITPA)
- The North Carolina Identity Theft Protection Act (NCITPA) is a significant piece of legislation designed to combat identity theft and protect consumers' personal information within the state. This act outlines requirements for businesses and organizations to safeguard sensitive data and mitigate the risk of unauthorized access or disclosure.
- Official Website: NCITPA
New Mexico:
- Law: New Mexico Data Privacy Act (NMDPA)
- It prohibits businesses from requiring a consumer's social security number as a condition for purchasing or leasing goods, services, or products.
- Official Website: No Website available
Wisconsin:
- Law: Wisconsin Data Privacy Act (WDPA)
- Grants residents rights to control their personal data, allowing access, deletion, correction of data, and opting out of data sales.
- Official Website: WDPA
Kansas:
- Law: Kansas Privacy and Data Security Act (KPDSA)
- The Kansas Privacy and Data Security Act (KPDSA) encompasses regulations related to privacy and data protection within the state of Kansas.
- Official Website: KPDSA
Iowa:
- Law: Iowa Consumer Privacy Act (ICPA)
- The Iowa Consumer Privacy Act (ICPA) is a state-level data privacy law enacted to safeguard the rights and personal data of Iowa residents. It requires businesses to adhere to specific regulations regarding data handling and consumer privacy.
- Official Website: ICPA
Alabama:
- Law: Alabama Data Breach Notification Act (ADBNA)
- The Alabama Data Breach Notification Act (ADBNA) aims to protect the privacy of Alabama residents by requiring certain entities to promptly notify affected individuals when a data breach occurs.
- Official Website: ADBNA
Arkansas:
- Law: Arkansas Personal Information Protection Act (APIPA)
- The APIPA grants consumers the right to know what personal information is being collected about them. Consumers can request the deletion of their personal data and opt out of the sale of their data.
- Official Website: No Website available
Mississippi:
- Law: Mississippi Data Breach Notification Act (MDBNA)
- The MDBNA covers the unauthorized acquisition of electronic files or data containing personal information (PI) of Mississippi residents. It applies to businesses operating in Mississippi that handle PI. Entities must promptly notify affected individuals of security breaches.
- Official Website: No Website available
West Virginia:
- Law: West Virginia Personal Data Protection Act (WVPDPA)
- The bill establishes a framework for controlling and processing personal data in West Virginia. It puts limitations on collecting personal data and requires strict security measures. Consumers are granted rights to access, correct, delete, and obtain a copy of their personal data.
- Official Website: No Website available
Vermont:
- Law: Vermont Data Broker Regulation (VTDBR)
- The Vermont Data Broker Regulation (VTDBR) is a significant piece of legislation aimed at regulating the practices of data brokers operating within the state. Enacted to address concerns regarding the collection, use, and dissemination of personal data by data brokers, the law mandates transparency and accountability in their operations.
- Official Website: VTDBR
North Dakota:
- Law: North Dakota Personal Data Protection Act (NDPDPA)
- It aims to protect consumer privacy by addressing data protection. Inspired by the California Consumer Privacy Act, the original proposal closely resembled a bill under consideration in Washington State.
- Official Website: No Website available
South Dakota:
- Law: South Dakota Data Breach Notification Law (SDBNL)
- The South Dakota Data Breach Notification Law (SDBNL) is legislation designed to protect individuals' personal information by requiring organizations to promptly notify affected individuals and appropriate authorities in the event of a data breach.
- Official Website: SDBNL
Wyoming:
- Law: Wyoming Personal Data Privacy Act (WPDPA)
- The Act mandates genetic testing companies to inform individuals about the collection, storage, sharing, and usage of genetic data, applying to any business collecting genetic information from Wyoming residents.
- Official Website: WPDPA
Nebraska:
- Law: Nebraska Financial Data Protection and Consumer Notification of Data Security Breach Act (NFDPCNDSBA)
- This law requires individuals and businesses to notify the Attorney General's Office of a security breach under certain circumstances.
- Official Website: No Website available
Montana:
- Law: Montana Consumer Privacy Act (MCPA)
- It applies to companies conducting business in Montana, targeting products or services to Montana residents, or processing the personal data of at least 50,000 state residents. Excluding commercial and employment contexts, MCDPA covers sensitive data, including racial/ethnic origin, religious beliefs, health information, sexual orientation, and genetic or biometric information.
