See where CDP is headed with AI — Agentic World 2026, Oct 5–7, Miami →
CDP Basics

Data Privacy Laws by Country and U.S. State (2026)

Reference tables of 60+ data privacy laws worldwide — GDPR, CCPA/CPRA, PIPL, LGPD, DPDP, and all 20 U.S. state privacy laws — with dates and maximum penalties.

Kazuki Ohta Kazuki Ohta 15 min read

Data privacy laws — also called data privacy regulations — are rules that govern how organizations collect, store, process, and share personal data, granting individuals rights over their information and setting penalties for violations. As of 2026, 144 countries have enacted national data privacy laws, and 20 U.S. states have comprehensive consumer privacy laws in effect. This page is a reference of more than 60 of those laws, organized by region, with effective dates, scope, and maximum penalties — plus what these laws mean for customer data strategy.

Key Facts at a Glance

  • 144 countries had national data privacy laws as of January 2025 (IAPP), covering roughly 82% of the world’s population
  • 20 U.S. states have comprehensive consumer privacy laws in effect as of July 2026; the U.S. has no equivalent federal law
  • The General Data Protection Regulation (GDPR), effective May 25, 2018, carries the largest penalties: €20 million or 4% of global annual revenue, whichever is higher
  • The largest privacy fine to date is €1.2 billion against Meta (Irish Data Protection Commission, May 2023)
  • China’s Personal Information Protection Law (PIPL) allows fines up to ¥50 million or 5% of prior-year revenue; India’s Digital Personal Data Protection Act (DPDP Act) allows up to ₹250 crore (about $30 million) per instance
  • Most laws apply extraterritorially: they cover any organization processing residents’ data, regardless of where the organization is located

How Do the Major Laws Differ Operationally?

The operational differences that determine what compliance systems must do are the consent model (opt-in vs. opt-out), the deadline for answering data subject requests, and whether data must stay in-country. The table below summarizes those dimensions for the regimes most relevant to customer data systems:

Jurisdiction (law)Consent modelDeletion/access response deadlineData localization required
EU/EEA (GDPR)Opt-in — lawful basis required before processing1 month (extendable by 2 for complex requests)No
United Kingdom (UK GDPR)Opt-in1 monthNo
U.S. states (CCPA/CPRA and the Virginia-model laws)Opt-out of sale, targeted advertising, and profiling; opt-in for minors and sensitive data in most states45 days (typically extendable by 45)No
Quebec, Canada (Law 25)Opt-in for sensitive data; consent required by default30 daysNo
Brazil (LGPD)Opt-in — lawful basis required15 days for access requestsNo
China (PIPL)Opt-in, with separate consent for cross-border transfersNo fixed statutory deadline (“timely”)Yes — security assessment before exporting personal data; localization for critical operators
Russia (152-FZ)Opt-in30 daysYes — Russian citizens’ data must be stored on servers in Russia
Vietnam (PDPD / 2026 PDP Law)Opt-in72 hours for certain requestsYes — for certain data and providers
India (DPDP Act)Opt-in (“free, specific, informed” consent)To be set by DPDP RulesNo general requirement (sectoral rules exist)
Japan (APPI)Notice-based; opt-out permitted for third-party sharing with conditionsWithout undue delayNo

For consent enforcement this means one thing in practice: systems must store consent state per customer per jurisdiction, because “opt-in unless consented” (GDPR, PIPL) and “process unless opted out” (U.S. states) are opposite defaults that cannot share one flag.

What Data Privacy Laws Apply in Europe?

The General Data Protection Regulation (GDPR) governs all 27 European Union member states plus Iceland, Liechtenstein, and Norway, and it remains the global template for data privacy regulation. The United Kingdom and Switzerland maintain closely aligned national laws.

LawJurisdictionEffective dateWho it protectsMaximum penaltyOfficial text
General Data Protection Regulation (GDPR)EU + EEA (30 countries)May 25, 2018Individuals in the EU/EEA€20M or 4% of global annual revenueEUR-Lex
UK GDPR + Data Protection Act 2018 (DPA 2018)United KingdomMay 25, 2018 (UK GDPR from January 1, 2021)UK residents£17.5M or 4% of global annual revenuelegislation.gov.uk
Revised Federal Act on Data Protection (revFADP)SwitzerlandSeptember 1, 2023Individuals in SwitzerlandCHF 250,000 (levied on responsible individuals)Fedlex
ePrivacy Directive 2002/58/EC (“cookie law”)EUJuly 31, 2002 (cookie consent amended 2009)Electronic communications usersSet per member stateEUR-Lex
Federal Law No. 152-FZ on Personal DataRussiaJanuary 26, 2007Russian citizens (data localization required)Up to 3% of revenue (capped at RUB 500M) for repeat data breaches; RUB 18M for repeat localization violations

