Data protection laws are changing fast. With new regulations emerging worldwide, businesses need to stay on top of compliance requirements to protect their data, avoid penalties, and build trust with customers.

In 2023 and 2024 alone, we've seen significant new laws and updates that impact data handling and privacy standards. Some of these regulations won’t take effect until 2025, giving organizations time to prepare—but the earlier you start, the better.

Table of Contents

  1. U.S. data protection regulations
    1.1 California Privacy Rights Act (CPRA)
    1.2 Virginia Consumer Data Protection Act (VCDPA)
    1.3 Texas Data Privacy and Security Act (TDPSA)
  2. Other U.S. data protection regulations in 2023/2024
  3. New global data protection regulations in 2023/2024
    3.1 The EU Artificial Intelligence Act (AI Act)
    3.2 EU’s Digital Operational Resilience Act (DORA)
    3.3 European Data Act
    3.4 Switzerland: Federal Act on Data Protection (FADP)
    3.5 Israel: Significant changes in Privacy Protection Law (PPL)
    3.6 Saudi Arabia: Personal Data Protection Law
  4. Best practices for staying compliant with evolving data protection regulations
  5. How Safetica can boost your regulatory compliance efforts

This article is your quick guide to the latest global data protection regulations, highlighting essential information on new rules and key updates from around the world. We’ll keep this resource updated regularly, so you can always check here to make sure your organization is prepared for what’s next in data security.

Note on dates:
For data protection laws, you’ll often see both an enacted date and an effective date. The enacted date is when a regulation is officially passed and signed into law, while the effective date is when the law’s requirements officially apply, meaning businesses should be compliant by this time.

In some cases, there’s also an enforcement date, which is when authorities begin actively enforcing the law and may start penalizing non-compliance. Usually, the effective and enforcement dates are the same, but occasionally there’s a grace period after the effective date to give businesses extra time to adjust.

  • Enacted date: When a regulation or law is officially passed and signed by the governing body.
  • Effective date: When the law’s provisions are intended to apply, requiring compliance.
  • Enforcement date: When authorities begin enforcement actions, sometimes allowing an additional preparation period.

U.S. data protection regulations

1.1 California Privacy Rights Act (CPRA)

  • Enacted date: November 3, 2020
  • Effective date: January 1, 2023
  • Enforcement date: July 1, 2023
  • Applies to: Businesses operating in California that have annual gross revenues over USD 25 million; buy, sell, or share the personal information of 100,000 or more California residents or households annually; or derive 50% or more of annual revenue from selling or sharing California residents' personal information.
  • Key focus: Enhanced consumer data rights, data minimization, and sensitive data use restrictions

The California Privacy Rights Act (CPRA) builds on the state’s previous CCPA regulation, giving consumers more power over their data. It requires businesses to implement stronger data protection practices and offers new rights for individuals, such as correcting inaccurate information and restricting the use of sensitive data.

Under the CPRA, companies need to:

  • Update privacy policies to reflect enhanced consumer rights.
  • Implement data minimization principles, limiting the collection and retention of data to what is necessary.
  • Give “sensitive data,” such as Social Security numbers and geolocation, extra protection, and give consumers options to limit its use.

    1.2 Virginia Consumer Data Protection Act (VCDPA)

    • Enacted date: March 2, 2021
    • Effective date: January 1, 2023
    • Applies to: Businesses that conduct business in Virginia or target Virginia residents, processing data of at least 100,000 residents annually, or processing data of 25,000 residents and deriving over 50% of revenue from data sales.
    • Key focus: Consumer data rights, data protection assessments, and opt-out options for targeted advertising
    • For details, see our full article: Virginia Consumer Data Protection Act (VCDPA): The Scope, Purpose, and How to Comply

    The VCDPA grants Virginians several new rights, similar to the CPRA. It requires companies to offer individuals rights to access, correct, delete, and opt out of data collection, particularly for purposes like targeted advertising.

    Key requirements under the VCDPA include:

    • Performing data protection assessments for activities such as targeted advertising or processing sensitive data.
    • Setting up systems that allow users to exercise their rights, such as opting out of data collection for marketing purposes.
    • Updating data privacy policies to ensure they cover these new consumer rights.

      1.3 Texas Data Privacy and Security Act (TDPSA)

      • Enacted date: June 18, 2023
      • Effective date: July 1, 2024 (some provisions on January 1, 2025)
      • Applies to: Businesses that conduct business in Texas or offer products or services consumed by Texas residents, excluding entities classified as “small businesses” by the U.S. Small Business Administration.
      • Key focus: Data transparency, consumer rights, and security measures for sensitive data

        The Texas Data Privacy and Security Act (TDPSA) is another critical regulation impacting businesses across the U.S. It focuses on transparency and requires companies to disclose their data collection and processing practices to consumers. The TDPSA also imposes specific obligations around sensitive data protection.

        Highlights of the TDPSA include:

        • A requirement for clear and accessible privacy policies that explain what data is collected, why it’s collected, and how it’s used.
        • Mandatory security measures, especially for sensitive personal data.
        • An emphasis on giving consumers control over their data, including rights to access, correct, and delete personal information.

