JWT Privacy Group

Your Full Service Privacy Consultants

Compliance through People, Process and Technology

Frequently Asked Questions

Alberta PIPA

Protects personal information that is collected, used or disclosed by private-sector organizations in the province of Alberta. Balances the rights of individuals and the needs of organizations to collect, use and disclose personal information for reasonable purposes.


Governs within the province of BC the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act gives residents of California more control over the personal information that businesses collect about them and provides guidance on how to implement the law. Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.


The Federal Trade Commission Act for Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations. Each separate email in violation of the CAN-SPAM Act is subject to penalties, so non-compliance can be costly.

Despite its name, the CAN-SPAM Act doesn’t apply just to bulk email. It covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including email that promotes content on commercial websites. The law makes no exception for business-to-business email. That means all email – for example, a message to former customers announcing a new product line – must comply with the law.

Can’t I just deal with it if something goes wrong?

Think of it like insurance. You can’t buy a policy to cover something that happened yesterday. It’s best practice to proactively manage privacy and data protection. Being prepared significantly reduces your risk of a data breach and sends a clear message to your customers and staff.


Canada’s Anti-Spam Legislation is the federal law dealing with spam and other electronic threats. It is meant to protect Canadians while ensuring that businesses can continue to compete in the global marketplace.

Colorado Privacy Act (CPA)

The Colorado General Assembly passed the Colorado Privacy Act which became effective on July 1, 2023. The CPA doesn’t include a private right of action but does carry rights to access and correct data. It also provides for several controller obligations including a one-stop, one-click opt out mechanism and a required data protection assessment.

The CPA strikes a degree of balance between protecting consumer privacy and allowing businesses to remain vibrant while staying compliant. The basic framework follows the trend of adopting a controller/processor approach rather than a California Consumer Privacy Act-like business/service provider distinction. It lays a foundation that lawmakers are expected to continue to refine.

Connecticut Data Privacy Act (CTDPA)

The CTDPA was signed on May 10, 2022 and came into effect on July 1, 2023 as a comprehensive consumer privacy law. The Act gives Connecticut residents certain rights over their personal data and establishes responsibilities and privacy protection standards for data controllers that process personal data. It protects a Connecticut resident acting in an individual or household context, such as browsing the Internet or making a purchase at a store. It does not protect an individual acting in an employment context, such as applying for a job.

Connecticut residents now have the right to access, correct, delete, or obtain a copy of their personal data when it is collected, processed or stored by private enterprises for commercial purposes. The CTDPA also provides the right to opt out of the sale of their data and of its processing for targeted advertising or profiling.

Entities or individuals that violate Connecticut’s new privacy law may face civil penalties up to $5,000 per violation, pursuant to the Connecticut Unfair Trade Practices Act. In addition to civil penalties, the Attorney General can also seek injunctive relief, restitution, and/or disgorgement.


A Data Protection Impact Assessment is a combination of a Threat Risk Assessment and a Privacy Impact Assessment. It’s designed to identify risks arising out of the processing of personal data and to minimize these risks as far and as early as possible. DPIAs are important tools for negating risk, and for demonstrating compliance with privacy regulations. 

Doesn’t my IT person do this already?

No. Cybersecurity is an important component but compliance requires more than technology. You must also align your processes, educate staff, assign responsibilities and have a mitigation plan in case of breach.


Freedom of Information and Protection of Privacy Act (FIPPA) sets out the access and privacy rights of individuals as they relate to the public sector. FIPPA establishes an individual’s right to access records in the custody or control of a “Public Body”, including access to one’s own personal information. In addition to establishing an individual’s right to access records, FIPPA also sets out the terms under which a public body can collect, use and disclose the personal information of individuals. Public bodies are held accountable for their information practices.
FIPPA requires that public bodies protect personal information by making reasonable security arrangements against unauthorized access, collection, use, disclosure or disposal. There are regulations for provincial and federal public bodies.


The General Data Protection Regulation (GDPR) is a regulation that harmonizes national data privacy laws throughout the EU and enhances the protection of all EU residents with respect to their personal data.

Gramm-Leach-Bliley Act of 1999 (GLBA)

The Gramm-Leach-Bliley Act was enacted on November 12, 1999 and required full compliance by July 1, 2001. In addition to reforming the financial services industry, the Act addressed concerns relating to consumer financial privacy. The Gramm-Leach-Bliley Act required the Federal Trade Commission (FTC) and other government agencies that regulate financial institutions to comply with obligations laid out in the Act’s financial privacy provisions (the Privacy Rule) to implement safeguards, provide notice, limit disclosure, conduct assessments, provide training and appoint a responsible person.

The GLB Act covers a broad range of financial institutions, including many companies not traditionally considered to be financial institutions because they engage in certain “financial activities”, including 1) lending, exchanging, transferring, investing for others; 2) safeguarding money or securities; 3) providing financial, investment or economic advisory services; 4) debt collecting; 5) providing real estate settlement services; and 6) career counseling to individuals seeking employment in the financial services industry. Any entity that receives consumer financial information from a financial institution may be restricted in its reuse and re-disclosure of that information.

