500+ obligations. 140+ countries. One platform.

The EU’s comprehensive data protection regulation — one of the world’s most influential privacy laws. GDPR applies to any organization processing personal data of EU residents, introducing strict consent requirements, the right to erasure, data portability, and mandatory breach notification within 72 hours.

California’s landmark privacy law gives consumers the right to know what personal information is collected, to delete it, to opt-out of its sale, and to non-discrimination for exercising rights. CPRA strengthened these with a dedicated enforcement agency (CPPA).

Virginia’s privacy law establishes consumer rights over personal data and controller obligations. It covers businesses that process data of 100,000+ Virginia residents or derive over 50% of gross revenue from selling data of 25,000+ residents.

Singapore’s PDPA governs the collection, use, and disclosure of personal data by private organizations. It establishes a Do Not Call (DNC) registry and mandates data breach notification to the PDPC within 3 calendar days after determining a breach is notifiable.

Japan’s APPI is one of Asia’s oldest privacy laws, significantly strengthened in 2022. It applies to business operators handling personal information and introduces individual rights, cross-border transfer restrictions, and pseudonymized data concepts.

India’s DPDPA establishes a consent-based framework for processing digital personal data. It creates a Data Protection Board and introduces significant penalties. The DPDP Rules were notified on 13 November 2025, with phased implementation through May 2027. Applies to processing within India and to overseas processing of Indian residents’ data.

Canada’s federal privacy law operates alongside provincial layers — notably Quebec’s Law 25, which introduced GDPR-like provisions including privacy impact assessments, mandatory breach notification, and penalties of up to 4% of worldwide turnover.

Brazil’s LGPD closely mirrors GDPR in scope and structure, establishing ten legal bases for processing, individual rights, and an independent supervisory authority (ANPD). It applies to any processing of data of individuals located in Brazil.

HIPAA protects sensitive health information (PHI) held by covered entities and their business associates. It establishes the Privacy Rule, Security Rule, and Breach Notification Rule — with significant penalties for non-compliance.

Post-Brexit, the UK operates its own version of GDPR with the ICO as its supervisory authority and its own adequacy decisions. EU GDPR compliance does not automatically guarantee UK compliance — separate documentation and processes are required.

China’s PIPL is one of the world’s strictest privacy laws, with onerous cross-border data transfer requirements including security assessments, standard contractual clauses, and certification. Any business with Chinese customers or operations needs to comply.

Malaysia’s PDPA has been significantly strengthened with recent amendments aligning it with GDPR — including 72-hour breach notification, mandatory DPO appointment, and revised cross-border transfer rules. Enforcement is intensifying.

South Africa’s POPIA is the gateway framework for African operations. The Information Regulator is actively enforcing, and the law applies to any processing of personal information within South Africa or where South African law applies.

New Zealand’s Privacy Act 2020 replaced the 1993 Act with modernized provisions including mandatory breach notification and expanded cross-border transfer rules. New Zealand holds EU adequacy status, making it an important jurisdiction for Asia-Pacific operations.

Australia’s Privacy Act is undergoing major reform. The first phase of amendments took effect in late 2024 with more coming. Significantly increased penalties and expanded individual rights make this a critical compliance requirement for any business in APAC.

Saudi Arabia’s PDPL is the Gulf’s emerging privacy standard. Enforcement began in September 2024 after the grace period ended. Significant for any business targeting Middle Eastern markets, with requirements covering consent, cross-border transfers, and data subject rights.

Turkey’s KVKK covers a large economy at the crossroads of Europe and Asia. GDPR-influenced but with distinct requirements including registration with the Data Controllers Registry (VERBIS) and specific rules for sensitive data categories.

The GLBA governs consumer financial data in the US. The FTC’s 2023 Safeguards Rule update significantly tightened requirements for non-bank financial institutions, pulling in fintechs, payment processors, and anyone touching consumer financial data.

The ‘cookie law’ — technically separate from GDPR and governing electronic communications, direct marketing, and tracking technologies. Enforcement has been vigorous, especially in France (CNIL) and Italy (Garante). The ePrivacy Regulation will eventually supersede it.

Indonesia’s PDP Law came into full force in October 2024, covering Southeast Asia’s largest economy by population. GDPR-influenced with provisions for consent, cross-border transfers, and significant penalties. Critical for any business in the ASEAN market.

The UAE has multiple overlapping frameworks — the federal PDPL plus free zone-specific regimes in DIFC and ADGM. Important for businesses using Dubai or Abu Dhabi as a regional hub, each with distinct registration, transfer, and compliance requirements.

South Korea’s PIPA is one of the strictest in Asia, with the PIPC actively enforcing. The 2023 amendments expanded penalties and introduced transfer impact assessments. A February 2026 amendment further increased maximum fines to 10% of total revenue for severe violations.

Worth singling out from the US state pack — the TDPSA has no revenue threshold like other state laws, though SBA-defined small businesses have reduced obligations. It applies to any business conducting operations in Texas or targeting Texas residents, making it one of the broadest US state laws by scope.

Switzerland’s revised FADP is often overlooked because people assume EU GDPR covers it — but Switzerland isn’t in the EU or EEA and the revised FADP has distinct requirements including personal criminal liability for individuals (up to CHF 250,000) and organizational fines (up to CHF 50,000). Important for financial services given Switzerland’s role in global banking.

Any digital business that could foreseeably attract users under 13 needs to comply. The FTC finalized significant COPPA rule amendments in January 2025, limiting companies’ ability to monetize children’s data. With US states layering on age-appropriate design codes, enforcement risk is high.

Vietnam’s Personal Data Protection Law (Law 91/2025) came into force on 1 January 2026, superseding Decree 13/2023. Vietnam’s rapidly growing manufacturing and tech economy makes this a critical compliance requirement for businesses operating in or targeting the Vietnamese market.

Quebec’s Law 25 introduced GDPR-like provisions to Canada’s largest province, including privacy impact assessments, mandatory breach notification, and significant penalties. It operates alongside federal PIPEDA, creating a layered compliance requirement.