Privacy Regulation Database

A reference of privacy regulations tracked by the Fine Tracker. Regulations are grouped by jurisdiction type.

Supranational

Digital Markets Act

DMA
active

Jurisdiction: European Union

Effective: 5/2/2023

Authority: European Commission

Max Fine: Up to 10% of annual global turnover (20% for repeat offenders)

EU regulation targeting large online platforms designated as gatekeepers. Imposes obligations on core platform services.

gatekeepers, interoperability, data_portability, self_preferencing

Digital Services Act

DSA
active

Jurisdiction: European Union

Effective: 2/17/2024

Authority: Digital Services Coordinators + European Commission (for VLOPs)

Max Fine: Up to 6% of annual global turnover

EU regulation on digital services establishing transparency and accountability obligations for online platforms.

platform_liability, content_moderation, transparency, advertising, minors

EU AI Act

AI Act
active

Jurisdiction: European Union

Effective: 8/1/2024

Authority: National AI supervisory authorities + European AI Office

Max Fine: Up to €35M or 7% of annual global turnover for prohibited AI

EU regulation on artificial intelligence. Risk-based framework with strict rules for high-risk AI systems and prohibitions on certain AI practices.

ai_systems, high_risk, transparency, biometric, facial_recognition

EU ePrivacy Directive

ePrivacy
active

Jurisdiction: European Union

Effective: 7/12/2002

Authority: National Data Protection Authorities

Max Fine: Determined by member states

EU directive on privacy in electronic communications. Governs cookies, direct marketing, and confidentiality of communications. Often enforced alongside GDPR.

cookies, electronic_communications, direct_marketing, tracking

General Data Protection Regulation

GDPR
active

Jurisdiction: European Union

Effective: 5/25/2018

Authority: National Data Protection Authorities (DPAs)

Max Fine: Up to €20M or 4% of annual global turnover

EU-wide data protection law governing the processing of personal data of individuals in the EU/EEA. Sets strict requirements for consent, data subject rights, breach notification, and cross-border transfers.

Key Articles

Art. 5: Principles of processing

Art. 6: Lawful basis

Art. 7: Conditions for consent

Art. 9: Special categories

Art. 15: Right of access

Art. 17: Right to erasure

Art. 20: Data portability

Art. 25: Data protection by design

Art. 32: Security of processing

Art. 33: Breach notification to authority

Art. 35: Data protection impact assessment

Art. 83: Fines and penalties

Art. 12-14: Transparency and information

Art. 44-49: International transfers

consent, data_subject_rights, breach_notification, cross_border_transfer, dpo, privacy_by_design, children

Federal

Act on the Protection of Personal Information

APPI
active

Jurisdiction: Japan

Effective: 5/30/2003

Authority: Personal Information Protection Commission (PPC)

Max Fine: Up to JPY 100M (~K) for corporations

Japan's comprehensive data protection law. Amended in 2020 and 2022 with strengthened individual rights and cross-border transfer rules.

consent, data_subject_rights, cross_border_transfer, anonymization

Brazil General Data Protection Law

LGPD
active

Jurisdiction: Brazil

Effective: 9/18/2020

Authority: National Data Protection Authority (ANPD)

Max Fine: Up to 2% of revenue, capped at R$50M per violation

Brazil's comprehensive data protection law, modeled on GDPR.

consent, data_subject_rights, dpo, cross_border_transfer

Cable Communications Policy Act (Cable Privacy)

CCPA-Cable
active

Jurisdiction: United States

Effective: 10/30/1984

Authority: FCC / Private right of action

Max Fine: Actual damages (minimum ,000) plus punitive damages

Protects cable TV subscriber privacy. Requires notice and consent before collecting or disclosing personally identifiable information about subscribers' viewing habits.

cable_records, viewing_habits, subscriber_data, consent

CAN-SPAM Act

CAN-SPAM
active

Jurisdiction: United States

Effective: 12/16/2003

Authority: Federal Trade Commission (FTC)

