International & U.S. Data Privacy Laws and Regulations You Need to Know

International Data Privacy Laws

Data privacy laws and regulations protect the personal data of citizens or residents within certain locations. They afford individuals rights to how businesses use their data and allow them to make decisions about how their data is used after a company collects it. These regulations can exist at the multi-national, national, state, and local levels.

This page is a running list of data privacy laws and regulations around the world. It will be updated as new laws and regulations emerge. The laws are grouped into the following categories:

  • U.S. Federal Regulations
  • U.S. State-Specific Regulations
  • International Regulations

U.S. Federal Data Privacy Laws and Regulations

Children’s Online Privacy Protection Act (COPPA)

Applies to: Operators of websites or online services that collect data from children under the age of 13.

The Children’s Online Privacy Protection Act (COPPA) of 1998 prohibits unfair or deceptive acts related to the collection, use or disclosure of personal information from and about children on the internet. Enacted by Congress in 1998, it requires the Federal Trade Commission (FTC) to issue and enforce regulations for children’s online privacy. The goal of COPPA is to give parents control over what information is collected from their young children online. COPPA was put into effect on April 21, 2000.

Gramm-Leach-Bliley Act (GLBA) 

Applies to: Financial institutions in the United States

The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, was passed by the U.S. Congress and went into effect on November 12, 1999. The law requires that financial institutions disclose their information-sharing practices to their customers in order to safeguard sensitive customer data.

The law defines “financial institutions” as “companies that offer consumers financial products or services like loans, financial or investment advice, or insurance.” 

GLBA’s Financial Privacy Rule requires financial institutions to provide consumers with a privacy notice when they first enroll as customers. The rule also requires a privacy notice be sent annually thereafter. GLBA’s Safeguards Rule requires financial institutions to provide an information security plan that describes how the institution will protect its customers’ nonpublic personal information.

Health Insurance Portability and Accountability Act (HIPAA)

Applies to: Healthcare providers in the United States

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that defines national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. 

The HIPAA Privacy Rule addresses the use and disclosure of individuals’ health information by these covered entities: healthcare providers, health plans, healthcare clearinghouses and business associates. 

The HIPAA Security Rule addresses a subset of the information covered by the Privacy Rule: “all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form (i.e., electronic protected health information or ‘e-PHI’).”

U.S. State-Specific Data Privacy Laws and Regulations

California Online Privacy Protection Act of 2003 (CalOPPA)

Applies to: Commercial websites that collect Personally Identifiable Information (PII) from California’s residents.

The California Online Privacy Protection Act of 2003 (CalOPPA) went into effect on July 1, 2004. It was the first state law in the U.S. that required commercial websites and online services to include a privacy policy on their site. Specifically, websites that collect Personally Identifiable Information (PII) from California residents are required to post and comply with a privacy policy. 

According to CalOPPA, the privacy policy must be clearly labeled and easy to find. Many sites list the policy under the heading “Your California Privacy Rights.” The privacy policy must disclose:

  • The effective date of the policy
  • The information gathered by the website
  • How the information is shared with other parties
  • How users can request, review and make changes to their stored information
  • A list of any changes that took place after the effective date

A website operator that fails to post a privacy policy within 30 days of being notified will be in violation and subject to fines. Violations can be reported to the California Attorney General’s office via their website.

California Consumer Privacy Act (CCPA)

Applies to: Businesses that collect data about California consumers.

The California Consumer Privacy Act (CCPA) was put into effect on January 1, 2020. It provides California consumers with more control over the personal information that businesses collect about them. The law secures new privacy rights for California consumers, including the right to know about the personal information a business collects about them and the right to opt out of the sale of their personal information.

In November 2020, California voters approved the California Privacy Rights Act of 2020 (CPRA). The CPRA will come into effect on January 1, 2023. It doesn’t replace the CCPA; however, it provides updates to CCPA and includes additional laws and regulations.

Virginia Consumer Data Protection Act (VCDPA)

Applies to: People or companies that conduct business in the Commonwealth of Virginia.

