Data has become a valuable business asset that organizations must handle responsibly. Data privacy laws set standards for how organizations collect, process, store, and share data to protect individuals’ personal information.
As organizations continue to collect ever-larger volumes of personal data to improve services and boost growth, data privacy laws help ensure that data subjects understand their rights and that companies handle data securely and transparently. Understanding your obligations under relevant data privacy laws will become more challenging as major legislative proposals in Europe and the United States present sweeping changes and new laws governing data privacy. Here is a rundown on the current state of data privacy law in regions and countries around the globe:
European Union (EU)
The General Data Protection Regulation (GDPR) applies to any organization that handles the data of EU residents, not just EU-based companies. Since enforcement began in 2018, the GDPR has continued to set an extremely high bar for data protection by requiring valid consent through explicit, affirmative action, granting EU individuals the right to erasure (the right to be forgotten), and imposing heavy fines for non-compliance.
United States
The U.S. has no federal law governing data privacy. While some federal laws regarding data privacy exist, they typically only address personal data in specific contexts or certain industries. Individual states have the broader responsibility for protecting personal data, and 19 states have passed data protection laws, including California. The California Consumer Privacy Act (CCPA) requires companies to disclose what consumer data they collect and to provide ways to opt out of third-party data sales.
China
China’s chief data privacy law, the Personal Information Protection Law (PIPL), was passed in 2021. Mirroring many of the EU’s GDPR principles, the PIPL requires consent and data minimization while providing data subject rights. It works in collaboration with the Data Security Law (DSL) and the Cybersecurity Law (CSL) to offer comprehensive personal data protection for residents of China. The PIPL is enforced and administered by the Cyberspace Administration of China and imposes substantial penalties for non-compliance.
India
The Digital Personal Data Protection (DPDP) Act is India’s foremost data protection law. Enacted in 2023, it protects digital personal data and gives individuals the right to consent, access, and correct their data. The DPDP pertains to the processing of digital personal data in India and also applies to foreign entities that offer goods and services to “data principals” residing in India. It contains strict provisions on cross-border data transfers and the processing of children’s data.
Brazil
The Brazilian General Data Protection Law (LGPD in Portuguese) took effect in 2020, unifying 40 existing laws into a single data protection framework. Influenced by the EU’s GDPR, the LGPD imposes strict rules on the processing of personal data and applies to any organization that processes personal data, offers goods or services, or collects data within Brazil, regardless of where the business is located.
Canada
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) controls how personal data is collected, used, and shared. PIPEDA compels organizations to obtain informed consent, implement sufficient safeguards for personal information, and communicate data processing practices clearly.
Together, these regional frameworks illustrate how data protection has become a global compliance priority, even as approaches continue to vary by jurisdiction. Looking ahead, several regulatory developments set to unfold in 2026 will further reshape how organizations manage privacy risk worldwide.
What to Track in 2026
- Cross-border transfer: China’s certification measures for cross-border transfers are set to take effect on January 1, 2026.
- AI regulations: The European Commission has also proposed sweeping changes to AI regulation. The EU AI Act takes full effect on August 2, 2026, and will require companies to explain AI-driven decisions affecting consumers. That law may see significant changes based on the EC’s Digital Omnibus Regulation Proposal. Organizations should expect increased uncertainty and scrutiny around transparency, governance, and unacceptable risk.
- State laws: Additional state data privacy laws will take effect in the U.S. in 2026, including Indiana’s Consumer Data Protection Act. California’s CCPA will undergo significant updates, including mandatory privacy risk assessments and a one-click mechanism for data deletion (the Delete Act). To date, 19 states have enacted comprehensive data privacy laws, and that list will continue to grow (see https://iapp.org/resources/article/us-state-privacy-legislation-tracker).
- Schrems III and a Proposed GDPR Re-Write: Privacy advocates like Max Schrems and others are pursuing legal challenges that could bring the EU-US Data Privacy Framework (DPF) back before the Court of Justice of the European Union (CJEU), further complicating transatlantic data transfers between the EU and the U.S. In Europe, the European Commission (EC) has proposed significant amendments to GDPR, redefining what constitutes “Personal Data” and reducing some of the burdens found in the GDPR. The EC’s proposal states, for example, “In Article 3: Paragraph 1 would clarify the definition of personal data under Article 4 of Regulation (EU) 2016/679 (General Data Protection Regulation) by stating that information is not to be considered personal data for a given entity when it does not have means reasonably likely to be used to identify the natural person to whom the information relates.”
Data privacy laws around the world are expected to change dramatically. With the European Commission’s proposed re-write, which includes parallel proposed changes to AI regulations, privacy professionals expect a period of significant change and uncertainty. Those changes will be closely watched throughout the world, especially since so many privacy laws are modeled after the GDPR. In contrast to the trend in the EU, more U.S. states continue to sign comprehensive data privacy laws that tighten regulation, with stricter rules governing AI, data brokers, and the processing of minors’ data.
Nations will continue to work toward harmonized data protection standards to simplify how businesses navigate overlapping regulatory requirements across multiple jurisdictions. Stay tuned for more on international data privacy, sensitive information, cross-border litigation and other topics centering on data protection. Ready to learn more about global privacy laws impacting your organization? Contact us at and schedule a consultation today.