The FTC is responsible for enforcing its Privacy of Consumer Financial Information Rule (Privacy Rule). The Privacy Rule requires financial institutions to provide particular notices and to comply with certain limitations on disclosure of nonpublic personal information to both affiliated and nonaffiliated third parties. Additionally, consumers must be allowed to opt out of the disclosure of their nonpublic personal information to a nonaffiliated third party if the disclosure is outside of the exceptions.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, requires Health and Human Services and health care professionals to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

I’m busy. How much of my time will this take?

Your commitment is the biggest requirement. Our flexible solutions will be customized to match your availability and your business needs.

Indiana Consumer Data Protection Act (CDPA)

Indiana signed a consumer data protection bill on May 01 2023, thereby enacting the Consumer Data Protection Act, which will enter into effect on January 01 2026. The CDPA introduces obligations for data controllers and processors, including transparency obligations, such as the requirement to provide privacy notices, data security obligations, as well as a requirement to conduct and document Data Protection Impact Assessments (‘DPIAs’) in specific circumstances.

Additionally, the CDPA contains provisions that govern controller/processor relationships as well as data subject rights to confirm whether or not the controller is processing the consumer’s personal data, the rights of access, deletion, correction, and the right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling. The CDPA provides the Attorney General with enforcement powers, but does not provide a private right of action.

While originally modeled on the EU General Data Protection Regulation (GDPR) and California’s CCPA, the Indiana law evolved into one more similar to the Virginia law after a joint effort from the state’s legislative and business communities. Covered entities under this law have time to be in full compliance since the act becomes effective in 2026. Implementing new compliance measures will not involve much extra work if they are already on track to comply with the Virginia law.

Iowa Consumer Data Protection Act (ICDPA)

On March 28 2023, Iowa signed an act relating to consumer data protection, thereby enacting the ICDPA, which will enter into effect on January 01 2025. The ICDPA introduces obligations for data controllers and processors, including disclosure and vendor management requirements, and establishes new consumer rights such as the rights to access, deletion and confirmation (to be informed), and the right to opt out of targeted advertising and the sale of personal data. The ICDPA provides the state’s Attorney General with enforcement powers but does not provide a private right of action.

Is my company legally required to have a privacy policy?

It depends on the privacy regulations for your location and also where your customers are located. Customers actively seek out businesses with good data privacy practices so a privacy policy is good for your business.

Montana Consumer Data Privacy Act (MCDPA)

Montana signed an act to establish the CDPA on May 18, 2023, which will enter into effect October 1, 2024. The CDPA introduces obligations for controllers, including implementing administrative, technical, and physical data security practices, limiting the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to its purposes, and the requirement to conduct Data Protection Assessments. The CDPA also requires a contract between data controllers and data processors to govern procedures performed on the controller’s behalf.

The CDPA provides for personal data rights, including the right to confirm whether a controller is processing their personal data, access, correct, delete, and obtain a copy of such personal data, as well as the right to opt-out of certain processing activities. Furthermore, the CDPA provides the Attorney General with enforcement powers, but does not provide a private right of action.

In addition, the State has its own data breach requirements which require, among other things, that a person or business must disclose any breach of the security of the data system following discovery or notification of the breach. Moreover, the Attorney General’s Office of Consumer Protection needs to be simultaneously notified alongside individuals in the event of a personal data breach.


The Payment Card Industry has developed standards for compliance through adherence to the set of policies and procedures developed to protect credit, debit and cash card transactions and prevent the misuse of cardholders’ personal information.

There are 12 main requirements, grouped under six overarching goals, which a vendor must complete as part of its PCI compliance checklist. This is a prime example of how technology (cyber security) and privacy requirements are interdependent in protecting an individual’s personal information.


In America, the HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

In Canada, the appropriate management of personal health information is extremely important. Ontario, Newfoundland and Labrador, New Brunswick and Nova Scotia have laws that apply to personal health information within their specific provinces. BC, Alberta and Quebec have privacy laws that cover the management of all personal information.

If a province or territory doesn’t have specific legislation, the federal law, PIPEDA, governs the management of personal information including personal health information.

When more than one law applies, you must comply with all applicable regulations.


The Personal Information Protection and Electronic Data Act is a federal regulation under which organizations covered by PIPEDA must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy.

Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, it must obtain consent again. Personal information must be protected by appropriate safeguards.

Privacy Act (Canada)

This Act extends Canadian laws to protect the privacy of personal information held by a government institution and provide individuals with a right of access to that information.

Privacy Act (USA)

The Privacy Act of 1974 establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is under the control of a federal agency. The Act prohibits the disclosure of a record about an individual without their written consent, unless the disclosure is pursuant to one of twelve statutory exceptions. 