The Virginia Consumer Data Protection Act (VCDPA) was signed into law on March 2, 2021 and will go into effect on January 1, 2023. With VCDPA, Virginia became the second state (i.e., after California’s CCPA in 2020) to enact a comprehensive data privacy law for its citizens. 

VCDPA applies to people or companies that conduct business in the Commonwealth of Virginia and:

  • Control or process personal data of at least 100,000 consumers, or
  • Derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers

VCDPA gives consumers the rights to access, correct, delete, and obtain a copy of their personal data. In addition, consumers can opt out from having their personal data used for targeted advertising. They can also opt out from the sale of their personal data. VCDPA gives the Virginia Attorney General the exclusive authority to enforce violations of its laws and regulations.

Colorado Privacy Act (ColoPA)

Applies to: Organizations conducting business in Colorado or providing goods and services targeted to Colorado residents.

The Colorado Privacy Act (ColoPA, also known as CPA) was signed into law on July 7, 2021 and will go into effect on July 1, 2023. Colorado is the third state (behind California’s CCPA and Virginia’s VCDPA) to enact a comprehensive data privacy law for its residents.

ColoPA applies to organizations conducting business in Colorado or providing goods and services to its residents. It also applies if organizations:

  • Control or process data of 100,000 or more Colorado residents in a calendar year, or
  • Generate revenue from the sale of personal data of at least 25,000 Colorado residents

Utah Consumer Privacy Act (UCPA)

Applies to: For-profit organizations that conduct business in Utah or target products and services to consumers who live in the state.

The Utah Consumer Privacy Act was signed into law on March 24, 2022. It will go into effect on December 31, 2023. Utah is the fourth state to enact its own set of data privacy laws.

Additional requirements for the law include:

  • Businesses that have annual revenues of at least $25 million
  • Control or process the personal data of 100,000 or more Utah residents
  • Derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers

Connecticut Data Privacy Act (CDPA)

Applies to: Organizations conducting business in Connecticut or producing products or services targeted to Connecticut residents.

The Connecticut Data Privacy Act (CDPA) was signed into law on May 4, 2022. It will go into effect on July 1, 2023. Connecticut is the fifth state to enact its own set of data privacy legislation.

The Connecticut Data Privacy Act applies to those who conduct business in Connecticut or target residents of the state. Additional parameters include:

  • Organizations that have controlled or processed the personal data of 100,000 or more consumers annually, except for personal data controlled or processed solely for the purpose of completing a payment transaction
  • Organizations that have derived over 25 percent of their gross revenue from the sale of personal data and controlled or processed the personal data of 25,000 or more consumers

International Data Privacy Laws and Regulations

Argentina: Personal Data Protection Act (PDPA)

Applies to: Organizations that target or collect data from citizens of Argentina.

Argentina’s Personal Data Protection Act 25.326 (PDPA) was enacted by the Senate and the House of Representatives of Argentina on October 4, 2000. The law protects the personal data of Argentina’s citizens. It defines “personal data” as information of any kind that refers to certain or ascertainable physical persons or legal entities. 

The law specifies that the use of personal data must be certain, appropriate and pertinent. It must also be consistent with the stated purpose when consent to use the data was received. In addition, the use of personal data is considered unlawful when the owner of that data has not provided explicit consent, either in writing or via similar means.

Bahrain: Personal Data Protection Law (PDPL)

Applies to: Organizations that target or collect data from citizens of Bahrain.

On July 12, 2018, Bahrain enacted Law No. 30 of 2018, the Personal Data Protection Law (PDPL). It went into effect on August 1, 2019. The Law is enforced by the Personal Data Protection Authority, which has the power to investigate violations of the Law. The Authority can force organizations to stop violations and issue emergency orders and fines. The PDPL can result in criminal penalties (including imprisonment) and fines for violating its provisions. Fines can range from 1,000 to 20,000 BHD (Bahraini dinars).

Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)

Applies to: Private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a data privacy law in Canada that enforces how personal information can be used in commercial activity. PIPEDA defines “personal information” as “any factual or subjective information, recorded or not, about an identifiable individual.”

