Privacy regulations overview

This document provides an overview of the different privacy regulations supported by Adobe Experience Cloud.

Through the use of Adobe Experience Platform Privacy Service, Experience Cloud supports access and delete requests based on the following regulations:

Regulation
Description
APA (Australia)
The Australia Privacy Act (Privacy Act) promotes and protects individuals’ privacy and regulates how Australian Government agencies and organizations handle personal information. The Privacy Act includes principles that apply to private-sector organizations. For example, individuals are afforded the right to understand why their personal information is being collected and how it will be used, and the ability to access, erase, and correct their personal information.
CPA (Colorado)
The Colorado Privacy Act (CPA) provides Colorado consumers additional insight into what personal data controllers collect, share, and sell, and how that data is used. The CPA protects the personal data of Colorado residents when they act in an individual or household context. These rules detail the technical specifications for one or more universal opt-out mechanisms. These mechanisms clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data.
CCPA (California)
The California Consumer Privacy Act (CCPA) enhances privacy rights and consumer protection for residents of California, United States. The CCPA provides new data privacy rights to California residents. They include the right to access and delete their personal data, to know whether their personal data is sold or disclosed (and to whom), and the right to opt out of having their data sold to third parties.
CPRA (California)
The California Consumer Privacy Rights Act (CPRA) expands and amends portions of the California Consumer Privacy Act (CCPA). The CPRA establishes a new baseline for consumer data privacy in California by increasing consumer rights and expanding the type of data covered through a broader definition of sensitive personal information. In addition, the CPRA established the California Privacy Protection Agency, a new agency dedicated to implementing and enforcing data privacy rules.
CTDPA (Connecticut)
The Connecticut Data Privacy Act is a comprehensive consumer privacy law for Connecticut residents and grants them certain rights over their personal data. It also establishes responsibilities and privacy protection standards for data controllers that process their personal data. The CTDPA protects a Connecticut resident acting as an individual or in a household context. The CTDPA grants them the following rights: to access, correct, delete, or obtain a copy of their personal data, and to opt out of the sale, processing, or profiling of their personal data.
DPDPA (Delaware)
The Delaware Personal Data Privacy Act (DPDPA) grants Delaware residents the rights to access, correct, and delete their personal data, and the right to opt out of personal data sales and targeted advertising. It applies to businesses processing data for at least 35,000 consumers or earning over 20% of their revenue from data sales affecting more than 10,000 consumers. The Act mandates consumer data protection practices, timely responses to consumer requests, and a 60-day cure period for violations, and is enforced by the Department of Justice.
FDBR (Florida)
The Florida Digital Bill of Rights (FDBR) provides comprehensive data privacy rights to Florida residents. This legislation ensures that individuals have the right to access, correct, delete, and obtain a copy of their personal data. It also prohibits certain conduct by online platforms, such as surveillance without consumer consent, and requires transparency in data practices, including clear privacy notices and the ability to opt out of the sale or processing of personal data for targeted advertising. The FDBR authorizes the Florida Department of Legal Affairs to enforce these rights and impose civil penalties for violations. Under the law, data controllers are obligated to respond to data subject requests within 45 days of receiving the request.
GDPR (European Union)
The General Data Protection Regulation (GDPR) introduced several new data privacy rights for members of the European Economic Area (EEA), including the Right to Access and the Right to be Forgotten. These rights mean that any person living in the EEA whose personal data has been collected by your business can request to access or delete their data at any time.

