Collecting & handling user data

65 laws across all jurisdictions

US Federal (9)
Technology Standards & Compliance
DOJ Bulk Sensitive Data Rule
Implements Executive Order 14117 restricting the bulk transfer of Americans' sensitive personal data to countries of concern (China, Russia, Iran, North Korea, Cuba, Venezuela). Effective April 2025. Covers genomic data, biometric data, precise geolocation, health data, financial data, and certain government-related data. Tech companies handling large-scale personal data should evaluate whether their data flows implicate these restrictions.
Electronic Communications Privacy Act
ECPA — 18 U.S.C. §§ 2510–2522
Governs how the government and private parties can access electronic communications and stored data, covering real-time interception, stored records, and metadata collection. It is the primary federal statute protecting the privacy of digital communications. Applies to any entity that intercepts, accesses, or stores electronic communications.
FTC Act Section 5
FTC Act — 15 U.S.C. § 45
Section 5 prohibits unfair or deceptive acts or practices in commerce and serves as the FTC's primary authority for regulating deceptive AI claims, unfair automated systems, and problematic data practices. It applies broadly to technology companies making representations about AI capabilities, automation, security, personalization, or algorithmic decision-making.
Fair Credit Reporting Act
FCRA — 15 U.S.C. §§ 1681–1681x
Regulates the collection, use, and sharing of consumer credit and background information. Applies to any company using background checks, credit reports, or algorithmic consumer evaluations for employment, housing, or credit decisions.
Gramm-Leach-Bliley Act
GLBA — 15 U.S.C. §§ 6801–6809
Requires financial institutions to explain their information-sharing practices and protect sensitive customer data. The Safeguards Rule mandates specific administrative, technical, and physical data security measures.
Health Information Technology for Economic and Clinical Health Act
HITECH — 42 U.S.C. §§ 17931–17954
Strengthened HIPAA enforcement and extended HIPAA obligations directly to business associates. Introduced tiered civil penalties and required HHS to conduct periodic audits of covered entities and business associates. Relevant to any tech company that is or may become a HIPAA business associate.
Health Insurance Portability and Accountability Act
HIPAA — 42 U.S.C. §§ 1320d–1320d-9
Any tech company building health apps, handling patient records, operating as a business associate of a covered entity, or processing protected health information must understand HIPAA. The Privacy Rule, Security Rule, and Breach Notification Rule each impose distinct obligations. HIPAA's definition of "covered entity" and "business associate" is broader than most tech founders assume — a SaaS platform that processes health data on behalf of a hospital is a business associate and must have a signed BAA. HHS Office for Civil Rights actively enforces, particularly against tech companies following data breaches.
Video Privacy Protection Act
VPPA — 18 U.S.C. § 2710
The VPPA restricts the disclosure of personally identifiable information relating to a consumer's video viewing history without consent. Although originally enacted for video rental records, it is increasingly invoked in litigation involving online video platforms, embedded video content, tracking pixels, analytics tools, and advertising technologies that share user viewing activity with third parties.
Other
Children's Online Privacy Protection Act
COPPA — 15 U.S.C. §§ 6501–6506
Prohibits unfair or deceptive practices in the online collection of personal information from children under 13. Requires parental consent before collecting, using, or disclosing a child's data. Enforced by the FTC through the COPPA Rule (16 CFR Part 312), which specifies notice, consent, security, and data retention obligations for operators of child-directed websites and services.
US States (25)
California Consumer Privacy Act / California Privacy Rights Act
CPRA/CCPA — Cal. Civ. Code §§ 1798.100–1798.199.100
Applies to businesses with $25M+ revenue, or processing data of 100,000+ California residents, or deriving 50%+ of revenue from selling personal information. Grants rights to know, delete, correct, and opt out of data sales or sharing. Enforced by the California Privacy Protection Agency.
Colorado Privacy Act
CPA — Colo. Rev. Stat. §§ 6-1-1301–6-1-1313
Applies to businesses processing data of 100,000+ Colorado residents, or 25,000+ if deriving revenue from data sales. Grants access, deletion, correction, portability, and opt-out rights. Requires data protection assessments for high-risk processing.
Connecticut Data Privacy Act
CTDPA — Conn. Gen. Stat. §§ 42-515–42-525
Applies to businesses processing data of 100,000+ Connecticut residents, or 25,000+ if deriving revenue from data sales. Grants access, correction, deletion, portability, and opt-out rights for targeted advertising, data sales, and profiling.
