Privacy & Data Protection

The GDPR is the world's most influential data protection law, setting the standard for how organizations collect, process, and protect personal data of individuals in the EU and EEA. This guide covers lawful bases, data subject rights, breach notification, and practical compliance steps.

The ADGM Data Protection Regulations provide a GDPR-aligned framework governing personal data processing within Abu Dhabi's international financial free zone, establishing comprehensive data subject rights and controller obligations.

Japan's APPI is one of Asia's longest-standing data protection laws, recently strengthened with enhanced cross-border transfer rules, mandatory breach reporting, and expanded individual rights. The EU has recognized Japan as providing adequate protection.

Australia's Privacy Act 1988 and its 13 Australian Privacy Principles govern how organizations collect, use, disclose, and store personal information. The Act includes the Notifiable Data Breaches scheme and is undergoing significant reform proposals.

The CCPA is California's landmark consumer privacy law granting residents the right to know, delete, and opt out of the sale of their personal information. This guide covers applicability thresholds, consumer rights, and practical compliance steps.

The Colorado Privacy Act grants residents rights over personal data and requires businesses to honor universal opt-out mechanisms, conduct data protection assessments, and obtain consent for sensitive data processing.

The CPRA amends and expands the CCPA, introducing new consumer rights, the concept of sensitive personal information, the California Privacy Protection Agency, and mandatory cybersecurity audits for high-risk businesses.

The CTDPA is Connecticut's comprehensive data privacy law, closely modeled on the VCDPA and CPA, with additional provisions for universal opt-out mechanisms and loyalty program disclosures.

The DIFC Data Protection Law is a GDPR-aligned framework governing the processing of personal data within Dubai's premier financial free zone. It applies to all entities operating in the DIFC and sets a high bar for data protection in the Middle East.

India's DPDPA establishes a consent-driven framework for digital personal data protection, introducing the Data Protection Board of India for enforcement and imposing significant obligations on Data Fiduciaries processing the data of Indian residents.

Switzerland's revised FADP modernizes the country's data protection framework to align closely with the GDPR, introducing enhanced transparency obligations, breach notification requirements, and significant personal liability for violations.

Kenya's Data Protection Act establishes a comprehensive framework for personal data protection, creating the Office of the Data Protection Commissioner and granting individuals extensive rights over their personal data.

Turkey's KVKK is the country's comprehensive data protection law modeled on the EU Data Protection Directive, requiring consent-based processing, VERBIS registration, data subject rights, and supervised cross-border transfers.

Brazil's LGPD is a comprehensive data protection law closely modeled on the GDPR, establishing rights for data subjects, obligations for controllers and processors, and enforcement by the ANPD. This guide covers legal bases, data subject rights, and practical compliance.

Nigeria's NDPA is Africa's largest economy's comprehensive data protection law, establishing the NDPC as the regulatory body, requiring annual audits for major data processors, and granting extensive data subject rights.

Singapore's PDPA governs the collection, use, and disclosure of personal data by private organizations, with mandatory breach notification, DPO appointment requirements, and the Do Not Call Registry.

Thailand's PDPA is a comprehensive data protection law modeled on the GDPR, establishing consent requirements, data subject rights, breach notification obligations, and cross-border transfer restrictions for organizations processing personal data in Thailand.

Saudi Arabia's PDPL is the Kingdom's first comprehensive data protection law, establishing consent requirements, data subject rights, cross-border transfer restrictions, and the SDAIA as the supervisory authority for personal data protection.

South Korea's PIPA is one of Asia's strictest data protection laws, featuring detailed consent requirements, strong individual rights, a robust pseudonymization framework, and the PIPC as an independent supervisory authority with significant enforcement powers.

PIPEDA is Canada's federal private-sector privacy law built on ten fair information principles. It governs how commercial organizations collect, use, and disclose personal information in the course of business activities.

China's PIPL is one of the world's strictest data protection laws, combining GDPR-like individual rights with stringent cross-border transfer controls, data localization requirements, and significant penalties for non-compliance.

POPIA is South Africa's comprehensive data protection law modeled on European data protection principles. It establishes eight conditions for lawful processing, data subject rights, and the Information Regulator as the supervisory authority.

The VCDPA is Virginia's comprehensive consumer data protection law, granting residents rights over their personal data and imposing obligations on businesses regarding data processing, consent, and protection assessments.