Examples of personal information include age, name, ID numbers, income, ethnic origin and blood type. Under PIPEDA, businesses must follow 10 fair information principles to protect personal information. The 10 principles are:

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure, and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance

European Union: General Data Protection Regulation (GDPR)

Applies to: Organizations that target or collect data from citizens of the European Union.

GDPR was put into effect on May 25, 2018. The laws apply to any organization that targets or collects data related to European Union (EU) citizens. The creators of GDPR call it “the toughest privacy and security law in the world.” 

The laws are extensive and intentionally light on specifics. As a result, understanding GDPR compliance can be a challenge for small and medium-sized businesses (SMBs). The fines for violating GDPR regulations are high. Penalties can reach as much as €20 million or 4 percent of global revenue, whichever is higher.

Israel: Privacy Protection (Data Security) Regulations

Applies to: Organizations that target or collect data from citizens of Israel.

Israel’s Privacy Protection (Data Security) Regulations were passed into law in May 2017 and went into effect in May 2018. The law applies to both private and public sectors and aims to make data security part of the management routines of all organizations processing personal data. The regulations are expected to improve the level of data security in the country, making the protection of privacy stronger than ever.

The regulations are enforced by the Privacy Protection Authority (PPA). The PPA may instruct a database to implement changes to strengthen the security of its activities. For example, the PPA may instruct low-risk databases to implement provisions that apply to medium-risk databases.

Japan: Act on the Protection of Personal Information (APPI)

Applies to: Organizations that target or collect data from citizens of Japan.

The Japan Act on the Protection of Personal Information (APPI) went into effect in 2005. The purpose of the act is to protect the personal information of Japanese citizens. All organizations that collect or receive personal information of Japanese citizens must comply with the act or face penalties. APPI is enforced by the Personal Information Protection Commission (PPC), a Japanese government commission charged with the protection of personal information.

Kenya: Data Protection Act

Applies to: Organizations that target or collect data from citizens of Kenya.

Kenya’s Data Protection Act went into effect on November 25, 2019. It was one of the first comprehensive data privacy laws established in Africa. The Act applies to organizations that process the personal data of Kenya’s residents. It closely resembles the parameters of the European Union’s GDPR law. Penalties under the Act can reach 5 million Kenyan shillings (KES) or 1% of the company’s annual revenue from the preceding financial year.

Brazil: Lei Geral de Proteção de Dados Pessoais (LGPD)

Applies to: Organizations that target or collect data from citizens of Brazil.

Lei Geral de Proteção de Dados Pessoais (LGPD) is a data protection law in Brazil. LGPD was put into effect on September 18, 2020. The law is enforced by Autoridade Nacional de Proteção de Dados, Brazil’s National Data Protection Authority. 

LGPD comprises sixty-five articles and defines rights of the use of personal data, including the conditions in which personal data can be collected, processed, stored, and shared. LGPD applies to the handling of personal data of individuals located in Brazil, as well as data that is collected or processed in the country. In addition, it applies when data is used to offer products or services to individuals in Brazil.

Mauritius: Data Protection Act, 2017 (DPA)

Applies to: Organizations that target or collect data from citizens of Mauritius.

The Mauritius Data Protection Act, 2017 (DPA) protects the privacy rights of individuals in Mauritius in relation to the collection, processing and handling of their personal information. The act was passed into law by the Mauritian Assembly on December 8, 2017 and went into effect on January 15, 2018. The DPA supersedes the Data Protection Act of 2004.

DPA is enforced by the Data Protection Commissioner (DPC). To encourage compliance with the Act, the DPC issues guidelines and may establish technical standards for data protection certification mechanisms and data protection seals and marks.

New Zealand: Privacy Act 2020

Applies to: Organizations that target or collect data from citizens of New Zealand.

The Privacy Act 2020 went into effect on December 1, 2020 and is administered by New Zealand’s Office of the Privacy Commissioner. The law seeks to promote and protect individual privacy by providing a framework for protecting an individual’s right to privacy of personal information. It also specifies the rights of individuals to access their personal information.

