Data privacy laws and regulations protect the personal data of citizens or residents within certain locations. They afford individuals rights to how businesses use their data and allow them to make decisions about how their data is used after a company collects it. These regulations can exist at the multi-national, national, state, and local levels.
This page is a running list of data privacy laws and regulations around the world. It will be updated as new laws and regulations emerge. The laws are grouped into the following categories:
- U.S. Federal Regulations
- U.S. State-Specific Regulations
- International Regulations
U.S. Federal Data Privacy Laws and Regulations
Children’s Online Privacy Protection Act (COPPA)
Applies to: Operators of websites or online services that collect data from children under the age of 13.
The Children’s Online Privacy Protection Act (COPPA) of 1998, prohibits unfair or deceptive acts related to the collection, use or disclosure of personal information from and about children on the internet. It was enacted by Congress in 1998 and requires the Federal Trade Commission (FTC) to issue and enforce regulations for children’s online privacy. The goal of COPPA is to give parents control over what information is collected from their young children online. COPPA was put into effect on April 21, 2000.
Gramm-Leach-Bliley Act (GLBA)
Applies to: Financial institutions in the United States
The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, was passed by the U.S. Congress and went into effect on November 12, 1999. The law requires that financial institutions disclose their information-sharing practices to their customers in order to safeguard sensitive customer data.
The law defines “financial institutions” as “companies that offer consumers financial products or services like loans, financial or investment advice, or insurance.”
GLBA’s Financial Privacy Rule requires financial institutions to provide consumers with a privacy notice when they first enroll as customers. The rule also requires a privacy notice be sent annually thereafter. GLBA’s Safeguards Rule requires financial institutions to provide an information security plan that describes how the institution will protect its customers’ nonpublic personal information.
Health Insurance Portability and Accountability Act (HIPAA)
Applies to: Healthcare providers in the United States
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that defines national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
The HIPAA Privacy Rule addresses the use and disclosure of individuals’ health information by these covered entities: healthcare providers, health plans, healthcare clearinghouses and business associates.
The HIPAA Security Rule addresses a subset of the information covered by the Privacy Rule, “all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form (i.e., electronic protected health information or “e-PHI”).”
U.S. State-Specific Data Privacy Laws and Regulations
California Consumer Privacy Act (CCPA)
Applies to: Businesses that collect data about California consumers.
The California Consumer Privacy Act (CCPA) was put into effect on January 1, 2020. It provides California consumers with more control over the personal information that businesses collect about them. The law secures new privacy rights for California consumers, including the right to know about the personal information a business collects about them and the right to opt-out of the sale of their personal information.
In November 2020, California voters approved the California Privacy Rights Act of 2020 (CPRA). The CPRA will come into effect on January 1, 2023. It doesn’t replace the CCPA; however, it provides updates to CCPA and includes additional laws and regulations.
California Online Privacy Protection Act of 2003 (CalOPPA)
Applies to: Commercial websites that collect Personally Identifiable Information (PII) from California’s residents.
The California Online Privacy Protection Act of 2003 (CalOPPA) went into effect on July 1, 2004. It was the first state law in the U.S. that required commercial websites and online services to include a privacy policy on their site. Specifically, websites that collect Personally Identifiable Information (PII) from California residents are required to post and comply with a privacy policy.
According to CalOPPA, the privacy policy must be clearly labeled and easy to find. Many sites list the policy under the heading “Your California Privacy Rights.” The privacy policy must disclose:
- The effective date of the policy
- The information gathered by the website
- How the information is shared with other parties
- How users can request, review and make changes to their stored information
- A list of any changes that took place after the effective date
A website operator that fails to post a privacy policy within 30 days of being notified will be in violation and subject to fines. Violations can be reported to the California Attorney General’s office via their website.
Colorado Privacy Act (ColoPA)
Applies to: Organizations conducting business in Colorado or providing goods and services targeted to Colorado residents.
