Identity Review’s Global Data Policy Database serves as a comprehensive record of data policies around the world. Each row is composed of region, regulation, status of the policy, a short description, and a link to find more information. This was last updated June 15, 2021.

The goal of this database is to provide a straightforward, accessible resource for anyone interested in delving into global data policy. If you would like more information, please contact
Region What RegulationProposed/In EffectNotes (What kind of data policy?)Links
VirginiaStateState data protection lawIn effect Consumers receive copies of their online data, amend or delete that data, or opt out of allowing big buisnesses to use the data for marketing/other purposes
CaliforniaStateState data protection lawIn effectConsumers have a right to accesss data through a data subject access request (DSAR). Businesses cannot sell consumer information without providing them an opportunity to opt out
MassachusettsStateData Privacy Law (S-120)ProposedSimilar to CCPA, but consumers can sue for any violation of the proposed MA law.
New York StateS5642ProposedApplies to all businesses without any revenue threshold (different from MA, CA, and VA). Businesses are legally responsble for the consumer data they hold. Very strict proposition, consumers can correct inaccurate information, making it more similar to the EU GDRP
HawaiiStateSB 148 Proposed Very similar to the CCPA, but legal document does not explicitly say it applies to websites that conduct business in HI. Websites based anywhere in the world could violate the law if they don't offer adequate protection as outlined in the bill
Maryland StateSB 613Proposed Companies are required to disclose information that is passed onto third parties, even if the data is transferred for free.Also prohibits websites from knowinly disclosing any personal informaiton collected about childrne
North DakotaStateHB 1485Proposed Currently in the state's House of Representatives. The most significant clause would completely retrict websites from passing on any information to third parties without consent of users. There is no right to have information removed to deleted once consent has been granted. The most lightweight bill currently proposed in the U.S
European UnionRegionGDPRIn effectProtection of natural persons personal data and the free movement of such data.
European UnionRegionData Protection Law Enforcement Directive In effectProtects citizens' fundamental right to data protection whenever personal data is used by criminal law enforement authorities
New York StateNY SHIELD ACTIn effectRequires any preson or business owning data that includes private infromation of an NY resident to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information
Illinois StateBiometic Information Privacy ActIn effect imposes requirements on buisnesses that collect biometic information. One of the only state laws regulating biometic usage that allows private individuals to bring suit and recover damages for violations.
United StatesCountryGramm Leach Bliley ActIn effectgoverns the protection of personal informaiton in hands of banks, insurance companies and other companies in the financial service industry.
United StatesCountryFair Credit Reporting ActIn effectrestricts the use of infomration with a bearing on an individuals creditworthiness, credit standing, credit capacity, character, and general reputation. requires truncation of credit card numbers of printed receipts*comparison table:
MichiganStateSB 172In effectmodifies requirements for insurers providng privact policies to customers
VirginiaStateSB 101In effectallows a mechant to scan the machine readable zone of an individual's drivers liscense for verification purposes, but requires the mechant to destroy the retained information
California StateAB 82In effectrequires data broker registration fees to be used to offset costs for an internet website where the information provided by data brokers is accessible to the public
California StateAB 713In effectExempts from the Consumer privacy act information that was deidentifed in accordance with specifed federal law or policy
CaliforniaStateAB 1281In effectexempts from the CCPA certain employment information and personal information involved in business to business communications and transactions
United StatesCountryTelephone Consumer Protection ActIn effectregulate calls and text messages to monile phones that are made for marketing purproses,privacy%20and%20data%20protection%20regulations.
