ABCDEFGHIJKLMNOPQRSTUVWXYZAAABACADAEAFAGAHAIAJAKALAMANAOAPAQARASATAUAVAWAXAYAZBABBBCBDBEBFBGBHBIBJBKBLBMBNBOBPBQBRBSBTBUBVBWBXBYBZCACBCCCDCECFCGCHCICJCKCLCMCNCOCPCQCRCSCTCUCV
1
2
Cross-Jurisdiction Privacy Project (CJPP) Legal Specifications
3
IAB Legal Affairs Council | July 2021
4
JurisdictionLawPurposes and methods for processing personal information
5
6
Australia
Advertising & Content Purposes
Measurement, Research, and Reporting PurposesInternal Purposes
7
Jurisdiction-Specific Purpose: Basic advertising (P2, SP2)
Jurisdiction-Specific Purpose: Select personalized ads (P4)
Jurisdiction-Specific Purpose: Create a personalized ads profile (P3)
Jurisdiction-Specific Purpose: Purpose - Content personalization (P5,6)
8
Disclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processing
9
Privacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate Interest
10
Privacy Act (1988) & Spam Act (2003)RequiredOptionalPermittedPermittedPermittedPermittedRequiredN/AN/A"We note that APP 5 requires entities to take reasonable steps to notify individuals of various matters which are not limited to the third parties, or types of third parties, to whom they usually disclose personal information of the kind collected.

We also note that, with respect to the conditions for processing referred to in this section:

- where APP 7.2 applies, entities should be selecting both the “Implied” and “Opt Out” options;
- where APP 7.3 applies, and consent has been obtained, entities should be selecting both the “Consent” and “Opt Out” options;
- where APP 7.3 applies, and it was impracticable to obtain consent, entities should be selecting the “Opt Out” option only; and
- where APP 7.4 applies, entities should be consulting the separate section dealing with “sensitive information”.

We note also that, pursuant to APP 7.5, personal information may also be used or disclosed for the purpose of direct marketing where:

- the organisation is a contracted service provider for a Commonwealth contract;
- the organisation collected the information for the purpose of meeting (directly or indirectly) an obligation under the contract; and
- the use or disclosure is necessary to meet (directly or indirectly) such an obligation.

This section also assumes that:

- APP 7, and not the Spam Act, applies;
- the relevant entities are organisations or agencies that APP 7 applies to by virtue of s 7A of the Privacy Act; and
- entities will enter into binding agreements with any third parties to whom they disclose personal information for the purpose stated above and those agreements will include appropriate privacy and confidentiality obligations."		RequiredOptionalPermittedPermittedPermittedPermittedRequiredN/AN/A"We note that APP 5 requires entities to take reasonable steps to notify individuals of various matters which are not limited to the third parties, or types of third parties, to whom they usually disclose personal information of the kind collected.

We also note that, with respect to the conditions for processing referred to in this section:

- where APP 7.2 applies, entities should be selecting both the “Implied” and “Opt Out” options;
- where APP 7.3 applies, and consent has been obtained, entities should be selecting both the “Consent” and “Opt Out” options;
- where APP 7.3 applies, and it was impracticable to obtain consent, entities should be selecting the “Opt Out” option only; and
- where APP 7.4 applies, entities should be consulting the separate section dealing with “sensitive information”.

We note also that, pursuant to APP 7.5, personal information may also be used or disclosed for the purpose of direct marketing where:

- the organisation is a contracted service provider for a Commonwealth contract;
- the organisation collected the information for the purpose of meeting (directly or indirectly) an obligation under the contract; and
- the use or disclosure is necessary to meet (directly or indirectly) such an obligation.