GDPR applies to any organization worldwide that targets or monitors individuals in the EU, and it requires opt-in consent — a lawful basis must exist before processing begins. Enforcement is real: European regulators had issued more than €5.8 billion in cumulative GDPR fines by January 2025 (DLA Piper GDPR Fines and Data Breach Survey, 2025), including the record €1.2 billion Meta penalty in 2023 over EU-U.S. data transfers.

How Can Personal Data Legally Leave the EU?

Personal data may leave the EU only through a recognized transfer mechanism: an adequacy decision, certification under the EU-U.S. Data Privacy Framework, or Standard Contractual Clauses (SCCs). The European Commission grants adequacy decisions to countries whose protections it deems equivalent (including the UK, Japan, South Korea, Argentina, and Uruguay). U.S. companies can self-certify under the Data Privacy Framework, adopted in July 2023 after the mechanism Meta was fined over was invalidated. Everyone else relies on SCCs — standardized contract terms — usually paired with a transfer impact assessment. China imposes the mirror-image constraint: under PIPL, exporting personal data out of China requires a government security assessment, standard contract, or certification.

What Are the U.S. Federal and Canadian Privacy Laws?

The United States regulates privacy by sector — children’s data, health, finance, education — while Canada has one national private-sector law plus a stricter provincial law in Quebec.

LawJurisdictionEffective dateWho it protectsMaximum penaltyOfficial text
Children’s Online Privacy Protection Act (COPPA)U.S. (federal)April 21, 2000Children under 13$50,000+ per violation (inflation-adjusted annually)FTC
Health Insurance Portability and Accountability Act (HIPAA)U.S. (federal)1996 (Privacy Rule compliance April 14, 2003)Patients (protected health information)$1.5M+ per violation category per year (inflation-adjusted)HHS
Gramm-Leach-Bliley Act (GLBA)U.S. (federal)November 12, 1999Customers of financial institutions$100,000 per violation (institutions); $10,000 (individuals)FTC
Family Educational Rights and Privacy Act (FERPA)U.S. (federal)1974Students (education records)Loss of federal education fundingED.gov
Personal Information Protection and Electronic Documents Act (PIPEDA)Canada (federal, private sector)January 1, 2001 (fully phased January 1, 2004)Canadian consumers in commercial activityCAD 100,000 per violationOPC
Law 25 (Act to Modernize Legislative Provisions Respecting the Protection of Personal Information)Quebec, CanadaPhased September 2022–2024 (core provisions September 22, 2023)Quebec residentsCAD 25M or 4% of worldwide turnoverCAI

PIPEDA requires organizations to follow ten fair information principles, from accountability to individual access. Quebec’s Law 25 goes further than the federal law — its GDPR-scale penalties (CAD 25 million or 4% of worldwide turnover) make it the strictest privacy law in North America outside California.

Which U.S. States Have Comprehensive Privacy Laws?

Twenty U.S. states have enacted comprehensive consumer privacy laws, and all 20 are in effect as of July 2026. Most follow the Virginia model — rights to access, correct, delete, and opt out of sale, targeted advertising, and profiling — with California remaining the broadest (it also covers employee and B2B data) and Maryland the strictest on data minimization. Applicability is threshold-based: most state laws apply only to businesses processing data of 100,000 or more residents (or 25,000 if the business derives revenue from selling data), so whether a law applies depends on your customer footprint in that state, not where your company is headquartered.

