
Global Privacy Law Comparison Chart

This document maps comprehensive data protection laws from around the world, including laws from the U.S., Argentina, Armenia, Australia, and Benin Republic. It compares individual rights like the right to access, correct, delete, and opt-out of data processing. It also compares business obligations around transparency, data security, impact assessments, and breach notification. The chart is intended to help privacy professionals understand the different approaches to data protection globally and will be updated over time.

Uploaded by

Sridhaar Dara

Global Comprehensive Privacy Law Mapping Chart

Comprehensive data protection laws exist across the globe. While each law is different, there are many commonalities in terms of the rights, obligations and enforcement provisions. The Westin Research Center has created this chart mapping several comprehensive data protection laws, including the laws in the U.S., to assist our members in understanding how data protection is being approached around the world.

Our intent is to add to this chart and update it as laws are amended and other laws come into force. As always, we appreciate input from our members. If you have comments about the mapping or believe additional information should be included, please share it with Cathy Cosgrove at ccosgrove@iapp.org.

Special thanks to Perry Cruz, Amit Gadhia, Dr. Julien C. Hounkpe, Anna Johnston, Louisa Meliqsetyan, Selin Ozbek Cittone, Yechiel Steinmetz, Kezia Talbot, Daimhin Warner, and former IAPP legal externs, including Seth Azubuike, Brynne Duvall, Sean Kellogg, Eduardo Monteverde, and Cheryl Saniuk-Heinig, for their contributions.

Last updated: April 2022

Note: This tool is for informational purposes and is not legal advice. Whether a law includes a particular provision should always be verified via official sources.

Argentina: Personal Data Protection Act*
Armenia: Law On Personal Data Protection
Australia: Privacy Act 1988; Australian Privacy Principles (included in Privacy Act); Australian Privacy Principles Guidelines
Benin Republic: Digital Code

Articles 15, 18(1 and 4)
Right to access Articles 4(6) and 14 APP 12 Article 437
and 20(1 and 2)
Right to correct Article 16 Articles 6, 15(2) and 21(2) APP 13 Article 441
INDIVIDUAL RIGHTS

APP Guidelines, APP 13


Right to delete Articles 4(5) and 16 Article 15(2) (related to correcting Articles 441, 443 and 444
inaccuracy)
Right to portability Article 438
Right to opt out of all or Articles 9(3), 11(2), 12(2)
APP 7 Articles 390 and 440
specific processing and 21(6)
Right to opt in for sensitive
Articles 2 and 7* Articles 12 and 13* APP 3 Article 394
data processing
Age-based opt-in right Article 9(9) Article 446
Right not to be subject to
Articles 401, 415 and 439
fully automated decisions
Notice/transparency Articles 384, 403, 415,
Articles 6 and 13 Articles 9(5-8) and 10 APPs 1 and 5
requirements 416 and 418
Legal basis for processing Article 8 Articles 383 and 389
Articles 4(2), 16, 18(2)
Purpose limitation Article 4(3) APP 6 Articles 383(3) and 424
and 19(1)
Data minimization Article 4(1), (7) Articles 5, 18(2) and 19(1) APP 3.1–3.2 Articles 383(4) and 424
Article 19 and
Security requirements Article 9 Government Decision on APP 11 Articles 383 and 426
Biometric Personal Data*
APP Guidelines,
Privacy by design Article 424
APP 1, 1.3
BUSINESS OBLIGATIONS

Processor/service provider
Article 9 (security) Article 14 Article 386
requirements
Prohibition on discrimination Articles 393 and 401
Chapter IV (Articles
APP Guidelines,
Record keeping 21–28) (for data files, Article 435
APP 1, 1.5
registers, banks, etc.)
Privacy Act 1988, 33D;
APP Guidelines,
Risk/impact assessments APP 1, 1.7; Australian Article 428
Government Agencies
Privacy Code*
Data breach notification* Article 21(3 and 4) Privacy Act 1988, Part IIIC Article 427
Chapter IV (Articles
Articles 405 and 406
Registration with authorities 21–28) (for data files, Article 23
(reporting obligation)
registers, banks, etc.)
Australian Government
Data protection officer Articles 430–432
Agencies Privacy Code*
International data transfer
Article 12 Articles 26 and 27 APP 8 Articles 391 and 392
restrictions
Exemption for Section 16 of
Privacy Act 1988, 7B(3)
employee data Labour Code
SCOPE