Max Fine: Up to ,120 per email in violation

Sets rules for commercial email. Requires accurate headers, clear identification as ads, opt-out mechanisms, and physical postal address. Does not require opt-in consent (unlike GDPR).

email_marketing, opt_out, commercial_messages, deceptive_headers

Children's Online Privacy Protection Act

COPPA
active

Jurisdiction: United States

Effective: 4/21/2000

Authority: Federal Trade Commission (FTC)

Max Fine: Up to $50,120 per violation (adjusted for inflation)

US federal law protecting children under 13 online. Requires verifiable parental consent before collecting personal information from children.

Key Articles

§312.2: Definitions

§312.3: Regulation of unfair/deceptive acts

§312.4: Notice requirements

§312.5: Parental consent

§312.6: Right to review

§312.7: Prohibition against conditioning

§312.8: Confidentiality and security

§312.10: Data retention and deletion

children, consent, parental_consent, data_collection, third_party_sharing

China Personal Information Protection Law

PIPL
active

Jurisdiction: China

Effective: 11/1/2021

Authority: Cyberspace Administration of China (CAC)

Max Fine: Up to RMB 50M (~M) or 5% of annual revenue

China's comprehensive personal information protection law. Strict cross-border transfer restrictions. Applies extraterritorially to processing of Chinese residents' data.

consent, data_subject_rights, cross_border_transfer, automated_decision_making, facial_recognition

Digital Personal Data Protection Act

DPDPA-India
active

Jurisdiction: India

Effective: 8/11/2023

Authority: Data Protection Board of India

Max Fine: Up to INR 250 crore (~M)

India's comprehensive data protection law. Enforcement beginning 2025. Applies to processing of digital personal data within India, and outside India if the processing is for offering goods/services to Indian data principals.

consent, data_subject_rights, children, cross_border_transfer

Driver Privacy Protection Act

DPPA
active

Jurisdiction: United States

Effective: 9/13/1994

Authority: Department of Justice / Private right of action

Max Fine: ,500 per violation plus actual damages

Protects personal information in state motor vehicle records. Restricts disclosure of driver information by state DMVs and authorized recipients.

driver_records, motor_vehicle_records, permissible_uses

Electronic Communications Privacy Act

ECPA
active

Jurisdiction: United States

Effective: 10/21/1986

Authority: Department of Justice

Max Fine: Criminal fines and up to 5 years imprisonment

Extends government restrictions on wiretaps to include electronic data transmissions. Includes the Wiretap Act (Title I), Stored Communications Act (Title II), and Pen Register Act (Title III).

electronic_communications, wiretapping, stored_communications, pen_registers

Fair Credit Reporting Act

FCRA
active

Jurisdiction: United States

Effective: 10/26/1970

Authority: FTC / CFPB

Max Fine: Statutory damages up to ,000 per violation; actual damages; punitive damages

Promotes accuracy, fairness, and privacy of consumer information in credit reporting agency files. Gives consumers the right to dispute inaccurate information and limits who can access credit reports.

credit_reports, consumer_rights, accuracy, permissible_purpose

Family Educational Rights and Privacy Act

FERPA
active

Jurisdiction: United States

Effective: 8/21/1974

Authority: Department of Education

Max Fine: Loss of federal funding

Protects privacy of student education records. Gives parents rights over their children's records until age 18 or enrollment in post-secondary education. Schools must have consent before disclosing personally identifiable information.

Key Articles

§99.3: Definitions

§99.10: Right to inspect records

§99.20: Right to amend records

§99.30: Consent for disclosure

§99.31: Disclosure exceptions

§99.33: Redisclosure limitations

education, student_records, parental_consent

FTC Act Section 5

FTC Act
active

Jurisdiction: United States

Effective: 9/26/1914

Authority: Federal Trade Commission (FTC)

Max Fine: No statutory maximum; consent orders with monetary penalties

Prohibits unfair or deceptive acts or practices in commerce. The FTC's primary authority for privacy enforcement, used when companies break privacy promises or fail to secure data.