This section also assumes that:

- APP 7, and not the Spam Act, applies;
- the relevant entities are organisations or agencies that APP 7 applies to by virtue of s 7A of the Privacy Act; and
- entities will enter into binding agreements with any third parties to whom they disclose personal information for the purpose stated above and those agreements will include appropriate privacy and confidentiality obligations."		RequiredOptionalPermittedPermittedPermittedPermittedRequiredN/AN/AWe note that APP 5 requires entities to take reasonable steps to notify individuals of various matters which are not limited to the third parties, or types of third parties, to whom they usually disclose personal information of the kind collected.

We also note that, with respect to the conditions for processing referred to in this section:

- where APP 7.2 applies, entities should be selecting both the “Implied” and “Opt Out” options;
- where APP 7.3 applies, and consent has been obtained, entities should be selecting both the “Consent” and “Opt Out” options;
- where APP 7.3 applies, and it was impracticable to obtain consent, entities should be selecting the “Opt Out” option only; and
- where APP 7.4 applies, entities should be consulting the separate section dealing with “sensitive information”.

We note also that, pursuant to APP 7.5, personal information may also be used or disclosed for the purpose of direct marketing where:

- the organisation is a contracted service provider for a Commonwealth contract;
- the organisation collected the information for the purpose of meeting (directly or indirectly) an obligation under the contract; and
- the use or disclosure is necessary to meet (directly or indirectly) such an obligation.

This section also assumes that:

- APP 7, and not the Spam Act, applies;
- the relevant entities are organisations or agencies that APP 7 applies to by virtue of s 7A of the Privacy Act; and
- entities will enter into binding agreements with any third parties to whom they disclose personal information for the purpose stated above and those agreements will include appropriate privacy and confidentiality obligations.		RequiredOptionalPermittedPermittedOptionalOptionalOptionalN/AN/AWe note that APP 5 requires entities to take reasonable steps to notify individuals of various matters which are not limited to the third parties, or types of third parties, to whom they usually disclose personal information of the kind collected.

This section also assumes that:

- individuals would reasonably expect their personal information to be used or disclosed for the purpose stated above and that this purpose is related to the primary purpose for which the personal information was collected (noting that a different test applies in the case of sensitive information); and

- entities will enter into binding agreements with any third parties to whom they disclose personal information for the purpose stated above and those agreements will include appropriate privacy and confidentiality obligations.		RequiredOptionalPermittedPermittedOptionalOptionalOptionalN/AN/AWe note that APP 5 requires entities to take reasonable steps to notify individuals of various matters which are not limited to the third parties, or types of third parties, to whom they usually disclose personal information of the kind collected.

This section also assumes that:

- individuals would reasonably expect their personal information to be used or disclosed for the purposes stated above and that those purposes are related to the primary purpose for which the personal information was collected (noting that a different test applies in the case of sensitive information); and

- entities will enter into binding agreements with any third parties to whom they disclose personal information for the purposes stated above and those agreements will include appropriate privacy and confidentiality obligations.		RequiredOptionalPermittedPermittedOptionalOptionalOptionalN/A
11
Privacy Act Amendments (proposed)?????????????????????????????????????????????????????
12
13
Brazil
Advertising & Content Purposes
Measurement, Research, and Reporting Purposes
Internal Purposes
14
Jurisdiction-Specific Purpose: Purpose 2 - Select Basic Ads
Jurisdiction-Specific Purpose: Purpose 3 - Create a personalized ads profile
Jurisdiction-Specific Purpose: Purpose 4 - Select personalized ads
Jurisdiction-Specific Purpose: Special Purpose 2 - Technically deliver ads or content
Jurisdiction-Specific Purpose: Purpose 5 - Create a personalized content profile
Jurisdiction-Specific Purpose: Purpose 6 - Select personalized contentJurisdiction-Specific Purpose: Purpose 7 - Measure ad performanceJurisdiction-Specific Purpose: Purpose 8 - Measure content performanceJurisdiction-Specific Purpose: Purpose 9 - Apply market research to generate audience insightsJurisdiction-Specific Purpose: Purpose 10 - Develop and improve products
15
Disclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processing
16
Privacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate Interest
17
General Personal Data Protection Law (LGPD)RequiredOptionalRequiredN/APermittedN/AN/APermittedN/ARegarding names of third parties, it will only be mandatory to provide said information if the data subject especifically requires, by means of a access to personal data request, the names of the third parties with whom the personal data at hand is being shared with.