Privacy Act 1988, 6C–6E


Nonprofits covered Articles 1 and 2 Article 1(1) Article 380
OAIC guidance
Sectoral law carveouts Article 1(2)
State-level preemption
Office of the Autorité de Protection
Agencia de Acceso a la Personal Data
Australian Information des Données à caractère
Independent enforcement Información Pública Protection Agency
Commissioner Personnel
authority
Chapter V
Articles 24 and 25 Privacy Act 1988, Part IV Articles 462–490
(Articles 29 and 30)
ENFORCEMENT

National Assembly, RA
Chapter V
Rulemaking authority Government, Personal Privacy Act 1988, 100 Article 483
(Articles 29 and 30)
Data Protection Agency
Article 24; Article 189.17, Privacy Act 1988,
Articles 452-455, 459
Fining authority Article 31 Administrative Part III, 13G; Part IIIA;
and 483
Violations Code Part V, 46, 65–66, etc.
Privacy Act 1988,
Article 145, Criminal Code
Criminal penalties Articles 31 and 32 Part V, 46, 65 and 66; Articles 460 and 461
(medical privacy)
Part VIA, 80Q, etc.
Personal liability Articles 31 and 32 Privacy Act 1988, 99A Article 460
Private right of action Articles 33–39 Articles 17 and 21 Articles 449–451

*Data breach notification: Many countries and all 50 U.S. states have separate data breach notification laws. The term in this chart refers to a provision included in
a comprehensive data protection law.
*Argentina: Morrison Foerster’s privacy library has an English version of the PDPA. The law provides no person can be compelled to provide sensitive data, subject to
certain exceptions.
*Armenia: The Law on Personal Data Protection has different categories of personal data, including “special category” personal data, “personal life data” and
“biometric personal data.” Armenia also has a decision regarding biometric personal data, RA Government Decision N 1175-N dated 15 October 2015 “On Defining
Requirements for Material Carriers of Biometric Personal Data and Technologies for Storage of Such Data outside of Information Systems.” The Armenian Constitution
includes a right to privacy in Article 31.
*Australia: The Australian Government Agencies Privacy Code requires Australian government agencies subject to the Privacy Act to conduct written privacy impact
assessments for “high privacy risk” projects and requires the appointment of a privacy officer(s) and privacy champion.

Brazil: General Data Protection Law
Canada: Personal Information Protection and Electronic Documents Act
China: Personal Information Protection Law
Colombia: Law 1581/2012*; Law 1266/2008

Articles 8 and 18, Law
Right to access Articles 6(IV) and 18(II) Schedule 1, Principle 9 Articles 44 and 45 1581; Article 7, Law 1266;
Article 21, Decree 1377
Articles 8 and 18, Law
Right to correct Article 18(III) Schedule 1, Principle 9 Article 46 1581; Article 7, Law 1266;
Article 22, Decree 1377
INDIVIDUAL RIGHTS

Schedule 1, Principle 9 Articles 8 and 18, Law


Right to delete Article 18(VI) (related to correcting Article 47 1581; Article 7, Law 1266;
inaccuracy) Article 22, Decree 1377
Right to portability Article 18(V) Article 45
Right to opt out of all or Schedule 1,
Articles 15 and 44 Article 8(e), Law 1581
specific processing Principle 3 (4.3.8)
Articles 5 and 6,
Right to opt in for sensitive See OPC Guidance,
Article 11 Article 29 Law 1581; Article 6,
data processing Principle 3
Decree 1377
Article 7, Law 1581*;
Age-based opt-in right Article 14 Article 31
Article 12, Decree 1377
Right not to be subject to
Article 20 Articles 24 and 55
fully automated decisions
Articles 4(e) and 12,
Notice/transparency Schedule 1,
Article 10, Section 2 Articles 7, 17, 23 and 30 Law 1581; Articles 14–18,
requirements Principles 2, 3 and 8
Decree 1377
Article 9, Law 1281;
Schedule 1, Principle 4.3
Legal basis for processing Article 7 Article 13 Article 5, Decree 1377
(consent required)
(consent based)
Purpose limitation Article 6(I) Schedule 1, Principle 4 Article 6 Article 4(b), Law 1581
Articles 4 and 11,
Data minimization Article 6(III) Schedule 1, Principle 4 Articles 6 and 19
Decree 1377
Articles 4(g), 17 and 18,
Security requirements Articles 6(VII) and 46–49 Schedule 1, Principle 7 Articles 9, 51 and 59 Law 1581; Article 19,
Decree 1377
BUSINESS OBLIGATIONS