- Official Website: MCPA
Maine:
- Law: Maine Act to Protect the Privacy of Online Customer Information (MAPPOCI)
- The Maine Act to Protect the Privacy of Online Customer Information (MAPPOCI) prohibits internet service providers (ISPs) from using, disclosing, selling, permitting access to, or providing access to customers' personal information.
- Official Website: MAPPOCI
New Hampshire:
- Law: New Hampshire Data Security Breach Notification Act (NHDSBNA)
- The New Hampshire Data Security Breach Notification Act (NHDSBNA) is a significant piece of legislation designed to protect individuals' personal information in the event of a data breach. It mandates businesses holding personal information to assess the risk of misuse, notify the data owner or licensee of unauthorized access, and inform all affected consumers nationwide.
- Official Website: No Website available
Hawaii:
- Law: Hawaii Consumer Privacy Protection Act (HCPPA)
- The HCPPA applies to businesses in Hawaii and aims to protect consumer privacy. Key provisions include data reidentification rules, privacy notices, security measures, and consumer rights (such as access, correction, and limiting data processing).
- Official Website: No Website available
South Carolina:
- Law: South Carolina Insurance Data Security Act (SCIDSA)
- The South Carolina Insurance Data Security Act (SCIDSA) is legislation aimed at enhancing cyber security and protecting sensitive information within the insurance industry. The act's purpose is to establish standards for data security and standards for the investigation of and notification to the director of a cybersecurity event.
- Official Website: SCIDSA
Rhode Island:
- Law: Rhode Island Identity Theft Protection Act (RIITPA)
- The Rhode Island Identity Theft Protection Act (RIITPA) is a significant piece of legislation aimed at combating identity theft and protecting consumers' personal information within the state. It requires certain entities, including municipal and state agencies, and individuals handling personal information, to implement risk-based information security measures and notify affected individuals in case of a security breach.
- Official Website: RIITPA
Maryland:
- Law: Maryland Personal Information Protection Act (MPIPA)
- It’s also known as Maryland’s Data Breach Notification Law. Key provisions include data protection rules, notification obligations for security breaches, and an expanded definition of personal information to include biometric data. Compliance with the MPIPA is essential for safeguarding privacy and responsible data handling in Maryland.
- Official Website: No Website available
Alaska:
- Law: Alaska Personal Information Protection Act (APIPA)
- The APIPA is an Alaskan state law designed to safeguard personal information. It includes provisions for breach notification, credit report freezes, restrictions on social security numbers, proper record disposal, and identity theft petitions. The University of Alaska adheres to these standards to protect students’ and staff members’ personal data.
- Official Website: APIPA
Indiana:
- Law: Indiana Data Breach Notification Law (IDBNL)
- The Indiana Data Breach Notification Law (IDBNL) is a crucial piece of legislation designed to protect individuals' personal information in the event of a data breach. Enacted to address the increasing prevalence of data breaches, the law mandates that businesses and other entities promptly notify affected individuals and appropriate authorities when a breach occurs.
- Official Website: IDBNL
Louisiana:
- Law: Louisiana Database Security Breach Notification Law (LDSBNL)
- Under this law, businesses and entities must notify any Louisiana resident whose unencrypted “personal information” was, or is reasonably believed to have been, acquired by an unauthorized person due to a “security breach.” The law emphasizes prompt notification to affected individuals, allowing them to take necessary precautions in the event of a data breach.
- Official Website: LDSBNL
Oklahoma:
- Law: Oklahoma Data Breach Notification Act (ODBNA)
- Compels those managing computerized data, irrespective of ownership, to promptly notify the owner or licensee in case of a security breach, covering unauthorized access and potential harm to confidential information such as medical records, financial data, and personally identifiable information (PII).
- Official Website: No Website available
Tennessee:
- Law: Tennessee Data Security Breach Notification Law (TDSBNL)
- Requires businesses to notify affected residents of a breach without unreasonable delay. A personal data breach is a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
- Official Website: No Website available
Canada
- Authority: Office of the Privacy Commissioner of Canada (OPC)
- The Privacy Commissioner of Canada is an Agent of Parliament whose mission is to protect and promote privacy rights. The Office of the Privacy Commissioner of Canada (OPC) oversees compliance with the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law.
- Official Website: Office of the Privacy Commissioner of Canada
Alberta:
- Authority: Office of the Information and Privacy Commissioner of Alberta
- Responsible for overseeing information and privacy matters: protecting privacy rights, providing information on privacy issues, and ensuring compliance with privacy legislation.
