Data privacy laws — also called data privacy regulations — are rules that govern how organizations collect, store, process, and share personal data, granting individuals rights over their information and setting penalties for violations. As of 2026, 144 countries have enacted national data privacy laws, and 20 U.S. states have comprehensive consumer privacy laws in effect. This page is a reference of more than 60 of those laws, organized by region, with effective dates, scope, and maximum penalties — plus what these laws mean for customer data strategy.
Key Facts at a Glance
- 144 countries had national data privacy laws as of January 2025 (IAPP), covering roughly 82% of the world’s population
- 20 U.S. states have comprehensive consumer privacy laws in effect as of July 2026; the U.S. has no equivalent federal law
- The General Data Protection Regulation (GDPR), effective May 25, 2018, carries the largest penalties: €20 million or 4% of global annual revenue, whichever is higher
- The largest privacy fine to date is €1.2 billion against Meta (Irish Data Protection Commission, May 2023)
- China’s Personal Information Protection Law (PIPL) allows fines up to ¥50 million or 5% of prior-year revenue; India’s Digital Personal Data Protection Act (DPDP Act) allows up to ₹250 crore (about $30 million) per instance
- Most laws apply extraterritorially: they cover any organization processing residents’ data, regardless of where the organization is located
How Do the Major Laws Differ Operationally?
The operational differences that determine what compliance systems must do are the consent model (opt-in vs. opt-out), the deadline for answering data subject requests, and whether data must stay in-country. The table below summarizes those dimensions for the regimes most relevant to customer data systems:
| Jurisdiction (law) | Consent model | Deletion/access response deadline | Data localization required |
|---|---|---|---|
| EU/EEA (GDPR) | Opt-in — lawful basis required before processing | 1 month (extendable by 2 for complex requests) | No |
| United Kingdom (UK GDPR) | Opt-in | 1 month | No |
| U.S. states (CCPA/CPRA and the Virginia-model laws) | Opt-out of sale, targeted advertising, and profiling; opt-in for minors and sensitive data in most states | 45 days (typically extendable by 45) | No |
| Quebec, Canada (Law 25) | Opt-in for sensitive data; consent required by default | 30 days | No |
| Brazil (LGPD) | Opt-in — lawful basis required | 15 days for access requests | No |
| China (PIPL) | Opt-in, with separate consent for cross-border transfers | No fixed statutory deadline (“timely”) | Yes — security assessment before exporting personal data; localization for critical operators |
| Russia (152-FZ) | Opt-in | 30 days | Yes — Russian citizens’ data must be stored on servers in Russia |
| Vietnam (PDPD / 2026 PDP Law) | Opt-in | 72 hours for certain requests | Yes — for certain data and providers |
| India (DPDP Act) | Opt-in (“free, specific, informed” consent) | To be set by DPDP Rules | No general requirement (sectoral rules exist) |
| Japan (APPI) | Notice-based; opt-out permitted for third-party sharing with conditions | Without undue delay | No |
For consent enforcement this means one thing in practice: systems must store consent state per customer per jurisdiction, because “opt-in unless consented” (GDPR, PIPL) and “process unless opted out” (U.S. states) are opposite defaults that cannot share one flag.
What Data Privacy Laws Apply in Europe?
The General Data Protection Regulation (GDPR) governs all 27 European Union member states plus Iceland, Liechtenstein, and Norway, and it remains the global template for data privacy regulation. The United Kingdom and Switzerland maintain closely aligned national laws.
| Law | Jurisdiction | Effective date | Who it protects | Maximum penalty | Official text |
|---|---|---|---|---|---|
| General Data Protection Regulation (GDPR) | EU + EEA (30 countries) | May 25, 2018 | Individuals in the EU/EEA | €20M or 4% of global annual revenue | EUR-Lex |
| UK GDPR + Data Protection Act 2018 (DPA 2018) | United Kingdom | May 25, 2018 (UK GDPR from January 1, 2021) | UK residents | £17.5M or 4% of global annual revenue | legislation.gov.uk |
| Revised Federal Act on Data Protection (revFADP) | Switzerland | September 1, 2023 | Individuals in Switzerland | CHF 250,000 (levied on responsible individuals) | Fedlex |
| ePrivacy Directive 2002/58/EC (“cookie law”) | EU | July 31, 2002 (cookie consent amended 2009) | Electronic communications users | Set per member state | EUR-Lex |
| Federal Law No. 152-FZ on Personal Data | Russia | January 26, 2007 | Russian citizens (data localization required) | Up to 3% of revenue (capped at RUB 500M) for repeat data breaches; RUB 18M for repeat localization violations | — |
GDPR applies to any organization worldwide that targets or monitors individuals in the EU, and it requires opt-in consent — a lawful basis must exist before processing begins. Enforcement is real: European regulators had issued more than €5.8 billion in cumulative GDPR fines by January 2025 (DLA Piper GDPR Fines and Data Breach Survey, 2025), including the record €1.2 billion Meta penalty in 2023 over EU-U.S. data transfers.