Privacy by design
Processor/service provider Articles 8, 12, 17 and 18,
Articles 37, 39 and 40 Article 21
requirements Law 1581
Prohibition on discrimination Article 6(IX) Article 16
Articles 8, 17 and 18,
Part 1, Division 1.1,
Record keeping Article 37 Articles 54–56 Law 1581; Articles 8
Section 10.3
and 26, Decree 1377
Articles 17, 18 and 25,
Risk/impact assessments Article 38 Articles 55 and 56
Law 1581
Part 1, Division 1.1, Articles 17 and 18,
Data breach notification* Article 48 Article 57
Sections 10.1–10.3 Law 1581
Article 25, Law 1581
Registration with authorities Articles 52 and 53
(databases)
Article 23, Decree 1377
(person or area
Data protection officer Article 41 Schedule 1, Principle 1 Article 52 designated to assume
the function of personal
data protection)
Article 26, Law 1581;
International data transfer
Article 33 Articles 38–43 Articles 24 and 25,
restrictions
Decree 1377
Exemption for
Part 1, Section 4(1)(b)*
employee data
SCOPE

Nonprofits covered Article 3 Part 1, Section 4 Article 3 Article 2, Law 1581


Sectoral law carveouts
State-level preemption See OPC Guidance
National Data Office of the Privacy Superintendency of
Independent enforcement Protection Authority Commissioner Industry and Commerce
*
authority
Articles 55-A–55-L Part 1, Division 2 Articles 19–24, Law 1581
Part 1, Division 4,
Rulemaking authority Article 55-J Article 62 Article 21, Law 1581
ENFORCEMENT

Section 26
Part 1, Division 4, Articles 23 and 24, Law
Fining authority Articles 52–54 Article 66
Section 28 1581; Title VII, Law 1266
Criminal penalties Article 71
Articles 23 and 24, Law
Personal liability Article 66 1581; Articles 18 and 19,
Law 1266
Part 1, Division 2, Article 16, Law 1266;
Private right of action Articles 42–45 Articles 50, 69 and 70
Sections 14–17 Decree 2591

*Canada: PIPEDA applies to employee information in organizations engaged in federal works, undertakings or businesses.
*China: Several government departments are responsible for enforcement, including the Cyberspace Administration of China, Ministry of Industry and Information
Technology, and Ministry of Public Security.
*Colombia: In addition to the data protection laws, there are decrees and other documents with relevant data protection provisions, including Decree 1377/2013 and
Decree 2591/1991. Law 1581/2012 prohibits the processing of personal data of children and adolescents.

European Union: General Data Protection Regulation
Hong Kong: Personal Data Privacy Ordinance*; Data Protection Principles (PDPO Schedule 1)
Israel: Protection of Privacy Law; Privacy Protection (Data Security) Regulations
Kenya: The Data Protection Act, 2019; The Data Protection Regulations, 2021*

Part 5, Division 1,
Right to access Article 15 Article 13 Section 26(b)
Section 18; DPP 6
Part 5, Division 2,
Right to correct Article 16 Article 14 Sections 26(d) and 40
Section 22
INDIVIDUAL RIGHTS