Delaware Personal Data Privacy Act
DPDPA — Del. Code tit. 6, ch. 12C
Applies to businesses processing data of 35,000+ Delaware residents, or 10,000+ if deriving revenue from data sales. Grants standard consumer privacy rights. One of the lower applicability thresholds among state privacy laws.
Florida Digital Bill of Rights
FDBR — Fla. Stat. §§ 501.701–501.721
Applies to businesses with $1B+ in global revenue that process data of 50,000+ Florida residents. One of the highest thresholds in the US — primarily targets large tech companies. Grants access, deletion, and opt-out rights.
Illinois Biometric Information Privacy Act
BIPA — 740 ILCS 14/1 et seq.
Landmark biometric privacy statute requiring private entities to obtain informed written consent before collecting fingerprints, face geometry, or other biometric identifiers. Notable for its private right of action with statutory damages.
Indiana Consumer Data Protection Act
Indiana CDPA — Ind. Code §§ 24-15-1–24-15-9
Applies to businesses processing data of 100,000+ Indiana residents, or 25,000+ if deriving revenue from data sales. Grants access, correction, deletion, and opt-out rights. Follows the Virginia model. Effective January 2026.
Iowa Consumer Data Protection Act
Iowa CDPA — Iowa Code ch. 715D
Applies to businesses processing data of 100,000+ Iowa residents, or 25,000+ if deriving revenue from data sales. More limited than most — no correction right and no profiling opt-out.
Kentucky Consumer Data Protection Act
KCDPA — Ky. Rev. Stat. §§ 367.800–367.870
Applies to businesses processing data of 100,000+ Kentucky residents, or 25,000+ if deriving revenue from data sales. Follows the Virginia framework. Grants access, correction, deletion, and opt-out rights. Effective January 2026.
Maryland Online Data Privacy Act
MODPA — Md. Code, Com. Law §§ 14-4601–14-4616
Applies to businesses processing data of 35,000+ Maryland residents, or 10,000+ if deriving revenue from data sales. One of the strictest state privacy laws — bans the sale of sensitive data without affirmative consent and imposes data minimization requirements.
Minnesota Consumer Data Privacy Act
MNDPA — Minn. Stat. ch. 325O
Applies to businesses processing data of 100,000+ Minnesota residents, or 25,000+ if deriving revenue from data sales. Includes strong protections around profiling and automated decision-making, with rights to access profiling logic and contest decisions.
Montana Consumer Data Privacy Act
MCDPA — Mont. Code §§ 30-14-2801–30-14-2817
Applies to businesses processing data of 50,000+ Montana residents, or 25,000+ if deriving revenue from data sales. Follows the Connecticut model. Grants access, correction, deletion, portability, and opt-out rights.
Nebraska Data Privacy Act
NDPA — Neb. Rev. Stat. §§ 87-1101–87-1116
Applies to businesses that are not small businesses under the SBA definition and process Nebraska residents' data. Modeled on the Texas framework — broader applicability than most state privacy laws. Grants standard consumer privacy rights.
New Hampshire Privacy Act
NH Privacy Act — N.H. Rev. Stat. ch. 359-R
Applies to businesses processing data of 35,000+ New Hampshire residents, or 10,000+ if deriving revenue from data sales. Grants standard consumer privacy rights.
New Jersey Data Privacy Act
NJ DPA — N.J.S.A. §§ 56:8-166–56:8-199
Applies to businesses processing data of 100,000+ New Jersey residents, or 25,000+ if deriving revenue from data sales. Grants access, correction, deletion, portability, and opt-out rights. AG enforcement only.
New York SHIELD Act
SHIELD Act — N.Y. Gen. Bus. Law § 899-aa
New York's data security and breach notification law. Requires businesses that own or license private information of New York residents to implement reasonable safeguards and notify affected individuals after a breach.
Oregon Consumer Privacy Act
OCPA — Or. Rev. Stat. §§ 646A.570–646A.604
Applies to businesses processing data of 100,000+ Oregon residents, or 25,000+ if deriving revenue from data sales. Includes strong protections for sensitive data and children's information. No revenue threshold — smaller companies may be covered.
Rhode Island Data Transparency and Privacy Protection Act
RIDPA — R.I. Gen. Laws §§ 6-48.1-1–6-48.1-13
Applies to businesses processing data of 35,000+ Rhode Island residents, or 10,000+ if deriving revenue from data sales. Focused on transparency and notice obligations. Effective January 2026.
