Europe’s General Data Privacy Regulation, known as the GDPR, is the world’s most powerful privacy law. It requires companies to win consent from consumers to use their data, explain what they do with their data, and alert them every time that data is breached.
Countries around the globe have adopted versions of the European privacy law. The GDPR is “Exhibit A” for the “Brussels Effect,” which refers to the increasing influence of European Union (EU) tech regulations across the world. This interactive map builds on CEPA’s work tracking the global spread of European regulations.
Countries
Albania
The Albanian Parliament passed the Personal Data Protection Law in December 2024, explicitly stating Albania’s alignment with the GDPR. The law, which entered into force in February 2025, repealed Albania’s first legislation on data protection from March 2008. The Information and Data Protection (IDP) Commissioner is the independent supervisory authority that oversees implementation and compliance with Albania’s data protection law.
Argentina
In 2003, Argentina became one of the earliest Latin American nations to receive a data adequacy decision from the European Commission (EC). Argentina’s data protection law has been in place since 2000 and rather comprehensively addresses matters central to the GDPR, like informed consent and purpose limitation for processing. However, this regulation needs modernization. Unlike more recent data protection laws, Argentina’s framework does not include accountability measures or Data Protection Impact Assessments (DPIAs). Some modernization reforms have been proposed in recent years, including a 2022 draft law focused on implementing GDPR-style justification systems, but legislation has yet to be passed. on implementing GDPR-style justification systems, but legislation has yet to be passed.
Armenia
Armenia adopted its Protection of Personal Data Law in 2015. The Personal Data Protection Agency, a subdivision of Armenia’s Ministry of Justice, issues and implements guidelines and supervises compliance with the law and decrees related to the protection of personal data. Armenia also amended its Constitution in 2012 to include the right to protection of personal data as a fundamental right of the human being and of the citizen. Nevertheless, civil society groups have recently stated that data protection in Armenia is at risk, pointing to personal data leaks and the inefficiency of the Ministry of Justice in responding to data breaches to argue that current legislation is outdated.
Australia
Australia’s Privacy Act of 1988 outlines a series of privacy principles that establish basic disclosure requirements surrounding data collection and that give individuals the right to access and correct their personal information. In 2019, the Australian Parliament passed the Consumer Data Rights Act, which designates data standards and consumer rights by industry sector. Despite these laws and the series of amendments passed in 2024, Australia has yet to adopt a fully comprehensive framework for data portability, opting for a more competition-driven approach to data protection that contrasts with the GDPR’s rights-driven approach.
Austria
All European Union members are subject to the GDPR.
Belgium
All European Union members are subject to the GDPR.
Bosnia and Herzegovina
Bosnia and Herzegovina’s 2006 data protection law was amended in 2011 to include regulations on cross-border transfer and to clarify permissible uses of personal data. Bosnia and Herzegovina was granted EU candidacy in 2022; however, implementing a GDPR-aligned data protection law will likely be part of the reforms necessary for the country’s full accession to the EU. Sources expect the implementation of such a law within the next year.
Brazil
The Federative Republic of Brazil enacted its General Law of Data Protection (LGPD) in 2018, which became fully enforceable in 2021. The LGPD is regulated by the National Authority of Personal Data Protection (ANPD), whose Council of Directors is chosen by the president and subject to approval by the Federal Senate. The GDPR was cited as a model for the LGPD in discussions around the initial draft bill and in recent documents issued by the National Authority, though the LGPD differentiates itself from the GDPR on issues like the legal basis to process data, fines, and procedures to report breaches and fines. Companies have had difficulty complying with the data processing and consent measures of the LBPD, posing an enforcement challenge for the National Authority. A case is pending in the Supreme Federal Court related to the regulation of digital platforms that might affect issues such as cryptography and privacy.
Bulgaria
All European Union members are subject to the GDPR.
Canada
Canada is home to one of the older privacy laws, having implemented the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000. PIPEDA deployed a legal framework for consent mechanisms and processing procedures and, while it was well ahead of its time, has yet to be significantly modernized to align with the GDPR’s individual control measures and transparency requirements. A new bill aims to update PIPEDA with a Consumer Privacy Protection Act and reaffirm Canada’s data adequacy, but Parliament has yet to pass it.
