Data Laws and Regulations by Location

There are multiple laws and regulations related to the security and management of customer data. Regions, countries, and states throughout the world have different requirements. A company is responsible for meeting the specific requirements of each location in which it operates.

Data Regulation EU GDPR

The primary goal of GDPR is to give control of personal data back to citizens and residents of the EU. This is reflected in requirements that data subjects give consent before data is processed, that collected data is anonymized (identifiable information removed) and safely handled when transferred, and that breaches are handled with the utmost urgency and care. The regulation also applies strict rules to the export of personal data to entities outside the EU and requires certain types of companies to appoint data protection officers to oversee GDPR compliance within their organizations.

Data Regulation US CA Shine the Light

California Civil Code 1798.83 to .84 requires all nonfinancial businesses to disclose to customers, in writing or by electronic mail, the types of personal information the business shares with or sells to a third party for direct marketing purposes or for compensation. Under the California law, businesses may post a privacy statement that gives customers the opportunity to choose not to share information at no cost.

Data Regulation PCI DSS

PCI DSS compliance is essential for any company handling credit card information. It entails maintaining a secure data network, regularly monitoring networks, and implementing security controls, among other rules. Most small-to-medium sized businesses fall into Level 4 (<20,000 transactions per year) and are required to submit the relevant Self-Assessment Questionnaire (SAQ) report.

Data Regulation US HIPAA

HIPAA sets the standard for protecting sensitive patient data. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA compliance. The regulations focus on the handling of medical information, including privacy and security. Any company handling healthcare data, from hospitals to insurance companies, must comply with HIPAA security standards when transmitting and storing electronic protected health information (ePHI).

Data Regulation US HBNR

The Federal Trade Commission (FTC), the nation's consumer protection agency, has issued the Health Breach Notification Rule to require certain businesses not covered by HIPAA to notify their customers and others if there is a breach of unsecured, individually identifiable electronic health information. This FTC rule does not apply if you are a HIPAA covered entity, or to the extent you are acting as a HIPAA business associate.

Data Regulation US Red Flags Rule

The Identity Theft Red Flags Rule requires financial institutions to implement a program to detect, prevent, and mitigate identity theft.

Data Regulation US SOX 404

The goal of SOX 404 is to implement accounting and disclosure requirements that increase transparency in corporate governance and financial reporting. The focus is on a company's formal system of internal checks and balances. Information technology (IT) controls are specific activities performed by persons or systems to ensure that business objectives are met. IT control objectives relate to the confidentiality, integrity, and availability of data.

Data Regulation US CCPA

The new California data privacy act, SB1386 or AB-375, took effect on Jan 1, 2020. The CCPA focuses exclusively on data collection and privacy. Citizens have the right to bring a civil action against companies that violate the law.

Data Regulation CAN CASL

The Canadian law sets clear requirements for all commercial emails. The Canadian Radio-television and Telecommunications Commission (CRTC) works hand in hand with its international counterparts—including agencies in the U.S., U.K., and Australia—to investigate and enforce violations of CASL by international senders.

Data Regulation US Privacy Shield

The EU-U.S. Privacy Shield Framework provides a method for companies to transfer personal data to the United States from the European Union (EU) in a way that is consistent with EU law. To join the Privacy Shield Framework, a company must self-certify to the Department of Commerce that it complies with the Privacy Shield Principles. Requirements of the EU-U.S. and Swiss-U.S. Privacy Shield are the same.

Data Regulation US COPPA

The Children's Online Privacy Protection Act requires websites that collect information on children under the age of 13 to comply with the Federal Trade Commission (FTC). The FTC determines whether a website is geared towards children by reviewing its language, content, advertising, graphics, features, and intended audience. The law also affects general interest sites that collect information from children, whether the site's operators mean to do so or not. A company must include certain information in its privacy policy and obtain parental consent before collecting some types of information from children.

Data Regulation US GLBA

The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.

Data Regulation US Disposal Rule

Any business, large or small, or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule. The Rule requires the proper disposal of information in consumer reports and records to protect against "unauthorized access to or use of the information." The Disposal Rule requires disposal practices that are reasonable and appropriate.

Data Regulation US CAN-SPAM

The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003 establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations. It covers all commercial messages, which the law defines as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service."

Data Regulation US OH Data Protection Act

The Ohio Data Protection Act provides organizations with a legal incentive to achieve a "higher level of cybersecurity" by maintaining a cybersecurity program that substantially complies with any one of the approved industry-recommended frameworks. Companies in compliance with any of the frameworks are entitled to a "legal safe harbor" as a defense against legal claims related to a data breach stemming from alleged failures to adopt reasonable cybersecurity measures.

Data Regulation US CT Gen Statute 42-471

Conn. Gen. Stat. § 42-471 requires any company that collects Social Security numbers in the course of business to create a privacy protection policy. The policy must be "publicly displayed" by posting it on a web page, and the policy must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.

Data Regulation US DE Code 6-205C

Del. Code Tit. 6 § 205C affects an operator of a commercial internet website, online or cloud computing service, online application, or mobile application that collects personally identifiable information through the Internet about individual users residing in Delaware. A company must make its privacy policy conspicuously available on its internet website, online or cloud computing service, online application, or mobile application.

Data Regulation US NV NRS 603A

Nevada Revised Statutes, Chapter 603A, focuses on the security of personal information.

Data Regulation US UT Code 13-37-201

Utah law 13-37-201 to -203, although not specifically targeted at online businesses, requires all non-financial businesses to disclose to customers, in writing or by electronic mail, the types of personal information the business shares with or sells to a third party for direct marketing purposes or for compensation.