LawStateEffective dateWho it protectsMaximum penaltyOfficial text
California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA)CaliforniaJanuary 1, 2020 (CPRA amendments January 1, 2023)Residents, including employees and B2B contacts$2,500 per violation; $7,500 if intentional or involving minorsCA AG
Virginia Consumer Data Protection Act (VCDPA)VirginiaJanuary 1, 2023Residents (consumer context)$7,500 per violationVirginia LIS
Colorado Privacy Act (CPA)ColoradoJuly 1, 2023Residents (consumer context)$20,000 per violationCO General Assembly
Connecticut Data Privacy Act (CTDPA)ConnecticutJuly 1, 2023Residents (consumer context)$5,000 per willful violationCT General Assembly
Utah Consumer Privacy Act (UCPA)UtahDecember 31, 2023Residents (consumer context)$7,500 per violationUtah Legislature
Texas Data Privacy and Security Act (TDPSA)TexasJuly 1, 2024Residents (consumer context)$7,500 per violation
Oregon Consumer Privacy Act (OCPA)OregonJuly 1, 2024Residents (consumer context)$7,500 per violation
Florida Digital Bill of Rights (FDBR)FloridaJuly 1, 2024Residents (applies mainly to businesses with $1B+ global revenue)$50,000 per violation (trebled in some cases)
Montana Consumer Data Privacy Act (MTCDPA)MontanaOctober 1, 2024Residents (consumer context)Not specified in statute (attorney general enforcement)
Iowa Consumer Data Protection Act (ICDPA)IowaJanuary 1, 2025Residents (consumer context)$7,500 per violation
Delaware Personal Data Privacy Act (DPDPA)DelawareJanuary 1, 2025Residents (consumer context)$10,000 per violation (via consumer fraud statutes)
Nebraska Data Privacy Act (NDPA)NebraskaJanuary 1, 2025Residents (consumer context)$7,500 per violation
New Hampshire Privacy Act (SB 255)New HampshireJanuary 1, 2025Residents (consumer context)$10,000 per violation (via consumer protection act)
New Jersey Data Privacy Act (NJDPA)New JerseyJanuary 15, 2025Residents (consumer context)$10,000 first violation; $20,000 subsequent
Tennessee Information Privacy Act (TIPA)TennesseeJuly 1, 2025Residents (consumer context)$7,500 per violation (trebled if willful)
Minnesota Consumer Data Privacy Act (MCDPA)MinnesotaJuly 31, 2025Residents (consumer context)$7,500 per violation
Maryland Online Data Privacy Act (MODPA)MarylandOctober 1, 2025Residents (consumer context)$10,000 per violation; $25,000 if repeated
Indiana Consumer Data Protection Act (INCDPA)IndianaJanuary 1, 2026Residents (consumer context)$7,500 per violation
Kentucky Consumer Data Protection Act (KCDPA)KentuckyJanuary 1, 2026Residents (consumer context)$7,500 per violation
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)Rhode IslandJanuary 1, 2026Residents (consumer context)$10,000 per violation

California remains the reference point. The CCPA/CPRA applies to for-profit businesses that exceed $25 million in annual revenue, handle data of 100,000 or more consumers or households, or derive 50% or more of revenue from selling or sharing personal data — and it created the California Privacy Protection Agency (CPPA), the only dedicated state privacy regulator. Every other state relies on attorney general enforcement, and none grants a private right of action beyond California’s narrow data-breach provision.

Do not let the per-violation figures mislead: penalties multiply across affected consumers, so a practice applied to a full customer base compounds quickly — Sephora’s 2022 CCPA settlement with the California Attorney General was $1.2 million for a single tracking practice. Note also that this table covers comprehensive laws only; narrower state laws can still bite customer data systems, most notably Washington’s My Health My Data Act, which covers health inferences and grants consumers a private right of action.

What Data Privacy Laws Apply in Latin America?

Every major Latin American economy now has a national data protection law, with Brazil’s Lei Geral de Proteção de Dados (LGPD) the most actively enforced.

LawJurisdictionEffective dateWho it protectsMaximum penaltyOfficial text
Lei Geral de Proteção de Dados (LGPD), Law 13.709/2018BrazilSeptember 18, 2020 (sanctions from August 1, 2021)Individuals in BrazilBRL 50M or 2% of Brazil revenue per infractionPlanalto
Personal Data Protection Act, Law 25.326 (PDPA)ArgentinaOctober 4, 2000Individuals and legal entities in ArgentinaAdministrative fines set by the AAIPAAIP
Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP)MexicoJuly 6, 2010 (replaced by a new LFPDPPP, March 21, 2025)Individuals in MexicoFines up to 320,000 UMA (Mexico’s inflation-indexed fine unit)
Law No. 21.719 on Personal Data ProtectionChilePublished December 13, 2024; fully effective December 1, 2026Individuals in ChileUp to 20,000 UTM (about USD 1.4M) for gravest violations
Law 1581 of 2012 (Personal Data Protection Law)ColombiaOctober 17, 2012Individuals in ColombiaUp to 2,000 monthly minimum wages (SIC enforcement)
Organic Law on Personal Data Protection (LOPDP)EcuadorMay 26, 2021 (sanctions from May 2023)Individuals in EcuadorUp to 1% of prior-year business volume
Personal Data Protection Law, Law 29733Peru2011 (regulations 2013)Individuals in PeruUp to 100 UIT (tax units)
Data Protection Act, Law 18.331UruguayAugust 11, 2008Citizens and legal entities in UruguayAdministrative fines; database registration required