Key Articles

Section 5(a): Unfair or deceptive acts prohibited

Section 5(b): FTC enforcement proceedings

deceptive_practices, unfair_practices, data_security, privacy_promises

Gramm-Leach-Bliley Act

GLBA
active

Jurisdiction: United States

Effective: 11/12/1999

Authority: FTC / Federal banking regulators

Max Fine: Up to ,000 per violation; criminal penalties up to ,000 and 5 years

Requires financial institutions to explain data-sharing practices and to safeguard sensitive data. Includes the Safeguards Rule requiring security programs and the Privacy Rule requiring privacy notices.

Key Articles

§501: Protection of nonpublic personal information

§502: Obligations for financial institutions

§521: Privacy of consumer financial information

Title V: Privacy

financial_data, consumer_notice, safeguards, pretexting

Health Breach Notification Rule

HBNR
active

Jurisdiction: United States

Effective: 9/24/2009

Authority: Federal Trade Commission (FTC)

Max Fine: Up to $50,120 per violation per day

FTC rule requiring vendors of personal health records and related entities to notify consumers and the FTC of breaches of unsecured health information.

Key Articles

§318.1: Purpose and scope

§318.2: Definitions

§318.3: Breach notification requirement

§318.4: Timeliness

§318.5: Methods of notice

§318.6: Content of notice

health_data, breach_notification, health_apps

Health Insurance Portability and Accountability Act

HIPAA
active

Jurisdiction: United States

Effective: 8/21/1996

Authority: Department of Health and Human Services (HHS) Office for Civil Rights

Max Fine: Up to $1.5M per violation category per year; criminal penalties up to $250K and 10 years

US federal law protecting health information. Privacy Rule governs use and disclosure of protected health information (PHI) by covered entities and business associates.

Key Articles

Privacy Rule: Use and disclosure of PHI

Security Rule: Administrative, physical, technical safeguards

Enforcement Rule: Compliance and penalties

Breach Notification Rule: Notification requirements for breaches

health_data, phi, breach_notification, business_associates, minimum_necessary

Personal Data Protection Act

PDPA-Singapore
active

Jurisdiction: Singapore

Effective: 10/15/2012

Authority: Personal Data Protection Commission (PDPC)

Max Fine: Up to SGD 1M (~K) or 10% of annual turnover

Singapore's comprehensive data protection law with Do Not Call Registry.

consent, do_not_call, data_breach_notification, data_portability

Personal Data Protection Law

PDPL
active

Jurisdiction: Saudi Arabia

Effective: 9/14/2023

Authority: Saudi Data & AI Authority (SDAIA)

Max Fine: Up to SAR 5M (~.3M)

Saudi Arabia's comprehensive data protection law, heavily influenced by GDPR.

consent, data_subject_rights, cross_border_transfer, sensitive_data

Personal Information Protection and Electronic Documents Act

PIPEDA
active

Jurisdiction: Canada

Effective: 4/13/2000

Authority: Office of the Privacy Commissioner of Canada

Max Fine: Up to CAD ,000 per violation

Canada's federal private-sector privacy law. Based on 10 fair information principles. Being replaced by Consumer Privacy Protection Act (CPPA).

consent, data_subject_rights, accountability, cross_border_transfer

Privacy Act 1988

Australian Privacy Act
active

Jurisdiction: Australia

Effective: 12/14/1988

Authority: Office of the Australian Information Commissioner (OAIC)

Max Fine: Up to AUD 50M or 30% of turnover

Australia's comprehensive privacy law. 13 Australian Privacy Principles (APPs). Major reform package pending with significantly increased penalties.

australian_privacy_principles, breach_notification, credit_reporting, health_records