Articles 14 (related to
Section 26(e) (if false
DPP 2 (related to correcting inaccuracy)
Right to delete Article 17 or misleading data)
correcting inaccuracy) and 17F(b)
and 40 (limited)
(direct mailing)
Right to portability Article 20 Section 38
Right to opt out of all or Part 6A, Division 2, Sections 26(c), 32,
Articles 7 and 21
specific processing Section 35G 34 and 36
Right to opt in for sensitive
Article 9 *
data processing
Age-based opt-in right Article 8 Section 33
Right not to be subject to
Article 22 Section 35
fully automated decisions
Notice/transparency Sections 25(b), (e)
Article 12 DPPs 5 and 6 Article 11
requirements and 29
Legal basis for processing Article 6 DPP 1 Article 1 Section 30
Purpose limitation Article 5(1)(b) DPPs 1 and 3 Articles 2(9) and 8(b) Section 25(c)
Article 2(c), Privacy
Data minimization Article 5(1)(c) DPP 1 Protection (Data Sections 25(d) and 39
Security) Regulations*
Articles 17 and 17B;
Sections 19(2)(e), 29(f),
Security requirements Article 32 DPP 4 Privacy Protection (Data
41 and 42
Security) Regulations
Privacy by design Article 25 Section 41
Articles 17 and 17A;
Processor/service provider Articles 15 and 19, Parts III and IV; Part IV,
Article 28 DPPs 2(3) and 4(2)
BUSINESS OBLIGATIONS

requirements Privacy Protection (Data General Regulations


Security) Regulations
Prohibition on discrimination Recital 71
Articles 6(b), 10, 11,
Section 43(8)
Part 5, Division 3, 15(a)(2)(d), 17, 18, and 19,
Record keeping Article 30 (data breach);
Section 27 Privacy Protection (Data
General Regulation 19
Security) Regulations
Article 5(c), Privacy
Section 31; Part VIII,
Risk/impact assessments Article 35 Protection (Data
General Regulations
Security) Regulations
Article 33 Article 11(d), Privacy
Section 43; Part VI,
Data breach notification* Protection (Data
Article 34 General Regulations
Security) Regulations
Sections 18-22;
Article 8(a)(1) Registration of Data
Registration with authorities Article 37(7) Part 4, Section 15
(databases) Controllers and Data
Processors Regulations
Article 17B
Data protection officer Article 37 Section 24 (optional)
(security supervisor)*
Privacy Protection
Sections 25(h) and
International data transfer Part 6, Section 33 (Transfer of Data to
Articles 44–50 Part VI; Part VII,
restrictions (not yet in operation) Databases Abroad)
General Regulations
Regulations
Exemption for
Part 8, Sections 53 and 54
employee data
SCOPE

Article 1; Article 4 of the


Nonprofits covered Article 2 Part 1, Section 2 Section 4
Interpretation Law
Sectoral law carveouts Article 6(2) Article 13(c)(3)
State-level preemption Recital 10
Office of the Privacy
EU national data Privacy Protection Office of the Data
Commissioner for
protection authorities Authority Protection Commissioner
Personal Data
Independent enforcement Articles 9, 10, 10A, and 12
authority (database registration);
Articles 51–59 Part 2, Section 5 Articles 11(d) and 20, Sections 5-17
Privacy Protection (Data
ENFORCEMENT

Security) Regulations
Articles 64, 65(1)(c) Article 36; the Privacy
Rulemaking authority Part 3, Section 12 Sections 5, 8, 9 and 74
and 92 Protection Authority
Part 7, Sections 35C, Privacy Protection
Fining authority Article 83 Sections 9(1)(f) and 63
50A, 64, etc. Authority
Articles 5, 6, 16, 29A, 30,
Criminal penalties Numerous provisions Section 73
31A and 31
Director convicted Articles 4, 17, 17B(b), 30,
Personal liability
under PDPO 31A, 31B and 31
Articles 4, 15, 17F(e), 30,
Private right of action Article 79 Part 9, Section 66 Section 65
31B and 31

*Hong Kong: The Personal Data (Privacy) (Amendment) Ordinance 2021 focused on combating doxxing acts took effect Oct. 8, 2021.
*Israel: As with most countries, there are other laws in Israel that may be relevant to data privacy, including the Basic Law: Human Dignity and Liberty that provides
all persons the right to privacy (Article 7) and Communications Law (Bezeq and Transmissions) (Amendment No. 72), 2018. The PPA has publications on topics like data
minimization, cross-border transfers and the appointment of data protection officers.
*Kenya: The Data Protection Regulations include general regulations, regulations regarding complaints handling and enforcement procedures, and regulations
regarding registration of data controllers and data processors. Kenya limits the grounds for processing sensitive personal data (Sections 44 and 45) and personal data
relating to the health of a data subject (Section 46).