The United Kingdom (post-Brexit) has its own version of the regulation, UK-GDPR, which provides its citizens with the same rights as the EEA version.
HIPAA (United States of America)
The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law created to improve healthcare efficiency, improve health insurance portability, and protect the privacy of patients and health plan members. Under HIPAA, individuals have the right to access and amend their information and obtain copies of their medical records or health information. Covered entities and business associates of covered entities must follow the HIPAA regulations.
ICDPA (Iowa)
The Iowa Consumer Data Protection Act provides Iowa residents with rights to access, delete, and opt out of the sale of their personal data. It applies to businesses processing the data of over 100,000 Iowa residents or generating over 50% of their revenue from the sale of personal data. The ICDPA emphasizes consumer control over personal information but exempts certain organizations, including nonprofits and educational institutions. This Act also offers a 90-day cure period for businesses to rectify violations before penalties are applied.
LGPD (Brazil)
The Lei Geral de Proteção de Dados (LGPD) aims to regulate the treatment of personal data of all individuals or natural persons in Brazil. The LGPD gives Brazilian citizens the rights to access and delete their personal data, to know whether their personal data is sold or disclosed (and to whom), and to opt out of having their data sold to third parties.
MHMDA (Washington)
The Washington My Health My Data Act enhances privacy rights for consumers regarding their health data. It mandates disclosures, consumer consent, and deletion rights for health data, and prohibits the sale of health data without authorization. Additionally, the Act makes it unlawful to use geofencing around healthcare facilities.
MCDPA (Montana)
The Montana Consumer Data Privacy Act gives residents the right to know what personal data businesses collect, share, and sell, and the purpose of its use. It also grants consumers the ability to correct, delete, or obtain a copy of their collected data. This law applies to businesses processing the data of over 50,000 Montana consumers. The Act emphasizes the protection of sensitive personal data, including biometric and genetic information.
NDPA (Nebraska)
The Nebraska Data Protection Act provides Nebraskans with rights over their personal data, such as accessing, correcting, deleting, and opting out of its sale. The Act applies to businesses meeting specific thresholds for data processing and revenue from the sale of personal information. It also requires businesses to implement reasonable data security practices and provides a mandatory 30-day cure period for resolving compliance issues before penalties are imposed.
New Zealand Privacy Act
The New Zealand Privacy Act controls how agencies can collect, use, disclose, store, and give access to the personal information of New Zealand citizens and organizations. In 2020, the latest version of the act introduced significant updates to these privacy laws. The updates include new offenses, increasing fines, mandatory notifications for data breaches, and increasing the powers of the Privacy Commissioner.
NHDPA (New Hampshire)
The New Hampshire Privacy Act protects the personal information of New Hampshire residents by establishing consumer rights related to data access, deletion, and portability. It requires organizations to disclose their data collection and sharing practices and allows consumers to opt out of data sales. The Act applies to businesses that meet certain data processing thresholds.
NJDPA (New Jersey)
The New Jersey Data Protection Act grants New Jersey residents control over their personal data by providing rights to access, correct, and delete their information. It includes opt-out mechanisms for data sales and for targeted advertising. The Act covers businesses that process significant volumes of consumer data and mandates transparency in data usage.
OCPA (Oregon)
The Oregon Consumer Privacy Act (OCPA) provides Oregon residents with fundamental rights over their personal data and imposes obligations on businesses that process such data. Consumers have the right to know, correct, delete, and obtain a copy of their data, as well as opt out of data processing for targeted advertising or sales. The Act requires heightened protections for sensitive data, consent for data processing beyond specified purposes, and mandates comprehensive privacy notices from data controllers.
PDPA (Thailand)
The Personal Data Protection Act (PDPA) was introduced to safeguard Thai data owners from the illegal collection, use, or disclosure of their personal data. Inspired by the European Union’s GDPR, the regulation grants Thai citizens the right to request access to, or the deletion of, their stored personal data.
QL25 (Quebec)
The Quebec Law 25 (QL25) enhances privacy rights for Quebec residents to align with global standards. The act mandates explicit consent, data minimization, and rights for residents to access, correct, delete, and transfer their personal data. Organizations must also appoint a privacy officer, conduct privacy impact assessments, and notify breaches. Legally enforced compliance deadlines and substantial penalties apply for non-compliance.
TDPSA (Texas)
The Texas Data Privacy and Security Act (TDPSA) regulates the collection, use, processing, and treatment of consumers’ personal data in Texas. Effective July 1, 2024, it grants residents rights to access, correct, delete, and obtain copies of their data, and to opt out of targeted advertising and data sales. The law applies to entities conducting business in Texas or producing products/services consumed by Texas residents, excluding small businesses and certain other organizations. Violations can incur civil penalties.
UCPA (Utah)
The Utah Consumer Privacy Act creates the right for a consumer to know what personal data a business collects, how the business uses their personal data, and whether the business sells their personal data. Consumers can require the business to delete or stop selling their personal data.
VCDPA (Virginia)
The Virginia Consumer Data Protection Act (VCDPA) provides new data privacy rights to Virginia residents (“Consumers”), including the right to access, delete, and correct personal data. Consumers also have the right to opt out of the sale of personal data, of profiling based on personal data, and of the processing of personal data for advertising purposes.

Next steps

For more information on supported regulations, refer to the following documents:

To learn how to support customer access and delete requests for data stored on your Experience Cloud applications, refer to the guide on Privacy Service and Experience Cloud applications.