How Can Personal Data Legally Leave the EU?
Personal data may leave the EU only through a recognized transfer mechanism: an adequacy decision, certification under the EU-U.S. Data Privacy Framework, or Standard Contractual Clauses (SCCs). The European Commission grants adequacy decisions to countries whose protections it deems equivalent (including the UK, Japan, South Korea, Argentina, and Uruguay). U.S. companies can self-certify under the Data Privacy Framework, adopted in July 2023 after the mechanism Meta was fined over was invalidated. Everyone else relies on SCCs — standardized contract terms — usually paired with a transfer impact assessment. China imposes the mirror-image constraint: under PIPL, exporting personal data out of China requires a government security assessment, standard contract, or certification.
What Are the U.S. Federal and Canadian Privacy Laws?
The United States regulates privacy by sector — children’s data, health, finance, education — while Canada has one national private-sector law plus a stricter provincial law in Quebec.
| Law | Jurisdiction | Effective date | Who it protects | Maximum penalty | Official text |
|---|---|---|---|---|---|
| Children’s Online Privacy Protection Act (COPPA) | U.S. (federal) | April 21, 2000 | Children under 13 | $50,000+ per violation (inflation-adjusted annually) | FTC |
| Health Insurance Portability and Accountability Act (HIPAA) | U.S. (federal) | 1996 (Privacy Rule compliance April 14, 2003) | Patients (protected health information) | $1.5M+ per violation category per year (inflation-adjusted) | HHS |
| Gramm-Leach-Bliley Act (GLBA) | U.S. (federal) | November 12, 1999 | Customers of financial institutions | $100,000 per violation (institutions); $10,000 (individuals) | FTC |
| Family Educational Rights and Privacy Act (FERPA) | U.S. (federal) | 1974 | Students (education records) | Loss of federal education funding | ED.gov |
| Personal Information Protection and Electronic Documents Act (PIPEDA) | Canada (federal, private sector) | January 1, 2001 (fully phased January 1, 2004) | Canadian consumers in commercial activity | CAD 100,000 per violation | OPC |
| Law 25 (Act to Modernize Legislative Provisions Respecting the Protection of Personal Information) | Quebec, Canada | Phased September 2022–2024 (core provisions September 22, 2023) | Quebec residents | CAD 25M or 4% of worldwide turnover | CAI |
PIPEDA requires organizations to follow ten fair information principles, from accountability to individual access. Quebec’s Law 25 goes further than the federal law — its GDPR-scale penalties (CAD 25 million or 4% of worldwide turnover) make it the strictest privacy law in North America outside California.
Which U.S. States Have Comprehensive Privacy Laws?
Twenty U.S. states have enacted comprehensive consumer privacy laws, and all 20 are in effect as of July 2026. Most follow the Virginia model — rights to access, correct, delete, and opt out of sale, targeted advertising, and profiling — with California remaining the broadest (it also covers employee and B2B data) and Maryland the strictest on data minimization. Applicability is threshold-based: most state laws apply only to businesses processing data of 100,000 or more residents (or 25,000 if the business derives revenue from selling data), so whether a law applies depends on your customer footprint in that state, not where your company is headquartered.
