Privacy regulations overview

Regulation

Description

APA (Australia)

The Australia Privacy Act (Privacy Act) promotes and protects individuals’ privacy and regulates how Australian Government agencies and organizations handle personal information. The Privacy Act includes principles that apply to private-sector organizations. For example, individuals are afforded the right to understand why the personal information is being collected and how it will be used, the ability to access, erase their data, and correct personal information.

CPA (Colorado)

The Colorado Privacy Act (CPA) provides Colorado consumers additional insight into what personal data controllers collect, share, and sell, and how that data is used. The CPA protects the personal data of Colorado residents when they act in an individual or household context. These rules detail the technical specifications for one or more universal opt-out mechanisms. These mechanisms clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data.

CCPA (California)

The California Consumer Privacy Act (CCPA) enhances privacy rights and consumer protection for residents of California, United States. The CCPA provides new data privacy rights to California residents. They include the right to access and delete their personal data, to know whether their personal data is sold or disclosed (and to whom), and the right to opt out of having their data sold to third parties.

CPRA (California)

The California Consumer Privacy Rights Act (CPRA) expands and amends portions of the California Consumer Privacy Act (CCPA). The CPRA establishes a new baseline for consumer data privacy in California by increasing consumer rights and expanding the type of data covered through a broader definition of sensitive personal information. In addition, the CPRA established the California Privacy Protection Agency, a new agency dedicated to implementing and enforcing data privacy rules.

CTDPA (Connecticut)

The Connecticut Data Privacy Act is a comprehensive consumer privacy law for Connecticut residents and grants them certain rights over their personal data. It also establishes responsibilities and privacy protection standards for data controllers that process their personal data. The CTDPA protects a Connecticut resident acting as an individual or in a household context. The CTDPA grants them the following rights: to access, correct, delete, obtain a copy, or opt-out of the sale; processing; or profiling of their personal data.

FDBR (Florida)

The Florida Digital Bill of Rights (FDBR) provides comprehensive data privacy rights to Florida residents. This legislation ensures that individuals have the right to access, correct, delete, and obtain a copy of their personal data. It also prohibits certain conduct by online platforms, such as surveillance without consumer consent, and requires transparency in data practices, including clear privacy notices and the ability to opt out of the sale or processing of personal data for targeted advertising. The FDBR authorizes the Florida Department of Legal Affairs to enforce these rights and impose civil penalties for violations. Under the Law, data controllers are obligated to respond to the data subject requests within 45 days of receiving the request.

GDPR (European Union)

The General Data Protection Regulation (GDPR) introduced several new data privacy rights for members of the European Economic Area (EEA), including the Right to Access and the Right to be Forgotten. These rights mean that any person living in the EEA whose personal data has been collected by your business can request to access or delete their data at any time.

The United Kingdom (post-Brexit) has its own version of the regulation, UK-GDPR, which provides its citizens with the same rights as the EEA version.

HIPAA (United States of America)

The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law created to improve healthcare efficiency, improve health insurance portability, and to protect the privacy of patients and health plan members. Under HIPAA, individuals have the right to access and amend their information and obtain copies of their medical records or health information. Covered entities and business associates of covered entities must follow the HIPAA regulations.

LGPD (Brazil)

The Lei Geral de Proteção de Dados (LGPD) aims to regulate the treatment of personal data of all individuals or natural persons in Brazil. The LGPD gives Brazil citizens the rights to access and delete their personal data, to know whether their personal data is sold or disclosed (and to whom), and the right to opt out of having their data sold to third parties.

MHMDA (Washington)

The Washington My Health My Data Act enhances privacy rights for consumers regarding their health data. It mandates disclosures, consumer consent, and deletion rights for health data, and prohibits the sale of health data without authorization. Additionally, the Act makes it unlawful to use geofencing around healthcare facilities.

New Zealand Privacy Act

The New Zealand Privacy Act controls how agencies can collect, use, disclose, store, and give access to the personal information of New Zealand citizens and organizations. In 2020, the latest version of the act introduced significant updates to these privacy laws. The updates include new offenses, increasing fines, mandatory notifications for data breaches, and increasing the powers of the Privacy Commissioner.

OCPA (Oregon)

The Oregon Consumer Privacy Act (OCPA) provides Oregon residents with fundamental rights over their personal data and imposes obligations on businesses that process such data. Consumers have the right to know, correct, delete, and obtain a copy of their data, as well as opt out of data processing for targeted advertising or sales. The Act requires heightened protections for sensitive data, consent for data processing beyond specified purposes, and mandates comprehensive privacy notices from data controllers.

PDPA (Thailand)

The Personal Data Protection Act (PDPA) was introduced to safeguard Thai data owners from the illegal collection, use, or disclosure of their personal data. Inspired by the European Union’s GDPR, the regulation grants Thai citizens the right to request access to, or the deletion of, their stored personal data.

TDPSA (Texas)

The Texas Data Privacy and Security Act (TDPSA) regulates the collection, use, processing, and treatment of consumers’ personal data in Texas. Effective July 1, 2024, it grants residents rights to access, correct, delete, and obtain copies of their data, and to opt out of targeted advertising and data sales. The law applies to entities conducting business in Texas or producing products/services consumed by Texas residents, excluding small businesses and certain other organizations. Violations can incur civil penalties.

UCPA (Utah)

The Utah Consumer Privacy Act creates the right for a consumer to know what personal data a business collects, how the business uses their personal data, and whether the business sells their personal data. Consumers can require the business to delete or stop selling their personal data.

VCDPA (Virginia)

The Virginia Consumer Data Protection Act (VCDPA) provides new data privacy rights to Virginia residents (“Consumers”) including the right to access, delete, and correct personal data. Consumers also have the right to opt out of the sale of personal data, opt out of profiling based on personal data, and processing of personal advertising purposes.