Tennessee Information Protection Act
TIPA — Tenn. Code §§ 47-18-3301–47-18-3313
Applies to businesses processing data of 100,000+ Tennessee residents, or 25,000+ if deriving revenue from data sales. Provides an affirmative defense for businesses that implement NIST-aligned privacy programs.
Texas Capture or Use of Biometric Identifier Act
CUBI — Tex. Bus. & Com. Code § 503.001
Requires informed consent before a private entity may capture a biometric identifier (such as fingerprint, voice print, or iris scan) for a commercial purpose, and imposes storage and destruction requirements.
Texas Data Privacy and Security Act
TDPSA — Tex. Bus. & Com. Code ch. 541
Applies to any business processing Texas residents' data that is not a small business under the SBA definition — no revenue or volume threshold beyond that, making it broader than most state privacy laws. Grants standard consumer privacy rights.
Texas Responsible AI Governance Act
TRAIGA — Tex. Bus. & Com. Code ch. 546
TRAIGA establishes governance requirements for certain AI systems used in consequential decision-making and public-sector contexts. It is particularly relevant to companies deploying automated systems affecting consumers, employment decisions, or government-related services in Texas.
Utah Consumer Privacy Act
UCPA — Utah Code §§ 13-61-101 et seq.
Applies to businesses with $25M+ revenue processing data of 100,000+ Utah residents (or 25,000+ if deriving revenue from data sales). Grants access, deletion, and opt-out rights. No private right of action.
Virginia Consumer Data Protection Act
VCDPA — Va. Code §§ 59.1-575–59.1-585
Applies to businesses processing data of 100,000+ Virginia residents, or 25,000+ if deriving revenue from data sales. Virginia was the first state to follow the CCPA (effective 2023), and the VCDPA became the template for CO, CT, UT, and many others. AG enforcement only.
Washington My Health My Data Act
MHMDA — Wash. Rev. Code ch. 19.373
Provides expansive protection for consumer health data not already covered by HIPAA. Requires consent for collection and sharing, creates a consumer right to delete, and includes a private right of action.
International (31)
Privacy Act 1988
Privacy Act 1988 — No. 119, 1988
Australia's federal privacy law establishing the Australian Privacy Principles, which govern the collection, use, disclosure, storage, and cross-border transfer of personal information. It was significantly reformed in 2022 with increased penalties. Applies to Australian government agencies and private organizations with annual turnover over A$3 million.
Lei Geral de Proteção de Dados Pessoais
LGPD — Lei nº 13.709/2018
Brazil's comprehensive data protection law, heavily influenced by the GDPR. It establishes ten legal bases for processing, data subject rights, and a national data protection authority (ANPD) with enforcement powers. Applies to any organization processing personal data of individuals in Brazil, regardless of where the organization is based.
Official source is in Portuguese
Personal Information Protection and Electronic Documents Act
PIPEDA — S.C. 2000, c. 5
Canada's federal private-sector privacy law, built on ten fair information principles. It requires meaningful consent for data collection, use, and disclosure, and gives individuals the right to access and challenge the accuracy of their personal data. Applies to private-sector organizations collecting personal information in the course of commercial activity across Canada.
Quebec Law 25 (Act to modernize legislative provisions as regards the protection of personal information)
Quebec Law 25 — S.Q. 2021, c. 25
Quebec's modernized privacy law introducing mandatory privacy impact assessments, breach notification, enhanced consent requirements, and the right to data portability. It is notably stricter than the federal PIPEDA. Applies to all private organizations collecting personal information in Quebec.
Official source is in French
APEC Cross-Border Privacy Rules Framework
APEC CBPR — APEC Framework
A voluntary, accountability-based framework enabling cross-border data transfers among APEC member economies. Companies certify compliance through a government-approved accountability agent rather than through regulation. Relevant for businesses transferring personal data across the Asia-Pacific region.
EU Standard Contractual Clauses
EU SCCs — Commission Decision 2021/914
Pre-approved contractual terms adopted by the European Commission for transferring personal data from the EU to countries without an adequacy decision. They are the most widely used mechanism for lawful cross-border data transfers from the EU. Any company receiving personal data from the EU without an adequacy finding must implement the appropriate SCC module.