| Law | State | Effective date | Who it protects | Maximum penalty | Official text |
|---|---|---|---|---|---|
| California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA) | California | January 1, 2020 (CPRA amendments January 1, 2023) | Residents, including employees and B2B contacts | $2,500 per violation; $7,500 if intentional or involving minors | CA AG |
| Virginia Consumer Data Protection Act (VCDPA) | Virginia | January 1, 2023 | Residents (consumer context) | $7,500 per violation | Virginia LIS |
| Colorado Privacy Act (CPA) | Colorado | July 1, 2023 | Residents (consumer context) | $20,000 per violation | CO General Assembly |
| Connecticut Data Privacy Act (CTDPA) | Connecticut | July 1, 2023 | Residents (consumer context) | $5,000 per willful violation | CT General Assembly |
| Utah Consumer Privacy Act (UCPA) | Utah | December 31, 2023 | Residents (consumer context) | $7,500 per violation | Utah Legislature |
| Texas Data Privacy and Security Act (TDPSA) | Texas | July 1, 2024 | Residents (consumer context) | $7,500 per violation | — |
| Oregon Consumer Privacy Act (OCPA) | Oregon | July 1, 2024 | Residents (consumer context) | $7,500 per violation | — |
| Florida Digital Bill of Rights (FDBR) | Florida | July 1, 2024 | Residents (applies mainly to businesses with $1B+ global revenue) | $50,000 per violation (trebled in some cases) | — |
| Montana Consumer Data Privacy Act (MTCDPA) | Montana | October 1, 2024 | Residents (consumer context) | Not specified in statute (attorney general enforcement) | — |
| Iowa Consumer Data Protection Act (ICDPA) | Iowa | January 1, 2025 | Residents (consumer context) | $7,500 per violation | — |
| Delaware Personal Data Privacy Act (DPDPA) | Delaware | January 1, 2025 | Residents (consumer context) | $10,000 per violation (via consumer fraud statutes) | — |
| Nebraska Data Privacy Act (NDPA) | Nebraska | January 1, 2025 | Residents (consumer context) | $7,500 per violation | — |
| New Hampshire Privacy Act (SB 255) | New Hampshire | January 1, 2025 | Residents (consumer context) | $10,000 per violation (via consumer protection act) | — |
| New Jersey Data Privacy Act (NJDPA) | New Jersey | January 15, 2025 | Residents (consumer context) | $10,000 first violation; $20,000 subsequent | — |
| Tennessee Information Privacy Act (TIPA) | Tennessee | July 1, 2025 | Residents (consumer context) | $7,500 per violation (trebled if willful) | — |
| Minnesota Consumer Data Privacy Act (MCDPA) | Minnesota | July 31, 2025 | Residents (consumer context) | $7,500 per violation | — |
| Maryland Online Data Privacy Act (MODPA) | Maryland | October 1, 2025 | Residents (consumer context) | $10,000 per violation; $25,000 if repeated | — |
| Indiana Consumer Data Protection Act (INCDPA) | Indiana | January 1, 2026 | Residents (consumer context) | $7,500 per violation | — |
| Kentucky Consumer Data Protection Act (KCDPA) | Kentucky | January 1, 2026 | Residents (consumer context) | $7,500 per violation | — |
| Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) | Rhode Island | January 1, 2026 | Residents (consumer context) | $10,000 per violation | — |
California remains the reference point. The CCPA/CPRA applies to for-profit businesses that exceed $25 million in annual revenue, handle data of 100,000 or more consumers or households, or derive 50% or more of revenue from selling or sharing personal data — and it created the California Privacy Protection Agency (CPPA), the only dedicated state privacy regulator. Every other state relies on attorney general enforcement, and none grants a private right of action beyond California’s narrow data-breach provision.
Do not let the per-violation figures mislead: penalties multiply across affected consumers, so a practice applied to a full customer base compounds quickly — Sephora’s 2022 CCPA settlement with the California Attorney General was $1.2 million for a single tracking practice. Note also that this table covers comprehensive laws only; narrower state laws can still bite customer data systems, most notably Washington’s My Health My Data Act, which covers health inferences and grants consumers a private right of action.
What Data Privacy Laws Apply in Latin America?
Every major Latin American economy now has a national data protection law, with Brazil’s Lei Geral de Proteção de Dados (LGPD) the most actively enforced.
| Law | Jurisdiction | Effective date | Who it protects | Maximum penalty | Official text |
|---|---|---|---|---|---|
| Lei Geral de Proteção de Dados (LGPD), Law 13.709/2018 | Brazil | September 18, 2020 (sanctions from August 1, 2021) | Individuals in Brazil | BRL 50M or 2% of Brazil revenue per infraction | Planalto |
| Personal Data Protection Act, Law 25.326 (PDPA) | Argentina | October 4, 2000 | Individuals and legal entities in Argentina | Administrative fines set by the AAIP | AAIP |
| Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) | Mexico | July 6, 2010 (replaced by a new LFPDPPP, March 21, 2025) | Individuals in Mexico | Fines up to 320,000 UMA (Mexico’s inflation-indexed fine unit) | — |
| Law No. 21.719 on Personal Data Protection | Chile | Published December 13, 2024; fully effective December 1, 2026 | Individuals in Chile | Up to 20,000 UTM (about USD 1.4M) for gravest violations | — |
| Law 1581 of 2012 (Personal Data Protection Law) | Colombia | October 17, 2012 | Individuals in Colombia | Up to 2,000 monthly minimum wages (SIC enforcement) | — |
| Organic Law on Personal Data Protection (LOPDP) | Ecuador | May 26, 2021 (sanctions from May 2023) | Individuals in Ecuador | Up to 1% of prior-year business volume | — |
| Personal Data Protection Law, Law 29733 | Peru | 2011 (regulations 2013) | Individuals in Peru | Up to 100 UIT (tax units) | — |
| Data Protection Act, Law 18.331 | Uruguay | August 11, 2008 | Citizens and legal entities in Uruguay | Administrative fines; database registration required | — |
The LGPD mirrors GDPR’s structure — lawful bases, data subject rights, a national regulator (the ANPD) — but caps fines at 2% of Brazilian revenue per infraction, up to BRL 50 million. Uruguay and Argentina hold EU adequacy status, meaning the European Commission recognizes their protections as equivalent to GDPR for data transfers.