United StatesCountryPayment Card Data Security StandardIn effectregulations for major credit card companies required for buisnesses that process, store, or transmit payment card data
NevadaStateSB 220In effect relates to internet privacy, prohibits the sale of certain consumer information
AlabamaStateHB 216ProposedAlabama Consumer Privacy Act - allows consumers to opt in or out of sale of personal information with certain conditions, resquires buisnesses to make certain disclosures
ArizonaStateHB 2865Proposedpersonal data, processing, security standards
KentuckyStateHB 408ProposedKentucky Consumer Privacy Act
Maryland StateSB 0930ProposedMaryland Online Consumer Protection Act
New York StateA 680ProposedNew York Privacy Act
New York StateSB 567ProposedAllow consumers the right to request fron businesses the categories of personal information a business has sold or disclosed to third parties
OklahomaStateHB 1602ProposedOklahoma Computer Data Privacy Act
WashingtonStateHB 1433ProposedPeople's Privacy Act
WashingtonStateSB 5062ProposedWashington Privacy Act 2021
CanadaCountryCPPAIn effectCanada Consumer Privacy Act - protects consumers control over their data and promotes improved transparency regarding how organizations use data containing personal identifers
CanadaCountryPIPEDAIn effectPersonal Information Protection and Electonic Documents Act - governs how organizations use, collect and disclose presonal information in the course of personal buisness
Mexico CountryFederal Law on Protection of Personal Data Held by Private PartiesIn effect Regulates informationla self-determination. Its provisions apply to all natural or legal persons who carry out the processing of personal data in activites (banks, insurface, hospitals, schools, etc.)
Mexico CountryThe General Law on Protection of Personal Data Held by Mandated PartiesIn effectFederal, state, and municipal privacy laws.
Mexico CountryThe Recommendations on Personal Data SecurityIn effectentered into force in 2011
Mexico CountryThe Parameters for Self-Regulation regarding personal dataIn effectin effect in 2014
Mexico CountryThe General Law on Protection of Personal Data in Possession of Obligated SubjectIn effectin effect in 2017
AlbertaStatePersonal Information Protection Act In effectapplies to provincially regulated private sector organizations in Alberta to provide a right of access to an individual's personal information
British ColumbiaStatePersonal Information Protection Act In effectapplies to provincially regulated private sector organizations in BC to provide a right of access to an individual's personal information
QuebecStateQuebec Privacy ActIn effectapplies to provincially regulated private sector organizations in Quebec to provide a right of access to an individual's personal information
HondurasCountryNational Constitution Article 182In effectgives individuals the right to access any file or record that contains information that may produce damage
HondurasCountryLaw of the Civil RegistryIn effect
refers only to public personal information that is contained in the archives of the Civil Registry.
HondurasCountryLaw for Transparency and for Access to Public InformationIn effect
access of any person to all the information contained in public entities, except that which is classified as 'Confidential.'
BrazilCountryBrazilian General Data Protection Law (LGPD)In effectthe first comprehensive data protection regulation, largely aligned to GDPR
Costa Rica CountryLaw No. 7975 - Undisclosed Information Law In effectmakes it a crime to disclose confidential and or personal information without authorization
Costa Rica CountryLaw No. 8968 - Protection in the Handling of the Personal Data of Individuals In effectregulates companies that administers databses containing personal information
PanamaCountryLaw No. 81In effect47 articles that reglates the principles, obgliations, and procedures applicable to the protection of personal data in Panama, expected to be further regulated by an Executive Decree, which will be published later in 2021
Cayman Islands CountryData Protection Law In effectregulates whethern an organization is established in the Cayman Islands, or only has personal data processed in the Cayman Islands
Domincan Republic CountryProtection of Personal Data ActIn effectregulates the collection, storage, and safekeeping of personal data as well as usage and access rights
Trinidad and Tobago CountryData Protection ActIn effectprovides protection of personal privacy information processed and collected by public bodies and private organizations
Colombia CountryLaw 1266In effectregulates the processing of financial data, credit records, and commercial information collected in Colombia or abroad
Colombia CountryLaw 1581In effectdefines special categories of data including sensitive data, and data collected from minors
Peru CountryPersonal Data Protection Law. No 29733In effectprovides provisions for activities related to companies that handle personal information related to financial, commerical tax, employment or insurance obligations, and other sensitve data
BoliviaCountryBill of Personal Data Protection In effectAny individual who believes to be prevented from objtecting, knowing or obtaining registered data in public or private files may file a Private Protection Action
ParaguayCountryLaw No. 6534 - Personal Credit Data Protection Law In effectregulates the use of private information
Paraguay CountryLaw No. 4868 - Electonic Commerce Law In effectregulates electronic commerce and data collection procedures
Chile CountryLaw 19,628/1999In effectprovides data subjects with the right to access, rectify, delete, block and object to processing of personal data
Chile CountryLaw 20,575/2012In effectesblishes the purpose principle for the processing of personal data of an economic, financial, banking or commercial nature
Argentina CountryLaw 25,326 - Personal Data Protection Law In effectfollows international standards, and has been considered as granding adequate protection by the European commission.
