A complete guide to data privacy regulations

The average consumer is awakening to the ways their data is being collected, shared and sold without their consent or knowledge – and consumers are, in turn, awakening legislators. 

Data shows that approximately six out of ten Americans believe it's impossible to go through life without having their data collected. As a result, 81% of US adults feel a lack of control over their data, and 79% express concern over data use. 

Many governments are starting to respond more forcefully by developing and enforcing data privacy regulations, many of which carry significant penalties for organizations caught skirting the rules. The goal of these regulations is to protect citizens' rights and ensure organizations handle personal data responsibly – but the policies are inconsistent, leaving organizations to grapple with abiding by different rules which correspond to different consumers. 

Protecting data privacy rights is becoming an increased priority globally and companies that don’t keep up will be left behind. Gartner estimates that by the end of 2023, at least 65% of the world's population will be subject to data privacy regulations. To ensure compliance, organizations must be able to navigate and abide by the current patchwork of legislation. 

Data privacy laws by country

Today, over 80 countries have passed or strengthened data privacy laws.

Data privacy laws are not universal; they vary by country, with some being stricter than others. However, there can be an overlap between certain countries, such as the General Data Protection Regulation (GDPR). This applies to processing European residents' data. Canada has a similar statute called the Personal Information Protection and Electronic Documents Act (PIPEDA).

While there is no federal-level data protection and privacy law within the United States, individual states have adopted their own legislation, such as the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. More states continue to follow, so businesses must remain aware of changes. 

Understanding data protection laws around the world is crucial if you conduct business internationally or plan to expand. For example, you may think that the GDPR does not apply to you as an American-based company. That's a costly mistake. GDPR applies to who your business targets more than where your business is located. For example, if you are a US company that handles data from people in the European Union (EU), the GDPR applies to you. 

Read more here: Does GDPR apply to US customers?

Countries with strict data privacy laws outside of the EU, Canada, and the United States include:

• Iceland
• Israel
• Turkey
• South Africa
• Kenya
• Japan

However, this is not a comprehensive list. As stated above, dozens of countries are now enforcing or developing data privacy laws. To protect your business, remain mindful of ongoing data privacy regulation trends. 

Data privacy laws in Europe

In the EU, the General Data Protection Regulation (GDPR) is a set of data privacy laws that protects its residents. Since being implemented in 2018, several companies have been penalized for failure to comly. The consequences can be severe when you do not practice GDPR compliance, including:

• Significant fines that can equal up to four percent of the company's annual turnover.
• Legal repercussions in the event of a breach. 
• A blow to a company's reputation from increased public attention, resulting in severe commercial repercussions. 

Regardless of the size of your business, this privacy policy must be followed. The goal is to limit the amount of customer data business organizations can access. Citizens are entitled to greater control over their personal information, and this policy forces businesses to handle data in ways that ensure and respect privacy rights. 

While Europe developed the laws associated with the EU GDPR, their impact reaches far beyond European borders. If you collect any data related to EU citizens, the GDPR applies to you. 

United States data protection laws

Despite several proposals over the years, there are still no federal data privacy laws. The American Data Privacy and Protection Act (ADPPA) has passed numerous legislative stages but still faces hurdles. So, when considering variables related to US data protection laws vs. GDPR, the main difference is that no singular, comprehensive policy applies to all types of data and all businesses in the United States. 

Despite that, some regulations govern more specific sectors, such as the following:

• The Health Insurance Portability and Accountability Act (HIPAA)
• The Gramm-Leach Bliley Act (GLBA)
• Children's Online Privacy Protection Rule (COPPA)
• The Federal Information Security Modernization Act (FISMA)

Dive deeper: Your guide to US state data privacy compliance

Data privacy laws by state

United States data protection laws are currently enforced based on individual state laws. Here are some of the data privacy laws by state.

The most comprehensive data privacy laws based on individual states include:

• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
• Virginia Consumer Data Protection Act (VCDPA)
• Colorado Privacy Act (CPA)
• Connecticut Data Privacy Act (CTDPA)
• Utah Consumer Privacy Act (UCPA)

There are also more limited data privacy laws based on individual states, including:

• Nevada enforces several laws, such as NRS § 603A.300. This law mandates that websites allow Nevada-based users to opt-in before companies can sell personal information to third parties. 

Ten additional states enforce limited data protection laws compared to those mentioned above. These include:

• Arizona – Ariz. Rev. Stat. § 41-151.22
• Vermont – 9 V.S.A § 2446-2447
• Oregon – ORS § 646.607
• Hawaii – House Bill No. 1253
• Minnesota – Minn. Stat. §§ 325M.01 to .09
• Missouri – Mo. Stat. § 182.817
• Maine – 35-A § 9301
• Delaware – Del. Code § 1204C 
• New York – § 52-C*2
• Tennessee – § 10-7-512