Last reviewed April 2026
Privacy Law Comparison — 2026
Side-by-side comparison of GDPR, UK GDPR, CCPA/CPRA, PIPEDA, Quebec Law 25, LGPD, Australian Privacy Act, India DPDP, and UAE PDPL.
Scroll horizontally on mobile to view all columns. Click any law's column header to view its full guide.
| Attribute | GDPR | UK GDPR | CCPA/CPRA | PIPEDA | Quebec Law 25 | LGPD | Australian PA | India DPDP | UAE PDPL |
|---|---|---|---|---|---|---|---|---|---|
| Jurisdiction | EU/EEA (27 states) | United Kingdom | California, USA | Canada (federal) | Quebec, Canada | Brazil | Australia | India | United Arab Emirates |
| Who it applies to | Any org processing EU data regardless of location | Any org processing UK data regardless of location | For-profit businesses meeting revenue/volume thresholds | Private sector commercial organisations | All organisations collecting Quebec resident data | Any org processing Brazil data regardless of location | Orgs with >AUD $3M turnover + exempt categories | Any org processing India digital personal data | Any org processing UAE data regardless of location |
| Consent model | Opt-in (one of 6 legal bases) | Opt-in (one of 6 legal bases) | Opt-out (notice + right to opt-out) | Meaningful consent (opt-in) | Opt-in (explicit consent for secondary use) | Opt-in (one of 10 legal bases) | Notice-based (consent + legitimate interests) | Opt-in (explicit consent required) | Opt-in (consent + legitimate interests) |
| Right to access | Yes — Art. 15 GDPR | Yes — Art. 15 UK GDPR | Yes — Cal. Civ. Code §1798.100 | Yes — PIPEDA Principle 9 | Yes — s.28 | Yes — LGPD Art. 18(I) | Yes — APP 12 | Yes — DPDP s.11 | Yes — UAE PDPL Art. 12 |
| Right to erasure | Yes — Art. 17 GDPR | Yes — Art. 17 UK GDPR | Yes — Cal. Civ. Code §1798.105 | Limited — PIPEDA | Yes — s.28.1 | Yes — LGPD Art. 18(VI) | Yes — APP 11.2 | Yes — DPDP s.12 | Yes — UAE PDPL Art. 13 |
| Right to portability | Yes — Art. 20 GDPR | Yes — Art. 20 UK GDPR | No — not a CCPA right | No | Yes — s.28.1 | Yes — LGPD Art. 18(V) | Limited — under review | Pending rules | No |
| Automated decisions opt-out | Yes — Art. 22 GDPR | Yes — Art. 22 UK GDPR | Yes — sensitive PI limit use | No | Yes — s.12 | Yes — LGPD Art. 20 | Yes — effective Dec 2026 | Pending rules | Pending regulations |
| Breach notification deadline | 72 hours to DPA | 72 hours to ICO | No fixed window | As soon as feasible | 72 hours to CAI | Prompt (2 business days) | 30 days to OAIC | 72 hours expected | 72 hours to TDRA |
| Max penalty | €20M or 4% global revenue | £17.5M or 4% global revenue | $7,988 per intentional violation | CAD $100,000 | CAD $25M or 4% global revenue | 2% revenue or R$50M | AUD $50,000,000 | ₹250 crore per instance | AED 5M–20M |
| DPO/Privacy Officer required | Yes — in certain cases (Art. 37) | Yes — in certain cases | No — but CPO recommended | Yes — Privacy Officer | Yes — mandatory (s.3.1) | Yes — Encarregado (Art. 41) | No — but recommended | Yes — for Significant Fiduciaries | No — not mandatory |
| Children's age threshold | 16 (or 13–16 with member state option) — Art. 8 | 13 (UK DPA 2018 s.9) | 16 (opt-in) / 13 under COPPA | 13 (default under PIPEDA) | 14 — s.4.1 | 18 (consent) / stricter rules | 15 (proposed reforms) | 18 (DPDP Act s.9) | Pending regulations |
| Supervisory authority | National DPAs (EDPB coordination) | ICO (Information Commissioner) | California Privacy Protection Agency | Office of Privacy Commissioner (OPC) | Commission d'accès à l'information (CAI) | Autoridade Nacional de Proteção de Dados (ANPD) | Office of Australian Info Commissioner (OAIC) | Data Protection Board of India | UAE TDRA |
Data correct as of April 2026. Some jurisdictions have pending rule-making that may alter obligations. Not legal advice — always verify with official sources.
Find out which of these laws apply to your business
Run the free assessment to get a personalised privacy law checklist with exact statutory citations — in under 4 minutes.
Start free assessment →