Navigating global data compliance and regulations in 2025
Navigating legislation on data privacy can be like finding your way through a maze full of booby-traps. We’ve got the map to guide you and the data you need to know now. This post has been updated to reflect global and domestic updates as of December 2024.
Protection from loss, theft, and corruption – these are the goals of data privacy regulations.
Adhering to these regulations makes you a trusted sender but it takes resources to keep up with the evolving policies around data privacy. As a dedicated data processor ourselves, we respect every bit of data we touch, and this index will be your guide to existing global legislation and what to expect for the year ahead.
Table of contents
Who are the data subjects?
Who are the data controllers?
Who are the data processors?
General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA)
Health Insurance Portability and Accountability Act (HIPAA)
Comparing global data policies: reference table
PCI Data Security Standard (PCI DSS)
SOC2 Type I and II Compliance
ISO standards
Domestic policy updates
Other countries currently creating policies
What is data compliance?
Data compliance means following the legislation and governance rules that oversee data privacy. That’s a fancy way of saying data legislation tells you how to manage the data within your organization. Data regulations cover the access and management of data pertaining to:
Consumer privacy
Data security
Data storage requirements
How to handle unauthorized access and cybersecurity attacks
Data compliance covers nothing short of fundamental security rights, and there are a lot of angles we can look at – from the rights of the individual to the operation of businesses.
Why data compliance matters
We know firsthand that data is a complex business topic, but consumer data is much more than just information or numbers. There are human beings connected to every piece of data you obtain. That’s why it’s worth protecting and all the more important that it does not get into the wrong hands.
Of course, that data is also very valuable to the companies that collect it, helping them grow their business and build better user experiences. Data legislation not only protects the privacy of everyday people but the security of an organization’s data assets.
In a survey conducted by Sinch Mailjet, it’s clear that GDPR has established itself as a necessity, but a substantial 25% of those surveyed were unsure of the specific data legislation that applied to them. There’s a lot to go through between countries and definitions but keep reading and we’ll set the record straight on these policies.
Data and compliance: Parties involved
There are three distinct parties affected by data legislation: data subjects, data controllers, and data processors, each with their own role to play. Though these three players are each represented in all current data legislation, they are not represented in the same way in each.
Before we break down who has to follow which rules, let’s get some basic definitions out of the way.
Who are the data subjects?
Data subjects are individuals whose personal data is collected, stored, sold, or processed by a business or organization. As an email sender your data subjects are your subscribers, or anyone whose email address you store.
Legislation that represents the data rights of consumers first emerged in 2016 with the European Union’s (EU) General Data Protection Regulation (GDPR) (effective in May 2018). In the U.S. there is currently no comprehensive federal data protection legislation. So far, only a handful of states have put forth their own legislation, including California, with the California Consumer Privacy Act (CCPA), which became effective in January 2020.
Who are the data controllers?
Data controllers determine the purposes and means by which personal data is processed. If you are a company that collects and stores personally identifiable information (PII) and you have your own users/customers, then you are a data controller. You are also a data controller just by processing the data of your own employees. Data controllers are decision-makers that call the shots on how the data they collect is managed and used.
Who are the data processors?
A data processor is the one who carries out the actual processing of the data. A good example of the data roles would be to consider your favorite ecommerce store. The users/customers are the data subjects, the store is the data controller managing the products, and a company like Mailgun is one of the data processors working with that company to enable their automated transaction emails.
You are not necessarily limited to one data role. Mailgun, for example, is a data processor when it comes to enabling automated email, but we are also a data controller in terms of collecting and storing our customers’ own data, and a data controller in our partnership with our payment provider. There can also be sub-processors who process data for the data processor on behalf of the data controller.
Consumer privacy laws
Now that we’ve got the definitions out of the way, let’s talk about the data laws that may affect you.
There is a growing body of legislation out there, and depending on the specific laws, data subjects, controllers, and processors have varying rights. If you’re a U.S.-based business, these are the three overall guiding rules that will likely affect you the most:
General Data Protection Regulation (GDPR)
The GDPR was the first significant legislation that focused on the protection of data rights by mandating transparency and restoring data control to the individual. The GDPR imposes hefty fines for violations and governs data use with the mentality that individuals loan their data to service providers as opposed to surrendering it upon signup. It seeks to ensure the utmost protection for consumers.
Key facts to remember:
Effective since May 25, 2018.
It harmonizes data protection laws throughout the EU.
It affects any business that processes data of EU citizens regardless of where they reside.
Want to learn more about GDPR? Check out our post General Data Protection Regulation (GDPR): Why should you care?