Also, the controller may not specify the names of third parties in response to data access requests if it is part of its trade secret.

Though not explicitly required under the LGPD, controllers often consider implementing opt-out mechanisms in their maketing communications whenever relying on legitimate interesets.		RequiredOptionalRequiredN/APermittedN/AN/APermittedN/ARequiredOptionalRequiredN/APermittedN/AN/APermittedN/ARequiredOptionalRequiredN/APermittedN/AN/APermittedN/ARequiredOptionalRequiredN/APermittedN/AN/APermittedN/ARequiredOptionalRequiredN/APermittedN/AN/APermittedN/ARequiredOptionalRequiredN/APermittedN/AN/APermittedN/ARequiredOptionalRequiredN/APermittedN/AN/APermittedN/ARequiredOptionalRequiredN/APermittedN/AN/APermittedN/ARequiredOptionalRequiredN/APermittedN/AN/APermitted
18
19
CaliforniaAdvertising & Content PurposesMeasurement, Research, and Reporting PurposesInternal Purposes
20
Jurisdiction-Specific Purpose: Select Basic Ads
Jurisdiction-Specific Purpose: Create a personalized ads profileJurisdiction-Specific Purpose: Select personalized adsJurisdiction-Specific Purpose: Technically deliver adsJurisdiction-Specific Purpose: Create a personalized content profile
Jurisdiction-Specific Purpose: Measure ad performance
Jurisdiction-Specific Purpose: Apply market research to generate audience insights
21
Disclosure requirementsConditions for processingDisclosure requirements
Conditions for processing
Disclosure requirementsConditions for processingDisclosure requirements
Conditions for Processing
Disclosure requirements
Conditions for processing
Disclosure requirements
Conditions for processing
Disclosure requirements
Conditions for processing
Disclosure requirements
Conditions for processing
22
Privacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate Interest
23
CCPARequiredOptionalRequiredN/AN/AN/APermittedN/APermitted (1;2;3;4;7;11;12)It's unclear whether selecting basic ads generally involves a "sale" of PI; but there is broad agreement it may be undertaken by a service provider for a business purpose.RequiredOptionalRequiredN/AN/AN/ARequiredN/ANot PermittedRequiredOptionalRequiredN/AN/AN/A?N/APermitted (2;3;4;7;11)RequiredOptionalRequiredN/AN/AN/A?N/APermitted (2;3;4;7;11)RequiredOptionalRequiredN/AN/AN/ARequiredN/ANot PermittedRequiredOptionalRequiredN/AN/AN/A?N/APermitted (1;2;3;7;11;12)It's unclear whether measuring ads generally involves a "sale" of PI; but there is broad agreement it may be undertaken by a service provider for a business purpose.RequiredOptionalRequiredN/AN/AN/A?N/APermitted (1;2;3;11;12;14)It's unclear whether market research generally involves a "sale" of PI; but there is broad agreement it may be undertaken by a service provider for a business purpose.RequiredOptionalN/AN/AN/AN/AN/AN/A
24
CPRA (effective 2023)RequiredOptionalRequiredN/AN/AN/APermittedN/APermitted (1;2;3;4;7;11;12)RequiredOptionalRequiredN/AN/AN/ARequiredN/ANot PermittedRequiredOptionalRequiredN/AN/AN/ARequiredN/ANot PermittedAn opt out of sales or sharing must be effective against this purpose.RequiredOptionalRequiredN/AN/AN/A?N/APermitted (2;3;4;7;11)RequiredOptionalRequiredN/AN/AN/ARequiredN/ANot PermittedRequiredOptionalRequiredN/AN/AN/A?N/APermitted (1;2;3;7;11;12)RequiredOptionalRequiredN/AN/AN/A?N/APermitted (1;2;3;11;12;14)RequiredOptionalN/AN/AN/AN/AN/AN/A
25
26
Canada
Advertising & Content Purposes
Measurement, Research, and Reporting Purposes
Internal Purposes
27
Jurisdiction-specific purpose: online behavioral advertising (personalized ads, creating a personalized ads profile P3,4)
Jurisdiction Specific Purpose: Personalizing Content (select personalized content, create a personalized content profile P5,6)
Jurisdiction-specific purpose: Basic advertising (selecting basic ads, technically delivering the ad P2, SP2)
Jurisdiction specific purpose: Measurement and Reporting (P7,8)
Jurisdiction specific purpose: Market Research (P9)
28
Disclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processing
29
Privacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate Interest
30
Personal Information Protection and Electronic Documents Act (PIPEDA) (200)