The Colorado Privacy Act (ColoPA, also known as CPA) was signed into law on July 7, 2021 and will go into effect on July 1, 2023. Colorado is the third state (behind California’s CCPA and Virginia’s VCDPA) to enact a comprehensive data privacy law for its residents.
ColoPA applies to organizations conducting business in Colorado or providing goods and services to its residents. It also applies if organizations:
- Control or process data of 100,000 or more Colorado residents in a calendar year, or,
- Generates revenue from the sale of personal data of at least 25,000 Colorado residents
Connecticut Data Privacy Act (CDPA)
Applies to: Organizations conducting business in Connecticut or producing products or services targeted to people living in Connecticut residents.
The Connecticut Data Privacy Act (CDPA) was signed into law on May 4, 2022. It will go into effect on July 1, 2023. Connecticut is the fifth state to enact its own set of data privacy legislation.
The Connecticut Data Privacy Act applies to those who conduct business in Connecticut or target residents of the state. Additional parameters include:
- Organizations that have controlled or processed the personal data of 100,000 or more consumers annually, except for personal data controlled or processed solely for the purpose of completing a payment transaction
- Organizations that have derived over 25 percent of their gross revenue from the sale of personal data and controlled or processed the personal data of 25,000 or more consumers
Delaware Personal Privacy Act
Applies to: Organizations conducting business in Delaware or producing products or services targeted to people living in Delaware residents.
Enacted on Jan. 1, 2025, the Delaware Personal Data Privacy Act provides stronger privacy rights for consumers. This includes protections for children’s data, more definitions of sensitive data, and consumers being able to opt out of the processing of personal data for advertising purposes.
Indiana Consumer Data Protection Act
Applies to: Organizations conducting business in Indiana that process the personal data of at least 100,000 Indiana residents, or ones that handle the information of at least 25,000 state consumers but get more than 50% of their revenue from selling data.
The Indiana Consumer Data Protection Act takes effect on Jan. 1, 2026.
Kentucky Consumer Data Act (KCDPA)
Applies to: Organizations that conduct business in Kentucky or target residents and manage the personal data of at least 100,000 consumers per year.
The Kentucky Consumer Data Act goes into effect on Jan. 1, 2026.
Maryland Online Data Privacy Act (MODPA)
Applies to: Companies that handle the personal data of at least 35,000 residents per year, or 10,000 residents if more than 20% of the company’s revenue comes from selling personal data.
The Maryland Online Data Privacy Act takes effect on Oct. 1, 2025.
Montana Consumer Data Privacy Bill (MCDPA)
Applies to: Organizations or data controllers that product goods or services targeted to Montana residents and process or control data for 50,000 or more Montana residents. The bill excludes data collected “solely for payment transactions.”
The Montana Consumer Data Privacy Bill was passed in April 2023 and is set to go into effect in October 2024. Additional consumer protections include:
- Consumers have the right to opt-out, or “revoke consent” of the use of their personal data.
- Consumers have the right to have their personal data deleted upon request.
Nebraska Data Privacy Act (NDPA)
Applies to: Companies that do business in Nebraska or target its residents and also process or sell personal data.
The law goes into effect on Jan. 1, 2025.
New Hampshire Privacy Act (NHPA)
Applies to: Companies that handle the data of at least 35,000 state residents a year, or 10,000 if more than a quarter of their gross revenue comes from selling personal data.
The New Hampshire Privacy Act will take effect Jan. 1, 2025.
New Jersey Data Privacy Act (NJDPA)
Applies to: Companies that do business in the state and handle the personal data of at least 100,000 consumers per year, or at least 25,000 if the company also sells personal data.
The New Jersey Data Privacy Act goes into effect on Jan. 15, 2025.
Oregon Consumer Privacy Act (OCPA)
Applies to: Anyone who conducts business in Oregon or produces products or services that are targeted to the residents of Oregon.
The Oregon Consumer Privacy Act went into effect on July 1, 2024.