Quebec Private Sector Act

Regulates in Quebec the collection, use, and disclosure of personal information by private organizations (referred to as ‘enterprises’).


A Subject Access Request can be made by anyone who wants to know if you hold their personal data.

Tennessee Information Protection Act (TIPA)

The TIPA sets out obligations for businesses covered by its scope, such as risk assessments, data minimization requirements, and obtaining opt-in consent for processing sensitive personal information. It establishes consumer rights, including the right to know, access, correction, deletion, and data portability, as well as a right to opt out of the sale of personal information, targeted advertising, and profiling. 

TIPA is closely modeled on Virginia’s Privacy Act that went into effect on January 1 of this year. The frameworks share key definitions, business obligations, and core consumer rights. However, the Tennessee proposal contains some unique deviations, including 1) applicability to a narrower range of businesses; 2) a definition of “pseudonymous data” that has yet to be interpreted and enforced; 3) an exception for licensed insurance companies; and 4) a 60-day period to cure any alleged violation of the Act. TIPA also uses the NIST Privacy Framework as the standard to safeguard consumer privacy.

Texas Data Privacy and Security Act (TDPSA)

On June 18, 2023, Texas signed the Texas Data Privacy and Security Act, which will enter into effect on July 1, 2024. The ability for consumers to direct a third party to opt out of processing their personal data on their behalf enters into effect on January 1, 2025.

The TDPSA protects consumer information by ensuring that an individual’s personal data is limited to what is adequate, relevant and reasonably necessary to the purposes for which that personal data is processed. Similar to the Health Insurance Portability and Accountability Act (HIPAA), the TDPSA also requires controllers to protect the confidentiality, integrity and accessibility of personal data by establishing, implementing and maintaining reasonable administrative, technical and physical data security practices that are appropriate to the volume and nature of the personal data at issue. 

The TDPSA empowers Texas residents to seek information on how their personal data is being used or processed by a controller. The TDPSA includes several rights consumers may exercise to better understand how their personal data is collected and used, including correcting inaccuracies in a consumer’s personal information and deleting personal data provided by or obtained about a consumer. Importantly, consumers may also opt out of processing their personal data for targeted advertising, the sale of personal data or profiling.

Unlike the previous nine state privacy acts, the TDPSA is applicable to entities AND individuals that 1) conduct business in Texas or produce a product or service consumed by Texas residents, 2) process or engage in the sale of personal data and 3) are not considered “small businesses” by the U.S. Small Business Administration. Furthermore, Texas has a range of sector-specific privacy regulations governing health data, financial data, biometric data, and unsolicited commercial communications. These include the Identity Theft Enforcement and Protection Act (‘the Identity Theft Act’) that contains general privacy provisions for the protection of personal identifying information and sensitive personal information.

Utah Consumer Privacy Act (UCPA)

On March 24th, 2022, the Utah Consumer Privacy Act was signed into law; it becomes effective on December 31, 2023. The Utah Consumer Privacy Act is similar to California, Nevada, Virginia, and Colorado state privacy laws.

The new privacy law includes broad definitions of personal and sensitive data, and requires controllers of data to provide notice to consumers of collection of personal data, and practice data minimization with appropriate security measures in place to protect personal data after collection.

The law provides authority to the Attorney General to enforce its provisions and to seek recovery for actual damages of any consumer, and $7500 per violation per law. Companies that are in scope of the new privacy law must have an annual revenue of at least $25 million, and do business or market their product and service to Utah residents. Additionally, the entity must either process or control data of at least 100,000 Utah residents or derive at least half of its gross revenue from the sale of personal data and control the data of at least 25,000 consumers.

Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act was signed on March 2, 2021 and became effective as of Jan 01 2023. The VCDPA applies to businesses that produce products or provide services and either (1) control or process personal data of at least 100,000 Virginia residents, or (2) derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 Virginia residents.

The VCDPA provides a variety of privacy rights to Virginia consumers. Businesses are obligated to provide disclosures and respond to consumer data subject requests (DSRs). They must also comply with certain data processing requirements including data minimization, implement reasonable data security practices and conduct a Data Protection Assessment (DPA).

Consumers are protected against discrimination if/when they elect to exercise their rights and have the ability to opt-out of the sale of their personal data, targeted advertising, and certain profiling.

VCDPA exempts certain organizations including state agencies, financial institutions (subject to the Gramm-Leach-Bliley Act), entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA), non-profit organizations and higher education institutions.

What is Personally Identifiable Information?

Personally Identifiable Information, which we refer to as PII, is information about an individual that can be used to distinguish or trace an individual’s identity. Sometimes this is called linked data because it is information that is linked or linkable to an individual. It can be either a single piece of information or a combination of pieces that, when used together, specifically identifies someone.

Some examples of PII are name, social security or social insurance number, date and place of birth, mother’s maiden name, biometric records, medical, educational, financial, and employment information.