The LGPD mirrors GDPR’s structure — lawful bases, data subject rights, a national regulator (the ANPD) — but caps fines at 2% of Brazilian revenue per infraction, up to BRL 50 million. Uruguay and Argentina hold EU adequacy status, meaning the European Commission recognizes their protections as equivalent to GDPR for data transfers.

What Data Privacy Laws Apply in Asia-Pacific?

Asia-Pacific has the widest range of privacy regimes, from China’s strict localization rules under PIPL to India’s consent-centric DPDP Act, which is still being phased in.

LawJurisdictionEffective dateWho it protectsMaximum penaltyOfficial text
Personal Information Protection Law (PIPL)ChinaNovember 1, 2021Individuals in China¥50M or 5% of prior-year revenue
Act on the Protection of Personal Information (APPI)JapanApril 1, 2005 (major amendment April 1, 2022)Individuals in Japan¥100M for corporationsPPC
Personal Information Protection Act (PIPA)South KoreaSeptember 30, 2011 (major amendment September 2023)Individuals in South KoreaUp to 3% of related revenuePIPC
Digital Personal Data Protection Act, 2023 (DPDP Act)IndiaEnacted August 11, 2023; phased via DPDP Rules (2025–2027)Individuals in India (“data principals”)₹250 crore (about USD 30M) per instanceMeitY
Personal Data Protection Act 2012 (PDPA)SingaporeJuly 2, 2014Individuals in SingaporeSGD 1M or 10% of Singapore annual turnoverSingapore Statutes
Privacy Act 1988 (including Australian Privacy Principles)AustraliaDecember 1988 (penalties raised December 2022)Individuals in AustraliaAUD 50M, 3x the benefit gained, or 30% of adjusted turnoverOAIC
Privacy Act 2020New ZealandDecember 1, 2020Individuals in New ZealandNZD 10,000 per offenseNZ Legislation
Personal Data Protection Act B.E. 2562 (PDPA)ThailandJune 1, 2022Individuals in ThailandTHB 5M administrative fine
Personal Data Protection Law, Law No. 27/2022 (PDP Law)IndonesiaOctober 17, 2022 (transition ended October 2024)Individuals in Indonesia2% of annual revenue
Decree 13/2023 on Personal Data Protection (PDPD)VietnamJuly 1, 2023 (Personal Data Protection Law follows January 1, 2026)Individuals in VietnamAdministrative fines; up to 5% of revenue under the 2026 law
Data Privacy Act of 2012 (RA 10173)PhilippinesSeptember 8, 2012Individuals in the PhilippinesPHP 5M plus possible imprisonmentNPC
Personal Data Protection Act 2010 (PDPA)MalaysiaNovember 15, 2013 (amended 2024)Individuals in commercial transactionsRM 1M plus possible imprisonmentPDP Department

PIPL is often called China’s GDPR, but it goes further: it requires security assessments for cross-border transfers and localization of certain data — ride-hailing company Didi was fined ¥8.026 billion (about USD 1.2 billion) under it in 2022. India’s DPDP Act is the newest major regime; its implementing rules were finalized in 2025 and obligations phase in through 2027, so global companies are building compliance programs now.

What Data Privacy Laws Apply in the Middle East and Africa?

Most Gulf states and Africa’s largest economies have adopted GDPR-influenced data protection laws since 2018, each with a national regulator.