California Consumer Privacy Act (CCPA)
The CCPA only protects the rights of individuals who are California residents. If you are already GDPR compliant, becoming CCPA compliant will not require significant additional effort.
Key facts to remember:
Effective since Jan. 1, 2020.
This legislation provides data protection rights for California residents.
The CCPA affects organizations that conduct business in California.
Want to learn more about CCPA? Check out our post California Consumer Privacy Act (CCPA): Why should you care?
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA includes rules for emerging technologies that manage health data, like email, digital payment providers, and telehealth services. 2022 brought proposed updates affecting protected health information (PHI), the flow of information, and patient access rights. The HIPAA Privacy Rule aims to improve care coordination and data sharing (alongside the rise of telehealth) and will require extensive infrastructure updates and additional training for health care providers and business associates.
Key facts to remember:
Originally passed in 1996.
It protects the disclosure of personal health information.
HIPAA applies to covered entities and business associates within the United States, even with respect to non-United States citizens or residents.
Want to learn more about HIPAA? Check out our post HIPAA compliance and email: What you need to know
Comparing global data policies: reference table
GDPR, CCPA, and HIPAA are the big three when it comes to regulating individual consumer data, but they aren’t the only legislation, and operating without some of the other compliance standards can make it challenging to operate your business across borders.
We know that all this policy talk might be starting to feel a bit like a textbook. We’re not in the business of lecturing but we do have the facts. If you are unsure which data legislation applies to you, we've created a table that helps you get the knowledge fast.
Legislation | Fines | Protected data subjects | Affected data controllers and processors
---|---|---|---
GDPR: The EU’s General Data Protection Regulation | €20M or 4% of annual global turnover (whichever is greater). | Any EU citizen whose personal data is collected, held, or processed by an organization. | Global businesses that process personal data of EU citizens, including nonprofits that accept donations from EU citizens.
CCPA: California’s Consumer Privacy Act | $100-$750 per consumer per incident. $2400-$7500 per civil violation. | Only residents of California. | Businesses operating in CA that have revenue of $25M or more, or process data on 50,000 residents or more.
UCPA: Utah Consumer Privacy Act | Up to $7500 per violation. | An individual who is a resident of Utah acting in an individual or household context. | Persons or entities doing business in the state of Utah with an annual revenue of $25,000,000 or more, who either process personal data of 100,000 or more consumers or derive over 50% of their gross revenue from the sale of personal data while controlling or processing personal data of 25,000 or more consumers.
VCDPA: Virginia Consumer Data Protection Act | Up to $7500 per violation, enforced by the state attorney general. | Only residents of Virginia. | Natural and legal persons conducting business in VA who meet at least one of these requirements: control or process personal data of at least 100,000 VA residents, or control and process personal data of at least 25,000 VA consumers and derive 50% or more of gross revenue from the sale of personal data in a calendar year.
OCPA: Oregon Consumer Privacy Act | Up to $7,500 per violation. | Only residents of Oregon. | Businesses that control personal data of at least 100,000 consumers, or control or process personal data of at least 25,000 consumers and derive 25 percent or more of annual gross revenue from selling personal data.
MTCDPA: Montana Consumer Data Privacy Act | Fines are not specified under the MTCDPA, but it notes that the Attorney General can “bring an action”. | Only residents of Montana. | Businesses that control personal data of at least 35,000 consumers (excluding personal data controlled or processed only for completing payment transactions), or control or process personal data of at least 10,000 consumers and derive 20 percent or more of annual gross revenue from selling personal data.
TDPSA: Texas Data Privacy and Security Act | Up to $7,500 per violation. | Only residents of Texas. | Businesses conducting business in Texas or producing products or services consumed by Texas residents, who process or engage in the sale of personal data and do not qualify as a small business as defined by the U.S. Small Business Administration (an independent for-profit entity with fewer than 500 employees).
HIPAA: Health Insurance Portability and Accountability Act | Civil monetary penalties (CMP) are imposed ranging from $100 to $50,000 per affected PHI record, with a maximum fine of $1.5 million per incident. | All medical records and other individually identifiable health information used or disclosed by a covered entity in any form. | HIPAA affects health care providers, health plans, and health care clearinghouses, and Business Associates carrying out work on behalf of a covered entity.
UK GDPR: Great Britain’s enactment of the GDPR after Brexit. The GDPR is retained in domestic law as the UK GDPR, but the UK has the independence to keep the framework under review. | The UK GDPR has two tiers of fines: the standard maximum fine is £8.7 million or 2% of total annual worldwide turnover, and the higher maximum fine is £17.5 million or 4% of total annual worldwide turnover. | Governs the processing of personal data from individuals located within the United Kingdom. | The UK GDPR applies to controllers and processors within the UK. It covers organizations based outside the UK if their processing activities relate to monitoring, or offering goods or services to, individuals in the UK.
