Collecting & handling user data

Governs the collection of personal information from children under 13. Requires verifiable parental consent before collecting, using, or disclosing a child's data — any site or service directed at children or with actual knowledge of child users must comply.

Implements Executive Order 14117 restricting the bulk transfer of Americans' sensitive personal data to countries of concern (China, Russia, Iran, North Korea, Cuba, Venezuela). Effective April 2025. Covers genomic data, biometric data, precise geolocation, health data, financial data, and certain government-related data. Tech companies handling large-scale personal data should evaluate whether their data flows implicate these restrictions.

Governs how the government and private parties can access electronic communications and stored data, covering real-time interception, stored records, and metadata collection. It is the primary federal statute protecting the privacy of digital communications. Applies to any entity that intercepts, accesses, or stores electronic communications.

Prohibits unfair or deceptive acts or practices in commerce. The FTC's primary enforcement tool against privacy violations, misleading marketing, security misrepresentations, and dark patterns — applies to nearly every business.

Regulates the collection, use, and sharing of consumer credit and background information. Applies to any company using background checks, credit reports, or algorithmic consumer evaluations for employment, housing, or credit decisions.

Requires financial institutions to explain their information-sharing practices and protect sensitive customer data. The Safeguards Rule mandates specific administrative, technical, and physical data security measures.

Strengthened HIPAA enforcement and extended HIPAA obligations directly to business associates. Introduced tiered civil penalties and required HHS to conduct periodic audits of covered entities and business associates. Relevant to any tech company that is or may become a HIPAA business associate.

Any tech company building health apps, handling patient records, operating as a business associate of a covered entity, or processing protected health information must understand HIPAA. The Privacy Rule, Security Rule, and Breach Notification Rule each impose distinct obligations. HIPAA's definition of "covered entity" and "business associate" is broader than most tech founders assume — a SaaS platform that processes health data on behalf of a hospital is a business associate and must have a signed BAA. HHS Office for Civil Rights actively enforces, particularly against tech companies following data breaches.

California's comprehensive consumer privacy law giving residents rights to know, delete, correct, and opt out of the sale or sharing of their personal information. Applies to businesses meeting revenue or data-volume thresholds processing California residents' data.

Colorado's comprehensive privacy law modeled on the CCPA structure. Grants residents access, deletion, correction, portability, and opt-out rights, and requires data protection assessments for high-risk processing.

Connecticut's comprehensive privacy law providing residents with rights to access, correct, delete, and opt out of targeted advertising, sale of data, and profiling. Enforcement by the attorney general.

Delaware's comprehensive privacy law granting residents standard consumer privacy rights. Applies to businesses processing personal data of 35,000+ Delaware residents. Effective January 2025.

Florida's comprehensive privacy law focused on large tech companies with $1B+ in global revenue. Grants residents rights to access, delete, and opt out of targeted advertising and the sale of data.

Landmark biometric privacy statute requiring private entities to obtain informed written consent before collecting fingerprints, face geometry, or other biometric identifiers. Notable for its private right of action with statutory damages.

Indiana's comprehensive privacy law following the Virginia model. Grants residents access, correction, deletion, and opt-out rights. Effective January 2026.

Iowa's comprehensive privacy law. Provides residents with more limited rights than other state privacy laws (no correction right, no profiling opt-out). Effective January 2025.

Kentucky's comprehensive privacy law modeled on the Virginia framework. Grants residents access, correction, deletion, and opt-out rights. Effective January 2026.

Maryland's comprehensive privacy law — one of the strictest in the US. Imposes data minimization requirements and bans the sale of sensitive personal data without affirmative consent. Effective October 2025.

Minnesota's comprehensive privacy law with strong profiling and automated decision-making provisions. Grants residents access to profiling logic and contestation rights. Effective July 2025.

Montana's comprehensive privacy law following the Connecticut model. Grants standard access, correction, deletion, portability, and opt-out rights.

Nebraska's comprehensive privacy law modeled on the Texas framework. Applies to businesses processing personal data that are not small businesses under the SBA definition.

New Hampshire's comprehensive privacy law granting residents standard consumer privacy rights. Effective January 2025.

New Jersey's comprehensive privacy law. Grants residents access, correction, deletion, portability, and opt-out rights. Effective January 2025.

New York's data security and breach notification law. Requires businesses that own or license private information of New York residents to implement reasonable safeguards and notify affected individuals after a breach.

Oregon's comprehensive privacy law. Grants residents standard consumer privacy rights and includes strong protections for sensitive data, including children's information.

