Data Privacy Laws Around the World: What You Need to Know
A global overview of data privacy laws from GDPR to LGPD, PIPL, and beyond. Understand which regulations apply to your business and users worldwide.
The Global Privacy Landscape
Data privacy regulation is no longer a niche concern. Over 140 countries have enacted data protection laws, and the trend is accelerating. For any business with an online presence, understanding the global privacy landscape isn't optional — it's essential.
This guide provides a practical overview of the major data privacy laws you need to know about.
Europe: GDPR
General Data Protection Regulation (EU/EEA)
Effective: May 2018
GDPR is the gold standard of privacy regulation. It applies to any organization processing personal data of EU/EEA residents, regardless of where the organization is based.
Key requirements:
- Lawful basis for all data processing
- Comprehensive privacy notices
- Data subject rights (access, deletion, portability, etc.)
- Data Protection Officers for certain organizations
- 72-hour breach notification
- Data Protection Impact Assessments for high-risk processing
- International transfer restrictions
Fines: Up to €20 million or 4% of annual global revenue
UK GDPR — After Brexit, the UK adopted its own version of GDPR through the UK Data Protection Act 2018. Requirements are nearly identical.
United States: A Patchwork Approach
The US has no single federal privacy law. Instead, privacy is regulated through a patchwork of state and sector-specific laws.
CCPA/CPRA (California)
The most comprehensive US state privacy law. Applies to businesses meeting revenue or data volume thresholds. Grants consumers rights to know, delete, correct, and opt out.
Other State Laws
As of 2026, over 15 states have enacted comprehensive privacy laws:
- Virginia (VCDPA) — Consumer rights similar to CCPA
- Colorado (CPA) — Opt-out rights and data protection assessments
- Connecticut (CTDPA) — Consumer rights and consent requirements
- Utah (UCPA) — Business-friendly approach with consumer rights
- Texas (TDPSA) — Broad coverage with no revenue threshold
- Oregon, Montana, Delaware, Iowa, Tennessee, Indiana — Various effective dates and requirements
Sector-Specific Federal Laws
- HIPAA — Health information
- COPPA — Children's privacy (under 13)
- GLBA — Financial information
- FERPA — Education records
- CAN-SPAM — Email marketing
Brazil: LGPD
Lei Geral de Proteção de Dados
Effective: September 2020
Often called "Brazil's GDPR," LGPD applies to any processing of personal data of individuals in Brazil.
Key requirements:
- Ten legal bases for processing (similar to GDPR's six)
- Data subject rights including confirmation, access, correction, and deletion
- Data Protection Officer requirement
- Breach notification to authorities and data subjects
- International transfer restrictions
Fines: Up to 2% of revenue in Brazil, capped at R$50 million per violation
China: PIPL
Personal Information Protection Law
Effective: November 2021
China's PIPL is one of the strictest privacy laws globally and applies to processing personal information of individuals in China.
Key requirements:
- Consent as the primary legal basis
- Separate consent for sensitive personal information
- Data localization requirements
- Cross-border transfer restrictions (security assessments, certifications)
- Personal information impact assessments
- Data Protection Officers for certain processors
Fines: Up to ¥50 million or 5% of annual revenue
Canada: PIPEDA and Provincial Laws
Personal Information Protection and Electronic Documents Act
Effective: 2000 (updated periodically)
PIPEDA applies to private-sector organizations collecting personal information in the course of commercial activity.
Key requirements:
- Consent for collection, use, and disclosure
- Limited to purposes a reasonable person would consider appropriate
- Individual access rights
- Breach notification for real risk of significant harm
Canada is also advancing the Consumer Privacy Protection Act (CPPA) to modernize its federal privacy framework.
India: DPDPA
Digital Personal Data Protection Act
Effective: 2023 (phased implementation)
India's DPDPA regulates digital personal data processing of individuals in India.
Key requirements:
- Consent-based processing with clear notice
- Data fiduciary obligations
- Rights of data principals (access, correction, erasure)
- Restrictions on children's data processing
- Significant data fiduciary obligations for large processors
- Cross-border transfer restrictions
Fines: Up to ₹250 crore (approximately $30 million)
Other Notable Privacy Laws
Japan — APPI
The Act on Protection of Personal Information requires consent for data use beyond stated purposes and restricts international transfers.
South Korea — PIPA
One of Asia's strictest privacy laws, requiring consent for most processing and imposing criminal penalties for violations.
Australia — Privacy Act
Applies to organizations with revenue over AUD $3 million, with Australian Privacy Principles governing data handling.
Thailand — PDPA
Thailand's Personal Data Protection Act (2022) mirrors GDPR in many respects, including consent requirements and data subject rights.
South Africa — POPIA
The Protection of Personal Information Act requires lawful processing, purpose limitation, and data subject rights.
What This Means for Your Business
If your website is accessible globally — which most are — you're potentially subject to privacy laws from multiple jurisdictions. Here's how to approach this:
1. Start with GDPR
GDPR is the most comprehensive regulation. If you comply with GDPR, you'll be well-positioned for most other privacy laws. It sets the highest bar for privacy protection.
2. Address US State Laws
If you have US customers, pay attention to CCPA/CPRA and the growing list of state privacy laws. Add "Do Not Sell" links and handle opt-out requests.
3. Generate Compliant Documentation
Your privacy policy should address multiple jurisdictions. LegalForge generates privacy policies that cover major regulatory frameworks, giving you a solid multi-jurisdictional foundation.
4. Implement Universal Best Practices
Regardless of specific laws:
- Be transparent about data collection
- Minimize the data you collect
- Secure the data you have
- Respect user preferences and rights
- Keep your privacy documentation current
The Direction of Travel
The global trend is clear: more privacy regulation, stronger enforcement, and higher fines. Countries that don't yet have comprehensive privacy laws are actively developing them.
Building privacy into your business practices now — starting with a comprehensive privacy policy from LegalForge — positions you ahead of the curve rather than scrambling to catch up.