Data Privacy by Location
Navigating Global Regulations
North America
California
The California Consumer Privacy Act (CCPA) has been in effect since January 1, 2020, and it protects CA
residents' rights with respect to their personal data. The California Privacy Rights Act (CPRA), effective as of
January 1, 2023, expands the scope of the CCPA. Together, they protect California residents' rights of access in a
portable manner, correction, and deletion, along with the ability to opt out of select processes for sensitive data,
sales, and automated decisions. The Acts also require regular risk assessments and prohibit discrimination
against individuals for exercising rights granted to them by the Acts.
The CCPA and CPRA apply to for-profit businesses in California with gross annual revenue over $25,000,000,
those that process data pertaining to at least 100,000 CA residents, or those that derive at least 50% of their
revenue from the sale of residents' data. If a data breach occurs, eligible organizations must notify impacted
parties as soon as possible and without reasonable delay, and the California Attorney General must be notified if at
least 500 people are impacted.
Colorado
The Colorado Privacy Act (CPA), effective as of July 1, 2023, protects CO residents' right to privacy regarding their
personal data. Organizations must ensure residents have access to their personal data in a portable format, along with
the ability to correct or delete information. Colorado residents can opt out of processing for targeted advertising,
along with sales and some automated decision-making regarding their data. Organizations must conduct risk assessments
to ensure these rights are upheld and cannot discriminate against residents for exercising them.
The CPA applies to both for-profit and non-profit entities that operate in Colorado or deliver goods or services to
individuals in the state, so long as they process data belonging to 100,000 state residents in a calendar year or
derive revenue or other incentives from the sale of the data of 25,000 or more residents. If a data breach occurs, eligible
organizations must provide notice to all impacted parties without unreasonable delay and no later than 30 days
after recognizing the incident. They must also provide notice to the Colorado Attorney General.
Connecticut
The Connecticut Data Privacy Act (CTDPA), effective as of July 1, 2023, protects the data privacy rights of CT residents.
It grants the rights of access to personal data in portable formats, along with corrections to and deletions of
personal data. CT residents can opt out of processes for targeted advertising and sales of their personal data, along
with some automated decisions regarding their data. Organizations must conduct risk assessments related to these rights
and cannot discriminate against Connecticut residents for exercising rights granted by the CTDPA.
The CTDPA applies to entities conducting business in the state or producing goods and services targeted
toward Connecticut residents if they process the data of 100,000 or more residents or 25,000 or more residents
while deriving at least 25% of revenue from the sale of such data. When a data breach occurs, eligible entities
must notify impacted parties without unreasonable delay and no later than 60 days after discovering the incident
- or sooner, per applicable federal mandates. Notification must also be provided to the Connecticut
Virginia
The Virginia Consumer Data Protection Act (VCDPA) is effective as of January 1, 2023. It protects VA residents'
data privacy rights, including the rights to access personal data in a portable manner, to delete it, or to correct
inaccuracies in it. It also enables Virginia residents to opt out of select processes concerning their data, such
as targeted advertising, sales, and certain automated decisions. Organizations must implement risk assessments
regarding data privacy and are prohibited from discriminating against individuals for exercising their VCDPA rights.
The VCDPA applies to entities that conduct business in Virginia or market goods or services to its residents if they
process personal data belonging to at least 100,000 VA residents or process personal data of 25,000 residents and
derive at least 50% of revenue from the sale of said data. If a breach impacting this personal data occurs, eligible
entities must provide notification to all impacted parties and the Virginia Attorney General without unreasonable delay.
Utah
The Utah Consumer Privacy Act (UCPA), effective as of December 1, 2023, protects Utah residents' data privacy rights.
Utah residents have the right to access their personal data in a portable manner, and they have the right to delete
information about them. They can also opt out of sales regarding their personal data, along with processes related to
targeted advertising. Organizations cannot discriminate against UT residents for exercising any of these rights.
The UCPA applies to entities that conduct business in Utah or market goods or services to its residents
and meet certain revenue and data processing thresholds. Namely, eligible entities have an annual
revenue of at least $25,000,000 and either process the personal data of 100,000 or more state residents or derive
at least 50% of their revenue from personal data sales and process the personal data of at least 25,000 residents.
If a data breach occurs, these entities must notify the impacted parties as soon as possible and without
unreasonable delay.
Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA) has been in effect since January
1, 2011, protecting the data privacy of Canadian citizens. Organizations must uphold 10 principles to
ensure personal data processing is appropriate. They must remain accountable for data processes; identify the
purposes for collection; garner consent for data processing; limit processing to stated purposes; ensure
accuracy of records; install safeguards to protect data; be transparent about processes related to data; provide
access to data subjects; and entertain individuals' challenges regarding organizational compliance.
PIPEDA applies to all private-sector organizations operating in Canada that process personal data pertaining
to Canadian residents as part of their commercial activities. It also applies to organizations that process data
crossing provincial or national borders, regardless of where the entity is based. If a breach occurs and an
eligible entity deems it to pose a Real Risk of Significant Harm (RROSH) to impacted parties, they must notify
them as soon as possible.
Europe
The General Data Protection Regulation (GDPR) has been in effect since May 25, 2018. It protects the privacy rights
of data subjects in the European Union. It ensures transparency in communication and accessible modalities for
data subjects to exercise their rights, which include: information about and access to personal data; rectification
and erasure, including restrictions on select processes; and opting out of automated decision-making. Data processors
and controllers must ensure privacy by design and default, and they may need to appoint a Data Protection Officer (DPO)
or implement risk assessments and other measures, per the discretion of the EU Member State or other entity designated
as their supervisory authority.
The GDPR applies to organizations based in the EU that process personal data, along with organizations outside of the
EU that process the personal data of EU residents, offer goods or services to them, or monitor the behavior of EU residents.
If a data breach occurs, the data controller is responsible for providing notification to their supervisory authority no
more than 72 hours after becoming aware of the incident. The notice must include the nature of the breach, its likely
consequences, and what measures are being taken to mitigate them, among other details.