Thanks to our most recent update, Termly’s Privacy Policy Generator now covers eight more data privacy laws:
- The Colorado Privacy Act (CPA)
- The Connecticut Personal Data Privacy Online Monitoring Act (CTDPA)
- Utah’s Consumer Privacy Act (UCPA)
- The Australia Privacy Act 1988
- The New Zealand Privacy Act 2020
- Quebec’s Law 25
- Switzerland’s Federal Act on Data Protection (FADP)
- The South Africa Protection of Personal Information Act (POPIA)
That means, in total, our generator accommodates 15 different data privacy laws from around the world.
Quick Summary of Termly’s Update: The 8 Laws
Our legal team, product engineers, and data privacy experts incorporated updates to our Privacy Policy Generator so it can help businesses comply with eight more data privacy laws:
- The Colorado Privacy Act (CPA)
- The Connecticut Personal Data Privacy Online Monitoring Act (CTDPA)
- The Utah Consumer Privacy Act (UCPA)
- The Australia Privacy Act 1988
- The New Zealand Privacy Act 2020
- Quebec’s Law 25
- Switzerland’s Federal Act on Data Protection (FADP)
- The South Africa Protection of Personal Information Act (POPIA)
These laws join the following legislation our generator and template can accommodate:
- The General Data Protection Regulation (GDPR)
- The UK GDPR
- The ePrivacy Directive (EU Cookie Law)
- The Amended California Consumer Privacy Act (CCPA)
- The California Online Privacy Protection Act (CalOPPA)
- The Virginia Consumer Data Protection Act (VCDPA)
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
What Are the CPA, the CTDPA, and the UCPA?
The Colorado Privacy Act (CPA), the Connecticut Personal Data Privacy Online Monitoring Act (CTDPA), and the Utah Consumer Privacy Act (UCPA) are three different U.S. state data privacy laws.
While the CPA and the CTDPA entered into force on July 1, 2023, the UCPA enters into force on December 31, 2023.
The guidelines outlined by the CPA covers Colorado consumers, the CTDPA protects Connecticut residents, and the UCPA covers Utah consumers.
In the next sections, learn more about what businesses these laws impact.
CPA
You must comply with the CPA if you conduct business in Colorado or sell products and services to residents of the state and meet one (or more) of the following requirements:
- Processes or controls the personal data of 100,000 or more consumers annually
- Processes or controls the personal data of 25,000 or more consumers annually and derives revenue or receives discounts from the sale of personal data
Some of the legal obligations businesses under this law must meet include:
- Providing consumers with a reasonably accessible privacy policy that features specific information
- Describing consumer rights under the law and explaining how they can act on those rights
- Giving consumers a way to opt out of the sale of their data, targeted advertising, and profiling
CTDPA
You must comply with the CTDPA if you conduct business in or target products and services to residents of Connecticut and meet either of the following in the preceding calendar year:
- Processed or controlled personal data of 100,000 or more consumers
- Processed or controlled personal data of 25,000 or more consumers and earned more than 25% of your total revenue through the sale of personal data
Under this law, businesses must meet several legal requirements, which include:
- Presenting consumers with a clear, meaningful privacy policy that satisfies specific legal standards
- Obtaining consent from users before collecting any sensitive personal information
- Providing a way for consumers to act on their opt-out rights for particular processing activities, like targeted advertising
UCPA
You must comply with the UCPA if your business meets all three of the following thresholds:
- You conduct business in Utah or target services and products to Utah residents
- Your gross annual revenue is at least $25 million
- You process or control the personal data of at least 100,000 consumers or make more than 50% of your revenue from selling data and control or process the information of at least 25,000 consumers
The UCPA obligates businesses to:
- Present users with a comprehensive privacy policy
- Implement reasonable security measures to protect personal data
- Provide a way for consumers to opt out of certain types of data processing
How Termly Is Helping Our Users Comply With the CPA, the CTDPA, and the UCPA
We’ve updated portions of our Privacy Policy Generator and template to help our users comply with the CPA, the CTDPA, and the UCPA.
It now includes the appropriate sections, clauses, and information required by all three U.S. state privacy laws.
If you want to include any of these laws in your privacy policy, select ‘Yes’ when asked if you have consumers in the United States.
Current Termly customers receive an email whenever we update our generators explaining what steps to take to update their policies accordingly.
What Is the Australia Privacy Act 1988 and New Zealand Privacy Act 2020?
Australia and New Zealand each have comprehensive consumer data protection laws, the Australia Privacy Act 1988 and the New Zealand Privacy Act 2020.
These laws protect the personal data of residents of Australia and New Zealand by providing them with rights and control over how that information is collected, processed, and used.
Each law also describes specific requirements businesses must follow to legally use data from residents in either country.
In the next sections, learn more about who falls under these laws and what’s required of those covered entities.
Australia Privacy Act 1988
Your business must comply with the Privacy Act 1988 if you are an Australian government agency or your annual turnover exceeds $3 million (USD 2 million).
Protected consumers have the right to receive information about what data an entity collects about them, how they use it, and who they disclose it to, all of which impact privacy policies.
Additionally, consumers can request to stop receiving unwanted direct marketing and make complaints about organizations they believe mishandled their information.