- Official Website: Office of the Information and Privacy Commissioner of Alberta
British Columbia:
- Authority: Office of the Information and Privacy Commissioner for British Columbia
- It oversees privacy matters, promotes awareness, and ensures compliance with privacy legislation within the province.
- Official Website: Office of the Information and Privacy Commissioner for British Columbia
Ontario:
- Authority: Office of the Information and Privacy Commissioner of Ontario
- Its mandate includes protecting privacy rights, promoting transparency, and ensuring compliance with privacy legislation within the province.
- Official Website: Office of the Information and Privacy Commissioner of Ontario
Québec:
- Authority: Commission d'accès à l'information du Québec (CAIQ)
- Its responsibilities include safeguarding privacy rights, regulating access to information, and ensuring compliance with relevant legislation within the province.
- Official Website: Commission d'accès à l'information du Québec
Latin America (LATAM):
Argentina:
- Authority: Agencia de Acceso a la Información Pública (AAIP)
- The AAIP has developed four programs with the objective of strengthening transparency policies in public management, access to information and protection of personal data.
- Official Website: Agencia de Acceso a la Información Pública
Brazil:
- Authority: Autoridade Nacional de Proteção de Dados (ANPD)
- The National Data Protection Authority (ANPD) oversees personal data protection, LGPD regulation, implementation, monitoring, interpretation, and the establishment of standards, also ensuring compliance with commercial and industrial secrets under the LGPD framework.
- Official Website: Autoridade Nacional de Proteção de Dados
Chile:
- Authority: Subsecretaría de Economía y Empresas de Menor Tamaño
- This entity oversees matters related to the economy and to policies and regulations concerning smaller businesses, and may have a role in privacy and data protection.
- Official Website: Subsecretaría de Economía y Empresas de Menor Tamaño
Colombia:
- Authority: Superintendencia de Industria y Comercio (SIC)
- Responsible for overseeing industry and commerce. It plays a crucial role in enforcing laws related to competition, consumer protection, and data privacy.
- Official Website: Superintendencia de Industria y Comercio
Mexico:
- Authority: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI)
- INAI oversees compliance with laws related to transparency, freedom of information, and data protection, playing a crucial role in safeguarding privacy rights and promoting accountability in the handling of personal information by public and private entities.
- Official Website: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales
Uruguay:
- Authority: Agencia de Protección de Datos Personales (APDP)
- This agency oversees and regulates matters related to the protection of personal data, ensuring compliance with data protection laws, and safeguarding individuals' privacy rights in the country.
- Official Website: Agencia de Protección de Datos Personales
Guatemala:
- Authority: Superintendencia de Administración Tributaria (SAT)
- The Superintendencia de Administración Tributaria (SAT) in Guatemala is primarily responsible for tax administration and revenue collection. It may not serve as the primary authority for general data protection matters.
- Official Website: SAT Guatemala
Honduras:
- Authority: National Directorate of Data Protection
- The Honduran National Constitution safeguards habeas data, granting individuals the right to access records affecting personal honor and family privacy, with a key goal of data protection being the security and safeguarding of public information.
- Official Website: No Website available
Nicaragua:
- Authority: Nicaragua may not have a specific data protection authority
- Nicaragua does not have a specific data protection authority. The country's constitution protects the right to privacy, and the law aims to protect the personal information of individuals and legal entities.
- Official Website: No Website available
El Salvador:
- Authority: Superintendencia de Competencia (SC)
- The Competition Superintendency (SC) of El Salvador protects, promotes and guarantees competition. Its objective is to ensure fair play between companies and benefit consumers and economic efficiency.
- Official Website: Superintendencia de Competencia
Costa Rica:
- Authority: Agencia de Protección de Datos de los Habitantes (PRODHAB)
- The Residents' Data Protection Agency (Prodhab) is a public institution in Costa Rica that regulates and supervises the country's databases. It is attached to the Ministry of Justice and Peace.
- Official Website: PRODHAB
Panama:
- Authority: Autoridad Nacional de Transparencia y Acceso a la Información (ANTAI)
- The National Authority for Transparency and Access to Information (ANTAI) of Panama is the governing authority for compliance with the Transparency Law. ANTAI also supervises conventions, agreements, commitments, provisions, treaties, programs and any other national and international issue regarding prevention against corruption.
- Official Website: ANTAI
For Cuba, the Dominican Republic, Haiti, and island countries and territories, specific data protection authorities may not be readily available.