BC PIPA

AB PIPA

Quebec Private Sector Act

CASL		OptionalRequiredRequiredOptionalPermittedNot PermittedPermittedN/AN/ASee section 4.2.2 of the Canadian policy document.

Privacy Policy listed as Optional because Explicit Notice is required. Market practice, however, is to have a privacy policy since Explicit Notices are generally not detailed enough to satisfy the full set of the organization's openness and transparency requirements.

"Opt-Out" column maps to an "implied consent" under Canadian privacy law (i.e. it permits an opt-out). The "Implied Consent" column does not permit an opt-out and therefore does not map to "implied consent" under Canadian privacy law.		PermittedPermittedRequiredOptionalPermittedPermittedPermittedN/AN/ASee section 4.2.2 of the Canadian policy document.

"Opt-Out" column maps to an "implied consent" under Canadian privacy law (i.e. it permits an opt-out). The "Implied Consent" column does not permit an opt-out and therefore does not map to "implied consent" under Canadian privacy law.		PermittedPermittedRequiredOptionalPermittedPermittedPermittedN/AN/ASee section 4.2.2 of the Canadian policy document.

Privacy Policy listed as Optional because Explicit Notice is required. Market practice, however, is to have a privacy policy since Explicit Notices are generally not detailed enough to satisfy the full set of the organization's openness and transparency requirements.

"Opt-Out" column maps to an "implied consent" under Canadian privacy law (i.e. it permits an opt-out). The "Implied Consent" column does not permit an opt-out and therefore does not map to "implied consent" under Canadian privacy law.		PermittedPermittedRequiredOptionalPermittedPermittedPermittedN/AN/ASee section 4.2.2 of the Canadian policy document.

"Opt-Out" column maps to an "implied consent" under Canadian privacy law (i.e. it permits an opt-out). The "Implied Consent" column does not permit an opt-out and therefore does not map to "implied consent" under Canadian privacy law."		PermittedPermittedRequiredOptionalPermittedPermittedPermittedN/AN/ASee section 4.2.2 of the Canadian policy document.

"Opt-Out" column maps to an "implied consent" under Canadian privacy law (i.e. it permits an opt-out). The "Implied Consent" column does not permit an opt-out and therefore does not map to "implied consent" under Canadian privacy law.		PermittedPermittedRequiredOptionalPermittedPermittedPermittedN/A
31
PIPEDA Amendments (expected 2021 or 2022)?????????????????????????????????????????????????????
32
33
ChinaAdvertising & Content PurposesMeasurement, Research, and Reporting PurposesInternal Purposes
34
35
Disclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processing
36
Privacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate Interest
37
Current Laws:
Civil Code of the People's Republic of China (Civil Code)
Cybersecurity Law of the People's Republic of China (CSL)
Advertising Law of the People’s Republic of China (Advertising Law)
E-Commerce Law of People’s Republic of China China (E-Commerce Law)
Measures for the Determination of the Collection and Use of Personal Information by Apps in Violation of Laws and Regulation (Measures for App Operators) - Applies only to Special Methods
Measures on the Online Protection of Children’s Personal Data (Children's Measures) - Applies only to Special Categories of Data

