The Law HQ

Data Protection Laws in the US, UK and EU

Here we offer a guide to data protection laws in the US, UK and EU – important for anyone planning to do business in any of these territories.

Data protection laws

Data protection law governs how organisations collect, use, store, share and secure personal information. Although the US, UK and EU all regulate personal data, they take very different approaches. The EU and UK have broad, principles-based regimes built around the GDPR model. The US has a more fragmented system, with a mix of federal sector-specific laws, state privacy laws and enforcement by regulators such as the Federal Trade Commission.

For any organisation operating internationally, the practical challenge is not just understanding one law, but mapping where customers, employees, suppliers and website users are located, what data is collected about them, why it is used, who it is shared with and whether it crosses borders.

1. What counts as personal data?

In the UK and EU, personal data is broadly understood as information relating to an identified or identifiable person. This can include obvious identifiers such as name, address, email address, phone number and ID numbers, but also less obvious data such as online identifiers, device IDs, location data, behavioural data and combinations of information that can identify someone.

The UK government summarises the core obligation by saying that data protection legislation controls how personal information is used by organisations, including businesses and government departments. It also confirms that the UK regime is governed by the UK GDPR and the Data Protection Act 2018.

The EU GDPR similarly gives people rights over data collected about them, including the right to know what is collected, why it is collected and who it is shared with. Individuals can request access, correction, deletion and withdrawal of consent in many circumstances.

In the US, the definition depends on the relevant law. Some laws apply to “personal information”, some to “personally identifiable information”, some to “consumer health information”, some to “non-public personal information”, and others to children’s data, credit data, biometric data or breach-notification data. This makes US compliance more complex because the first question is often: which law applies?

2. The EU: GDPR and the wider digital regulation framework

The EU General Data Protection Regulation, usually known as GDPR, is one of the world’s most influential data protection laws. It applies across EU member states and is enforced by data protection authorities in all 27 EU countries.

The GDPR is built around several core principles. Organisations must process personal data lawfully, fairly and transparently; collect it for specific purposes; keep it limited to what is necessary; maintain accuracy; avoid keeping it longer than needed; and protect it with appropriate security. In practice, this means businesses need clear privacy notices, lawful bases for processing, records of processing, retention rules, security controls and processes for handling individual rights requests.

The GDPR also gives individuals important rights, including rights of access, rectification, erasure, restriction, portability, objection and rights related to certain automated decisions. Organisations must also pay attention to special category data, such as health data, biometric data, political opinions, religious beliefs and other sensitive information.

Consent is only one possible lawful basis under GDPR. Others include contract, legal obligation, vital interests, public task and legitimate interests. A common compliance mistake is assuming that every activity needs consent. In many business contexts, another lawful basis may be more appropriate, but the organisation must still document and justify its reasoning.

The GDPR also controls international transfers. The European Commission highlights safeguards such as adequacy decisions, Standard Contractual Clauses and Binding Corporate Rules for transfers to third countries. The Commission adopted modernised Standard Contractual Clauses in 2021 for transfers from EU/EEA controllers and processors to organisations outside the EU/EEA.

The EU data protection picture is now broader than GDPR alone. The EU has added major digital regulation around online platforms, data sharing and AI. The European Commission notes that the Digital Services Act, Digital Markets Act and AI Act now sit alongside GDPR as part of the EU’s wider digital rights framework. The EU Data Act has also applied since 12 September 2025 and is designed to create legal clarity around access to and use of data, complementing the Data Governance Act.

3. The UK: UK GDPR, Data Protection Act 2018 and recent reform

After Brexit, the UK retained a GDPR-style regime, now known as the UK GDPR, supported by the Data Protection Act 2018. The Information Commissioner’s Office, or ICO, is the UK’s data protection regulator and provides detailed guidance for organisations.