Privacy Act 2020

NZ Privacy Act
active

Jurisdiction: New Zealand

Effective: 12/1/2020

Authority: Office of the Privacy Commissioner

Max Fine: Up to NZD ,000 per offense

New Zealand's comprehensive privacy law replacing the 1993 Privacy Act. 13 information privacy principles.

information_privacy_principles, breach_notification, cross_border_transfer

Protection of Personal Information Act

POPIA
active

Jurisdiction: South Africa

Effective: 7/1/2020

Authority: Information Regulator

Max Fine: Up to ZAR 10M (~K) or imprisonment up to 10 years

South Africa's comprehensive data protection law modeled on GDPR.

consent, data_subject_rights, cross_border_transfer, direct_marketing

South Korea Personal Information Protection Act

PIPA
active

Jurisdiction: South Korea

Effective: 9/30/2011

Authority: Personal Information Protection Commission (PIPC)

Max Fine: Up to 3% of related revenue

South Korea's comprehensive data protection law. One of the strictest in Asia with significant penalties.

consent, data_subject_rights, cross_border_transfer, pseudonymization

Telephone Consumer Protection Act

TCPA
active

Jurisdiction: United States

Effective: 12/20/1991

Authority: Federal Communications Commission (FCC)

Max Fine: -,500 per violation

Restricts telemarketing calls, auto-dialed calls, prerecorded and artificial voice messages, and text messages. Requires prior express consent for marketing communications.

telemarketing, robocalls, text_messages, do_not_call, consent

UK Data Protection Act 2018

UK DPA
active

Jurisdiction: United Kingdom

Effective: 5/25/2018

Authority: Information Commissioner's Office (ICO)

Max Fine: Up to £17.5M or 4% of annual global turnover

UK implementation of GDPR (post-Brexit: UK GDPR). Supplemented by Data Protection Act 2018.

consent, data_subject_rights, breach_notification, children

Video Privacy Protection Act

VPPA
active

Jurisdiction: United States

Effective: 11/5/1988

Authority: Private right of action

Max Fine: Actual damages (minimum ,500) plus punitive damages and attorney fees

Protects consumer privacy with respect to video rental and streaming records. Prohibits disclosure of personally identifiable rental/streaming information without written consent.

video_records, rental_records, streaming_data, consent

State & Provincial

California Consumer Privacy Act / California Privacy Rights Act

CCPA/CPRA
active

Jurisdiction: California

Effective: 1/1/2020

Authority: California Privacy Protection Agency (CPPA) / California Attorney General

Max Fine: Up to $7,500 per intentional violation; $2,500 per unintentional

California state law giving consumers rights over their personal data including right to know, delete, opt-out of sale, and non-discrimination. CPRA (2023) added the California Privacy Protection Agency.

Key Articles

§1798.100: Right to know

§1798.105: Right to delete

§1798.110: Right to disclosure

§1798.115: Right to opt-out of sale

§1798.120: Right to opt-out

§1798.125: Non-discrimination

§1798.130: Notice and request procedures

§1798.135: Do Not Sell link

§1798.140: Definitions

§1798.155: Administrative fines

consumer_rights, right_to_know, right_to_delete, opt_out_sale, data_brokers, sensitive_data

Colorado Privacy Act

CPA
active

Jurisdiction: Colorado

Effective: 7/1/2023

Authority: Colorado Attorney General

Max Fine: Up to $20,000 per violation

Colorado state privacy law with consumer rights and controller obligations.

consumer_rights, opt_out, universal_opt_out

Connecticut Data Privacy Act

CTDPA
active

Jurisdiction: Connecticut

Effective: 7/1/2023

Authority: Connecticut Attorney General

Max Fine: Up to $5,000 per violation

Connecticut state privacy law with consumer data rights and business obligations.