The Privacy Commissioner is granted the power to ensure that organizations and businesses comply with the Act. The Act makes it an offense to mislead an agency to access personal information that they are entitled to see. The offense can result in a fine of up to $10,000 (New Zealand dollars).

Nigeria Data Protection Regulation (NDPR)

Applies to: Organizations that target or collect data from citizens of Nigeria.

The Nigeria Data Protection Regulation (NDPR) was passed into law in January 2019. It applies to the processing of personal data within and outside Nigeria. The law protects the right to privacy, creates the right environment for digital transactions and job creation, and improves information management practices in Nigeria.

NDPR is enforced by the National Information Technology Development Agency (NITDA), the Regulatory Authority for Data Protection in Nigeria. NITDA’s goal is to pursue data protection management in Africa through regulatory strategies, partnerships and continuous improvement. 

Qatar: Law No. 13 of 2016

Applies to: Organizations that target or collect data from citizens of Qatar.

Established in 2016, Qatar’s Law No. 13 protects the processing of personal data using electronic means. It has elements that are similar to the European Union’s GDPR. Law No. 13 includes a “privacy by design” principle that requires organizations to consider privacy issues when designing and developing products and services. In addition, it requires that operators of websites targeting children post specific notifications to obtain the explicit consent of a child’s parent or guardian.

South Africa: Protection of Personal Information Act (POPIA)

Applies to: Organizations that target or collect data from citizens of South Africa.

South Africa’s Protection of Personal Information Act (POPIA) was passed into law on July 1, 2020 and went into effect on July 1, 2021. The law applies to any company or organization that processes personal information about the residents of South Africa. 

The Act provides a constitutional right to privacy by safeguarding personal information. It regulates the manner in which personal information may be processed by prescribing minimum threshold requirements for the lawful processing of personal information. It also provides South African residents with rights and remedies to protect their personal information from processing that is not in accordance with the Act. POPIA established the role of an Information Regulator whose charter is to enforce and fulfill the rights protected by the Act.

South Korea: Personal Information Protection Act (PIPA)

Applies to: Organizations that target or collect data from citizens of South Korea.

South Korea’s Personal Information Protection Act (PIPA) was enacted September 30, 2011. The law specifies how personal information is processed in order to protect the rights and interests of its citizens. The law protects personal information from unnecessary collection, unauthorized use, unauthorized disclosure and abuse. “Personal information” is defined as information about any living person that makes it possible to identify them by their name, resident registration number, image, etc.

Turkey: Law on Protection of Personal Data No. 6698 

Applies to: Organizations that target or collect data from citizens of Turkey.

Turkey’s Law on Protection of Personal Data No. 6698 was passed into law on April 7, 2016. The purpose of the Law is to protect the rights and freedoms of Turkish residents, particularly the right to privacy in the use and processing of personal data. The law prohibits the processing or storing of personal data without explicit consent from the data subject.

Uganda: Data Protection and Privacy Act, 2019

Applies to: Organizations that target or collect data from citizens of Uganda.

Uganda’s Data Protection and Privacy Act, 2019 builds upon Article 27 of the Constitution of the Republic of Uganda (1995) to protect the collection, processing and storage of Ugandan citizens’ personal data. The act specifies that personal data be collected in a lawful and fair manner, and be adequate, accurate and secure. It also specifies that data not be kept longer than needed and not be transferred outside the jurisdiction of its collection.

Uruguay: Data Protection Act

Applies to: Controllers in Uruguay who process personal data.

Uruguay’s Data Protection Act Law No. 18.331 went into effect on August 11, 2008. It requires the registration of all databases containing the personal data of citizens or legal entities. The law defines “personal data” as information about citizens or legal entities that is identified or identifiable. In order to collect personal data, the law requires data processors to obtain prior documented consent. In addition, personal data cannot be used for purposes other than those specified when consent was received.

CDP.com Staff
The CDP.com staff has collaborated to deliver the latest information and insights on the customer data platform industry.