Texas Data Privacy and Security Act
Applies to: Organizations conducting business in Texas or producing goods and services consumed in Texas. Businesses that process or sell personal data. Small businesses, as defined by the United Small Business Administration.
The Texas Data Privacy and Security Act was approved by the state Senate in May 2023. Additional consumer protections include:
- Consumer rights to obtain a copy of personal data that has been provided
- Opt-out of processing personal data for the purposes of targeted advertising, or for the sale of personal data.
- Consumer rights to correct inaccurate personal data and delete data that is provided.
Additional data processor and controller regulations include:
- Organizations must clearly disclose data collection and use policies, including whether they intend to sell personal data to third parties. Consumers must be given the option to opt-out if desired.
- Organizations must provide clear consent when sensitive data is collected.
- Data collectors must limit the amount of personal data collected to what is “adequate, relevant, and reasonably necessary” for their data collection purposes.
- Data collectors cannot discriminate against consumers based on the personal information provided.
Utah Consumer Privacy Act (UCPA)
Applies to: For-profit organizations conduct business in Utah or target products and services to consumers who live in the state.
The Utah Consumer Privacy Act was signed into law on March 24, 2022. It will go into effect on December 31, 2023. Utah is the fourth state to enact its own set of data privacy laws.
Additional requirements for the law include:
- Business that have annual revenues of at least $25 million
- Control or process the personal data of 100,000 or more Utah residents
- Derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.
Virginia Consumer Data Protection Act (VCDPA)
Applies to: People or companies that conduct business in the Commonwealth of Virginia.
The Virginia Consumer Data Protection Act (VCDPA) was signed into law on March 2, 2021 and will go into effect on January 1, 2023. With VCDPA, Virginia became the second state (i.e., after California’s CCPA in 2020) to enact a comprehensive data privacy law for its citizens.
VCDPA applies to people or companies that conduct business in the Commonwealth of Virginia and:
- Control or process personal data of at least 100,000 consumers or,
- Derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers
VCDPA gives consumers the rights to access, correct, delete, and obtain a copy of their personal data. In addition, consumers can opt out from having their personal data used for targeted advertising. They can also opt out from the sale of their personal data. VCDPA gives the Virginia Attorney General the exclusive authority to enforce violations of its laws and regulations.
International Data Privacy Laws and Regulations
Argentina: Personal Data Protection Act (PDPA)
Applies to: Organizations that target or collect data from citizens of Argentina.
Argentina’s Personal Data Protection Act 25.326 (PDPA) was enacted by the Senate and the House of Representatives of Argentina on October 4, 2000. The law protects the personal data of Argentina’s citizens. It defines “personal data” as information of any kind that refers to certain or ascertainable physical persons or legal entities.
The law specifies that the use of personal data must be certain, appropriate and pertinent. It must also be consistent with the stated purpose when consent to use the data was received. In addition, the use of personal data is considered unlawful when the owner of that data has not provided explicit consent, either in writing or via similar means.
Bahrain: Personal Data Protection Law (PDPL)
Applies to: Organizations that target or collect data from citizens of Bahrain.
On July 12, 2018, Bahrain enacted Law No. 30 of 2018, the Personal Data Protection Law (PDPL). It went into effect on August 1, 2019. The Law is enforced by the Personal Data Protection Authority, which has the power to investigate violations of the Law. The Authority can force organizations to stop violations and issue emergency orders and fines. The PDPL can result in criminal penalties (including imprisonment) and fines for violating its provisions. Fines can range from 1,000 to 20,000 BHD (Bahraini dinars).
Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
Applies to: Private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a data privacy law in Canada that enforces how personal information can be used in commercial activity. PIPEDA defines “personal information” as “any factual or subjective information, recorded or not, about an identifiable individual.”