China
On August 20, 2021, the People’s Republic of China adopted the Personal Information Protection Law (PIPL), which entered into force on November 1, 2021. Though similar to the GDPR, its legal provisions are not as detailed. The Cyberspace Administration of China, the primary regulatory body, is responsible for supervising implementation of regulations, issuing regulatory guidelines, and proposing regulatory revisions. According to analysts, PIPL is intended to protect individuals, Chinese society, and national security from potential abuse of personal information, but it does not directly address privacy, which is a separate concept in Chinese law.
Croatia
All European Union members are subject to the GDPR.
Cyprus
All European Union members are subject to the GDPR.
The Czech Republic
All European Union members are subject to the GDPR.
Denmark
All European Union members are subject to the GDPR.
Egypt
Egypt’s Personal Data Protection Law has existed since 2020, but implementation of its provisions has been extremely limited. While the law carves out detailed rights for data subjects, the lack of a regulatory body and of government guidance has rendered it less than useful. Additionally, human rights advocates have been quick to point out the authoritarian surveillance regime in Egypt, raising concerns about the efficacy and legitimacy of such a law.
Estonia
All European Union members are subject to the GDPR.
Finland
All European Union members are subject to the GDPR.
France
All European Union members are subject to the GDPR.
Georgia
Georgia replaced its 2011 data privacy law with the 2022 Personal Data Protection Law (PDPL), strengthening its bid for, and ultimate succession to, EU candidacy. The PDPL includes a framework heavily inspired by the GDPR and establishes an independent supervisory authority called the State Inspector’s Service. No EU adequacy decision has been granted yet, and Georgia has faced enforcement difficulties; however, the law’s framework follows the GDPR closely.
Germany
All European Union members are subject to the GDPR.
Greece
All European Union members are subject to the GDPR.
Hungary
All European Union members are subject to the GDPR.
Iceland
All members of the European Economic Area are subject to the GDPR.
India
India passed the Digital Personal Data Protection Act (DPDPA), its first standalone framework governing data protection, in 2023. Given the heightened attention to data privacy in the European market after the GDPR went into effect, India’s IT Act (2000) and its associated Privacy Rules needed an update. The DPDPA achieved this, introducing consent requirements and data subject rights for individual citizens. However, India has yet to regulate on some key GDPR measures, including purpose limitation and data minimization. The government is also the subject of a vast array of exemptions to the DPDPA, drawing concerns from privacy advocates.
Indonesia
Indonesia’s Personal Data Protection Law (PDP), passed in 2022, bears many structural similarities to the GDPR. The requirements for data protection officers aim to bring organizations under compliance with its robust consent measures and with new regulations around individual rights to access, correction, and erasure. Some legal nuances are lacking when compared with the EU framework, but the most striking difference is that the PDP delayed the formation of an independent supervisory authority until 2024 — the supervisory body has yet to be established in mid-2025, severely limiting the law’s enforcement capacity.
Ireland
All European Union members are subject to the GDPR.
Israel
Israel is home to an assortment of data privacy laws, including the Protection of Privacy Law of 1981, one of the world’s oldest digital rights laws. Israel’s robust patchwork of laws earned it a data adequacy decision from the EC in 2011, which was consequently reaffirmed in 2024. Recently, Israel has taken steps toward modernizing the PPL with Amendment 13, which aims to introduce stronger enforcement measures and some data protection officer requirements.
Italy
All European Union members are subject to the GDPR.
Japan
Japan’s Protection of Personal information Act (PPIA) was originally enacted in 2003. Following the GDPR, the PPIA was amended in 2020 to include regulation around pseudonymization, data breach notifications, and other GDPR-style concerns. Japan was recognized by the EC as data adequate in 2019 and has successfully maintained this status in subsequent reviews. Despite the data adequacy decision and the law’s close alignment with the GDPR, the PPIA still falls behind the EU when it comes to Personally Identifiable Information (PII) collection consent requirements and enforcement measures.
Kenya
Kenya has explicitly followed the GDPR in creating a rights-based legal framework for data privacy regulation, codifying the necessary safeguards via the Data Privacy Act of 2019 (KDPA). The KDPA is one of the strongest data privacy frameworks in Africa, and its implementation was likely inspired by the economic motivations of participating in the EU market.
Kosovo
The 2019 Protection of Personal Data Law (PPDL) states that the Republic of Kosovo will comply with the GDPR.
Latvia
All European Union members are subject to the GDPR.
Liechtenstein
All members of the European Economic Area are subject to the GDPR.