EU-US Data Privacy Framework
EU-US DPF — Adequacy Decision (EU) 2023/1795
The current mechanism allowing certified US companies to receive personal data from the EU without additional safeguards like Standard Contractual Clauses. US companies self-certify through the Department of Commerce. It replaces the invalidated Privacy Shield, and its long-term durability remains uncertain.
UK International Data Transfer Agreements
UK IDTAs — ICO Standard
The UK's mechanism for lawful personal data transfers to countries without a UK adequacy decision, replacing the EU SCCs for UK data flows after Brexit. They are required whenever UK personal data is transferred to a non-adequate country. Any company receiving UK personal data must implement the appropriate transfer agreement.
General Data Protection Regulation
GDPR — Regulation (EU) 2016/679
The EU's landmark data protection regulation and the global benchmark for privacy law. It establishes comprehensive rules for collecting, processing, and transferring personal data, with fines up to 4% of global annual revenue. Applies to any organization processing personal data of individuals in the EU, regardless of where the organization is located.
ePrivacy Directive
ePrivacy Directive — Directive 2002/58/EC
Governs electronic communications privacy across the EU, including the cookie consent rules that drive cookie banners, direct marketing restrictions, and confidentiality of communications. It complements the GDPR with sector-specific rules for electronic communications. Applies to providers of electronic communications services and any website or app using cookies or similar tracking technologies in the EU.
Loi Informatique et Libertés
LIL — Loi n° 78-17
France's foundational data protection law, originally enacted in 1978 and updated to align with the GDPR. It is enforced by the CNIL, one of Europe's most active and influential data protection authorities. Applies to all organizations processing personal data of individuals in France.
Official source is in French
Bundesdatenschutzgesetz
BDSG — BGBl. I 2017, S. 2097
Germany's federal data protection law supplementing the GDPR with specific requirements for employment data processing, video surveillance, and the appointment of data protection officers. It is one of the strictest national implementations in the EU. Applies to all organizations processing personal data in Germany.
Official source is in German
Telekommunikation-Telemedien-Datenschutz-Gesetz
TTDSG — BGBl. I 2021, S. 1982
Germany's telecommunications and telemedia data protection law, governing cookie consent, device access, and confidentiality of telecommunications. It is the national implementation of the EU ePrivacy Directive. Applies to providers of telecommunications and telemedia services in Germany.
Official source is in German
Digital Personal Data Protection Act 2023
DPDP Act — Act No. 22 of 2023
India's comprehensive data protection law, enacted in 2023 with implementing rules still being finalized. It establishes consent-based processing, data principal rights, and significant penalties up to 250 crore rupees. Applies to processing of digital personal data within India or of Indian residents' data abroad.
Implementation rules not yet fully in effect as of 2025 — monitor for updates
Data Protection Act 2018
IE DPA 2018 — No. 7 of 2018
Ireland's national implementation of the GDPR, particularly significant because Ireland's Data Protection Commission supervises many major US tech companies, including Apple, Google, Meta, and Microsoft, whose European headquarters are based there. Applies to all organizations processing personal data of individuals in Ireland.
Irish Data Protection Commission is lead EU regulator for many US tech companies
Privacy Protection Law 5741-1981
Privacy Protection Law 5741-1981
Israel's primary privacy legislation, regulating database registration, data collection and processing, and data security requirements. Israel holds an EU adequacy decision, making it a significant hub for cross-border data transfers. Applies to all entities managing databases containing personal data in Israel.
Codice in materia di protezione dei dati personali
Codice Privacy — D.Lgs. 196/2003
Italy's data protection code, amended to align with the GDPR, including Italian-specific provisions for processing related to archiving, scientific research, and statistical purposes. It works alongside the GDPR as the national implementing law. Applies to all organizations processing personal data of individuals in Italy.
Official source is in Italian
Act on the Protection of Personal Information
APPI — Act No. 57 of 2003
Japan's comprehensive data protection law, substantially amended in 2022 to strengthen cross-border transfer rules and expand data subject rights. It regulates the collection, use, and transfer of personal information with breach notification requirements. Applies to all businesses handling personal information of individuals in Japan.
Ley Federal de Protección de Datos Personales en Posesión de los Particulares
LFPDPPP — DOF 05-07-2010
Mexico's federal data privacy law governing private-sector data processing. It requires privacy notices, consent, and provides data subjects with access, rectification, cancellation, and opposition (ARCO) rights. Applies to all private entities processing personal data in Mexico.