Examples of personal information include age, name, ID numbers, income, ethnic origin and blood type. Under PIPEDA, businesses must follow 10 fair information principles to protect personal information. The 10 principles are:
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
European Union: General Data Protection Regulation (GDPR)
Applies to: Organizations that target or collect data from citizens of the European Union.
GDPR was put into effect on May 25, 2018. The laws apply to any organization that targets or collects data related to European Union (EU) citizens. The creators of GDPR call it “the toughest privacy and security law in the world.”
The laws are extensive and intentionally light on specifics. As a result, understanding GDPR compliance can be a challenge for small and medium-sized businesses (SMBs). The fines for violating GDPR regulations are high. Penalties can reach as much as €20 million or 4 percent of global revenue, whichever is higher.
Israel: Privacy Protection (Data Security) Regulations
Applies to: Organizations that target or collect data from citizens of Israel.
Israel’s Privacy Protection (Data Security) Regulations were passed into law in May 2017 and went into effect in May 2018. The law applies to both private and public sectors and aims to make data security part of the management routines of all organizations processing personal data. The regulations are expected to improve the level of data security in the country, making the protection of privacy stronger than ever.
The regulations are enforced by the privacy protection authority ׂ(PPA). The PPA may instruct a database to implement changes to strengthen the security of its activities. For example, PPA may instruct low-level risk databases to implement provisions that apply to medium-risk databases.
Japan: Act on the Protection of Personal Information (APPI)
Applies to: Organizations that target or collect data from citizens of Japan.
The Japan Act on the Protection of Personal Information (APPI) went into effect in 2005. The purpose of the act is to protect the personal information of Japanese citizens. All organizations that collect or receive personal information of Japanese citizens must comply with the act or face penalties. APPI is enforced by the Personal Information Protection Commission (PPC), a Japanese government commission charged with the protection of personal information..
Kenya: Data Protection Act
Applies to: Organizations that target or collect data from citizens of Kenya.
Kenya’s Data Protection Act went into effect on November 25, 2019. It was one of the first comprehensive data privacy laws established in Africa. The Act applies to organizations that process the personal data of Kenya’s residents. It closely resembles the parameters of the European Union’s GDPR law. Penalties under the Act can reach 5 million Kenyan shillings (KES) or 1% of the company’s annual revenue from the preceding financial year.
Brazil: Lei Geral de Proteção de Dados Pessoais (LGPD)
Applies to: Organizations that target or collect data from citizens of Brazil.
Lei Geral de Proteção de Dados Pessoais (LGPD) is a data protection law in Brazil. LGPD was put into effect on September 18, 2020. The law is enforced by Autoridade Nacional de Proteção de Dados, Brazil’s National Data Protection Authority.
LGPD comprises sixty-five articles and defines rights of the use of personal data, including the conditions in which personal data can be collected, processed, stored, and shared. LGPD applies to the handling of personal data of individuals located in Brazil, as well as data that is collected or processed in the country. In addition, it applies when data is used to offer products or services to individuals in Brazil.
Mauritius: Data Protection Act, 2017 (DPA)
Applies to: Organizations that target or collect data from citizens of Mauritius.
The Mauritius Data Protection Act, 2017 (DPA) protects the privacy rights of individuals in Mauritius in relation to the collection, processing and handling of their personal information. The act was passed into law by the Mauritian Assembly on December 8, 2017 and went into effect on January 15, 2018. DPA supersedes The Data Protection Act of 2004.
DPA is enforced by the Data Protection Commissioner (DPC). To encourage compliance with the Act, the DPC issues guidelines and may establish technical standards for data protection certification mechanisms and data protection seals and marks.
New Zealand: Privacy Act 2020
Applies to: Organizations that target or collect data from citizens of New Zealand.
Privacy Act 2020 legislation went into effect on December 1, 2020 by New Zealand’s Office of the Privacy Commissioner. The law seeks to promote and protect individual privacy by providing a framework for protecting an individual’s right to privacy of personal information. It also specifies the rights of individuals to access their personal information.