PermittedPermittedOptionalOptionalPermittedPermittedN/AN/AN/AUnder current Chinese laws, consent is the only applicable lawful basis. The privacy notice should contain the purpose, scope and the means of the personal information processing but the categories or names of third parties are not clearly required. For websites, there is no clear requirement to give explicit notice. PermittedPermittedOptionalOptionalPermittedPermittedN/AN/AN/ASee comments for Advertising & Content PurposesPermittedPermittedOptionalOptionalPermittedPermittedN/AN/A
38
Non-binding standards:
Information Security Technology - Personal Information Security Specification (Information Security Standards)
Industry Standard Framework of China Internet Targeted Advertisement Customer Information Protection 2014		PermittedPermittedRequiredOptionalPermittedPermittedRequiredN/AN/AUnder Article 8.4(b) of the Information Security Standard, data controllers must ensure that data subjects have the right to refuse commercial advertisements based on their personal information.PermittedPermittedRequiredOptionalPermittedPermittedRequiredN/AN/ASee comments for Advertising & Content PurposesPermittedPermittedRequiredOptionalPermittedPermittedRequiredN/A
39
Pending Laws:
DRAFT Personal Information Protection Law (PIPL)
DRAFT Data Security Law (DSL)		PermittedPermittedOptionalRequiredPermittedPermittedN/AN/AN/A1. Separate consent must be obtained for sharing personal information with third parties, for which purpose PI processors should notify data subjects of the third party’s identity, contact information, processing purpose, processing method and categories of personal information.

2. The Draft PIPL provides more clarity on the “informed consent” principle - Consent must be fully informed and freely and unambiguously given. However, it remains unclear as to whether this requirement is equivalent to explicit consent. This is expected to be further clarified by the PRC regulators. 		PermittedPermittedOptionalRequiredPermittedPermittedN/AN/AN/APermittedPermittedOptionalRequiredPermittedPermittedN/AN/A
40
41
EEA/UK
Advertising & Content Purposes
Measurement, Research, and Reporting Purposes
Internal Purposes
42
Jurisdiction-Specific Purpose: Purpose 2 - Select Basic Ads
Jurisdiction-Specific Purpose: Purpose 3 - Create a personalized ads profile
Jurisdiction-Specific Purpose: Purpose 4 - Select personalized ads
Jurisdiction-Specific Purpose: Special Purpose 2 - Technically deliver ads or content
Jurisdiction-Specific Purpose: Purpose 5 - Create a personalized content profile
Jurisdiction-Specific Purpose: Purpose 6 - Select personalized contentJurisdiction-Specific Purpose: Purpose 7 - Measure ad performanceJurisdiction-Specific Purpose: Purpose 8 - Measure content performanceJurisdiction-Specific Purpose: Purpose 9 - Apply market research to generate audience insightsJurisdiction-Specific Purpose: Purpose 10 - Develop and improve products
43
Disclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processing
44
Privacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate Interest
45
GDPR/ePrivacyRequiredRequiredRequiredRequiredPermittedN/AN/APermittedN/ARequiredRequiredRequiredRequiredPermittedN/AN/APermittedN/ARequiredRequiredRequiredRequiredPermittedN/AN/APermittedN/ARequiredRequiredRequiredRequiredN/AN/AN/ARequiredN/AThe TCF 2.0 policy allows LI as the basis for this processing (no other basis), and does not allow a right to object, so although LI is required it would always be 'on' if properly noticed.RequiredRequiredRequiredRequiredPermittedN/AN/APermittedN/ARequiredRequiredRequiredRequiredPermittedN/AN/APermittedN/ARequiredRequiredRequiredRequiredPermittedN/AN/APermittedN/ARequiredRequiredRequiredRequiredPermittedN/AN/APermittedN/ARequiredRequiredRequiredRequiredPermittedN/AN/APermittedN/ARequiredRequiredRequiredRequiredPermittedN/AN/APermitted
46
47
IndiaAdvertising & Content PurposesMeasurement, Research, and Reporting PurposesInternal Purposes
48
49
Disclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processing
50
Privacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate Interest
51
Information Technology Act (IT ACT)

Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Privacy Rules”)		RequiredN/ARequiredOptionalN/AN/ARequiredN/AN/AThe Privacy Rules require companies to have a privacy policy, obtain consent when collecting or transferring SPDI, and inform the data subject (“Data Subject”) of recipients of such collected data.

A Data Subject should be provided the option to opt out of sharing any of his/her Personal Information/SPDI. Further details on the opt-out functionality have been set out in detail in Paragraph 4.4.1 in page 23

Providing a contact email for a grievance officer is sufficient for an opt-out mechanism.		RequiredN/ARequiredOptionalN/AN/ARequiredN/AN/AA Data Subject should be provided the option to opt out of sharing any of his/her Personal Information/SPDI. Further details on the opt-out functionality have been set out in detail in Paragraph 4.4.1 in page 23RequiredN/ARequiredOptionalN/AN/ARequiredN/A
52
Personal Data Protection Bill (PDP Bill) (2019)RequiredRequiredRequiredOptionalRequiredN/AN/AN/AN/ALaw is not yet in effect and is subject to further amendment. Please note that the PDP Bill contains provisions regarding processing of personal data. However, where the processing of personal data is for employment purposes, consent need not be obtained from the Data Subject [all PDP Bill related responses provided as of March 30, 2021].RequiredRequiredRequiredOptionalRequiredN/AN/AN/AN/APlease note that the PDP Bill mentions different categories of data such as personal data, sensitive personal data and critical personal data. Since the Rules to the PDP Bill have not yet been formulated, we have populated to the extent possible.RequiredRequiredRequiredOptionalRequiredN/AN/AN/A
53
54
Israel
Advertising & Content Purposes
Measurement, Research, and Reporting PurposesInternal Purposes
55
Jurisdiction specific purpose: Select and Serve Basic Ads and Content (P2, SP2)
Jurisdiction specific purpose: Profiling and Targeted Advertising (P3,4,5,6)
56
Disclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processing
57
Privacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate Interest
58
Protection of Privacy (Data Security) Regulations, 5777-2017; Protection of Privacy Law, 5741-1981
RequiredRequiredRequiredRequiredPermittedPermittedN/AN/AN/ANames of third parties required only for controller-to-controller transfers. Explicit notice required if implied consent is chosen (data subject must be informed of the nature of processing).

Explicit notice of the *privacy policy* is all that is required when relying on implied consent.		RequiredRequiredRequiredRequiredRequiredNot PermittedN/AN/AN/ANames of third parties required only for controller-to-controller transfers. Explicit notice required if implied consent is chosen (data subject must be informed of the nature of processing).

RequiredRequiredRequiredRequiredPermittedPermittedN/AN/AN/ANames of third parties required only for controller-to-controller transfers. Explicit notice required if implied consent is chosen (data subject must be informed of the nature of processing).

Explicit notice of the *privacy policy* is all that is required when relying on implied consent.		RequiredRequiredRequiredRequiredPermittedPermittedN/AN/A
59
60
JapanAdvertising & Content PurposesMeasurement, Research, and Reporting PurposesInternal Purposes
61
62
Disclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processing
63
Privacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate Interest
64
Act on the Protection of Personal Information (Act No. 57 of May 30, 2003, as amended; “APPI”)

PPC Guidelines		PermittedPermittedPermittedPermittedPermittedPermittedNot PermittedN/AN/ALocal practice leans toward using consent instead of implied consent but both are permitted under the law.