New Zealand: Privacy Act 2020; Information Privacy Principles (Part 3, Subpart 1 of the Privacy Act); Codes of practice
Nigeria: Nigeria Data Protection Regulation; Nigeria Data Protection Regulation Implementation Framework
Philippines: Data Privacy Act of 2012 (R.A. 10173)*; Implementing Rules and Regulations of the Data Privacy Act of 2012
Singapore: Personal Data Protection Act

Section 16(c); IRR,
Right to access IPP 6; Part 4, Subpart 1 Paragraph 3.1 (6) and (14) Section 21
Rule VIII, Section 34(c)
Section 16(d); IRR,
Right to correct IPP 7; Part 4, Subpart 2 Paragraph 3.1(7)(h) Section 22
Rule VIII, Section 34(d)
IPP 7; Section 7(1); Part Section 16(e); IRR,
Section 25 (obligation
Right to delete 4, Subpart 2 (related to Paragraph 3.1(9) Rule VIII, Section 34(e)
limiting retention)
INDIVIDUAL RIGHTS

correcting inaccuracy) (certain circumstances)


Paragraph 3.1(14) Section 18; IRR, Rule VIII,
Right to portability Sections 26F–26J*
and (15) Section 36
Right to opt out of all or Paragraphs 2.3(c) IRR, Rule VIII,
Section 16
specific processing and 3.1(11) Section 34(b)
Right to opt in for sensitive NDPR Framework, Section 13; IRR, Rule V,
data processing Articles 5.3.2 and 5.4* Section 22
NDPR Framework,
Age-based opt-in right Articles 5.3.1(d), 5.4 * *
and 5.5*
Paragraph 3.1(7)(L);
Right not to be subject to NDPR Framework, Section 16(c)(6); IRR,
fully automated decisions Articles 3.2 (xvi) Rule VIII, Section 34(b)
and 5.3.1(f)
Paragraphs 2.5, 3.1(1) Sections 11 and 16(a)
Notice/transparency and (7); NDPR and (b); IRR, Rule IV,
IPP 3 Sections 12(d) and 20
requirements Framework, Annex B Section 18(a) and
(Privacy Policy Template) Rule VIII, Section 34(a)
IPPs 10 and 11 Section 13
Legal basis for processing Paragraph 2.2 Section 12; IRR, Rule V
(post-collection) (consent required)
Paragraphs 2.1(1)(a) Sections 11 and 12;
Purpose limitation IPP 10 and 3.1(7)(m); NDPR IRR, Rule IV, Sections 18 and 20
Framework, Article 4.1 Sections 18 and 19.
Sections 11(d) and (e);
NDPR Framework,
IPPs 1 and 9 IRR, Rule IV, Section
Data minimization Annex A (Audit Section 14(2)(a)
(storage limitation) 19(d) and Rule VI,
Template), No. 4.6
Section 26(e)
Paragraphs 2.1(1)(d) and
Chapters V and VII;
Security requirements IPP 5 2.6; NDPR Framework, Section 24
IRR, Rules VI and VII
Article 3.2(v)
BUSINESS OBLIGATIONS

Privacy by design
Sections 14, 20(d)
Processor/service provider Paragraph 2.7; NDPR
IPP 5; Section 11 and 21; IRR, Rule VI, Section 4(2)
requirements Framework, Article 3.2
Section 26(f) and Rule X
Prohibition on discrimination
NDPR Framework,
IRR, Rule VI,
Record keeping Annex A (Audit Section 22A
Section 26(c)
Template), No. 3.1
Paragraph 4.1(5)-(7) Section 20(c); IRR,
(audit requirement); Rule VI, Section 29;
NDPR Framework, NPC Advisory No.
Risk/impact assessments *
Articles 3.2(viii) and 4.2 2017-03, Guidelines
(data protection on Privacy Impact
impact assessment) Assessments
NDPR Framework, Section 20(f);
Data breach notification* Part 6, Subpart 1 Sections 26A–26E
Articles 3.2(ix) and 9 IRR, Rule IX
IRR, Rule XI;
Registration with authorities Section 11(5)*
NPC Circular 17-01
Section 21(b); IRR,
Paragraph 4.1(2); NDPR
Data protection officer Section 201 Rule VI, Section 26(a) and Section 11
Article 3.4-3.7
Rule XII, Section 50(b)
Paragraphs 2.11-12 and
International data transfer
IPP 12; Part 8 3.1(8); NDPR Framework, Section 21; IRR, Rule XII Section 26
restrictions
Articles 7 and 14
Section 4 (limited to
First Schedule, Part 3
Exemption for government officers,
Legitimate Interests,
employee data employees and
Section 10
SCOPE