The UK GDPR is very similar to the EU GDPR in its day-to-day requirements. Organisations must have a lawful basis for processing, provide privacy information, respect individual rights, protect data properly, keep records where required and report certain personal data breaches.

The UK government lists the core data protection principles as using data fairly, lawfully and transparently; using it for specified purposes; keeping it adequate, relevant and limited; keeping it accurate; not keeping it longer than necessary; and handling it securely.

The UK also has the Privacy and Electronic Communications Regulations, often called PECR, which sit alongside data protection law and cover areas such as email marketing, SMS marketing, cookies, tracking technologies and electronic communications. For many marketing teams, PECR is just as important as the UK GDPR because it determines when consent is needed for cookies and direct marketing.

The UK regime has recently changed through the Data Use and Access Act. The ICO states that provisions affecting data protection law and the Privacy and Electronic Communications Regulations are now in force. One important practical change is a new complaints-handling duty: organisations handling personal data must give people a clear way to raise a data protection complaint, acknowledge it within 30 days, investigate appropriately and communicate the outcome.

For UK organisations, this means data protection compliance should now include a clear internal complaints process, not just a privacy notice and subject access request procedure.

4. The US: a patchwork of federal, state and sector laws

The US does not currently have one comprehensive national data protection law equivalent to GDPR. Instead, US privacy law is a patchwork of federal, state and local rules. DLA Piper’s data protection guide describes US privacy law as a complex mix of national, state and local laws, with no comprehensive national privacy law.

At federal level, laws often apply by sector or data type. Examples include rules for financial institutions, healthcare providers, credit reporting agencies, children’s online privacy, telecommunications, marketing, biometrics, communications privacy and breach notification.

The FTC plays a major enforcement role in consumer privacy and data security. Its business guidance covers children’s privacy, health privacy, consumer privacy, credit reporting, data security, the Gramm-Leach-Bliley Act and related areas. The FTC also stresses that companies must honour their privacy promises and maintain appropriate security for the data they hold.

Important US federal privacy and data laws include:

FTC Act – prohibits unfair or deceptive acts or practices. This is often used when companies make misleading privacy claims or fail to provide reasonable security.

HIPAA – applies to certain healthcare organisations, health plans, healthcare clearinghouses and business associates handling protected health information. The FTC notes that businesses collecting or sharing consumer health information may need to consider HIPAA, the FTC Act and the Health Breach Notification Rule.

Gramm-Leach-Bliley Act – applies to financial institutions and includes privacy and security obligations for non-public personal information.

COPPA – protects children’s online privacy. The FTC says COPPA gives parents control over what information websites can collect from children, with the COPPA Rule adding protections and procedures for covered companies.

Fair Credit Reporting Act – regulates consumer reports and credit reporting data. The FTC highlights responsibilities for organisations using consumer reports for creditworthiness, employment, leases or insurance.

State breach notification laws – all US states have some form of data breach notification requirement, although the details vary.

The biggest recent development in the US is the rise of comprehensive state privacy laws. California led the way with the CCPA and CPRA, but many other states now have their own broad privacy laws. IAPP’s US State Privacy Legislation Tracker is updated regularly and tracks comprehensive state privacy bills across the US. White & Case reported in April 2026 that 20 US states had enacted comprehensive data privacy laws, including California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Florida, Maryland, Minnesota, Montana, Oregon, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska and Rhode Island.

Common rights under US state privacy laws include the right to access personal information, delete it, correct it, opt out of sale or sharing, opt out of targeted advertising, and limit certain uses of sensitive data. However, thresholds, exemptions, enforcement powers and definitions vary significantly from state to state.

5. Main differences between the US, UK and EU

The EU and UK use broad, principles-based laws that apply across most sectors. The US relies more heavily on sector-specific laws and state-by-state rules. This is the most important structural difference.

The EU GDPR generally has the strongest and most consistent individual rights framework. The UK is similar, although recent reforms are creating some divergence. The US position depends heavily on the state, sector and data type.

