Privacy regulations overview

This document provides an overview of the different privacy regulations supported by Adobe Experience Cloud.

Through the use of Adobe Experience Platform Privacy Service, Experience Cloud supports access and delete requests based on the following regulations:

APA (Australia)
The Australia Privacy Act (Privacy Act) promotes and protects individuals’ privacy and regulates how Australian Government agencies and organization handle personal information. The Privacy Act includes principles that apply to private sector organizations. For example, individuals are afforded the right to understand why the personal information is being collected and how it will be used, the ability to access, erase their data, and correct personal information.
CPA (Colorado)
The Colorado Privacy Act (CPA) provides Colorado consumers additional insight into what personal data controllers collect, share, and sell, and how that data is used. The CPA protects the personal data of Colorado residents when they act in an individual or household context. These rules detail the technical specifications for one or more universal opt-out mechanisms. These mechanisms clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data.
CCPA (California)
The California Consumer Privacy Act (CCPA) enhances privacy rights and consumer protection for residents of California, United States. The CCPA provides new data privacy rights to California residents. They include the right to access and delete their personal data, to know whether their personal data is sold or disclosed (and to whom), and the right to opt out of having their data sold to third parties.
CPRA (California)
The California Consumer Privacy Rights Act (CPRA) expands and amends portions of the California Consumer Privacy Act (CCPA). The CPRA establishes a new baseline for consumer data privacy in California by increasing consumer rights and expanding the type of data covered through a broader definition of sensitive personal information. In addition, the CPRA established the California Privacy Protection Agency, a new agency dedicated to implementing and enforcing data privacy rules.
CTDPA (Connecticut)
The Connecticut Data Privacy Act is a comprehensive consumer privacy law for Connecticut residents and grants them certain rights over their personal data. It also establishes responsibilities and privacy protection standards for data controllers that process their personal data. The CTDPA protects a Connecticut resident acting as an individual or in a household context. The CTDPA grants them the following rights: to access, correct, delete, obtain a copy, or opt-out of the sale; processing; or profiling of their personal data.
GDPR (European Union)
The General Data Protection Regulation (GDPR) introduced several new data privacy rights for members of the European Economic Area (EEA), including the Right to Access and the Right to be Forgotten. These rights mean that any person living in the EEA whose personal data has been collected by your business can request to access or delete their data at any time.

The United Kingdom (post-Brexit) has its own version of the regulation, UK-GDPR, which provides its citizens with the same rights as the EEA version.
HIPAA (United States of America)
The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law created to improve healthcare efficiency, improve health insurance portability, and to protect the privacy of patients and health plan members. Under HIPAA, individuals have the right to access and amend their information and obtain copies of their medical records or health information. Covered entities and business associates of covered entities must follow the HIPAA regulations.
LGPD (Brazil)
The Lei Geral de Proteção de Dados (LGPD) aims to regulate the treatment of personal data of all individuals or natural persons in Brazil. The LGPD gives Brazil citizens the rights to access and delete their personal data, to know whether their personal data is sold or disclosed (and to whom), and the right to opt out of having their data sold to third parties.
MHMDA (Washington)
The Washington My Health My Data Act enhances privacy rights for consumers regarding their health data. It mandates disclosures, consumer consent, and deletion rights for health data, and prohibits the sale of health data without authorization. Additionally, the Act makes it unlawful to use geofencing around healthcare facilities.
New Zealand Privacy Act
The New Zealand Privacy Act controls how agencies can collect, use, disclose, store, and give access to the personal information of New Zealand citizens and organizations. In 2020, the latest version of the act introduced significant updates to these privacy laws. The updates include new offenses, increasing fines, mandatory notifications for data breaches, and increasing the powers of the Privacy Commissioner.
PDPA (Thailand)
The Personal Data Protection Act (PDPA) was introduced to safeguard Thai data owners from the illegal collection, use, or disclosure of their personal data. Inspired by the European Union’s GDPR, the regulation grants Thai citizens the right to request access to, or the deletion of, their stored personal data.
UCPA (Utah)
The Utah Consumer Privacy Act creates the right for a consumer to know what personal data a business collects, how the business uses their personal data, and whether the business sells their personal data. Consumers can require the business to delete or stop selling their personal data.
VCDPA (Virginia)
The Virginia Consumer Data Protection Act (VCDPA) provides new data privacy rights to Virginia residents (“Consumers”) including the right to access, delete, and correct personal data. Consumers also have the right to opt out of the sale of personal data, opt out of profiling based on personal data, and processing of personal advertising purposes.

Next steps

For more information on supported regulations, refer to the following documents:

To learn how to support customer access and delete requests for data stored on your Experience Cloud applications, refer to the guide on Privacy Service and Experience Cloud applications.