consumer_rights, opt_out, children, sensitive_data

Delaware Personal Data Privacy Act

DPDPA
active

Jurisdiction: Delaware

Effective: 1/1/2025

Authority: Delaware Attorney General

Max Fine: Up to ,000 per violation

Delaware comprehensive privacy law.

consumer_rights, opt_out, children, sensitive_data

Illinois Biometric Information Privacy Act

BIPA
active

Jurisdiction: Illinois

Effective: 10/3/2008

Authority: Private right of action

Max Fine: ,000-,000 per violation (private lawsuits)

Most aggressive US biometric privacy law. Requires informed written consent before collecting biometric identifiers. Private right of action has generated billions in settlements (Meta M, Google M, TikTok M).

biometric, fingerprints, facial_recognition, consent, retention

Indiana Consumer Data Protection Act

INCDPA
active

Jurisdiction: Indiana

Effective: 1/1/2026

Authority: Indiana Attorney General

Max Fine: Up to ,500 per violation

Indiana comprehensive privacy law effective January 2026.

consumer_rights, opt_out

Iowa Consumer Data Protection Act

ICDPA
active

Jurisdiction: Iowa

Effective: 1/1/2025

Authority: Iowa Attorney General

Max Fine: Up to ,500 per violation

Iowa comprehensive privacy law. Business-friendly approach.

consumer_rights, opt_out

Minnesota Consumer Data Privacy Act

MCDPA
active

Jurisdiction: Minnesota

Effective: 7/31/2025

Authority: Minnesota Attorney General

Max Fine: Up to ,500 per violation

Minnesota comprehensive privacy law with strong profiling protections.

consumer_rights, opt_out, sensitive_data, profiling

Montana Consumer Data Privacy Act

MTCDPA
active

Jurisdiction: Montana

Effective: 10/1/2024

Authority: Montana Attorney General

Max Fine: Up to ,500 per violation

Montana comprehensive privacy law.

consumer_rights, opt_out, sensitive_data

New Jersey Data Privacy Act

NJDPA
active

Jurisdiction: New Jersey

Effective: 1/15/2025

Authority: New Jersey Attorney General

Max Fine: Up to ,000 per first violation; ,000 per subsequent

New Jersey comprehensive privacy law effective January 2025. Includes strong protections for children and teens.

consumer_rights, opt_out, sensitive_data, children

Oregon Consumer Privacy Act

OCPA
active

Jurisdiction: Oregon

Effective: 7/1/2024

Authority: Oregon Attorney General

Max Fine: Up to $7,500 per violation

Oregon state privacy law with broad definition of personal data and strong consumer rights.

consumer_rights, opt_out, sensitive_data, children

Tennessee Information Protection Act

TIPA
active

Jurisdiction: Tennessee

Effective: 7/1/2025

Authority: Tennessee Attorney General

Max Fine: Up to ,500 per violation

Tennessee comprehensive privacy law.

consumer_rights, opt_out, data_protection_assessment

Texas Data Privacy and Security Act

TDPSA
active

Jurisdiction: Texas

Effective: 7/1/2024

Authority: Texas Attorney General

Max Fine: Up to $7,500 per violation

Texas comprehensive privacy law. Applies to entities conducting business in Texas or producing products/services consumed by Texas residents.

consumer_rights, opt_out, data_brokers, sensitive_data

Utah Consumer Privacy Act

UCPA
active

Jurisdiction: Utah

Effective: 12/31/2023

Authority: Utah Attorney General

Max Fine: Up to $7,500 per violation

Utah state privacy law. Business-friendly approach with consumer rights to access, delete, and opt-out.

consumer_rights, opt_out

Virginia Consumer Data Protection Act

VCDPA
active

Jurisdiction: Virginia

Effective: 1/1/2023

Authority: Virginia Attorney General

Max Fine: Up to $7,500 per violation

Virginia state comprehensive privacy law. Gives consumers rights to access, correct, delete, and opt-out of sale of personal data.

consumer_rights, opt_out, data_protection_assessment, sensitive_data