contractors)
Paragraph 1.2; NDPR
Nonprofits covered Section 8 Section 4 Section 4
Framework, Article 2.1
Sectoral law carveouts Sections 24 and 28 Section 4 Section 4(6)(b)
State-level preemption
Office of the Privacy Nigeria Data National Privacy Personal Data
Independent enforcement Commissioner Protection Bureau* Commission Protection Commission
authority Paragraph 4.2; NDPR
Part 2 Chapter II; IRR, Rule III Sections 5–10
Framework, Article 10
Rulemaking authority Part 3, Subpart 2 Preamble to NDPR Chapter II; IRR, Rule III Section 65
ENFORCEMENT

Paragraph 2.10; NDPR Sections 7(i); Sections 48C–48F,


Fining authority
Framework, Article 10.1.4 IRR, Rule III, Section 9(f) 48J–48K, 51–52A and 56
Sections 104, 118, 197 Paragraph 2.10; NDPR Chapter VIII; IRR, Rule XII, Sections 48C–48F,
Criminal penalties
and 212 Framework, Article 10.1.5 Section 51 and Rule XIII 51–52A and 56
Sections 48C–48F,
Sections 12, 27, 119, 120, Chapter VIII; IRR, Rule XII,
Personal liability 48J–48K, 51–52A, 56
and 211 Section 51 and Rule XIII
and 60
Section 16(f); IRR,
Private right of action Section 31 Rule VIII, Section 34(f) Section 48O
and Rule XII, Section 51

*Nigeria: Explicit consent is required for the processing of sensitive personal data. Consent is required for the processing of the personal data of a minor. A child
is defined as any person under 13. The National Information Technology Development Agency issued the NDPR and was the main regulator. In February 2022, the
government of Nigeria created the NDPB to oversee implementation of the NDPR.
*Philippines: The NPC has issued a number of guidance documents regarding the interpretation of the DPA and the IRR that may be informative. For example, in
Advisory Opinion No. 2017-49, the NPC stated “a minor cannot validly provide the consent as defined under the DPA.”
*Singapore: Amendments to the PDPA not yet in effect will create a right of portability and increase potential financial penalties. The PDPC has issued Advisory
Guidelines on various topics, including data activities related to minors and data protection impact assessments. There is no DPO registration requirement but the law
does require DPO contact details be made public.

South Africa: Protection of Personal Information Act; Regulations Relating to the Protection of Personal Information
South Korea: Personal Information Protection Act
Turkey: Law on the Protection of Personal Data

INDIVIDUAL RIGHTS

| Provision | South Africa | South Korea | Turkey |
|---|---|---|---|
| Right to access | Sections 5(b), 23 and 25* | Articles 4 and 35 | Chapter 3, Article 11 |
| Right to correct | Sections 5(c) and 24; Regulation 3 | Articles 4 and 36 | Chapter 3, Article 11 |
| Right to delete | Sections 5(c) and 24; Regulation 3 | Articles 4 and 36 | Chapter 2, Article 7; Chapter 3, Article 11 (limited) |
| Right to portability | | | |
| Right to opt out of all or specific processing | Sections 5(d)-(e) and 11(3)-(4) | Articles 4 and 37 | |
| Right to opt in for sensitive data processing | Sections 26–33 (“special personal information”) | Article 23 | Chapter 2, Article 6 |
| Age-based opt-in right | Sections 34 and 35 | Article 22(6) | |
| Right not to be subject to fully automated decisions | Sections 5(g) and 71 | | Chapter 3, Article 11(1)(g) |