        Other U.S. data protection regulations in 2023/2024

        The following state-level regulations came into effect across the U.S. in 2023 and 2024, adding new standards for data privacy and consumer rights. Below is a quick overview of each, listed alphabetically for easy reference, including important dates to be aware of. 

        Connecticut Data Privacy Act (CTDPA)


        Colorado Privacy Act (CPA)


        Delaware Personal Data Privacy Act (DPDPA)

        • Enacted: September 11, 2023
        • Effective date: January 1, 2025

        Indiana Consumer Data Protection Act (INCDPA)

        • Enacted: May 1, 2023
        • Effective date: January 1, 2026

        Iowa Consumer Data Protection Act (ICDPA)

        • Enacted: March 29, 2023
        • Effective date: January 1, 2025

        Kentucky Consumer Data Protection Act (KCDPA)

        • Enacted: June 28, 2023
        • Effective date: January 1, 2025

        Maryland Online Data Privacy Act (MODPA)

        • Enacted: May 19, 2023
        • Effective date: January 1, 2025

        Minnesota Consumer Data Privacy Act (MCDPA)

        • Enacted: July 15, 2023
        • Effective date: July 1, 2025

        Montana Consumer Data Privacy Act (MTCDPA)

        • Enacted: May 19, 2023
        • Effective date: October 1, 2024

        New Hampshire Privacy Act (NHPA)

        • Enacted: June 30, 2023
        • Effective date: January 1, 2025

        New Jersey Data Privacy Act (NJDPA)

        • Enacted: August 8, 2023
        • Effective date: February 1, 2025

        Oregon Consumer Privacy Act (OCPA)

        • Enacted: July 27, 2023
        • Effective date: July 1, 2024

        Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

        • Enacted: September 15, 2023
        • Effective date: January 1, 2025

        Tennessee Information Protection Act (TIPA)

        • Enacted: May 11, 2023
        • Effective date: July 1, 2024

        Utah Consumer Privacy Act (UCPA)

        New global data protection regulations in 2023/2024

        3.1 The EU Artificial Intelligence Act (AI Act)

        • Enacted date: July 12, 2024
        • Effective date: August 1, 2024
        • Certain provisions, such as prohibitions on specific AI systems, apply from February 2, 2025.
        • Additional rules, including those for high-risk AI systems, become applicable on August 2, 2025.
        • The remaining provisions are set to apply from August 2, 2026.
        • Applies to: Entities developing, deploying, or using AI systems within the EU, and companies outside the EU offering AI systems to EU customers.
        • Key focus: Ensuring AI safety, transparency, and alignment with EU values, using a risk-based approach to classify and regulate AI systems.
        • For details, see our full article: The EU AI Act: The Scope, Purpose, and How to Comply

        The EU AI Act establishes a comprehensive regulatory framework for artificial intelligence within the European Union, aiming to ensure that AI systems are safe, transparent, and respect fundamental rights. It introduces a risk-based approach, categorizing AI systems into different levels of risk and imposing corresponding obligations.

        Compliance highlights:

        • Classify AI systems into risk categories—unacceptable, high, limited, and minimal—based on their potential impact.
        • Ensure users are informed when interacting with AI systems, especially high-risk applications.
        • Implement mechanisms for human oversight and accountability in high-risk AI systems.
        • Conduct regular audits to confirm compliance with EU standards.

        3.2 EU’s Digital Operational Resilience Act (DORA)

        • Enacted date: December 16, 2022
        • Effective date: January 16, 2025
        • Enforcement date: January 17, 2025
        • Applies to: Financial institutions within the EU, including banks, insurance companies, investment firms, and ICT service providers
        • Key focus: Enhancing cybersecurity and operational resilience within the financial sector, ensuring continuity and protection against cyber threats.
        • For details, see our full article: DORA: The Scope, Purpose, and How to Comply

        DORA aims to strengthen the digital operational resilience of the financial sector against cyber threats and other operational disruptions. It establishes a comprehensive framework on digital operational resilience for EU financial entities.

        Compliance highlights:

        • Implement a robust ICT risk management framework to address potential vulnerabilities.
        • Establish procedures for reporting significant ICT-related incidents to regulatory authorities.
        • Conduct regular testing of operational resilience strategies, including penetration testing and other security assessments.
        • Ensure thorough vetting and monitoring of third-party ICT service providers to minimize external risks.

        3.3 European Data Act

        • Enacted date: January 11, 2024
        • Effective date: September 12, 2025
        • Applies to: Organizations handling non-personal data generated in the EU, including IoT manufacturers, data service providers, and cloud computing companies
        • Key focus: Promoting data accessibility and sharing while preventing vendor lock-in, enabling a fair and competitive data economy within the EU.
        • For details, see our full article: European Data Act: The Scope, Purpose, and How to Comply

        The European Data Act aims to make more data available for use in the economy and society, while keeping the companies and individuals who generate the data in control. It addresses the need to tap into the vast reservoirs of unused industrial data, creating opportunities for innovation and growth.