Official source is in Spanish
Uitvoeringswet AVG
UAVG — Stb. 2018, 144
The Dutch implementation act supplementing the GDPR with specific provisions on processing national identification numbers, health and genetic data, criminal conviction data, and exemptions for journalistic and academic purposes. It tailors the GDPR to the Dutch legal system. Applies to all organizations processing personal data in the Netherlands.
Official source is in Dutch
Privacy Act 2020
NZ Privacy Act — No. 31 of 2020
New Zealand's updated privacy law, replacing the 1993 Act. It introduces mandatory data breach notification, strengthens cross-border data transfer controls, and enhances the Privacy Commissioner's enforcement powers. Applies to any agency, public or private, collecting or holding personal information in New Zealand.
Act on Personal Data Protection 2018
PL DPA 2018 — Dz.U. 2018 poz. 1000
Poland's national implementation of the GDPR, supplementing EU requirements with Polish-specific provisions on penalties and the powers of the national data protection authority (UODO). It fills gaps left by the GDPR with local administrative and procedural rules. Applies to all organizations processing personal data of individuals in Poland.
Official source is in Polish
Personal Data Protection Act
PDPA — No. 26 of 2012
Singapore's comprehensive data protection law governing the collection, use, and disclosure of personal data by private organizations. It includes consent requirements, mandatory data breach notification, and maintains a national Do Not Call Registry. Applies to all private organizations processing personal data in Singapore.
Personal Information Protection Act
PIPA — Act No. 16933
South Korea's comprehensive data protection law, one of the strictest in Asia. It requires explicit consent for most data processing, mandates data breach notification, and imposes criminal penalties for violations. Applies to all public and private entities processing personal information in South Korea.
Official source is in Korean
Ley Orgánica de Protección de Datos y Garantía de los Derechos Digitales
LOPDGDD — Ley Orgánica 3/2018
Spain's national data protection law supplementing the GDPR with innovative digital rights provisions, including the right to digital disconnection in the workplace and rights related to digital wills. It extends data protection into broader digital rights territory. Applies to all organizations processing personal data in Spain.
Official source is in Spanish
Dataskyddslag
Dataskyddslag — SFS 2018:218
Sweden's national data protection act supplementing the GDPR with provisions on processing personal identity numbers and the powers of the Swedish Data Protection Authority (IMY). It adapts the GDPR to the Swedish legal context. Applies to all organizations processing personal data in Sweden.
Official source is in Swedish
ADGM Data Protection Regulations
ADGM DPR — 2021
Data protection rules for entities operating within the Abu Dhabi Global Market financial free zone, closely modeled on the GDPR. It establishes data subject rights, breach notification duties, and cross-border transfer controls for the ADGM jurisdiction. Applies to companies registered in or processing data through the ADGM.
Applies within the Abu Dhabi Global Market free zone
DIFC Data Protection Law
DIFC DPL — DIFC Law No. 5 of 2020
Data protection law for the Dubai International Financial Centre free zone, closely modeled on the GDPR. It establishes data subject rights, breach notification obligations, and cross-border transfer controls specific to the DIFC jurisdiction. Applies to entities registered in or processing data through the DIFC.
Applies within the Dubai International Financial Centre free zone
Federal Decree-Law No. 45 of 2021 on Personal Data Protection
UAE PDPL — Federal Decree-Law No. 45/2021
The UAE's first comprehensive federal data protection law, establishing consent requirements, data subject rights, cross-border transfer restrictions, and breach notification obligations. It brings the UAE closer to international data protection standards. Applies to all processing of personal data within the UAE, excluding the ADGM and DIFC free zones which have their own laws.
Data Protection Act 2018
UK DPA 2018 — c.12
The UK's primary data protection legislation, working alongside the UK GDPR after Brexit. It covers law enforcement processing, intelligence services processing, and supplements the UK GDPR with UK-specific derogations. Applies to all organizations processing personal data of individuals in the United Kingdom.
UK General Data Protection Regulation
UK GDPR — UK Data Protection Act 2018, Sch. 1
The retained EU GDPR as incorporated into UK law after Brexit, substantively similar to the EU version but enforced by the UK Information Commissioner's Office (ICO). Companies serving both EU and UK markets must comply with both versions independently. Applies to all organizations processing personal data of individuals in the United Kingdom.