LGPD: Brazil’s General Personal Data Protection Law | Up to 2% of the net turnover of the economic group in Brazil in its last fiscal year, limited to BRL 50 million (approx. USD 10.5 million) per violation. | Applies to any natural person located in Brazil whose data has been collected or processed, regardless of where the company that collects the data is located. | The LGPD applies to any data processing that takes place in Brazil, for the purposes of offering goods and services, or that processes data of people who are located in Brazil.
PIPEDA: Canada’s Personal Information Protection and Electronic Documents Act | Organizations that commit offenses may be subject to fines of up to CAD 100,000. | PIPEDA protects the personal information of individuals. An individual does not have to be a Canadian citizen or a resident of a specific province. | PIPEDA applies to private-sector organizations across Canada that collect, use, or disclose personal information in the course of a commercial activity.
APPI: Japan’s Personal Information Privacy Act | Up to 100,000,000 Japanese yen ($907,715) or a criminal punishment of up to 1 year in prison. | The APPI aims to protect the personal data of Japanese citizens. | APPI applies to all business operators that handle the personal data of individuals in Japan, regardless of whether the company is located within the country.
PIPL: China’s Personal Information Protection Law | The PIPL imposes a maximum fine of up to 50 million yuan (7.8 million USD), or 5% of the annual revenue of the preceding financial year. | The PIPL aims to protect the rights and interests of individuals, regulate personal information processing activities, and facilitate reasonable use of personal information. | PIPL requirements cover all companies handling the data of Chinese citizens, whether they are a domestic or international business, and whether large or small.
Data security standards
We can’t give you a data policy article without talking about these: PCI DSS, SOC2, and ISO are data compliance standards. While they often overlap with the global legislation we’ve covered, separate compliance bodies govern them.
These data security standards are essentially audits that result in compliance certifications. Once obtained, these standards let data controllers know that an organization is a responsible partner.
As a responsible data processor, we pursue ISO and SOC2 to prove our security. Learn more about Sinch Mailgun security and compliance in our Trust Center.
Working with organizations that have achieved these standards can save you the trouble of needing to obtain them yourself. For example, Mailgun doesn’t need to be PCI compliant because we hand off payment services to sub-processors, partnering with payment processors that meet their own obligations.
Let’s learn a bit more about these standards.
PCI Data Security Standard (PCI DSS)
The PCI DSS is about creating confidence and security when processing payments. This standard is governed by the PCI Security Standards Council and is a set of security standards formed in 2004 by Visa, Mastercard, Discover Financial Services, JCB International, and American Express. It protects cardholder data and authentication data for individuals and reduces the risk of data breaches.
The PCI DSS has four main objectives:
Protect stored cardholder data.
Use and regularly update antivirus software or programs.
Restrict access to cardholder data by business need-to-know.
Track and monitor all access to network resources and cardholder data.
SOC2 Type I and II Compliance
System and Organization Controls (SOC) are internal reports that provide proof of security. Technology service providers like Mailgun voluntarily get this certification to prove their security processes can be trusted. Another audit-based compliance standard, SOC2, holds providers accountable for their data processing methods and cyber security controls.
Mailgun has SOC2 Type I & II, which are stringent and comprehensive reports that test the effectiveness of security controls and ensure they’re working.
SOC 2 Type I: Tests to ensure email security controls are in place (you need this for Type II).
SOC 2 Type II: Tests to ensure controls are in place and they are working effectively.
ISO standards
ISO standards establish security baselines. If every country had a different approach to security best practices, it would be nearly impossible for companies to create security infrastructure. The solution is a shared international standards body that manages compliance by consensus. The International Organization for Standardization (ISO) has developed and published 25K standards since 1947 (Mailgun has achieved two).
ISO compliance proves you can handle different scenarios and control variables that help protect data and prevent malicious cyberattacks, data breaches, and other security disasters. These standards can also be specific. For example, ISO27701 is a rare certification within the email space containing 40 privacy controls that are closely mapped to GDPR standards.
From the information we've shared, you may think that existing legislation covers just about everything but that’s not the way the cookie crumbles. In truth, there are many more policies coming down the pipeline.
What are the limitations of compliance laws?
As you can tell from our very large table earlier in this post, not all data legislation is created equal. Currently, data compliance is regulated by individual countries – and in the U.S. by individual states – and that can make things muddy when establishing effective business practices. Here are the main things to keep in mind:
Data jurisdiction: Where your company exists doesn’t necessarily matter. Data jurisdiction is determined more by where your data subjects are located.
