Data Privacy Laws Explained: GDPR, CCPA, and the Global Compliance Map

Compare GDPR, CCPA, and the 20 US state privacy laws side by side. See the rights they grant, what they require, and which apply to your site.


by Riad Us Salehin • 4 July 2026


Data privacy laws are regulations that govern how organizations collect, use, store, and share personal data, and that grant individuals rights over their own information. No single global law covers every country. Most nations and many US states regulate separately, so one website can fall under several of these laws at once.

Below: how GDPR, CCPA, and US state laws compare, the rights and duties they create, and which laws apply to your site.

What Are Data Privacy Laws?

Data privacy laws set rules for collecting, using, sharing, and securing personal data. They grant individuals rights over their information and impose duties on the businesses that process it. Personal data covers any information that identifies a person directly or indirectly, such as a name, email address, IP address, or device identifier.

These laws exist to give individuals control over their own information and to hold organizations accountable for how they handle it. Jurisdictions differ on the details. Nearly every modern privacy law shares the same core structure: rights for the data subject or consumer, and obligations for the data controller.

GDPR vs CCPA vs US State Laws: The Major Privacy Laws at a Glance

A handful of laws set the template most others follow. Here is how the biggest compare, including when each took effect and the penalties they carry.

LawWho it protectsIn forceConsent modelKey consumer rightsEnforcer and penalty
GDPREU/EEA residents, wherever the business sits2018Opt-inAccess, rectification, erasure, restrict processing, data portability, objectEU data protection authorities; up to EUR 20 million or 4% of global turnover
CCPA (as amended by CPRA)California residents; for-profit businesses over set thresholds2020 (CPRA 2023)Opt-outKnow, delete, correct, opt out of sale or sharing, limit sensitive-data useCalifornia AG and the CPPA; civil penalties per violation
US state laws (collectively)Residents of 20 states with comprehensive laws2020 onwardMostly opt-outAccess, correct, delete, opt out of targeted advertising, sale, and profilingState attorneys general; per-violation fines
UK GDPRUK residents2021Opt-inAccess, rectification, erasure, portability, objectUK Information Commissioner's Office; up to GBP 17.5 million or 4% of turnover

GDPR requires businesses to obtain affirmative consent before collecting data, an opt-in model. CCPA and most US state laws let businesses collect data by default. They require a way to opt out of its sale or use for targeted advertising instead, an opt-out model. For a side-by-side breakdown, see how GDPR and CCPA differ.

What Rights Do Data Privacy Laws Give People?

Almost every modern data privacy law grants the same core set of data subject rights. These are the rights users can exercise over their own information.

  • Right to be informed or access: know what personal data an organization holds and how it uses it
  • Right to correct: fix inaccurate personal data
  • Right to delete: request that an organization erase personal data
  • Right to data portability: receive personal data in a usable format and transfer it elsewhere
  • Right to opt out: decline the sale of personal data, targeted advertising, or certain automated profiling
  • Right to non-discrimination: avoid retaliation for exercising any of these rights

GDPR adds extras beyond this baseline, including a formal right to be forgotten and the right to object to processing based on legitimate interests. Most requests to exercise these rights arrive as a data subject access request.

What Do Data Privacy Laws Require Businesses to Do?

If a privacy law applies to you, it usually imposes the same core duties. These obligations recur across almost every comprehensive regime.

  • Publish a clear privacy notice that explains what data you collect and why
  • Collect only what you need (data minimization) and use it only for the stated purpose (purpose limitation)
  • Get valid consent where required: opt-in for EU visitors under GDPR, an opt-out path for most US visitors
  • Secure the data you hold with appropriate technical and organizational safeguards
  • Honor consumer rights requests within the law's deadline, usually 30 to 45 days
  • Protect sensitive data such as health, biometric, or precise-location data with heightened safeguards
  • Run data protection assessments before high-risk processing, where the law requires one
  • Notify regulators and individuals after a data breach within the required window

Penalties for violating these duties scale with the law and the severity of the breach. GDPR fines run up to EUR 20 million or 4% of global annual turnover, whichever is higher. See GDPR fines for the full penalty structure. Roles matter too: the entity that decides why data is processed is the controller, distinct from the processor that does the work.

Data Privacy Laws in the United States: Federal vs State

The United States has no single comprehensive federal privacy law. Instead, it relies on sector-specific federal laws plus a growing set of comprehensive state laws, 20 states as of mid-2026. That mix is why US privacy is often called a patchwork.

Congress has introduced federal bills to close this gap. The American Data Privacy and Protection Act (2022) and the American Privacy Rights Act (2024) were both proposed. Neither passed into law, so no comprehensive federal privacy statute currently exists.

Federal Sector Laws (HIPAA, GLBA, COPPA, FCRA)

Federal privacy law in the US applies by industry sector, not to all personal data:

  • HIPAA: protects health and medical records held by covered providers and insurers
  • GLBA (Gramm-Leach-Bliley Act): protects financial data held by banks and financial institutions
  • COPPA: requires verifiable parental consent before collecting data from children under 13
  • FCRA (Fair Credit Reporting Act): governs consumer credit reporting and background-check data
  • Privacy Act of 1974: restricts how federal agencies, not private businesses, handle records

None of these functions as a general consumer privacy law. A business outside these sectors has no federal privacy statute to follow, only whichever state laws apply.