New Zealand Privacy Act 2020
You’re subject to following the New Zealand Privacy Act 2020 if you collect or hold personal information about New Zealand consumers.
Under this law, consumers have the right to know what personal data businesses collect from them and why and how the data gets used, which is achievable by posting a privacy statement (a.k.a. privacy policy).
In total, 13 information privacy principles govern how covered businesses and organizations can collect, handle, and use the personal data of protected New Zealand consumers.
The privacy policy obligations fall under the first four principles dictating data collection.
How Termly Is Helping Our Users Comply with the Australia Privacy Act 1988 and New Zealand Privacy Act 2020
To help Termly customers comply with the Australia Privacy Act 1988 and/or the New Zealand Privacy Act 2020, we updated our Privacy Policy Generator to include the required details outlined by both laws.
When using the generator, select the appropriate checkboxes to denote that you want your policy to comply with the Australian and New Zealand regulations.
You’ll see these options pop up during the ‘Review Your Privacy Policy’ section.
Our current Termly customers receive emails about changes we make to our compliance tools, including directions for updating their policies accordingly.
What Is Quebec’s Law 25?
Quebec’s Law 25 is the comprehensive data protection law that protects the personal data of residents of the province of Quebec.
You must comply with this law if you offer goods or services in Quebec and collect personal data, regardless of where your business is located.
It explicitly requires businesses to publish a “confidentiality policy” (aka privacy policy) using clear, straightforward language.
In addition, businesses must appoint a Data Protection Officer and perform privacy impact assessments.
How Termly Is Helping Our Users Comply with Quebec’s Law 25
We’ve added the appropriate sections to our privacy policy generator so businesses can choose to comply with Quebec’s Law 25. The language used is written in a simple, straightforward manner to meet the standards of the law.
To add this law to your policy, simply select that checkbox denoting that you have users in Canada.
Later, you can verify that your policy includes the provisions in the ‘Review Your Privacy Policy’ section.
What Is the Swiss FADP?
Switzerland’s Federal Act on Data Protection is the leading data privacy regulation in the country.
It was recently amended to better align Swiss data privacy law with the GDPR, allowing the country to maintain its status as an adequate country for data transfers.
Any business that provides goods or services in Switzerland and collects data of any natural persons in the region must comply with this law.
Under this law, you’re required to provide a privacy notice to consumers about any data processing activities you perform.
How Termly Is Helping Our Users Comply With the Swiss FADP
To help our users comply with the Swiss FADP, we added the appropriate details to our Privacy Policy Generator during the last update.
When asked where your users are located, ensure you select ‘Yes’ to the question, “Do you have users in the EU, UK, Switzerland, Iceland, Liechtenstein, or Norway?”
You can verify that the FADP sections were added to your policy at the end during the Review Your Privacy Policy’ section.
What Is POPIA?
The Protection of Personal Information Act, or POPIA, is the comprehensive consumer data protection law in South Africa.
You must comply with POPIA if your company processes personal data and is located in South Africa or if you’re located elsewhere but make use of processing within the country (including both automated or non-automated means).
Under this regulation, consumers have the right to be informed about the personal data collected about them, which is achievable by providing a comprehensive privacy policy.
Covered entities must also have a legally compliant reason for processing personal data, which mirrors the legal basis described by the GDPR.
In addition, consumers can request to access, correct, destroy, or delete their data and opt out of certain processing activities, either entirely or for specific purposes.
How Termly Is Helping Our Users Comply With POPIA
To help our customers easily add POPIA requirements to their privacy policies, we’ve added relevant clauses and information to our Privacy Policy Generator.
When answering questions in the ‘Review Your Policy Coverage’ section, select the POPIA checkbox.
If you’re a current Termly customer, you’ll receive an email covering the changes we make to our compliance tools, including directions for updating your policies accordingly.
Termly Is Always Up To Date
Our mission is to help simplify privacy compliance for businesses of all sizes, which means ensuring our products keep up with new, existing, changing, and emerging data privacy laws.
We regularly update our policy generators and consent solutions to account for as many relevant data privacy laws and regulations as possible that may impact our customers.
Our legal team and data privacy experts back all changes.
Plus, we inform our users about these necessary updates by sending out informative emails, creating press releases, and publishing support articles.
While we currently account for 15 major data privacy regulations, we promise to keep improving our offerings by incorporating other pieces of legislation as they enter into action.
Summary
Thanks to the hard work of our legal team and product engineers, our Privacy Policy Generator can now help you comply with a total of 15 significant data privacy regulations.
You can expect that number to continue to grow and adapt, along with data privacy laws that keep getting introduced and enacted around the world.
More about the author
Written by Etienne Cussol CIPP/E, CIPM
Etienne is an Information Privacy professional and compliance analyst for Termly. He has been with us since 2021, managing our own compliance with data protection laws and participating in our marketing researches. His fields of expertise - and interest - include data protection (GDPR, ePrivacy Directive, CCPA), tracking technologies (third-party cookies, fingerprinting), and new forms of privacy management (GPC and the Google Privacy Sandbox). Etienne studied International Economic Affairs at the University of Toulouse, and graduated with a Masters in 2017. More about the author