Opt out is not typically used in connection with digital advertising because it includes a filing requirement with the PPC.		PermittedPermittedPermittedPermittedPermittedPermittedNot PermittedN/AN/ALocal practice leans toward using consent instead of implied consent but both are permitted under the law.

Opt out is not typically used in connection with digital advertising because it includes a filing requirement with the PPC.		PermittedPermittedPermittedPermittedPermittedPermittedNot PermittedN/A
65
2020 Amendments (effective in 2022)PermittedPermittedPermittedPermittedPermittedPermittedNot PermittedN/AN/AInformation transferred for digital ads is more likely to be considered as personal information.PermittedPermittedPermittedPermittedPermittedPermittedNot PermittedN/AN/AInformation transferred for digital ads is more likely to be considered as personal information.PermittedPermittedPermittedPermittedPermittedPermittedNot PermittedN/A
66
67
Mexico
Advertising & Content Purposes
Measurement, Research, and Reporting Purposes
Internal Purposes
68
Jurisdictions specific purpose: Advertising and delivering content and the personalization thereof P 1, 2, 3, 4, 5, 6, SP2, F1, F2, F3)
Jurisdiction-specific purpose -- Develop and improve products (TCF 10)
69
Disclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processing
70
Privacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate Interest
71
Federal Law on Protection of Personal Data Held by Private Parties

Federal Consumer Protection Law		RequiredRequiredPermittedPermittedPermittedPermittedRequiredN/AN/APrivacy policies (named privacy notices), need to include specific information and references to particular mechanisms set forth in the applicable laws.
Business purposes are permitted provided they are informed to the data subjects through the privacy policy (privacy notice).
If a duly appointed processor is involved in the processing activity, no disclosure requirements or conditions for processing need to be met. Otherwise, either the category or name of the third party involved in processing activity needs to be disclosed and consented.
Implied consent is permitted exclusively for personal data other than sensitive, financial or property personal data. Otherwise, implied consent is not permitted, and explicit consent is required.
Additional requirements must be met to be able to transfer personal data to third parties and so they can be involved in the processing activity.		RequiredRequiredPermittedPermittedPermittedPermittedRequiredN/AN/A
Privacy policies (named privacy notices), need to include specific information and references to particular mechanisms set forth in the applicable laws.
Business purposes are permitted provided they are informed to the data subjects through the privacy policy (privacy notice).
If a duly appointed processor is involved in the processing activity, no disclosure requirements or conditions for processing need to be met. Otherwise, either the category or name of the third party involved in processing activity needs to be disclosed and consented.
Implied consent is permitted exclusively for personal data other than sensitive, financial or property personal data. Otherwise, implied consent is not permitted, and explicit consent is required.
Additional requirements must be met to be able to transfer personal data to third parties and so they can be involved in the processing activity.
RequiredRequiredPermittedPermittedPermittedPermittedRequiredN/A
72
73
NigeriaAdvertising & Content PurposesMeasurement, Research, and Reporting PurposesInternal Purposes
74
75
Disclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processing
76
Privacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate Interest
77
National Information Technology Development Agency (NITDA) Act (2007)