What Data Privacy Laws Apply in Asia-Pacific?
Asia-Pacific has the widest range of privacy regimes, from China’s strict localization rules under PIPL to India’s consent-centric DPDP Act, which is still being phased in.
| Law | Jurisdiction | Effective date | Who it protects | Maximum penalty | Official text |
|---|---|---|---|---|---|
| Personal Information Protection Law (PIPL) | China | November 1, 2021 | Individuals in China | ¥50M or 5% of prior-year revenue | — |
| Act on the Protection of Personal Information (APPI) | Japan | April 1, 2005 (major amendment April 1, 2022) | Individuals in Japan | ¥100M for corporations | PPC |
| Personal Information Protection Act (PIPA) | South Korea | September 30, 2011 (major amendment September 2023) | Individuals in South Korea | Up to 3% of related revenue | PIPC |
| Digital Personal Data Protection Act, 2023 (DPDP Act) | India | Enacted August 11, 2023; phased via DPDP Rules (2025–2027) | Individuals in India (“data principals”) | ₹250 crore (about USD 30M) per instance | MeitY |
| Personal Data Protection Act 2012 (PDPA) | Singapore | July 2, 2014 | Individuals in Singapore | SGD 1M or 10% of Singapore annual turnover | Singapore Statutes |
| Privacy Act 1988 (including Australian Privacy Principles) | Australia | December 1988 (penalties raised December 2022) | Individuals in Australia | AUD 50M, 3x the benefit gained, or 30% of adjusted turnover | OAIC |
| Privacy Act 2020 | New Zealand | December 1, 2020 | Individuals in New Zealand | NZD 10,000 per offense | NZ Legislation |
| Personal Data Protection Act B.E. 2562 (PDPA) | Thailand | June 1, 2022 | Individuals in Thailand | THB 5M administrative fine | — |
| Personal Data Protection Law, Law No. 27/2022 (PDP Law) | Indonesia | October 17, 2022 (transition ended October 2024) | Individuals in Indonesia | 2% of annual revenue | — |
| Decree 13/2023 on Personal Data Protection (PDPD) | Vietnam | July 1, 2023 (Personal Data Protection Law follows January 1, 2026) | Individuals in Vietnam | Administrative fines; up to 5% of revenue under the 2026 law | — |
| Data Privacy Act of 2012 (RA 10173) | Philippines | September 8, 2012 | Individuals in the Philippines | PHP 5M plus possible imprisonment | NPC |
| Personal Data Protection Act 2010 (PDPA) | Malaysia | November 15, 2013 (amended 2024) | Individuals in commercial transactions | RM 1M plus possible imprisonment | PDP Department |
PIPL is often called China’s GDPR, but it goes further: it requires security assessments for cross-border transfers and localization of certain data — ride-hailing company Didi was fined ¥8.026 billion (about USD 1.2 billion) under it in 2022. India’s DPDP Act is the newest major regime; its implementing rules were finalized in 2025 and obligations phase in through 2027, so global companies are building compliance programs now.
What Data Privacy Laws Apply in the Middle East and Africa?
Most Gulf states and Africa’s largest economies have adopted GDPR-influenced data protection laws since 2018, each with a national regulator.
