
A Guide to Data Privacy Laws Around the World for Businesses

By Shreya August 28, 2025


79% of the world is already covered by data privacy regulations, and regulators everywhere are zeroing in on businesses that handle personal data. That means data privacy and data protection can't sit in the fine print anymore. They have to be built into the way products are designed, data is managed, and trust is earned. In 2025 and beyond, the companies that treat data privacy as a strategy, not red tape, will be the ones that stay ahead. This blog discusses global data privacy, including:

  • Major privacy laws across the world and their scope
  • Key requirements for privacy compliance and data privacy rights
  • Fines and penalties for non-compliance

What is data privacy?

Data privacy, or information privacy, is the practice of protecting personal data so that it remains confidential and secure. It is about being responsible and accountable in how organizations collect, use, store, share, transfer, or sell personal information.

At its core, data privacy ensures individuals have control over their information while organizations follow laws and regulations to safeguard trust and prevent misuse.

Data is the new oil. It's valuable, but if unrefined it cannot really be used. It has to be changed into gas, plastic, chemicals, etc., to create a valuable entity that drives profitable activity; so must data be broken down, analyzed for it to have value.

Clive Humby, British mathematician and Data Science Entrepreneur

In recent years, data privacy has been gaining momentum. With many privacy violations unearthed, many countries have come forward with their own data privacy legislation, regulations, policies, and governance frameworks.

Let us take a quick look at some of the major enacted data privacy laws around the world and how they uphold the data rights of the people.

European Union (EU) data privacy laws

General Data Protection Regulation (GDPR)

The EU GDPR came into force on May 25, 2018 and is one of the most significant data privacy regulations. It has influenced many other data privacy laws around the world.

Who does GDPR apply to?

The GDPR regulates organizations in the EU, as well as non-EU organizations that offer products/services to EU residents or monitor their behaviour.

What is personal data under GDPR?

The law defines personal data as any data that can identify a natural person in the EU, on its own or in combination with additional data. Examples include personal identifiers and online identifiers.

GDPR also carves out sensitive data called the special categories of data, requiring a higher level of protection. It includes physical, physiological, genetic, mental, economic, cultural, or social data.

What are the key requirements under GDPR?

Key business obligations under GDPR are:

  • Before processing, determine at least one of the six lawful bases for processing: explicit consent, legitimate interest, legal obligation, vital interest, contractual obligation, and public interest.
  • Comply with the 7 principles of data processing: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
  • Provide a privacy policy describing what type of data you collect, how you collect it, its purpose, legal basis, how long it is being stored, and where it is being shared (international transfer and third parties).
  • Limit the collection and processing of personal data to what is necessary.
  • Consent must be freely given, informed, specific, and unambiguous to be valid. Withdrawing the consent must be as easy as it was to give it.
  • Respect data subject rights and fulfil subject access requests promptly.
  • For large-scale processing that will likely put the rights and freedom of people at risk, appoint a Data Protection Officer (DPO). A DPO must train and supervise the GDPR compliance of an organization.
  • Carry out Data Protection Impact Assessment (DPIA), if you handle sensitive personal data or the processing of data might put the rights and freedom of people at risk.
  • Have contractual arrangements with data processors and third parties.
  • Implement adequate security measures at the technical, organizational, and operational levels.
  • Comply with GDPR cross-border transfer rules, such as security safeguards and adequacy decisions.
  • Report any data breach to your Supervisory Authority and, in severe cases, to the affected individuals within 72 hours of becoming aware of it.

Failing to comply with the GDPR results (depending on the severity of the violation) in fines of up to €20 million or 4% of the organization's annual turnover, whichever is higher.

ePrivacy Directive

The Privacy and Electronic Communications Directive (2002/58/EC), or ePrivacy Directive (ePD), is an EU directive on data protection and privacy.

It deals with the confidentiality of electronic communication, transfer of data, and cookies. It lays out rules for data collection and processing and sets the need for prior consent.

Due to the 2009 amendments, which added a clause on cookies and cookie consent, it came to be known as the EU Cookie Law.

It states that a website cannot store cookies (other than strictly necessary ones) on the user's device without their prior consent, and the user must be able to opt out of cookies at any time.

The ePrivacy Directive was amended, and a new ePrivacy Regulation was proposed in 2017 to replace it, but the proposal was withdrawn in February 2025.

In addition to these laws, several EU countries, such as Belgium and Italy, have published their cookie consent guidelines, making it mandatory to provide a cookie banner and obtain opt-in cookie consent for non-necessary cookies.


US data privacy laws

Apart from sector-specific data security and privacy laws like HIPAA, the United States currently lacks comprehensive federal privacy legislation. Instead, there are around 20 state-specific data privacy laws in place that govern the digital privacy of their residents. Of these, 14 state privacy laws are already in effect, while 6 more will come into effect by 2026.

California Consumer Privacy Act (CCPA)

Known as the most robust data privacy law in the US, the CCPA, which came into force on January 1, 2020, is a state-wide data privacy legislation in California.

In January 2023, the California Privacy Rights Act (CPRA), which amends the CCPA, came into effect. It enhances the existing framework by introducing the category of sensitive personal information and raising the consumer threshold from 50,000 to 100,000. Additionally, the CPRA brings in more consumer rights, including extending opt-out rights to the sharing of personal information for cross-context behavioural advertising.

Who does CCPA/CPRA apply to?

The CCPA/CPRA applies to for-profit entities doing business in California or elsewhere that collect and process the personal information (PI) of California residents (consumers) and satisfy one of the following:

  • Has more than $25 million in gross annual revenue
  • Buys, receives, or sells the personal information of 100,000 or more California consumers, households, or devices
  • Derives half of its annual revenue from selling the personal information of consumers

It defines personal information as any information that identifies or relates to, directly or indirectly, a consumer or household.

CCPA also grants consumers the right to know, delete, and correct their personal information, to opt out of the sale or sharing of personal data, to non-discrimination, and to limit the use of sensitive personal information.

What are the key requirements/business obligations under CCPA/CPRA?

  • Provide a privacy notice and notice at collection.
  • Follow data minimization and purpose limitation principles.
  • Facilitate convenient methods for consumers to exercise their data privacy rights.
  • Provide “Do not sell or share my personal information” and “Limit the use of sensitive personal information” options for consumers.
  • Honour global privacy opt-out signals.
  • Implement reasonable security measures to protect data.

Fines for non-compliance can go up to $7,500 per intentional violation and up to $2,500 per unintentional violation. CCPA also provides a private right of action.

Colorado Privacy Act (CPA)

The CPA applies to businesses in Colorado, or businesses elsewhere that target Colorado residents, that control or process the personal data of:

  • more than 100,000 consumers; or
  • 25,000 or more consumers, while generating at least 50% of revenue from the sale of personal data.

Colorado privacy law provides similar rights as the CCPA, such as the right to access, correct, delete, and opt out of targeted advertising. Businesses must publish a privacy policy, provide opt-out choices, fulfil consumer rights, honour universal/global opt-out signals, and obtain consent for sensitive data.
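The cookie rules above split into two regimes: opt-in laws (ePrivacy Directive, GDPR, UK PECR) where nothing beyond strictly necessary cookies may be set until the visitor consents, and opt-out laws (CCPA/CPRA, Colorado CPA) where cookies may be set by default but sale/sharing must stop on an opt-out or a Global Privacy Control (GPC) signal. The following is an added example, not CookieYes code; the region codes, category names and consent-record shape are this example's own assumptions. GPC itself is a real browser signal (the `Sec-GPC: 1` request header and `navigator.globalPrivacyControl`).

```javascript
// Added example (not CookieYes code): a consent gate that decides which cookie
// categories a site may set and whether "sale/share" is permitted, given the
// visitor's regime, their stored consent record and a GPC signal.
// Region codes, category names and the consent-record shape are assumptions.
const CATEGORIES = ["necessary", "analytics", "advertising"];

// Opt-in regimes: only strictly necessary cookies until affirmative consent.
// Opt-out regimes: default-on, but sale/sharing stops on opt-out or GPC.
const REGIME = { EU: "opt-in", UK: "opt-in", US_CA: "opt-out", US_CO: "opt-out" };

// GPC arrives as the request header "Sec-GPC: 1" and, in browsers, as
// navigator.globalPrivacyControl === true. Either source counts as a signal.
function gpcSignalled(headers = {}, nav = {}) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return (key !== undefined && String(headers[key]).trim() === "1") ||
    nav.globalPrivacyControl === true;
}

function evaluateConsent({ region, consent = null, gpc = false }) {
  // Unknown region: fall back to the strictest (opt-in) regime.
  const regime = REGIME[region] || "opt-in";
  const allowed = new Set(["necessary"]);
  let saleOrShareAllowed;

  if (regime === "opt-in") {
    // Only categories the visitor explicitly switched on; no record = no consent.
    for (const c of CATEGORIES) {
      if (c !== "necessary" && consent !== null && consent[c] === true) allowed.add(c);
    }
    saleOrShareAllowed = allowed.has("advertising");
  } else {
    // Default-on minus anything switched off; GPC or a "Do not sell or share"
    // choice disables the advertising category and sale/sharing regardless.
    const optedOut = gpc || (consent !== null && consent.doNotSellOrShare === true);
    for (const c of CATEGORIES) {
      if (c !== "necessary" && !(consent !== null && consent[c] === false)) allowed.add(c);
    }
    if (optedOut) allowed.delete("advertising");
    saleOrShareAllowed = !optedOut;
  }
  return { regime, allowed: [...allowed], saleOrShareAllowed,
           gpcHonoured: regime === "opt-out" && gpc };
}

// Filter the cookies a page wants to set down to those the decision permits.
function cookiesToSet(decision, candidates) {
  const ok = new Set(decision.allowed);
  return candidates.filter((c) => ok.has(c.category)).map((c) => c.name);
}

// Withdrawal must be as easy as giving consent: one call clears every
// non-necessary category and appends an auditable entry to the consent log.
function withdrawConsent(log, visitorId, now = new Date()) {
  const consent = { analytics: false, advertising: false, doNotSellOrShare: true };
  log.push({ visitorId, action: "withdraw", consent, at: now.toISOString() });
  return consent;
}
```

A real banner would feed `evaluateConsent` from the visitor's geolocated region and the record stored for them, and run `cookiesToSet` before any tag or script is allowed to drop a cookie.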

Virginia Consumer Data Protection Act (VCDPA)

Virginia’s privacy law went into effect in 2023 and shares the same applicability thresholds as Colorado privacy law.

Under VCDPA, businesses must be transparent about their data practices, respect and fulfil consumer requests promptly, implement security safeguards for data protection, and have a contractual relationship with processors.

Other US state privacy laws

Operating across the U.S. means playing by more than one set of privacy rules. From California to Connecticut, states are setting their own standards, and businesses must adapt to stay compliant as this list keeps growing.

Here are more US data privacy regulations and their effective dates:

  • Connecticut (CDPA): July 1, 2023
  • Indiana (INCDPA): Jan 1, 2026
  • Kentucky (KCDPA): Jan 1, 2026
  • Minnesota (MNCDPA): July 31, 2025
  • Nebraska (NDPA): Jan 1, 2025
  • New Jersey (NJDPA): Jan 15, 2025
  • Rhode Island (RIDTPPA): Jan 1, 2026
  • Texas (TDPSA): July 1, 2024
  • Delaware (DPDPA): Jan 1, 2025
  • Iowa (ICDPA): Jan 1, 2025
  • Maryland (MODPA): Oct 1, 2025
  • Montana (MCDPA): Oct 1, 2024
  • New Hampshire (NHPA): Jan 1, 2025
  • Oregon (OCPA): July 1, 2024
  • Tennessee (TIPA): July 1, 2025
  • Utah (UCPA): December 31, 2023

United Kingdom data privacy laws

Since Brexit, the UK has its own framework for data protection, separate from the EU’s GDPR. The regime is built on the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). In June 2025, the Data (Use and Access) Act brought reforms to modernise these rules.

Who does the UK GDPR and DPA apply to?

Any organization handling personal data in the UK, plus non-UK businesses offering goods or services to UK residents or tracking their behaviour.

Key business obligations under UK GDPR and DPA are:

  • Process data lawfully, fairly, and transparently.
  • Keep it accurate, secure, and only for as long as needed.
  • Honour data subject requests.
  • Get valid opt-in consent for cookies unless strictly necessary.
  • Publish a privacy policy revealing how you process personal data.

UK residents get the right to access, correct, erase, object to processing, data portability and withdraw consent at any time.

Breaches can trigger penalties of up to £17.5 million or 4% of global turnover. Cookie compliance is under particular scrutiny, with regulators cracking down on misleading consent banners.

Brazil’s data privacy law

The Lei Geral de Proteção de Dados (Brazil LGPD) draws a lot of inspiration from its European counterpart, the GDPR. The bill was passed in 2018 and came into force on September 18, 2020. It replaces over 40 statutes governing personal data, both online and offline.

Like other data privacy laws, it aims to protect the fundamental rights and data privacy of the people while encouraging innovation and economic and technological development.

Any natural person or entity will be subject to the LGPD if:

  • it processes the personal data in Brazil,
  • it processes the personal data of people located in Brazil, or
  • it collects the personal data of people who were in Brazil at the time of collection, regardless of their nationality or current location.

Key LGPD requirements are:

  • Collect and process data only for lawful purposes (10 legal bases similar to GDPR, e.g., consent, legal obligation, contract, legitimate interests).
  • Provide clear notice of processing purposes (Privacy policy).
  • Maintain security measures to protect personal data.
  • Appoint a Data Protection Officer (DPO) in many cases.
  • Report data breaches to the national authority (ANPD) within three days and, in some cases, to data subjects.
  • Conduct impact assessments for high-risk processing.
  • Ensure contracts with third parties (processors) include proper safeguards.

LGPD grants data subjects the following rights:

  • Confirm whether their data is being processed.
  • Access their personal data.
  • Correct incomplete, inaccurate, or outdated data.
  • Request anonymization, blocking, or deletion of unnecessary or excessive data.
  • Portability of data to another service or provider.
  • Comply with cross-border transfer rules.
  • Deletion of personal data processed with consent.
  • Information about entities with whom the controller has shared data.
  • Refuse consent and be informed of its consequences.
  • Revoke consent at any time.

Fines for non-compliance with LGPD could go up to 2% of a company’s revenue in Brazil, capped at 50 million Brazilian reais (about USD $10M) per violation.

Canada data privacy laws

Canada has a patchwork of privacy laws at the federal, provincial, and territorial levels. In the private sector, the most notable are:

  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Alberta Personal Information Protection Act (Alberta PIPA)
  • British Columbia Personal Information Protection Act (British Columbia PIPA)
  • Act Respecting the Protection of Personal Information in the Private Sector (Québec)

Among these, PIPEDA is the most significant. While provincial laws like the PIPAs govern organizations operating entirely within those provinces, PIPEDA remains the cornerstone federal legislation. It applies to organizations processing the personal data of Canadians in the course of commercial activities.

Key requirements under Canada PIPEDA are:

  • Must have a designated person who oversees compliance with PIPEDA.
  • Identify the specific purpose for processing prior to data collection.
  • Obtain consent for data processing, unless the law explicitly provides otherwise.
  • Practice data minimization and purpose limitation.
  • Maintain the accuracy of the personal data you keep.
  • Implement appropriate data security safeguards.
  • Be transparent about your data practices (Privacy policy).
  • Fulfil access requests promptly.

Fines for violations could reach $100,000 CAD per violation.

UAE data privacy laws

The United Arab Emirates protects the data privacy of its people through the Personal Data Protection Law (PDPL) in the mainland and similar laws in the free zones such as DIFC and ADGM.

Here are the key UAE PDPL features:

  • It has an extra-territorial reach similar to GDPR and applies to any organization processing the personal data of UAE residents.
  • Any data that can be linked to an identifiable or identified natural person is considered personal data under PDPL.
  • It also defines sensitive personal data, which includes highly sensitive personal information such as health status and ethnic origins.
  • Informed, specific and unambiguous consent is important for data processing.
  • Legal bases other than consent are contract performance, legal obligation, vital interest, etc.
  • Key business requirements under UAE PDPL include data minimization, purpose limitation, transparency, accuracy and security measures.

Although the UAE PDPL is in effect, there is no official enforcement authority yet. The UAE is currently awaiting the executive regulations that will establish the UAE Data Office before enforcement action can begin.

Other data privacy laws

Here are more data privacy frameworks around the world:

Argentina PDPL

Argentina’s Personal Data Protection Law (PDPL) went into effect in 2000. It applies to organizations in the country or those outside that deal with the personal data of Argentine residents. Some of the law’s key features include:

  • Consent and contract are two of the most important legal bases under the law.
  • Key requirements include maintaining accuracy, storage limitation, purpose limitation, data security implementation, etc.
  • Gives its citizens the right to information, access, and correction.

There are ongoing proposals and discussions over amendments to the current PDPL.

Australia Privacy Act

The Privacy Act is the country's major data privacy law. It applies to government agencies and to organizations processing the personal data of Australian residents that have an annual turnover of more than 3 million AUD.

The law lays down 13 privacy principles that the organization must follow in order to be compliant.

Fines for non-compliance could reach up to:

  • $50,000,000,
  • Thrice the value of the benefit generated by the organization from the violation; or
  • 30% of the annual turnover of the company during the period of breach.

China PIPL

The data privacy of the people of China is mostly regulated by three laws: the Personal Information Protection Law (PIPL), the Cyber Security Law, and the Data Security Law.

The PIPL has extraterritorial scope, applying to the processing of personal data of individuals in China when:

  • Products/services are offered to them,
  • Their behavior is analyzed/assessed, or
  • Other situations defined by law.

Key principles under China’s PIPL are transparency, data minimization, purpose limitation, adherence to legal basis of processing, storage limitation, accuracy and accountability.

If an organization is found non-compliant, authorities may:

  • order corrections, issue warnings, and confiscate illegal gains.
  • issue fines up to RMB 1 million for organizations, and RMB 10,000 to RMB 100,000 for responsible individuals.
  • in serious cases, issue fines up to RMB 50 million or 5% of annual turnover, along with suspension of business or even revocation of licenses.

Moreover, individuals in charge can also face fines of RMB 100,000 to RMB 1 million and may be barred from holding senior management or data protection roles for a certain period.

CookieYes and data privacy laws

CookieYes believes complying with data privacy laws does not have to be complicated or too hard to achieve. We have continuously strived to provide our customers with the best solution for cookie compliance for their websites. That is why over 2 million users trust CookieYes products. 

CookieYes cookie consent solution is a cloud-based service. You can install a cookie consent banner on your website which is fully customizable — down to the T. 

Why CookieYes is the best cookie consent solution?

  • Customizable/auto-generated banners
  • Opt-in and opt-out consent for multi-jurisdictional compliance
  • Geo-targeted banners for global businesses
  • Granular consent for each cookie category
  • Convenient consent withdrawal
  • Consent logs for compliance
  • Language customization features
  • Scans sites to detect and block third-party cookies until consent is given
  • Google-certified CMP and IAB TCF v2.2 compliant
  • Creates multi-lingual cookie policies  
  • Generates privacy policies

FAQs on data privacy laws

How to ensure data privacy?

Ensuring data privacy means protecting personal and sensitive information from unauthorized access, misuse, or loss. Organizations and individuals can adopt the following best practices:

1. Minimize data collection to what is necessary.
2. Obtain clear consent under opt-in laws like GDPR.
3. Provide convenient opt-out methods under opt-out laws like CCPA.
4. Use strong security measures.
5. Honour data privacy rights and provide convenient ways to exercise them.
6. Provide a privacy policy explaining your data practices.
7. Avoid unauthorized data sharing.
8. Monitor cross-border transfers.
9. Train your team on privacy.
10. Keep yourself updated with evolving privacy laws for proactive compliance.
11. Conduct regular audits and compliance checks.
12. Have an incident response plan.

Why is data privacy important?

Data privacy is essential because it protects individuals from identity theft and misuse of personal information, builds trust between businesses and customers, and helps organizations comply with strict global laws like the GDPR, CCPA, and LGPD.

Strong privacy practices not only prevent costly breaches and penalties but also enhance brand reputation and support ethical, transparent business operations.

Shreya

Shreya is the Senior Content Writer at CookieYes, focused on creating engaging, audience-driven blog posts and related content. Off the clock, you’ll find her happily lost in the world of fiction.