Lithuania
All European Union members are subject to the GDPR.
Luxembourg
All European Union members are subject to the GDPR.
Malta
All European Union members are subject to the GDPR.
Mexico
Mexico enacted the Federal Law on Protection of Personal Data Held by Private Parties in 2010 and has since replaced it with a 2025 Data Protection Reform. The law governs via a consent-based framework, providing definitions for controllers and processors and introducing new rights applicable to automated processing activities. The 2025 reform introduces a right to object to certain data collection and processing, which is its most notable inspiration from the GDPR. However, it still falls behind the EU, lacking independent oversight and limited enforcement capacity.
Moldova
Moldova’s Personal Data Protection Law has governed the country’s data practices since 2011. Its most notable departure from the EU framework is a lack of applicability for public bodies; the law can only be enforced against private actors.
Montenegro
Montenegro enacted its Personal Data Protection Law (PDPL) in 2008. The agency is engaged in the Twinning+ instrument to strengthen Montenegro’s capacity to implement data protection regulations and align existing legislation with the GDPR. To this end, the PDPL has gone through multiple amendments since its enactment, several of which brought the law closer to EU standards.
Netherlands
All European Union members are subject to the GDPR.
New Zealand
New Zealand replaced its 1993 law on data protection with the GDPR-inspired Privacy Act of 2020, which modernized the country’s legal digital privacy framework. Despite meeting international standards and being granted data adequacy status by the EC, the Privacy Act does not include data portability measures or a right to object to processing. Additionally, enforcement has been limited, and New Zealand’s digital legal framework contains no comprehensive conditions for consent like those included in the GDPR.
Nigeria
Nigeria replaced its 2019 data privacy framework with the Data Protection Act of 2023 to develop a more rights-based approach following the enactment of the GDPR. The new law provides for multiple consumer rights in addition to data portability measures and lawful conditions directly in line with the EU’s framework. While Nigeria has not been granted a data adequacy decision by the EC, it maintains its own standards for cross-border transfers.
North Macedonia
North Macedonia enacted its Personal Data Protection Law (PDPL) in 2020. The law requires certain data collectors and processors to establish data protection officers and delegates enforcement measures to its national data protection agency. While the PDPL contains specific international transfer laws that differ from those in the EU, its framework is largely inspired by the GDPR.
Norway
All members of the European Economic Area are subject to the GDPR.
Poland
All European Union members are subject to the GDPR.
Portugal
All European Union members are subject to the GDPR.
Romania
All European Union members are subject to the GDPR.
Russia
Russian law dictates specific consent measures that must be in place to collect and process citizen data. While these consent measures appear to be in line with much of the GDPR, they lack key elements to regulate personal data processing, including purpose limitation, data minimization, and the right to object. Multiple human rights organizations have flagged Russia for violations of citizen privacy due to government surveillance and the prohibition of privacy-enhancing technologies.
Rwanda
Rwanda enacted the Protection of Personal Data and Privacy Law in October 2021, joining the wave of African countries enacting digital rights frameworks inspired, most likely, by EU market participation. The law provides for consumer rights via a predominantly consent-oriented legal basis; however, it also includes multiple GDPR-style provisions surrounding cross-border transfers and rights to access, rectification, and deletion. While the law largely aligns with the GDPR, it falls behind in data portability and automated decision-making measures.
Serbia
Serbia’s Personal Data Protection Law (LPDP) includes legal conditions for processing and data subject rights (access, correction, and erasure), as well as provisions on data transfers, consent, and supervisory authority independence.
Singapore
Singapore enacted the Personal Data Protection Act in 2012, which underwent significant amendments in 2020 and 2021 to strengthen enforcement and consumer rights. The law and its amendments are clearly inspired by the GDPR in areas like consent-oriented processing, cross-border transfers, and imposing meaningful penalties. Singapore’s law remains more business-friendly in many respects, including the lack of certain GDPR-style data subject rights and a limited legal basis framework for data collection and processing.
Slovakia
All European Union members are subject to the GDPR.
Slovenia
All European Union members are subject to the GDPR.
South Africa
The Protection of Personal Information Act (POPIA) was signed into law in 2013 but was only gradually implemented until it became fully enforceable on June 30, 2021. The Information Regulator, an independent statutory body whose members are appointed by the president on the recommendation of the National Assembly, monitors and enforces compliance with POPIA. POPIA was amended a few times. Its interpretations, regulatory guidance, and enforcement approaches make it similar to the GDPR. Other laws related to data protection in South Africa are the Cybercrimes Act (2020) and the Promotion of Access to Information Act (PAIA, 2020).