        Compliance highlights:

        • Implement mechanisms that allow customers to access and share their non-personal data across different service providers.
        • Design systems that make it easy for customers to switch between service providers without data-related restrictions.
        • Adhere to standards that ensure interoperability between data platforms and services within the EU.

        3.4 Switzerland: Federal Act on Data Protection (FADP)

        • Enacted date: September 25, 2020
        • Effective date: September 1, 2023
        • Applies to: Swiss businesses and any international entities processing the data of Swiss residents
        • Key focus: Enhanced individual rights, data transparency, and increased accountability
        • For details, see our full article: Switzerland’s FADP: The Scope, Purpose, and How to Comply

        Switzerland’s revised Federal Act on Data Protection (FADP) aligns with EU GDPR standards, focusing on transparency and data subject rights. The FADP grants Swiss residents greater control over their data, including the right to access, correct, and delete personal information. It also mandates clear communication on how personal data is used.

        Key compliance points for businesses:

        • Ensure transparency in data processing and provide information to individuals on how their data is used.
        • Implement security measures to protect sensitive data, with accountability for any data breaches.
        • Maintain records of processing activities and conduct regular risk assessments.

          3.5 Israel: Significant changes in Privacy Protection Law (PPL)

          • Enacted date: August 5, 2024
          • Effective date: August 2025
          • Applies to: All organizations processing personal data in Israel, including international companies handling data of Israeli residents

            On August 5, 2024, the Israeli Knesset enacted Amendment No. 13 to the Privacy Protection Law, marking a significant overhaul of the nation's data protection framework. This amendment introduces comprehensive changes aimed at aligning Israel's privacy regulations with global standards, particularly the EU's GDPR.

            Key highlights of the amendment:

            • Expanded definitions: The amendment broadens the scope of "personal data" to encompass a wider range of information, including biometric and genetic data.
            • Data subject rights: Individuals are granted enhanced rights, such as the ability to access, rectify, and delete their personal data.
            • Mandatory data protection officers (DPOs): Certain organizations are now required to appoint DPOs to oversee compliance and ensure adherence to data protection obligations.
            • Strengthened enforcement powers: The Privacy Protection Authority (PPA) is endowed with increased enforcement capabilities, including the authority to impose administrative fines for non-compliance.

              3.6 Saudi Arabia: Personal Data Protection Law

              • Enacted date: September 2021
              • Effective date: September 14, 2023
              • Applies to: All entities processing personal data within Saudi Arabia, as well as entities outside the Kingdom that process personal data related to individuals residing in Saudi Arabia
              • Key focus: Data subject rights, data localization, and strict penalties for non-compliance

                Saudi Arabia’s Personal Data Protection Law enforces stringent controls over data handling, mandating that personal data remain within the country unless explicit permission is granted for international transfers. The law grants individuals the right to access, correct, and delete personal data and imposes significant fines for unauthorized disclosures or non-compliance.

                Compliance highlights:

                • Retain personal data within Saudi borders unless specific permission is obtained for cross-border transfers.
                • Establish procedures for handling data subject rights, including data access, correction, and deletion.
                • Implement robust security measures to protect sensitive data and avoid penalties.

                Best practices for staying compliant with evolving data protection regulations

                With the rapid changes in data protection laws worldwide, businesses need a proactive approach to ensure compliance. Here are some best practices to keep your data loss prevention (DLP) policies up to date:

                • Establish a compliance task force
                  Form a dedicated team or task force responsible for monitoring regulatory changes, reviewing internal policies, and coordinating company-wide compliance efforts. This team can stay informed on updates and make necessary adjustments as new regulations are enacted.
                • Implement regular audits
                  Conduct routine audits to assess your current DLP policies and practices. Regular audits help identify gaps in compliance and provide a clear view of where updates are needed, allowing for timely adjustments.
                • Update policies and train employees
                  Ensure your DLP policies are regularly updated to reflect the latest regulations. Conduct training sessions to educate employees about data security and any new compliance requirements, and to reinforce data protection best practices, particularly around handling sensitive data.
                • Leverage technology for compliance
                  Utilize advanced DLP and compliance management tools to monitor and protect sensitive information. Automated tools can help detect unauthorized access, manage data flows, and provide alerts for potential violations, reducing the risk of non-compliance.

                For more detailed guidance on creating a DLP policy, check out our article on How to Create a DLP Policy in Your Organization.

                How Safetica can boost your regulatory compliance efforts

                Safetica provides a comprehensive solution for regulatory compliance, offering tools that support data privacy and security across various regulations. Here’s how Safetica can help your organization meet evolving compliance requirements:

                  • Data discovery and classification: Safetica enables businesses to identify and classify sensitive data, ensuring that all regulated data is appropriately managed and protected.
                  • Continuous monitoring and auditing: Real-time monitoring and audit trails give organizations full visibility into data access and usage, crucial for demonstrating compliance during audits and assessments.
                  • Behavioral analytics and anomaly detection: With advanced behavioral analytics, Safetica detects suspicious activities, providing early warnings for potential security breaches.
                  • Security controls as evidence: Safetica's strong security controls and documentation practices serve as solid evidence of compliance during regulatory audits, helping businesses demonstrate their adherence to data protection standards.