US State Privacy Laws

Twenty US states have passed comprehensive consumer privacy laws, starting with California in 2018. Virginia and Colorado followed in 2021, then Utah and Connecticut in 2022. A larger wave across 2023 and 2024 added states including Texas, Florida, Montana, Oregon, and New Jersey.

These laws share a common shape: similar applicability thresholds, the same core rights (access, correct, delete, opt out), and mostly opt-out consent. The details still vary by state. Texas's Data Privacy and Security Act, for example, grants residents the right to know whether a company processes their data. It also grants the right to get that data in a readable format. See the full US state privacy laws map for every state, including the Colorado Privacy Act and the Texas Data Privacy and Security Act.

Data Privacy Laws Around the World

Beyond the US, most regions have their own data privacy law, and several may apply to you at once.

Region / CountryLawIn forceScope
EU/EEAGDPR2018Comprehensive rules for any organization processing EU/EEA residents' data
UKUK GDPR plus PECR2021The UK's retained GDPR, plus PECR for cookies and electronic marketing
EU (cookies)ePrivacy Directive2002EU-wide rules on cookies and electronic communications, alongside GDPR
CanadaPIPEDA plus Quebec Law 252000; Quebec 2023 to 2024Federal private-sector data law; Quebec runs its own stricter regime
BrazilLGPD2020GDPR-style rights and opt-in consent for Brazilian residents' data
SwitzerlandnFADPSeptember 2023Modernized data protection law replacing a 1992 statute
South AfricaPOPIA2021Requires explicit consent, enforced by an Information Regulator
IndiaDPDP ActPhasing in through 2027Comprehensive law, rolling out in stages
AustraliaPrivacy Act1988Governs private-sector handling of personal information above a size threshold

Well over 100 countries now have some form of national data privacy law, and the list keeps growing every year.

Which Data Privacy Laws Apply to Your Website?

Which laws apply depends on whose data you collect, not where your business is based.

  • If you collect data from EU/EEA or UK residents: GDPR and UK GDPR apply, regardless of where your company is located.
  • If you collect data from California or another covered state's residents, and you meet that state's thresholds: that state's law applies.
  • If you collect data from Canadian, Brazilian, or other regulated countries' residents: PIPEDA, LGPD, or the relevant local law applies.

A typical website with international visitors often falls under several of these laws at once. The practical baseline, a clear privacy notice, a compliant cookie consent banner, and records of consent, covers the overlapping obligations most of these laws share.

See who needs to comply with GDPR and whether GDPR applies to US companies for two common edge cases. Start with the practical baseline to make your website compliant.

How a Consent Management Platform Helps You Comply

A consent management platform (CMP) handles the website tasks these laws share: disclosing data use, offering visitors a consent choice, and keeping proof of it.

Most of these laws converge on the same website obligations: tell visitors what you track, let them consent or decline, and keep a record. Consently operationalizes that directly. It shows visitors a cookie consent banner with the model each region expects. Region-based banner display picks between a GDPR opt-in template for EU visitors and a CCPA/US opt-out template for US visitors. It also scans and auto-blocks cookies and trackers until the visitor consents.

Beyond the banner, Consently keeps consent logs with export, an audit trail of who consented and when. Its cookie, privacy, and terms policy generators produce the disclosures these laws require. Consently supports the consent and disclosure side of compliance; it does not replace legal advice. It also does not detect browser-level universal opt-out signals such as Global Privacy Control.

Consently's GDPR and CCPA cookie consent tools show the right banner per region out of the box. Try Consently free with a 14-day trial, no credit card required.

FAQs

What are data privacy laws in simple terms?

Data privacy laws are rules that control how organizations collect and use your personal data. They give you rights over your own information, such as the right to see, correct, or delete it.

What is the difference between GDPR and CCPA?

GDPR is an EU regulation that requires opt-in consent before data collection and grants broad rights, including erasure and portability. CCPA is a California law that lets businesses collect data by default and requires an opt-out path for the sale of that data. The comparison table above breaks down the full difference.

How many US states have data privacy laws?

Twenty US states have comprehensive consumer privacy laws as of mid-2026, starting with California in 2018 and expanding through waves in 2021 to 2024.

Is there a federal data privacy law in the United States?

No comprehensive one exists. The US relies on sector-specific federal laws (HIPAA, GLBA, COPPA, FCRA) plus state laws. Bills such as the American Privacy Rights Act have been proposed but not passed.

Do data privacy laws apply to small businesses?

Yes, if a business meets a law's triggers. Many small US sites fall under GDPR simply by collecting data from EU visitors. Some state laws exempt smaller businesses below specific revenue or data-volume thresholds.

Which data privacy laws apply to my website?

Whichever laws cover the residents whose data you collect. That means GDPR for EU or UK visitors, the relevant state law for a covered state's residents, and the applicable local law elsewhere. Sites with international traffic often face several at once.

What are the core rights in most data privacy laws?

Access, correction, deletion, data portability, and the right to opt out of the sale or targeted-advertising use of personal data.

What are the 7 principles of data privacy?

Most modern privacy laws share seven principles: lawfulness and transparency, purpose limitation, data minimization, accuracy, storage limitation, security, and accountability. They come from GDPR but shape how almost every comprehensive law expects businesses to handle personal data.

What happens if you violate a data privacy law?

Penalties range from regulator fines (GDPR reaches 4% of global turnover) to state attorney-general enforcement actions, and the exact figures vary by law.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.