South Korea
The Republic of Korea enacted its Personal Information Protection Act (PIPA) in 2011, which included the establishment of the Personal Information Protection Commission (PIPC) as an independent regulatory body. Following the GDPR, PIPA was amended in 2020 to include additional data protection measures and to vest all data protection authorities within the PIPC. This amendment earned South Korea a data adequacy ruling, deeming PIPA essentially equivalent to EU law. Further amendments in 2023 strengthened data subject rights and introduced economic sanctions as penalties; however, PIPA still falls behind the GDPR in data portability rights and enforcement scope. ((Peter Oladimeji, “South Korea Data Protection Law (PIPA): Everything You Need to Know,” Didomi Blog, May 3, 2023, ))
Spain
All European Union members are subject to the GDPR.
Sri Lanka
Sri Lanka passed Personal Data Protection Act (PDPA) No. 9 in 2022, directly modeled after the GDPR. Sri Lanka implemented the PDPA in phases over three years, and the law became fully enforceable in March 2025. After several rounds of revisions, the PDPA has a robust, rights-based framework that is well aligned with that of the EU.
Sweden
All European Union members are subject to the GDPR.
Switzerland
Originally enacted in 1992, Switzerland’s Federal Act on Data Protection (FADP) was comprehensively revised in 2020 in response to the GDPR, better aligning Switzerland’s privacy law with the EU and giving its regulatory agency more enforcement power. These FADP revisions led the EC to reaffirm Switzerland’s data adequacy status in 2020 and 2024. There are notable differences between Swiss and EU law surrounding notice-and-consent frameworks.
Thailand
Thailand’s Personal Data Protection Act (PDP) came into effect in 2022, preceding a larger plan announced in 2024 to implement a more holistic data protection framework. The PDP grants consumer rights and explicitly follows the GDPR in many respects, including providing legal conditions for processing and establishing an independent regulatory body.
Turkey
Turkey’s Personal Data Protection Law (PDPL) was enacted in 2016, based on the amendment of the Turkish Constitution in 2010 to include the protection of personal data as a fundamental right and inspired by the EU’s 1995 Data Protection Directive, which preceded the GDPR. Turkey has sought international alignment on data protection — it ratified the Council of Europe Convention 108 in 2016 and issued an Action Plan on Human Rights in March 2021, which emphasizes the protection of personal data. Turkey intends for the PDPL to fully align with the GDPR — in March 2024, Turkey introduced an amendment to PDPL to address data transfers abroad, define the conditions for processing special categories of personal data, and introduce administrative fines. The Kişisel Verileri Koruma Kurumu (KVKK), the Personal Data Protection Authority, is responsible for overseeing data protection laws and by-laws and for issuing resolutions.
Uganda
Uganda’s Data Protection Act of 2019 introduced data privacy law to the country. Many of the Data Protection Act’s provisions align with the GDPR, but critics have pointed out that a lack of clear penalties have impeded the independent supervisory body’s authority and delayed revisions and new amendments.
Ukraine
Ukraine advanced a new draft law on Personal Data Protection in 2024 but has not yet passed it. The law aims to replace Ukraine’s 2010 data protection law with a more GDPR-friendly framework. The law includes expanded data subject rights, mandatory data protection officers, and — most notably — a number of legal conditions for data processing, which many countries have failed to achieve in their legislation. However, until the law is passed, Ukraine is subject to its 2010 law, which provides limited and dated regulation of consent and processing mechanisms.
United Arab Emirates
The United Arab Emirates enacted its first comprehensive data privacy law, the Personal Data Protection Law (PDPL), in 2021. The PDPL is a rights-based approach heavily inspired by the GDPR, and it includes EU-mirrored legal bases along with multiple avenues for consumer consent controls and processing limitations.
United Kingdom
After its departure from the EU in 2020, the UK updated its 2018 Data Protection Act to become the UK-GDPR. The UK-GDPR retains the GDPR in the UK’s domestic law and includes the key aspects of the EU legislation.