The Privacy Commissioner is granted the power to ensure that organizations and businesses comply with the Act. The Act makes it an offense to mislead an agency to access personal information that they are entitled to see. The offense can result in a fine of up to $10,000 (New Zealand dollars).
Nigeria Data Protection Regulation (NDPR)
Applies to: Organizations that target or collect data from citizens of Nigeria.
The Nigeria Data Protection Regulation (NDPR) was passed into law in January 2019. It applies to the processing of personal data within and outside Nigeria. The law protects the right to privacy, creating the right environment for digital transactions, job creation and improving information management practices in Nigeria.
NDPR is enforced by the National Information Technology Development Agency (NITDA), the Regulatory Authority for Data Protection in Nigeria. NITDA’s goal is to pursue data protection management in Africa through regulatory strategies, partnerships and continuous improvement.
Qatar: Law No. 13 of 2016
Applies to: Organizations that target or collect data from citizens of Qatar.
Established in 2016, Qatar’s Law No. 13 protects the processing of personal data using electronic means. It has elements that are similar to the European Union’s GDPR. Law No. 13 includes a “privacy by design” principle, that requires organizations to consider privacy issues when designing and developing products and services. In addition, it requires that operators of websites targeting children post specific notifications to obtain the explicit consent of a child’s parent or guardian.
South Africa: Protection of Personal Information Act (POPIA)
Applies to: Organizations that target or collect data from citizens of South Africa.
South Africa’s Protection of Personal Information Act (POPIA) was passed into law on July 1, 2020 and went into effect on July 1, 2021. The law applies to any company or organization that processes personal information about the residents of South Africa.
The Act provides a constitutional right to privacy by safeguarding personal information. It regulates the manner in which personal information may be processed by prescribing minimum threshold requirements for the lawful processing of personal information. It also provides South African residents with rights and remedies to protect their personal information from processing that is not in accordance with the Act. POPIA established the role of an Information Regulator whose charter is to enforce and fulfill the rights protected by the Act.
South Korea: Personal Information Protection Act (PIPA)
Applies to: Organizations that target or collect data from citizens of South Korea.
South Korea’s Personal Information Protection Act (PIPA) was enacted September 30, 2011. The law specifies how personal information is processed in order to protect the rights and interests of its citizens. The law protects personal information from unnecessary collection, unauthorized use, unauthorized disclosure and abuse. “Personal information” is defined as information about any living person that makes it possible to identify them by their name, resident registration number, image, etc.
Turkey: Law on Protection of Personal Data No. 6698
Applies to: Organizations that target or collect data from citizens of Turkey.
Turkey’s Law on Protection of Personal Data No. 6698 was passed into law on April 7, 2016. The purpose of the Law is to protect the rights and freedoms of Turkish residents, particularly the right to privacy in the use and processing of personal data. The law prohibits the processing or storing of personal data without explicit consent from the data subject.
Uganda: Data Protection and Privacy Act, 2019
Applies to: Organizations that target or collect data from citizens of Uganda.
Uganda’s Data Protection and Privacy Act, 2019 builds upon Article 27 of the Constitution of the Republic of Uganda (1995) to protect the collection, processing and storage of Ugandan citizens’ personal data. The act specifies that personal data be collected in a lawful and fair manner, and be adequate, accurate and secure. It also specifies that data not be kept longer than needed and not be transferred outside the jurisdiction of its collection.
Uruguay: Data Protection Act
Applies to: Controllers in Uruguay who process personal data.
Uruguay’s Data Protection Act Law No. 18.331 went into effect on August 11, 2008. It requires the registration of all databases containing the personal data of citizens or legal entities. The law defines “personal data” as information about citizens or legal entities that is identified or identifiable. In order to collect personal data, the law requires data processors to obtain prior documented consent. In addition, personal data cannot be used for purposes other than those specified when consent was received.
To learn more about data privacy, governance and what it means for marketing organizations, check out our ongoing coverage here.