Global Privacy Laws¶
An overview of major data protection regulations and their key requirements.
GDPR (European Union)¶
Scope: Organizations established in the EU/EEA, and organizations outside it that offer goods or services to, or monitor the behaviour of, individuals in the EU/EEA, regardless of where the organization is located.
Key Requirements:
- Valid legal basis for all processing
- Data subject rights (access, rectification, erasure, portability, objection, etc.)
- Data Protection Impact Assessments for high-risk processing
- Breach notification to the supervisory authority within 72 hours of becoming aware of the breach (where feasible), and to affected individuals without undue delay where the breach is likely to result in a high risk to them
- Data Processing Agreements with processors
- Records of processing activities
Penalties: Up to EUR 20 million or 4% of annual global turnover, whichever is higher (a lower tier of EUR 10 million or 2% applies to less serious infringements).
CCPA/CPRA (California)¶
Scope: For-profit businesses that do business in California and collect personal information of California residents, and that meet any of:
- Annual gross revenue over $25 million (the threshold is adjusted periodically for inflation)
- Buy, sell, or share the personal information of 100,000 or more consumers or households per year
- Derive 50% or more of annual revenue from selling or sharing personal information
Key Requirements:
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale/sharing
- Right to correct inaccurate information
- Right to limit use of sensitive personal information
- Non-discrimination for exercising rights
- Privacy policy disclosures
Penalties: Up to $2,500 per violation and $7,500 per intentional violation or violation involving a minor's data. Separately, consumers have a private right of action for statutory damages after a data breach caused by a failure to implement reasonable security.
UK GDPR and DPA 2018¶
Scope: Organizations established in the UK, and organizations outside the UK that offer goods or services to, or monitor the behaviour of, individuals in the UK.
Key Requirements: Similar to EU GDPR with UK-specific provisions:
- Registration with the ICO and payment of the annual data protection fee, unless exempt
- UK Representative requirement for non-UK controllers and processors caught by the extraterritorial scope
- UK-specific international transfer mechanisms (the International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses)
Penalties: Up to GBP 17.5 million or 4% of annual global turnover, whichever is higher.
Other Notable Laws¶
PDPA (Singapore)¶
- Consent requirements for collection, use, and disclosure
- Breach notification to the PDPC when a breach is likely to result in significant harm to individuals, or affects 500 or more individuals
- Individual access and correction rights
- Penalties up to SGD 1 million or 10% of annual turnover in Singapore, whichever is higher (the turnover-based cap applies to organizations with Singapore turnover above SGD 10 million)
APPI (Japan)¶
- Consent requirements for certain processing, notably collection of sensitive ("special care-required") information and provision of personal data to third parties
- Cross-border transfer restrictions
- Individual rights to disclosure, correction, and cessation of use
- Criminal penalties possible, for both individuals and corporations
LGPD (Brazil)¶
- Similar structure to GDPR, enforced by the ANPD
- Ten legal bases, including consent and legitimate interest
- Individual rights including access, deletion, and data portability
- Penalties up to 2% of revenue in Brazil, capped at BRL 50 million per infraction
POPIA (South Africa)¶
- Eight conditions for lawful processing, similar to GDPR principles
- Information Officer requirement
- Cross-border transfer restrictions
- Penalties including fines up to ZAR 10 million and/or imprisonment up to 10 years for serious offences
Common Requirements Across Laws¶
Despite variations, most privacy laws share these requirements:
| Requirement | Description |
|---|---|
| Transparency | Clear privacy notices explaining data practices |
| Lawful processing | Valid legal basis for processing personal data |
| Individual rights | Access, correction, deletion, and related rights |
| Security | Appropriate technical and organizational measures |
| Breach notification | Notify authorities and/or individuals of breaches |
| Vendor management | Contractual controls over processors |
| Record keeping | Documentation of processing activities |
Multi-Jurisdictional Compliance¶
When operating across multiple jurisdictions:
- Map applicable laws - Identify which laws apply based on where your users are located, where you are established, and whom you target or monitor
- Apply the highest standard - Implement controls that meet the strictest applicable requirement for each obligation (for example, the shortest breach notification deadline)
- Document jurisdiction-specific requirements - Track where specific obligations differ, such as consent rules, transfer mechanisms, and notification thresholds
- Monitor regulatory changes - Privacy laws evolve frequently, and fine thresholds and scope tests are revised
Practical Approach¶
Rather than building separate compliance programs for each law:
- Start with GDPR as a baseline (generally the most comprehensive and the model for many later laws)
- Add CCPA/CPRA requirements for California consumers
- Layer additional requirements for other jurisdictions as needed
- Use Dxtra to track compliance across multiple frameworks