LawJurisdictionEffective dateWho it protectsMaximum penaltyOfficial text
Protection of Privacy Law 5741-1981 (Amendment 13)Israel1981 (Amendment 13 effective August 14, 2025)Individuals in IsraelAdministrative fines under Amendment 13PPA
Law on Protection of Personal Data No. 6698 (KVKK)TurkeyApril 7, 2016Individuals in TurkeyAdministrative fines adjusted annuallyKVKK
Personal Data Protection Law (PDPL)Saudi ArabiaSeptember 14, 2023 (grace period ended September 2024)Individuals in Saudi ArabiaSAR 5M (doubled for repeat violations)SDAIA
Federal Decree-Law No. 45 of 2021 (PDPL)United Arab EmiratesJanuary 2, 2022Individuals in the UAETo be set by executive regulationsUAE Government
Law No. 13 of 2016 on Personal Data Privacy ProtectionQatar2017Individuals in QatarQAR 5MCompliance QCERT
Personal Data Protection Law, Law No. 30 of 2018 (PDPL)BahrainAugust 1, 2019Individuals in BahrainBHD 20,000 plus possible criminal penalties
Protection of Personal Information Act (POPIA)South AfricaJuly 1, 2021Individuals in South AfricaZAR 10M or imprisonmentInformation Regulator
Data Protection Act, 2019KenyaNovember 25, 2019Individuals in KenyaKES 5M or 1% of annual turnoverKenya Law
Nigeria Data Protection Act, 2023 (NDPA)NigeriaJune 12, 2023 (replaced the 2019 NDPR)Individuals in Nigeria₦10M or 2% of annual revenue, whichever is higherNDPC
Personal Data Protection Law No. 151 of 2020EgyptOctober 2020Individuals in EgyptFines up to EGP 5M plus possible imprisonment
Data Protection and Privacy Act, 2019Uganda2019Individuals in UgandaFines and possible imprisonmentMinistry of ICT
Data Protection Act, 2017 (DPA)MauritiusJanuary 15, 2018Individuals in MauritiusMUR 200,000 plus possible imprisonmentData Protection Office

What Do Data Privacy Regulations Mean for Marketers?

For marketing and data teams, privacy regulations turn consent, purpose limitation, and auditability into operating requirements — and the durable response is a consented first-party data strategy. Data collected directly from customers, with clear consent and a stated purpose, gives you a lawful basis for processing in every jurisdiction on this page — though rights handling, retention, and transfer obligations still apply. Third-party data rarely offers even that starting point, which is one reason cookieless tracking and first-party collection have displaced third-party audience buying.

Two capabilities matter most in practice. Consent management records what each customer agreed to — opt-in for GDPR and PIPL jurisdictions, opt-out signals for U.S. states — and enforces it at the point of activation. Data governance answers the questions every regulator asks: where does personally identifiable information (PII) live, who can access it, and can you delete it when a customer exercises that right?

Both depend on knowing where every customer record is. That is why privacy compliance and customer data infrastructure converge: a customer data platform that unifies profiles in one place can attach consent flags to each profile and honor access and deletion requests without hunting across a dozen disconnected systems.

FAQ

How many countries have data privacy laws?

144 countries had national data privacy laws as of January 2025, according to the International Association of Privacy Professionals (IAPP). Together those laws cover roughly 82% of the world’s population. Growth has been rapid: roughly 40 such laws existed in 2000, per privacy scholar Graham Greenleaf’s global tables. The remaining gaps are concentrated in parts of Africa, Central Asia, and the Pacific, and several of those countries have draft bills pending.

What is the strictest data privacy law?

The GDPR is widely considered the strictest data privacy law because it combines opt-in consent, extraterritorial reach, and penalties up to 4% of global annual revenue. China’s PIPL matches or exceeds it in specific areas — data localization, mandatory cross-border transfer assessments, and fines up to 5% of revenue. Among U.S. states, Maryland’s MODPA sets the tightest data-minimization standard.

Do U.S. states have their own privacy laws?

Yes — 20 U.S. states have comprehensive consumer privacy laws in effect as of July 2026, because no federal equivalent exists. California started the wave with the CCPA in 2020 and remains the only state with a dedicated privacy regulator and coverage of employee and B2B data. The other 19 follow a broadly similar model: rights to access, correct, delete, and opt out of sale, targeted advertising, and profiling.

This page is an educational reference, not legal advice — consult qualified counsel for compliance decisions.

Kazuki Ohta
Written by

Kazuki Ohta is Co-Founder & CEO of Treasure AI (formerly Treasure Data), which he co-founded in 2011. A co-developer of Fluentd, a CNCF graduated open-source project, he previously served as CTO of Preferred Infrastructure. Ohta graduated with honors in Computer Science from the University of Tokyo and conducted research in high-performance computing and large-scale data processing as a visiting researcher at Argonne National Laboratory. CDP.com is managed by Treasure AI as an educational resource.