Vietnam
Vietnam issued a Decree on Personal Data Protection in 2023, aiming to bring the country in line with modern digital rights movements. While the decree is not a law, the framework is heavily inspired by the GDPR’s approach to granting consumer privacy rights and establishing limits for processing activity. The decree is regulated through Vietnam’s Department of Cybersecurity and High-Tech Crime Prevention.
Zambia
Zambia passed a GDPR-inspired data protection law in 2021; however, many measures fall behind global norms. Zambia’s law includes a consent-oriented framework for legal conditions and multiple data subject rights. However, a lack of enforcement mechanisms, fines, or an independent regulatory body render application of the law weak. The framework for strong data privacy regulation is in place, but revisions are necessary to bring it fully in line with advanced EU law.
United States
Although the US has no federal privacy law, European-style privacy protections have caught on at the state level. California has taken the lead, with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
Although the US has no federal privacy law, European-style privacy protections have caught on at the state level. California has taken the lead, with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
California
California enacted the California Consumer Privacy Act in 2018, immediately after the GDPR came into effect, making it the first comprehensive US state privacy law. The CCPA was strengthened in 2020 by the California Privacy Rights Act. The CCPA and CPRA have incorporated EU trends into California’s data privacy regulatory approach, granting consumers extensive rights over their personal data by providing California residents with an opt-out mechanism to prevent companies from selling their personal data. The transparency requirements for the use of data apply only to California businesses. California has made amendments to the CCPA in the past few years to include data minimization, purpose limitation, and privacy impact assessments. In contrast, the GDPR provides more rights for citizens to opt out from companies’ specific uses of data while retaining others. The CCPA serves as the gold standard for US state privacy law and has become a useful framework for state legislatures writing their own digital privacy legislation. The CCPA is enforced by the state’s attorney general. California is also the only state to have established an independent regulatory body for data privacy.
Colorado
The Colorado Privacy Act (CPA) took effect in 2023, granting consumers an enormous expansion of their digital rights. Taking after the CCPA and GDPR, the CPA provides extensive data control rights for consumers and internet users, emphasizing collection consent mechanisms and targeted advertising. On the processing side, Colorado’s law differs from the CCPA by requiring data processors to implement data protection assessments. Unlike the CCPA, the CPA does not establish an independent regulatory body or provide any private right of action for data breaches.
Connecticut
Connecticut’s Data Privacy Act of 2023 grants extensive privacy rights to consumers around consent and processing. Connecticut’s law closely resembles the Colorado model and therefore mostly aligns with the CCPA; however, a recent set of amendments made on June 30, 2025, vastly lowered the law’s applicability thresholds and introduced a new right to contest certain profiling decisions.
Delaware
Delaware’s Personal Data Privacy Act (DPDPA) went into effect in January 2025, closely following the models of its predecessors. One notable difference in the DPDPA is its applicability threshold, which targets any entity processing the data of more than 35,000 individuals — a much lower threshold than California and Colorado’s 100,000-person requirement.
Florida
Florida passed a limited digital privacy law in 2023 titled the Florida Digital Bill of Rights (FDBR). The FDBR focuses mainly on consent mechanisms, requiring large tech companies processing personal data to provide consent notices and opt-out mechanisms for the use and sale of data to conduct profiling or targeted advertisements. Unlike the CCPA, Florida’s bill does not provide general consumer rights surrounding personal data processing.
Indiana
Indiana’s Consumer Data Privacy Act of 2023 has a heavily CCPA-influenced framework. With rights to access, deletion, and correction as well as multiple consent and privacy notice requirements, Indiana’s law is comprehensive and similar to other US state laws.
Iowa
Iowa’s Consumer Data Protection Act includes the right to consent opt-outs and processing mechanisms but notably lacks the right to data correction and to opt out of profiling.Otherwise, the law follows the framework of most other state laws and takes after the CCPA.
Kentucky
Kentucky’s Consumer Data Protection Act (KCDPA) will go into effect at the beginning of 2026, making Kentucky the 15th state to enact a digital privacy law. It contains extensive user rights and applicability, making it a GDPR-style law with a CCPA framework. Notably, the KCDPA does not include a provision mandating that businesses respect universal opt-out mechanisms for consent preferences, which symbolizes a slight departure from more recent state laws.
Maine
Maine passed the Act to Protect the Privacy of Online Customer Information (APPOCI) in 2019 and has not passed any significant digital privacy laws since. The APPOCI mandates consent requirements for Internet service providers to collect personal information but does not extend this to broader categories of data processors like businesses and advertising companies. Additionally, the act focuses solely on consent mechanisms, ignoring processing rights like those included in the CCPA.