Data impact: Not all organizations are large enough to be represented in legislation. For example, in California the CCPA only affects you if you process data on 50,000 residents or more.
Penalties: There is no consistency regarding how violations are fined. Some will charge a total percentage of net turnover, while others charge per affected subject for each violation.
Data regulations heading into 2025
Data policy isn't just changing, it’s changing fast.
In the U.S., an Executive Order was signed by President Biden in early October 2022, implementing the European Union-U.S. Data Privacy Framework, which takes us closer to fixing cross-border data transfer protections.
As of July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. What does this mean? This adoption signifies that the United States provides an adequate level of protection for the personal data of EU citizens transferred through US organizations.
Learn more about the requirements and adoption process for businesses under the Data Privacy Framework (DPF) Program here.
This recent adoption follows the Safe Harbor Framework (invalidated in 2015) and the EU-US Privacy Shield Framework (invalidated in 2020) that were both overturned by European courts.
Domestic policy updates
It’s likely that federal data laws comparable to Europe’s GDPR are imminent for the U.S., especially if the DPF Program holds, which would make data policies between the U.S. and the EU more seamless. As of late 2024, the U.S. continues to see a patchwork of state laws emerge, pushing closer to federal data legislation. The following states have confirmed new consumer data privacy acts coming into effect in 2025 and beyond:
Signed laws
The Delaware Personal Data Privacy Act goes into effect January 1, 2025
The Iowa Consumer Data Protection Act goes into effect January 1, 2025
The New Jersey Senate Bill 332 goes into effect January 15, 2025
The Tennessee Information Protection Act goes into effect July 1, 2025
The Indiana Consumer Data Protection Act goes into effect January 1, 2026
The Colorado Privacy Act went into effect July 1, 2023 in a staged approach, full effect October 1, 2025
The Nebraska Data Privacy Act goes into effect January 1, 2025
The Kentucky Consumer Data Protection Act goes into effect January 1, 2026
The Maryland Online Data Privacy Act goes into effect October 1, 2025
The Connecticut Data Privacy Act went into effect July 1, 2023 in a staged approach, full effect January 1, 2025
The Rhode Island Data Transparency and Privacy Protection Act goes into effect January 1, 2026
The New Hampshire Senate Bill 255 goes into effect January 1, 2025
States with legislation in committee
Ohio
Pennsylvania
Michigan
States with legislation introduced
Oklahoma
Once all the above states have active legislation, roughly 50% of the country will be operating with data policies of varying degrees, while the other half of states currently have no bills introduced. The increasing adoption of state-specific laws is accelerating pressure for federal-level legislation, potentially mirroring GDPR standards.
Other countries currently creating policies
These countries are developing legislation that we may see finalized in 2025 or within the next couple of years.
Australia
Australia’s updated Privacy Act addresses digital concerns and enhances online privacy, among other measures. The bill (proposed in 2021) will give effect to the Australian Government's commitment to strengthen the Privacy Act 1988. It enables the introduction of a binding online privacy code for social media and certain other online platforms, increases penalties and enforcement measures, and aims to bring Australia’s data policies closer in line with the standards established by the GDPR. In February 2023, Australia’s Attorney-General's Department released a final report on its review of the Privacy Act, presenting over 100 proposed reforms to update the act for the digital age. The Australian Government's amendments to the Privacy Act 1988 are expected to be finalized in 2025. Proposed updates focus on digital privacy, consumer data transparency, and GDPR-aligned penalties.
India
India’s Personal Data Protection Bill (PDPB) was proposed in 2019 and was recently withdrawn (as of August 2022) amid stark criticism from stakeholders who believed the bill would give the government too much power over the data of its citizens. New legislation was approved by the president of India in August 2023. India’s Digital Personal Data Protection Act (DPDP) is anticipated to enter full enforcement by mid-2025, setting strict data processing limits for businesses handling Indian citizens’ data.
Canada
Canada's anticipated update to the Personal Information Protection and Electronic Documents Act (PIPEDA) will integrate stronger individual rights protections and cross-border data transfer guidelines, scheduled for Q1 2025.
As part of its evolving GDPR enforcement measures, the European Commission plans to roll out additional AI-related data processing rules under the AI Act, expected to intersect with GDPR policies by late 2025.
Data compliance matters at Mailgun
Data represents people, and at Mailgun we respect people.
It’s no surprise that data – an endless resource – takes a lot of explanation and research to understand. As a data controller in technology, no one knows this better than us. If the links in this post don’t direct you to the information you need, or if you want to know more about how Mailgun manages your data, check out our data and compliance guide.