Rhode Island's comprehensive privacy law focused on transparency and notice obligations. Effective January 2026.

Tennessee's comprehensive privacy law. Notable for explicitly providing an affirmative defense for businesses that implement NIST-aligned privacy programs.

Requires informed consent before a private entity may capture a biometric identifier (such as fingerprint, voice print, or iris scan) for a commercial purpose, and imposes storage and destruction requirements.

Texas's comprehensive privacy law. Applies to any business processing Texas residents' data that is not a small business under the SBA definition — broader applicability than most state privacy laws.

Passed 2025 legislative session. Applies to developers and deployers of high-risk AI systems affecting Texas consumers. Requires impact assessments, transparency disclosures, and human oversight mechanisms for high-risk AI. Modeled partly on Colorado's AI Act but with Texas-specific carve-outs for small businesses and certain industry sectors. Effective January 2026. One of the most significant state AI laws for companies with Texas operations or Texas-based customers.

Virginia's comprehensive privacy law — the first to follow the CCPA in 2023. Became the template for many subsequent state privacy laws including CO, CT, UT, and others.

Provides expansive protection for consumer health data not already covered by HIPAA. Requires consent for collection and sharing, creates a consumer right to delete, and includes a private right of action.

Australia's federal privacy law establishing the Australian Privacy Principles, which govern the collection, use, disclosure, storage, and cross-border transfer of personal information. It was significantly reformed in 2022 with increased penalties. Applies to Australian government agencies and private organizations with annual turnover over A$3 million.

Brazil's comprehensive data protection law, heavily influenced by the GDPR. It establishes ten legal bases for processing, data subject rights, and a national data protection authority (ANPD) with enforcement powers. Applies to any organization processing personal data of individuals in Brazil, regardless of where the organization is based.

Canada's proposed overhaul of federal privacy law, currently before Parliament. It would replace PIPEDA with the Consumer Privacy Protection Act and create a new AI regulatory framework. Companies operating in Canada should monitor its progress as it will substantially change Canadian privacy obligations.

Canada's federal private-sector privacy law, built on ten fair information principles. It requires meaningful consent for data collection, use, and disclosure, and gives individuals the right to access and challenge the accuracy of their personal data. Applies to private-sector organizations collecting personal information in the course of commercial activity across Canada.

Quebec's modernized privacy law introducing mandatory privacy impact assessments, breach notification, enhanced consent requirements, and the right to data portability. It is notably stricter than the federal PIPEDA. Applies to all private organizations collecting personal information in Quebec.

A voluntary, accountability-based framework enabling cross-border data transfers among APEC member economies. Companies certify compliance through a government-approved accountability agent rather than through regulation. Relevant for businesses transferring personal data across the Asia-Pacific region.

Pre-approved contractual terms adopted by the European Commission for transferring personal data from the EU to countries without an adequacy decision. They are the most widely used mechanism for lawful cross-border data transfers from the EU. Any company receiving personal data from the EU without an adequacy finding must implement the appropriate SCC module.

The current mechanism allowing certified US companies to receive personal data from the EU without additional safeguards like Standard Contractual Clauses. US companies self-certify through the Department of Commerce. It replaces the invalidated Privacy Shield, and its long-term durability remains uncertain.

The UK's mechanism for lawful personal data transfers to countries without a UK adequacy decision, replacing the EU SCCs for UK data flows after Brexit. They are required whenever UK personal data is transferred to a non-adequate country. Any company receiving UK personal data must implement the appropriate transfer agreement.

The EU's landmark data protection regulation and the global benchmark for privacy law. It establishes comprehensive rules for collecting, processing, and transferring personal data, with fines up to 4% of global annual revenue. Applies to any organization processing personal data of individuals in the EU, regardless of where the organization is located.

Governs electronic communications privacy across the EU, including the cookie consent rules that drive cookie banners, direct marketing restrictions, and confidentiality of communications. It complements the GDPR with sector-specific rules for electronic communications. Applies to providers of electronic communications services and any website or app using cookies or similar tracking technologies in the EU.

France's foundational data protection law, originally enacted in 1978 and updated to align with the GDPR. It is enforced by the CNIL, one of Europe's most active and influential data protection authorities. Applies to all organizations processing personal data of individuals in France.

Germany's federal data protection law supplementing the GDPR with specific requirements for employment data processing, video surveillance, and the appointment of data protection officers. It is one of the strictest national implementations in the EU. Applies to all organizations processing personal data in Germany.