Maryland
Maryland’s Online Data Privacy Act goes into effect on October 1, 2025, and will be one of the strongest US privacy laws to date.
Minnesota
The Minnesota Consumer Data Privacy Act will come into effect in late July 2025. It provides for multiple consumer rights and focused consent regulations, such as the prohibition of dark patterns. While the CDPA follows the models of previous state laws, it has slightly less strict data minimization rules than states like Maryland do.
Montana
The Montana Consumer Data Privacy Act of 2023 provides extensive rights to consumer consent preferences and data processing requests.
Nebraska
Nebraska joined the wave of states implementing data privacy laws with its 2024 Data Privacy Act (NDPA). Notably, the NDPA does not require revenue or subject-processing thresholds, instead applying to all businesses collecting and processing the personal information of Nebraska residents.
New Hampshire
The New Hampshire Data Privacy Act (NHDPA) of 2024 closely follows the CCPA framework. New Hampshire’s law includes extensive consumer rights, including the right of access, correction, deletion, and even data portability. Additionally, like Delaware’s law, the NHDPA has a lower applicability threshold for companies that sell data, making it slightly stricter than the California and Colorado frameworks. The law also closely follows the GDPR and CCPA when it comes to regulating and honoring universal opt-out mechanisms.
New Jersey
New Jersey’s Data Privacy Act closely follows the CCPA framework, absent an independent regulatory agency.
Oregon
In 2023 the Oregon legislature passed the Oregon Consumer Privacy Act (OCPA), which came into effect in 2024 after several years of work by an AG-appointed Consumer Privacy Task Force. Following the steps of other state privacy laws, the OCPA focuses on GDPR- and CCPA-style consumer rights to access and deletion, with regulatory measures for both processing and consent. Its applicability thresholds and opt-in style of consent for sensitive data put it squarely in line with California.
Rhode Island
The Rhode Island Data Transparency and Privacy Protection Act will go into effect in early 2026. The law is different from most other privacy laws in the US, as it has no general data minimization requirements, a broad and extensive applicability threshold, and a focused information-sharing notice requirement as opposed to the usual privacy notice provision. Despite these differences, it still focuses on consumer rights surrounding consent and processing, making it a CCPA-inspired framework with a few notable twists.
Tennessee
The Tennessee Information Protection Act was passed in 2023 in accordance with the standard for many other state privacy laws, The IPA robustly protects consumer rights; however, it also includes a somewhat controversial element — the “Safe Harbor” provision guarantees affirmative defense to any of the law’s violations if a business complies with the NIST privacy framework, a first among state laws.
Texas
Texas passed the Data Privacy and Security Act (DPSA) in 2023, which largely mirrors the CCPA-inspired model that other states have adopted. One notable difference is the applicability threshold, which regulates any business processing information and conducting business in the state so long as it is not recognized as a small business. Otherwise, Texas’s DPSA gives consumers the standard digital privacy rights and requires businesses to produce multiple different records of processing to regulators upon request.
Utah
Utah was one of the earliest states to enact a privacy law, passing the Consumer Privacy Act in 2022. Utah’s law grants consumer rights under the standard opt-out model but notably does not include a right to correction or mention of profiling. A recent amendment set to go into effect at the beginning of 2026 will install a right to correction; however, the amendment will not add any mention of rights surrounding the opt-out mechanisms for profiling. rights surrounding the opt-out mechanisms for profiling.
Virginia
Virginia was the first state to pass a privacy law after the CCPA when it enacted the Virginia Consumer Data Privacy Act (VCDPA) in 2021. The VCDPA follows the CCPA framework very closely, differing only in nuanced measures surrounding universal opt-out signaling and in Virginia’s lack of an independent enforcement agency.
Puerto Rico
Due to the lack of US federal privacy law, Puerto Rico’s data privacy landscape is quite limited. Other than a data breach notification law passed in 2007, Puerto Rico has no legislation regulating consent mechanisms and personal data processing.
US Virgin Islands
Due to the lack of US federal privacy law, the US Virgin Islands do not have legal mechanisms regulating consent for collecting or processing personal data. The US Virgin Islands do have territorial legislation in place surrounding data breach notifications but have not enacted a comprehensive privacy law.
link