UruguayCountryData Protection Law No. 18.331In effectpersonal data protection laws
Australia CountryPrivacy ActIn effectapply to all private sector entiries - regulates the handling of personal information
Australian Capital TerritoryRegionInformation Privacy Act 2014In effectspecific privacy laws to the Australian Capital territory
Australian Northern TerritoryRegionInformation Act 2002In effectcombines laws related to privacy, freedom of information, and public records in one Act
New South WalesRegionPrivacy and Personal Information Protection Act 1998In effectdeals with how NSW government agencies manage personal information. It applies to state government agencies, statutory or declared authorities, the police service and local councils
QueenslandRegionInformation Privacy Act 2014In effect
The information privacy act introduced the Territory Privacy Principles, which set out standards for handling personal information.
Tasmania StatePersonal Information Protection Act 2004In effectCreates a consisten approach to protecting presonal health information
Victoria StatePrivacy and Data Protection Act 2014In effect10 Information Privacy Princiles that outline how public sector organizations must handle your personal information
Australia CountryConsumer Data Right (CDR)Proposedallows a consumer to obtain certain data about that consumer by a third party and require data be given to accredited third parties for certain purposes.
New Zealand CountryThe Privacy Act 2020In effectgoverns how agencies collect, use, disclose, store, retain and give access to personal information.
ChinaCountryThe Civil Code of ChinaIn effectComprehensively strengthens protection of people's various rights. Right of Privacy is detailed in the chapter with “Privacy and Personal Information Protection,” which contains detailed provisions to protect privacy and personal information. Also covers Tort Liabilities and contains several articles relating to network infringement. This newer code replaces previous civil laws, the relevant ones relating to data policy are the Tort Law and General Principles of Civil Law.
ChinaCountryCybersecurity LawIn effectIncrease data protection, data localization, and cybersecurity in the interest of national security. Defines obligations for "network operators" and “providers of network products and services.”
ChinaCountryNational Standard of Information Security TechnologyIn effectPersonal Information Security Specification (PIS Specification) - systematic, national standard set by the People's Republic of China in order to protect personal information and how it is shared both domestically and abroad.
ChinaCountryGuidelines on Internet Personal Information Security ProtectionIn effectTechnical guide (covering in detail key issues such as data transfers, sensitive personal information and data subject rights), and thus not legally binding, they are highly persuasive. Recommendations for protecting personal information
ChinaCountryDecision on Strengthening Online Information ProtectionIn effectProtect online information security, safeguard the lawful rights and interests of citizens, legal entities or other organizations, and ensure national security and public interests.
ChinaCountryPRC Data Security LawProposedBuilds on existing structures set up by the Cybersecurity Law and related regulations and introduces rules around markets for data, government data collection and handling, and classification of different types of data.
ChinaCountryPRC Personal Information Protection LawProposedThe first comprehensive national level personal information protection law in the PRC, creating binding compliance obligations previously considered recommended practice (under the Guidelines), and requiring organizations to comply with new compliance steps.
South KoreaCountryPersonal Information Protection Act ("PIPA")In effectA general, comprehensive statute. It prescribes how personal data is processed in order to protect the rights and interests of all citizens and further realize the dignity and value of each individual. The Act aims to protect personal data from unnecessary collection, unauthorized use or disclosure, and abuse.
South KoreaCountryCredit Information Use and Protection ActIn effectRegulates personal credit information. Foster a stable credit information industry, promote the efficient utilization and systematic management of credit information, and protect personal and credit information from misuse and abuse.