BUSINESS OBLIGATIONS

| Provision | South Africa | South Korea | Turkey |
|---|---|---|---|
| Notice/transparency requirements | Sections 5(a) and 18 | Articles 3, 4 and 30 | Chapter 3, Article 10(1) |
| Legal basis for processing | Sections 4, 9 and 11 | Articles 3 and 15 | Chapter 2, Articles 4–6 |
| Purpose limitation | Sections 13 and 15 | Articles 3, 15, 18 and 19 | Chapter 2, Article 4(2)(c) |
| Data minimization | Sections 10, 14 and 16 | Article 16(1) | Chapter 2, Article 4(2)(ç) and (d) |
| Security requirements | Sections 19–21 | Article 29 | Chapter 3, Article 12 |
| Privacy by design | | | |
| Processor/service provider requirements | Sections 20 and 21 (security) | Articles 19 and 26 | Chapter 3, Article 12 |
| Prohibition on discrimination | | | |
| Record keeping | Sections 14 and 17 | Article 29 | Chapter 4, Article 16 |
| Risk/impact assessments | Regulation 4(b) | Article 33 | |
| Data breach notification* | Section 22 | Article 34 | Chapter 3, Article 12(5) |
| Registration with authorities | Sections 55 (for Information Officers) and 58 (certain processing); Guidance Note on Application for Prior Authorisation* | Article 32 | Chapter 4, Article 16 |
| Data protection officer | Sections 55 and 56; Regulation 4; Guidance Note on Information Officers and Deputy Information Officers* | Article 31 | |
| International data transfer restrictions | Section 57(1),(d) and 72 | Articles 14(2), 17(3), 39-12 and 39-13 | Chapter 2, Article 9 |

SCOPE

| Provision | South Africa | South Korea | Turkey |
|---|---|---|---|
| Exemption for employee data | Section 32(1)(f) | | |
| Nonprofits covered | Section 3 | Article 58 | Chapter 1, Article 2 |
| Sectoral law carveouts | | Article 6 | Chapter 7, Article 28 |
| State-level preemption | | | Chapter 7, Article 28 |

ENFORCEMENT

| Provision | South Africa | South Korea | Turkey |
|---|---|---|---|
| Independent enforcement authority | Information Regulator; Sections 39–54 | Personal Information Protection Commission; Article 7 | Personal Data Protection Authority; Chapter 6, Articles 19 and 20 |
| Rulemaking authority | Sections 40(1)(f), 60-68 and 112(2) | Articles 7-8 and 7-9 | Chapter 6, Article 22 |
| Fining authority | Section 109 | Articles 70–76 | Chapter 5, Article 18; Chapter 6, Article 22 |
| Criminal penalties | Section 107 | Articles 70–73 | Chapter 5, Article 17 |
| Personal liability | Section 93(b)(ii) (Information Officers); Guidance Note on Information Officers and Deputy Information Officers* | Articles 70–76 | Chapter 5, Article 18 |
| Private right of action | Section 99 | Articles 51–57 | Chapter 3, Article 11(1)(ğ) |

*South Africa: Access to personal information is further regulated by the Promotion of Access to Information Act No. 2 of 2000. Guidelines, guidance notes and
notices from the Information Regulator can be found here.

United States

California: California Consumer Privacy Act; California Consumer Privacy Act Regulations
California: California Privacy Rights Act (fully operative Jan. 1, 2023)
Colorado: Colorado Privacy Act* (effective July 1, 2023)
Utah: Utah Consumer Privacy Act (effective Dec. 31, 2023)
Virginia: Virginia’s Consumer Data Protection Act (effective Jan. 1, 2023)

Section 1798.100 Section 1798.100
Section Section
Right to access Section 1798.110 Section 1798.110 Section 13-61-201(1)
6-1-1306(1)(b) 59.1-577(A)(1)
Section 1798.115 Section 1798.115
Section Section
Right to correct Section 1798.106
6-1-1306(1)(c) 59.1-577(A)(2)
Section Section Section
Right to delete Section 1798.105 Section 1798.105
6-1-1306(1)(d) 13-61-201(2) 59.1-577(A)(3)
Sections
Section Section Section Section
Right to portability 1798.100(d) and
INDIVIDUAL RIGHTS

1798.130(a)(3)(B)(iii) 6-1-1306(1)(e) 13-61-201(3) 59.1-577(A)(4)