Germany's telecommunications and telemedia data protection law, governing cookie consent, device access, and confidentiality of telecommunications. It is the national implementation of the EU ePrivacy Directive. Applies to providers of telecommunications and telemedia services in Germany.

India's comprehensive data protection law, enacted in 2023 with implementing rules still being finalized. It establishes consent-based processing, data principal rights, and significant penalties up to 250 crore rupees. Applies to processing of digital personal data within India or of Indian residents' data abroad.

Ireland's national implementation of the GDPR, particularly significant because Ireland's Data Protection Commission supervises many major US tech companies -- including Apple, Google, Meta, and Microsoft -- whose European headquarters are based there. Applies to all organizations processing personal data of individuals in Ireland.

Israel's primary privacy legislation, regulating database registration, data collection and processing, and data security requirements. Israel holds an EU adequacy decision, making it a significant hub for cross-border data transfers. Applies to all entities managing databases containing personal data in Israel.

Italy's data protection code, amended to align with the GDPR, including Italian-specific provisions for processing related to archiving, scientific research, and statistical purposes. It works alongside the GDPR as the national implementing law. Applies to all organizations processing personal data of individuals in Italy.

Japan's comprehensive data protection law, substantially amended in 2022 to strengthen cross-border transfer rules and expand data subject rights. It regulates the collection, use, and transfer of personal information with breach notification requirements. Applies to all businesses handling personal information of individuals in Japan.

Mexico's federal data privacy law governing private-sector data processing. It requires privacy notices, consent, and provides data subjects with access, rectification, cancellation, and opposition (ARCO) rights. Applies to all private entities processing personal data in Mexico.

The Dutch implementation act supplementing the GDPR with specific provisions on processing national identification numbers, health and genetic data, criminal conviction data, and exemptions for journalistic and academic purposes. It tailors the GDPR to the Dutch legal system. Applies to all organizations processing personal data in the Netherlands.

New Zealand's updated privacy law, replacing the 1993 Act. It introduces mandatory data breach notification, strengthens cross-border data transfer controls, and enhances the Privacy Commissioner's enforcement powers. Applies to any agency, public or private, collecting or holding personal information in New Zealand.

Poland's national implementation of the GDPR, supplementing EU requirements with Polish-specific provisions on penalties and the powers of the national data protection authority (UODO). It fills gaps left by the GDPR with local administrative and procedural rules. Applies to all organizations processing personal data of individuals in Poland.

Singapore's comprehensive data protection law governing the collection, use, and disclosure of personal data by private organizations. It includes consent requirements, mandatory data breach notification, and maintains a national Do Not Call Registry. Applies to all private organizations processing personal data in Singapore.

South Korea's comprehensive data protection law, one of the strictest in Asia. It requires explicit consent for most data processing, mandates data breach notification, and imposes criminal penalties for violations. Applies to all public and private entities processing personal information in South Korea.

Spain's national data protection law supplementing the GDPR with innovative digital rights provisions, including the right to digital disconnection in the workplace and rights related to digital wills. It extends data protection into broader digital rights territory. Applies to all organizations processing personal data in Spain.

Sweden's national data protection act supplementing the GDPR with provisions on processing personal identity numbers and the powers of the Swedish Data Protection Authority (IMY). It adapts the GDPR to the Swedish legal context. Applies to all organizations processing personal data in Sweden.

Data protection rules for entities operating within the Abu Dhabi Global Market financial free zone, closely modeled on the GDPR. It establishes data subject rights, breach notification duties, and cross-border transfer controls for the ADGM jurisdiction. Applies to companies registered in or processing data through the ADGM.

Data protection law for the Dubai International Financial Centre free zone, closely modeled on the GDPR. It establishes data subject rights, breach notification obligations, and cross-border transfer controls specific to the DIFC jurisdiction. Applies to entities registered in or processing data through the DIFC.

The UAE's first comprehensive federal data protection law, establishing consent requirements, data subject rights, cross-border transfer restrictions, and breach notification obligations. It brings the UAE closer to international data protection standards. Applies to all processing of personal data within the UAE, excluding the ADGM and DIFC free zones which have their own laws.

The UK's primary data protection legislation, working alongside the UK GDPR after Brexit. It covers law enforcement processing, intelligence services processing, and supplements the UK GDPR with UK-specific derogations. Applies to all organizations processing personal data of individuals in the United Kingdom.

The retained EU GDPR as incorporated into UK law after Brexit, substantively similar to the EU version but enforced by the UK Information Commissioner's Office (ICO). Companies serving both EU and UK markets must comply with both versions independently. Applies to all organizations processing personal data of individuals in the United Kingdom.