Nigerian Data Protection Regulation (NDPR) (2019)		RequiredRequiredPermittedPermittedRequiredN/AN/ANot PermittedN/AWe understand “legitimate interest” is not a basis for processing due to the ambiguities arising from its interpretation. RequiredRequiredPermittedPermittedRequiredN/AN/ANot PermittedN/AWe understand “legitimate interest” is not a basis for processing due to the ambiguities arising from its interpretation. RequiredRequiredPermittedPermittedRequiredN/AN/ANot Permitted
78
Data Protection Bill (2020 (Proposed Bill)?????????This Bill is still undergoing review and its provisions are subject to change. Reliance should not be placed on the Bill until it has been passed.?????????????????
79
80
SingaporeAdvertising & Content PurposesMeasurement, Research, and Reporting PurposesInternal Purposes
81
Jurisdiction specific purpose: Select and Serve Basic Ads and Content (P2, SP2)
Jurisdiction specific purpose: Select personalized ads or content and create associated profiles (P2,4,5,6)
Jurisdiction Specific Purpose: Measurement and Reporting (P7,8)
Jurisdiction Specific Purpose: Market Research (P9)
Disclosure requirements
Conditions for processing
82
Disclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processing
83
Privacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate Interest
84
Personal Data Protection Act (PDPA) (2012/2020)RequiredOptionalRequiredOptionalPermittedPermittedN/APermittedN/ABest practice recommendation from CJPP Singapore Cookie document is to give just-in-time notice and obtain consent, but other bases such as opt-out and deemed consent (both effectively implied consent) are discussed; legitimate interests is another possible basis (all subject to specific criteria).

Regarding jurisdiction-specific purposes (which are presently omitted for Singapore), the Purpose Limitation Obligation is "Under Section 18 of the PDPA, an organisation may only collect, use, and disclose personal data about an individual
only for purposes that a reasonable person would consider appropriate in the circumstances, and, if applicable, have been notified to the individual concerned ('the Purpose Limitation Obligation').		RequiredRequiredRequiredOptionalPermittedPermittedN/APermittedN/AAs a practical matter, companies relying on consent will want to provide explicit notice to allow effective consent for personalized advertising.

RequiredOptionalRequiredOptionalPermittedPermittedN/APermittedN/AAvailable bases for processing include Consent, "Deemed Consent by Notification" (i.e. implied consent), Legitimate Interests, Business Improvement Purposes (each subject to specific criteria).

Regarding jurisdiction-specific purposes (which are presently omitted for Singapore), the Purpose Limitation Obligation is "Under Section 18 of the PDPA, an organisation may only collect, use, and disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances, and, if applicable, have been notified to the individual concerned ('the Purpose Limitation Obligation'). 		RequiredOptionalRequiredOptionalPermittedPermittedN/APermittedN/ARequiredOptionalRequiredOptionalPermittedPermittedN/APermitted
85
86
South KoreaAdvertising and Content PurposesMeasurement, Research, and Reporting PurposesInternal Purposes
87
88
Disclosure requirementsConditions for processingDisclosure requirementsConditions for processingDisclosure requirementsConditions for processing
89
Privacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate InterestBusiness PurposeCommentsPrivacy PolicyExplicit NoticeCategories of third partiesNames of third partiesConsentImplied ConsentOpt-Out Legitimate Interest
90
Personal Information Protection Act (PIPA) (as amended in 2020)RequiredRequiredOptionalRequiredRequiredN/AN/ANot PermittedN/AThe PIPA only requires data controllers to obtain opt-in consent when processing personal information and not in cases where other types of data (which is not personal information) is processed. Yet, the Personal Information guidelines on online personalised advertising privacy issued by Korea Communications Commission (the "KCC Online Processing Guidelines") provide that consent (similar to opt-out consent) should also be obtained in order to process behavioral data – which differs somewhat from what is explicitly prescribed by the PIPA. It should be noted that the PIPA is a legally binding statute whereas the KCC Online Processing Guidelines representing non-binding regulatory guidance. Although the PIPA exceptionally provides that personal information may be collected and used without consent in cases where the collection/use is necessary to achieve a legitimate interest of the data controller and where such legitimate interest clearly overrides the rights of the data subject, the ‘legitimate interest’ basis is unlikely to apply in cases where the purposes for the collection/use of personal information relate to marketing.RequiredRequiredOptionalRequiredRequiredN/AN/ANot PermittedN/ARequiredRequiredOptionalRequiredRequiredN/AN/ANot Permitted
91
92
93
94
95
96
97
98
99
100