Study Guide: A Simple Guide to 16 Major Privacy Laws Around The World
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/a-simple-guide-to-16-major-privacy-laws-around-the-world

A Simple Guide to 16 Major Privacy Laws Around The World

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


1. GDPR (General Data Protection Regulation)

The gold standard of global privacy law, the GDPR protects the personal data of individuals within the European Union. It grants individuals sweeping rights over their data, including the right to access, correct, delete, and port their information, while imposing strict consent requirements and transparency obligations on businesses. Non-compliance can result in fines of up to €20 million or 4% of global annual revenue, making it one of the most consequential privacy frameworks in the world. 

2. CCPA (California Consumer Privacy Act) / CPRA (California Privacy Rights Act)

California's landmark privacy law gives residents control over their personal information held by businesses. The CCPA grants consumers the right to know what data is collected, to request deletion, and to opt out of sales, and it prohibits discrimination against consumers for exercising these rights. The subsequent CPRA expanded these protections by adding a new category of "sensitive personal information," establishing the California Privacy Protection Agency (CPPA) for enforcement, and introducing new requirements for risk assessments and cybersecurity audits.

3. LGPD (Lei Geral de Proteção de Dados)

Brazil's comprehensive data protection law mirrors many principles of the GDPR, applying to any organization processing personal data in Brazil or offering goods/services to Brazilian residents. The LGPD establishes ten legal bases for processing, grants individuals nine specific rights over their data, and requires transparency through detailed privacy policies. It also created the National Data Protection Authority (ANPD) to enforce compliance and impose penalties. 

4. PIPEDA (Personal Information Protection and Electronic Documents Act)

Canada's federal private-sector privacy law governs how organizations collect, use, and disclose personal information in commercial activities. PIPEDA is built on ten foundational principles, including accountability, consent, limiting collection, and safeguarding data. Consent can be implied or express depending on the sensitivity of the information, and individuals have the right to access and challenge the accuracy of their personal data held by organizations. 

5. Quebec Privacy Law (Act Respecting the Protection of Personal Information in the Private Sector)

Quebec's privacy framework is one of the strictest in North America, imposing obligations beyond PIPEDA, including mandatory data protection officers, privacy impact assessments before transferring data outside the province, and breach notification requirements. The law grants individuals expansive rights and carries penalties of up to CAD $25 million or 4% of global revenue. Quebec also requires express consent for processing sensitive information.

6. CASL (Canada's Anti-Spam Legislation)

Canada's Anti-Spam Legislation (CASL) regulates the sending of commercial electronic messages (CEMs), requiring express or implied consent before contacting individuals via email, text, or social media. Messages must clearly identify the sender and include a functional unsubscribe mechanism. Violations can result in administrative penalties of up to CAD $10 million for businesses, making it one of the strictest anti-spam laws globally. 

6. HIPAA (Health Insurance Portability and Accountability Act)

HIPAA is the cornerstone of U.S. healthcare data privacy, establishing national standards for protecting sensitive patient health information (PHI). The law consists of three key rules: the Privacy Rule (setting standards for PHI use and disclosure), the Security Rule (requiring safeguards for electronic PHI), and the Breach Notification Rule (mandating notifications when PHI is compromised). Covered entities include healthcare providers, health plans, and their business associates. 

7. GLBA (Gramm-Leach-Bliley Act)

The GLBA is a U.S. federal law requiring financial institutions to protect consumers' nonpublic personal information (NPI). It mandates clear privacy notices explaining data collection and sharing practices, offers consumers the right to opt out of certain third-party disclosures, and requires a written information security plan. The law applies to banks, insurance companies, investment advisors, and any entity significantly engaged in financial activities. 

8. COPPA (Children's Online Privacy Protection Act)

COPPA is a U.S. federal law designed to protect the privacy of children under 13 online. It requires operators of websites and online services directed at children to obtain verifiable parental consent before collecting, using, or disclosing personal information. The 2025 amendments expanded the definition of personal information to include biometric identifiers, required separate consent for third-party disclosures, and mandated written data retention policies. 

9. VCDPA (Virginia Consumer Data Protection Act)

Virginia's consumer privacy law grants residents rights over their personal data, including access, correction, deletion, and the right to opt out of targeted advertising and data sales. Effective January 2023 and amended in 2025, the VCDPA applies to businesses processing data of at least 100,000 Virginia consumers (or 25,000 consumers with over 50% revenue from data sales). New 2025 amendments added protections for minors under 16, requiring age-screening mechanisms for social media platforms starting January 2026. 

10. CPA (Colorado Privacy Act)

Colorado's comprehensive privacy framework grants consumers rights to access, correct, delete, and obtain a copy of their personal data, along with the right to opt out of targeted advertising and profiling. It applies to businesses processing data of 100,000+ Colorado residents (or 25,000+ with revenue from data sales). The CPA is notable for its detailed rulemaking process regarding automated decision-making and data protection assessments, with enforcement by the Colorado Attorney General.

11. FDPA (Florida Digital Bill of Rights)

Florida's privacy law provides residents with rights over their personal data, including access, deletion, and opt-out rights for targeted advertising and data sales. It applies to businesses meeting specific revenue thresholds and processing large volumes of personal information. The law imposes particular restrictions on the use of sensitive data and requires clear disclosures about data collection and sharing practices.

12. PIPL (Personal Information Protection Law)

China's comprehensive privacy law governs the processing of personal information within China and applies to organizations outside China targeting Chinese residents. PIPL establishes principles of legality, legitimacy, necessity, and good faith, requiring consent for data collection. It grants individuals rights including access, correction, deletion, and portability, while imposing strict rules on cross-border data transfers and separate consent for sensitive personal information.

13. UK Data Protection Act 2018

This law is the UK's implementation of GDPR standards: it supplements and tailors the EU GDPR for UK domestic law post-Brexit. It maintains similar principles regarding consent, individual rights, and enforcement, while providing specific exemptions and adaptations for UK contexts including immigration, national security, and certain scientific research purposes. The Information Commissioner's Office (ICO) oversees enforcement.

14. ePrivacy Directive (EU Cookie Law)

Often called the "Cookie Law," this directive complements the GDPR by regulating electronic communications, specifically requiring websites to obtain informed consent before storing or accessing information on a user's device. It mandates clear disclosure about cookies and similar tracking technologies, with the requirement that users must actively opt in (no pre-ticked boxes). Enforcement varies by EU member state.

15. FCRA (Fair Credit Reporting Act)

The FCRA is a U.S. federal law regulating the collection, dissemination, and use of consumer credit information. It ensures accuracy, fairness, and privacy of information in consumer reporting agency files, granting individuals the right to access their credit reports, dispute inaccuracies, and be notified when information is used against them (e.g., for employment or credit denials). It also imposes obligations on furnishers and users of credit information.

16. FERPA (Family Educational Rights and Privacy Act)

FERPA is a U.S. federal law protecting the privacy of student education records. It grants parents (and eligible students over 18) the right to access, review, and request amendment of education records, and requires written consent before disclosing personally identifiable information from these records, with exceptions for specific educational purposes. Schools must annually notify families of their rights under FERPA.