South KoreaCountryAct on Promotion of Information and Communications Network Utilization and Information Protection (“Network Act”)In effectPromote the use of information and communications networks, to protect the user’s personal information when they are in use of information and communications services, and to construct a milieu within which users can safely use information and communications networks with the aim of improving individual lives as well as the general public welfare.,communications%20networks%20in%20order%20to
South KoreaCountryAct on the Protection, Use, ETC. of Location InformationIn effectProtect privacy from the divulging, abuse and misuse of location information, provide a safe environment for using location information
JapanCountryAct on the Protection of Personal Information ("APPI")In effectRegulates privacy protection issues in Japan and the Personal Information Protection Commission ("PPC"), a central agency acts as a supervisory governmental organization on issues of privacy protection.
RussiaCountryRussian Constitution, Articles 23 and 24In effectEstablishes the right to privacy of each individual
RussiaCountryData Protection Act No. 152 FZ (DPA)In effectBackbone of Russian privacy laws. Requires data operators to take "all the necessary organizational and technical measures required for protecting personal data against unlawful or accidental access
RussiaCountryInformation, Information Technologies and Information Protection Act No. 149 FZ ("Law on Information")In effectEstablishes basic rules as to the information in general and its protection.
TaiwanCountryPersonal Data Protection Act (“PDPA”)In effectRegulate the collection, processing and use of personal data so as to prevent harm on personality rights, and to facilitate the proper use of personal data.
TaiwanCountryEnforcement Rules of the Personal Data Protection Act (“Enforcement Rules”)In effectProvides further guidelines on the interpretation and implementation of the PDPA.
PhillipinesCountryData Privacy Act of 2012 (“Act”)In effectThe governing law on data privacy matters in the Philippines. Protects the fundamental human right of privacy.
Hong KongCountryPersonal Data (Privacy) OrdinanceIn effectRegulates the collection and handling of personal data.
MacauCountryPersonal Data Protection Act 8/2005In effectEstablishes the legal system on the processing and protection of personal data.
MacauCountryCybersecurity Law 13/2019In effectEstablishes and regulates the network security system of the Macau Special Administrative Region to protect the information network, computer system and computer data of key infrastructure operators.
VietnamCountryConstitution 2013 (“Constitution”)In effectRight of privacy and right of reputation, dignity and honour and fundamental principles of such rights
VietnamCountryCivil Code 2015 (“Civil Code”)In effectRight of privacy and right of reputation, dignity and honour and fundamental principles of such rights. Article 38 provides rules for the collection, storage, processing, use, disclosure, and publication of personal information.
VietnamCountryLaw No. 86/2015/QH13 ("Network Information Security Law")In effectEnforces data privacy rights for individual data subjects. Provides regulations on network information security activities, rights and duties of agencies, organizations and individuals in securing network information security; civil cryptography.
VietnamCountryLaw No. 67/2006/QH11 ("IT Law")In effectGoverns information technology applications and development, sets out the rights and obligations of agencies, organisations, and individuals engaged in these activities, as well as regulates the collection, processing, use, storage, and provision of personal data on a network environment.
VietnamCountryLaw No. 51/2005/QH11 ("E-transacations Law")In effectGoverns electronic transactions by state agencies as well as the private sector and generally prohibits the use, provision, or disclosure of data, which can be accessed in relation to an electronic transaction, without consent.
VietnamCountryLaw No. 59/2010/QH12 ("Protection of Consumers' Rights Law")In effectSets out a variety of consumer rights and details organisations' obligations to protect consumer information.
VietnamCountryLaw No. 41/2009/QH12 ("Telecommunications Law")In effectRegulates telecommunications activities and the rights and obligations of those working in the telecommunication industry, and expressly requires telecommunications enterprises not to disclose information of an end-user without consent from such end-user or a valid request from a competent authority.
VietnamCountryPersonal Data Protection Decree (PDPD)ProposedWould consolidate all data protection laws and regulations into one comprehensive data protection law. Would adopt a GDPR-type framework. Proposed effective date Dec. 1, 2021