| Law | Jurisdiction | Effective date | Who it protects | Maximum penalty | Official text |
|---|---|---|---|---|---|
| Protection of Privacy Law 5741-1981 (Amendment 13) | Israel | 1981 (Amendment 13 effective August 14, 2025) | Individuals in Israel | Administrative fines under Amendment 13 | PPA |
| Law on Protection of Personal Data No. 6698 (KVKK) | Turkey | April 7, 2016 | Individuals in Turkey | Administrative fines adjusted annually | KVKK |
| Personal Data Protection Law (PDPL) | Saudi Arabia | September 14, 2023 (grace period ended September 2024) | Individuals in Saudi Arabia | SAR 5M (doubled for repeat violations) | SDAIA |
| Federal Decree-Law No. 45 of 2021 (PDPL) | United Arab Emirates | January 2, 2022 | Individuals in the UAE | To be set by executive regulations | UAE Government |
| Law No. 13 of 2016 on Personal Data Privacy Protection | Qatar | 2017 | Individuals in Qatar | QAR 5M | Compliance QCERT |
| Personal Data Protection Law, Law No. 30 of 2018 (PDPL) | Bahrain | August 1, 2019 | Individuals in Bahrain | BHD 20,000 plus possible criminal penalties | — |
| Protection of Personal Information Act (POPIA) | South Africa | July 1, 2021 | Individuals in South Africa | ZAR 10M or imprisonment | Information Regulator |
| Data Protection Act, 2019 | Kenya | November 25, 2019 | Individuals in Kenya | KES 5M or 1% of annual turnover | Kenya Law |
| Nigeria Data Protection Act, 2023 (NDPA) | Nigeria | June 12, 2023 (replaced the 2019 NDPR) | Individuals in Nigeria | ₦10M or 2% of annual revenue, whichever is higher | NDPC |
| Personal Data Protection Law No. 151 of 2020 | Egypt | October 2020 | Individuals in Egypt | Fines up to EGP 5M plus possible imprisonment | — |
| Data Protection and Privacy Act, 2019 | Uganda | 2019 | Individuals in Uganda | Fines and possible imprisonment | Ministry of ICT |
| Data Protection Act, 2017 (DPA) | Mauritius | January 15, 2018 | Individuals in Mauritius | MUR 200,000 plus possible imprisonment | Data Protection Office |
What Do Data Privacy Regulations Mean for Marketers?
For marketing and data teams, privacy regulations turn consent, purpose limitation, and auditability into operating requirements — and the durable response is a consented first-party data strategy. Data collected directly from customers, with clear consent and a stated purpose, gives you a lawful basis for processing in every jurisdiction on this page — though rights handling, retention, and transfer obligations still apply. Third-party data rarely offers even that starting point, which is one reason cookieless tracking and first-party collection have displaced third-party audience buying.
Two capabilities matter most in practice. Consent management records what each customer agreed to — opt-in for GDPR and PIPL jurisdictions, opt-out signals for U.S. states — and enforces it at the point of activation. Data governance answers the questions every regulator asks: where does personally identifiable information (PII) live, who can access it, and can you delete it when a customer exercises that right?
Both depend on knowing where every customer record is. That is why privacy compliance and customer data infrastructure converge: a customer data platform that unifies profiles in one place can attach consent flags to each profile and honor access and deletion requests without hunting across a dozen disconnected systems.
Related Articles
- How to Navigate Data Privacy and Compliance with a CDP — How unified customer data supports compliance operations
- Data Privacy Governance: 8 Best Practices — Practical governance program for multi-jurisdiction compliance
- Consent Management and Data Privacy in Your CDP — Operationalizing consent across channels
- Want to Build Your 1P Data Strategy? Start with Trust — Turning privacy transparency into a data-collection advantage
- Data Privacy & Brand Trust Statistics — Consumer attitudes and adoption data behind these laws
FAQ
How many countries have data privacy laws?
144 countries had national data privacy laws as of January 2025, according to the International Association of Privacy Professionals (IAPP). Together those laws cover roughly 82% of the world’s population. Growth has been rapid: roughly 40 such laws existed in 2000, per privacy scholar Graham Greenleaf’s global tables. The remaining gaps are concentrated in parts of Africa, Central Asia, and the Pacific, and several of those countries have draft bills pending.
What is the strictest data privacy law?
The GDPR is widely considered the strictest data privacy law because it combines opt-in consent, extraterritorial reach, and penalties up to 4% of global annual revenue. China’s PIPL matches or exceeds it in specific areas — data localization, mandatory cross-border transfer assessments, and fines up to 5% of revenue. Among U.S. states, Maryland’s MODPA sets the tightest data-minimization standard.
Do U.S. states have their own privacy laws?
Yes — 20 U.S. states have comprehensive consumer privacy laws in effect as of July 2026, because no federal equivalent exists. California started the wave with the CCPA in 2020 and remains the only state with a dedicated privacy regulator and coverage of employee and B2B data. The other 19 follow a broadly similar model: rights to access, correct, delete, and opt out of sale, targeted advertising, and profiling.
This page is an educational reference, not legal advice — consult qualified counsel for compliance decisions.