Which data privacy laws apply to my business?
Start with the three questions that decide scope
- Where are you established and where do you target? Most laws key off establishment (where you operate) and/or targeting (whose data you collect or whose market you serve).
- Whose data do you collect and how much? Thresholds often depend on the number of people/households you affect, your revenue, or whether you sell/share data for ads.
- What kind of data and for what purpose? Rules tighten for sensitive data (health, financial, children’s, precise location) and for profiling/ads.
Global baseline you should assume by default
- GDPR (EU/EEA + UK variant): Applies if you’re established in the EU/EEA or if, from outside, you offer goods/services to people in the EU/EEA or monitor their behavior (think analytics/ads). That’s Article 3’s “territorial scope.”
- ePrivacy rules for cookies and similar tech (EU/EEA): Separate from GDPR. If you store or access information on a user’s device (cookies, localStorage, SDKs, fingerprinting), you generally need prior consent unless a narrow exception applies.
- UK: A GDPR-style regime remains in force, with reforms enacted in 2025 that refine (not replace) the framework. If you target UK users, treat it as GDPR-like with some differences.
United States (consumer privacy, state-by-state)
The U.S. has sector laws (see below) and state consumer privacy laws with differing thresholds. As a baseline, if you do business with residents of a state and meet thresholds, the law applies—even if you’re not physically there.
- California CCPA/CPRA (most influential): Applies to for-profit businesses doing business in CA that (a) exceed $25M revenue, or (b) buy/sell/share personal info of 100,000+ residents/households, or (c) get ≥50% of revenue from selling CA personal info. CPRA amended CCPA; it’s one law.
- Colorado CPA (illustrative of other states): No revenue threshold; applies once you process data of 100,000+ consumers (or 25,000+ if you also earn revenue from selling data). Many states mirror this style with tweaks.
(Tip: If California applies to you, assume other enacted state laws may as well and run a state-by-state check.)
The Americas beyond the U.S.
- Brazil LGPD: GDPR-style law with extraterritorial scope; applies if you process data in Brazil or offer/collect data from people in Brazil.
- Canada: PIPEDA (federal, private sector) plus provincial laws (e.g., Quebec Law 25) create obligations when handling residents’ personal information, including new governance and DPIA-style expectations in Quebec.
APAC and Africa (quick compass)
- Singapore PDPA: Baseline personal data law covering collection, use, and disclosure; applies to organizations handling personal data in Singapore, with specific obligations and exceptions.
- (Also consider) Australia Privacy Act, New Zealand Privacy Act 2020, South Africa POPIA, and others—each with GDPR-like concepts but local nuances.
Sector-specific laws you can’t ignore
These apply because of what you do or which data you handle—regardless of general consumer privacy laws:
- HIPAA (U.S. health): If you’re a covered entity (health plans, most providers, clearinghouses) or a business associate handling PHI (protected health information) for them, HIPAA’s Privacy/Security Rules apply. Not a covered entity/BA? HIPAA likely doesn’t apply.
- GLBA (U.S. financial): If you’re a financial institution (broadly defined)—loans, investment advice, insurance—you must provide privacy notices and safeguard nonpublic personal information.
- COPPA (U.S. children): If your site/app is directed to children under 13 or you have actual knowledge you’re collecting from under-13s, you need verifiable parental consent and other controls.
A 10-minute self-assessment (decision path)
- Map the data: What personal data do you collect (including cookies/IDs), from whom (countries/states), and for what purposes (analytics, ads, personalization, support)?
- List audiences by location: EU/EEA, UK, U.S. states, Brazil, Canada (incl. Quebec), Singapore, etc.
- Check thresholds:
  - California: $25M revenue, or 100k residents/households, or ≥50% revenue from selling/sharing.
  - Colorado: 100k consumers, or 25k plus revenue from data sales.
  - GDPR/ePrivacy: Do you target EU/EEA residents or monitor their behavior? Do you use cookies/SDKs that require consent?
  - LGPD/Canada/others: Do you collect from residents there? If yes, assume applicability.
- Identify special data/uses: Health (HIPAA), finance (GLBA), children (COPPA), sensitive categories, selling/sharing for ads, cross-border transfers.
- Decide your role: Controller/processor (GDPR terms) or service provider/third party (U.S. terms). Your role changes your obligations.
- Document your conclusion: Keep a short record of which laws you believe apply and why. It becomes your accountability artifact.
What “compliance” usually means in practice
- Consent and preferences: When the law requires consent (e.g., EU ePrivacy for most cookies; GDPR for certain processing), show a banner, record choices, and respect GPC/“Do Not Track” if your policy says so. (Cookie Compliance supports consent banners, GPC detection, and consent logs.)
- Notices: Maintain a privacy notice tailored to the applicable regimes (EU, CA, CO, etc.).
- Data rights: Provide access/deletion/opt-out controls where required.
- Contracts: Put data processing agreements (DPAs) and state-law addenda in place with vendors.