Which privacy laws apply to your business?
Answer 13 questions. Get your complete privacy law checklist — with exact statutory citations. Free, in under 4 minutes.
Three steps to your privacy law checklist
Answer 13 questions
About your organisation type, geographic reach, data processing profile, and industry sector.
Get your law checklist
Every privacy law that applies to your business, with a plain-English explanation of why.
See exact obligations
Each applicable obligation shown with its precise statutory article citation — ready to act on.
Frequently asked questions
Does GDPR apply to businesses outside the EU?
Yes. GDPR applies to any organisation that processes personal data of individuals in the EU/EEA, regardless of where the organisation is based. This is established under Article 3(2) of the GDPR, known as the extraterritorial scope provision.
Does PIPEDA apply to US companies doing business in Canada?
Yes, if a US company collects, uses, or discloses personal information of Canadian residents in the course of commercial activity, PIPEDA applies. Quebec-based individuals are additionally protected by Quebec Law 25, which is stricter than PIPEDA.
What is the CCPA revenue threshold in 2026?
The CCPA/CPRA applies to for-profit businesses that meet at least one of three thresholds: annual gross revenue exceeding $26.625 million (adjusted for CPI in 2026), annual buying/selling/sharing of personal information of 100,000 or more consumers, or deriving 50% or more of annual revenue from selling or sharing personal information.
Does the Australian Privacy Act apply to small businesses?
The Australian Privacy Act 1988 applies to organisations with annual turnover exceeding AUD $3 million. However, some organisations are covered regardless of size, including health service providers, businesses that trade in personal information, and businesses with a government contract.
When does the India DPDP Act become mandatory?
The Digital Personal Data Protection Act 2023 received presidential assent in August 2023. Full enforcement with rules is expected to come into effect progressively, with complete mandatory compliance anticipated by mid-2027.
Is this assessment a substitute for legal advice?
No. This tool provides general educational information about privacy law applicability based on your answers. It does not constitute legal advice. Privacy law obligations depend on your specific circumstances. Always consult a qualified privacy professional or legal counsel for advice specific to your organisation.
Privacy law quick reference — 2026
Key thresholds, penalties, and authorities for major global privacy laws.
| Law | Jurisdiction | Applies to | Max penalty | Breach notification | Supervisory authority |
|---|---|---|---|---|---|
| GDPR | EU/EEA | Any org processing EU data | €20M or 4% global revenue | 72 hours | Relevant DPA |
| UK GDPR | United Kingdom | Any org processing UK data | £17.5M or 4% global revenue | 72 hours | ICO |
| CCPA/CPRA | California, USA | For-profit, meets thresholds | $7,988 per intentional violation | No fixed window | CPPA |
| PIPEDA | Canada (federal) | Commercial orgs | CAD $100,000 | As soon as feasible | OPC |
| Quebec Law 25 | Quebec, Canada | Any org collecting QC data | CAD $25M or 4% global revenue | 72 hours to CAI | CAI |
| LGPD | Brazil | Any org processing BR data | 2% of revenue or R$50M | Prompt | ANPD |
| Australian Privacy Act | Australia | Orgs with >AUD $3M turnover | AUD $50M | 30 days | OAIC |
| India DPDP | India | Any org processing IN data | Up to ₹250 crore | 72 hours | Data Protection Board |
| UAE PDPL | United Arab Emirates | Any org processing UAE data | AED 5M–20M | 72 hours | UAE TDRA |
Penalties shown are maximums. Actual penalties depend on severity, cooperation, and regulatory discretion. Last reviewed April 2026.
Find out exactly which laws apply to your business
Free assessment. No account required. Statutory citations on every result.