1798.130(a)(2)
Right to opt out of all or Section Section Section
Section 1798.120 Section 1798.120
specific processing 6-1-1306(1)(a) 13-61-201(4) 59.1-577(A)(5)
Section
16-61-302(3)(a)
Right to opt in for sensitive Section
Section 1798.121* Section 6-1-1308(7) (notice and
data processing 59.1-578(A)(5)
opportunity to
opt-out)
Section Section
13-61-302(3)(b) 59.1-578(A)(5)
(process in (process in
Age-based opt-in right Section 1798.120(c) Section 1798.120(c) Section 6-1-1308(7) accordance with accordance with
the Children’s the Children’s
Online Privacy Online Privacy
Protection Act)) Protection Act)
Right not to be subject to Section Section Section
fully automated decisions 1798.185(a)(16)* 6-1-1306(1)(a)(I)(C) 59.1-577(A)(5)
Section 1798.100(b) Section 1798.100(a)
Notice/transparency Sections Section
Section 6-1-1308(1) Section 13-61-302(1)
requirements 1798.130(a) and Section 1798.130 59.1-578(C)-(E)
1798.135
Legal basis for processing
Section Section
Purpose limitation Section 1798.100(b) Section 1798.100(c)
6-1-1308(2), (4) 59.1-578(A)(2)
Sections
Section
Data minimization 1798.100(c) and Section 6-1-1308(3)
59.1-578(A)(1)
1798.100(a)(d)
BUSINESS OBLIGATIONS

Sections
Section Section
Security requirements Section 1798.150(a) 1798.100(e) and Section 6-1-1308(5)
13-61-302(2) 59.1-578(A)(3)
1798.150(a)
Privacy by design
Sections
Processor/service provider
Section 1798.140(v) 1798.100(d) and Section 6-1-1305 Section 13-61-301 Section 59.1-579
requirements
1798.140(ag)(1)
Section Section
Prohibition on discrimination Section 1798.125 Section 1798.125 Section 6-1-1308(6)
13-61-302(4) 59.1-578(A)(4)
CCPA Regulations,
Record keeping
Section 999.317
Section
Risk/impact assessments Section 6-1-1309 Section 59.1-580
1798.185(a)(15)
Data breach notification*
Registration with authorities
Data protection officer
International data transfer
restrictions
Section
Section
1798.145(m) from
Exemption for 6-1-1304(2)(k) Section Section
CPRA operative
employee data (employment 13-61-102(2)(o)* 59.1-576(C)(14)*
immediately until
SCOPE

records)*
Jan. 1, 2023
Nonprofits covered Section 6-1-1304
Sections 1798.145 Sections 1798.145 Section
Sectoral law carveouts Section 6-1-1304(2) Section 59.1-576
and 1798.146 and 1798.146 13-61-102(2)
Preemption Section 1798.180 Section 1798.180 Section 6-1-1312 Section 13-61-103(1)
California Privacy
Independent enforcement Protection Agency*
authority Section 1798.199.10
ENFORCEMENT

et seq.
Rulemaking authority Section 1798.185 Section 1798.185 Section 6-1-1313
Sections 1798.155,
Fining authority Section 1798.155 1798.199.55 and Section 6-1-1311 Section 13-61-402 Section 59.1-584
1798.199.90
Criminal penalties
Personal liability
Private right of action Section 1798.150 Section 1798.150

*California: The CPRA categorizes sensitive data and allows consumers to limit its use and disclosure but does not require opt-in consent for use of sensitive data.
There is no explicit right against automatic decision-making but the use of automatic decision-making is within the scope of the regulations to be promulgated. The
CPPA has administrative authority to implement and enforce the CPRA. The California attorney general’s office retains civil enforcement authority.
*Colorado: The CPA is now codified in the Colorado Revised Statutes. The definition of “consumer” in Section 6-1-1303(6)(b) “does not include an individual acting in a
commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.”
*Utah: In addition to the exemption for data processed in the employment context, the definition of “consumer” in Section 13-61-101(10)(b) “does not include an
individual acting in an employment or commercial context.”
*Virginia: The definition of “consumer” in Section 59.1-575 “does not include a natural person acting in a commercial or employment context.”