Consent also works differently. Under GDPR and UK GDPR, consent must be freely given, specific, informed and unambiguous, and people must be able to withdraw it. However, consent is not always required because other lawful bases may apply. In the US, consent requirements vary widely. Some contexts require opt-in consent, while others rely on notice and opt-out mechanisms, especially around sale, sharing or targeted advertising under state privacy laws.

International transfers are another major difference. The EU and UK have structured transfer rules, including adequacy decisions and contractual safeguards. The US does not usually restrict outbound transfers in the same broad way, although specific sectors, contracts and emerging security rules may impose limits.

Penalties also differ. GDPR-style fines can be very significant, especially for serious or repeated violations. In the US, enforcement may come from the FTC, state attorneys general, sector regulators or private litigation, depending on the law.

6. What businesses should do in practice

The best starting point is a data map. Organisations should identify what personal data they collect, where it comes from, where it is stored, which systems use it, who it is shared with, how long it is kept and whether it crosses borders.

Next, businesses should define their lawful basis or legal justification for each major activity. In the UK and EU, this means identifying the correct GDPR lawful basis. In the US, it means identifying the applicable federal and state laws, sector rules and contractual obligations.

Privacy notices should be clear, accurate and kept up to date. A common risk is having a privacy policy that says one thing while the business does another. In the US, this can create FTC risk because the FTC focuses heavily on whether companies honour their privacy promises.

Organisations should also maintain processes for individual rights requests. In the EU and UK, this includes subject access requests and other GDPR rights. In the US, it may include access, deletion, correction and opt-out rights under applicable state privacy laws.

Security is central in all three regions. Businesses should use appropriate technical and organisational measures, such as access control, encryption, multi-factor authentication, staff training, secure development practices, supplier due diligence, incident response plans and retention controls.

Marketing teams need particular care. Email marketing, SMS marketing, cookies, analytics, pixels, retargeting and lead generation can trigger different rules in the UK, EU and US. UK and EU rules are usually stricter on cookies and electronic marketing, while US rules require careful attention to state opt-out rights, “sale” or “sharing” definitions and targeted advertising requirements.

Supplier contracts also matter. If a third-party processor, vendor, SaaS platform, payroll provider, CRM, marketing platform or analytics provider handles personal data, contracts should include appropriate data protection terms. For EU and UK data, this often means controller-processor clauses and international transfer safeguards where relevant.

7. Practical compliance checklist

A basic compliance programme should include:

  1. A personal data inventory or data map.
  2. A record of processing activities where required.
  3. Clear privacy notices for customers, employees and website users.
  4. Lawful basis assessments for UK and EU processing.
  5. Consent and preference management where required.
  6. Cookie and tracking technology controls.
  7. Individual rights request procedures.
  8. A complaints process, especially for UK compliance.
  9. Data retention and deletion rules.
  10. Security controls and breach response plans.
  11. Supplier due diligence and data processing agreements.
  12. International transfer assessments and safeguards.
  13. Staff training for anyone handling personal data.
  14. Regular reviews of privacy policies, vendor tools and marketing practices.
  15. Monitoring of new US state privacy laws and EU/UK regulatory changes.

8. Key takeaways

The EU remains the strictest and most harmonised of the three regions, with GDPR at the centre of a wider digital regulation framework. The UK remains close to the GDPR model but is now developing its own post-Brexit reforms, including new complaints-handling duties. The US is the most fragmented, with no single federal GDPR equivalent, but an increasingly important set of state privacy laws.

For organisations operating across all three regions, the safest approach is to build a GDPR-style privacy governance programme, then layer on UK-specific, EU-specific and US state-specific requirements. That means knowing your data, limiting what you collect, being transparent, securing it properly, respecting individual rights and keeping up with regulatory change.

For anyone looking at doing business in the US, UK or EU, we’ll aim to keep this page up to date with the latest data protection laws and compliance best practices.