Navigating global data compliance and regulations in 2025

Protection from loss, theft, and corruption – these are the goals of data privacy regulations.

Adhering to these regulations makes you a trusted sender but it takes resources to keep up with the evolving policies around data privacy. As a dedicated data processor ourselves, we respect every bit of data we touch, and this index will be your guide to existing global legislation and what to expect for the year ahead.

Data compliance is the process that determines legislation and governance to oversee data privacy. That’s a fancy way of saying data legislation tells you how to manage the data within your organization. Data regulations cover the access and management of data pertaining to:

• Consumer privacy
• Data security
• Data storage requirements
• How to handle unauthorized access and cybersecurity attacks

Data compliance covers nothing short of fundamental security rights, and there are a lot of angles we can look at – from the rights of the individual to the operation of businesses.

We know firsthand that data is a complex business topic, but consumer data is much more than just information or numbers. There are human beings connected to every piece of data you obtain. That’s why it’s worth protecting and all more important that it does not get in the wrong hands.

Of course, that data is also very valuable to the companies that collect it, helping them grow their business and build better user experiences. Data legislation not only protects the privacy of everyday people but the security of an organization’s data assets.

In a survey conducted by Sinch Mailjet, it’s clear that GDPR has established itself as a necessity, but a substantial 25% of those surveyed were unsure of the specific data legislation that applied to them. There’s a lot to go through between countries and definitions but keep reading and we’ll set the record straight on these policies.

There are three distinct parties affected by data legislations; data subjects, data controllers, and data processors, each with their own role to play. Though these three players are each represented in all current data legislation, they are not represented in the same way for each.

Before we break down who has to follow which rules, let’s get some basic definitions out of the way.

Data subjects are individuals whose personal data is collected, stored, sold, or processed by a business or organization. As an email sender your data subjects are your subscribers, or anyone whose email address you store.

Legislation that represents the data rights of consumers first emerged in 2016 with the European Union’s (EU) General Data Protection Regulations (GDPR) (effective date in May 2018). In the U.S. there is currently no comprehensive federal data protection legislation. So far, only a handful of states have put forth their own legislation, including California, with the California Consumer Privacy Act (CCPA) which became effective in January of 2020.

Data controllers determine the purposes and means by which personal data is processed. If you are a company that collects and stores personally identifiable information (PII) and you have your own users/customers, then you are a data controller. You are also a data controller just by processing the data of your own employees. Data controllers are decision-makers that call the shots on how the data they collect is managed and used.

A data processor is the one who carries out the actual processing of the data. A good example of the data roles would be to consider your favorite ecommerce store. The users/customers are the data subjects, the store is the data controller managing the products, and a company like Mailgun is one of the data processors working with that company to enable their automated transaction emails.

You are not necessarily limited to one data role. Mailgun, for example, is a data processor when it comes to enabling automated email but we are also a data controller in terms of collecting and storing our customer’s own data, and a data controller in our partnership with our payment provider. There can also be sub-processors who process data for the data processor on behalf of the data controller.

Now that we’ve got the definitions out of the way, let’s talk about the data laws that may affect you.

There are a growing number of legislations out there, and depending on the specific laws, data subjects, controllers, and processors have varying rights. If you’re a U.S. based business, these are the three overall guiding rules that will likely affect you the most:

The GDPR was the first significant legislation that focused on the protection of data rights by mandating transparency and restoring data control to the individual. The GDPR imposes hefty fines for violations and governs data use with the mentality that individuals loan their data to service providers as opposed to surrendering it upon signup. It seeks to ensure utmost protection to consumers.

Key facts to remember:

• Effective since May 25, 2018.
• It harmonizes data protection laws throughout the EU.
• It affects any business that processes data of EU citizens regardless of where they reside.

The CCPA only protects the rights of individuals who are California residents. If you are already GDPR compliant, becoming CCPA compliant will not require significant additional effort.

Key facts to remember:

• Effective since Jan. 1, 2020.
• This legislation provides data protection rights for California residents.
• The CCPA affects organizations that conduct business in California.

HIPPA includes rules for emerging technologies to manage health data like email, digital payment providers, and telehealth services. 2022 brought proposed updates affecting protected health information (PHI), flow of information, and patient access rights. The HIPAA Privacy Rule aims to improve care coordination and data sharing (alongside the rise of telehealth) and will require extensive infrastructure updates and additional training for health care providers and business associates.

Key facts to remember:

• Originally passed in 1996.
• It protects the disclosure of personal health information.
• HIPAA applies to covered entities and business associates within the United States, even with respect to non-United States citizens or residents.

GDPR, CCPA, and HIPAA are the big three when it comes to regulating individual consumer data, but they aren’t the only legislation, and operating without some of the other compliance standards can make it challenging to operate your business across borders.

We know that all this policy talk might be starting to feel a bit like a textbook. We’re not in the business of lecturing but we do have the facts. If you are unsure which data legislation applies to you, we’ve created a table that helps you get the knowledge fast.

Legi­sla­tion	Fine­s	Prot­ected data­ subj­ects	Affe­cted data­ cont­rollers and proc­essors
G­DPR: The EU’s­ Gene­ral Data­ Prot­ection Regu­lation	€20M­­ or 4% of annu­­al glob­­al turn­­over (whi­­chever is grea­­ter).	Any EU citi­zen whos­e pers­onal data­ is coll­ected, held­, or proc­essed by an orga­nization.	Glob­­al busi­­nesses that­­ proc­­ess pers­­onal data­­ of EU citi­­zens incl­­uding nonp­­rofits that­­ acce­­pt dona­­tions from­­ EU citi­­zens.
C­CPA: Cali­fornia’s Cons­umer Priv­acy Act	$100­­-$750 per cons­­umer per inci­­dent. $240­­0-$7500 per civi­­l viol­­ation.	Only­ resi­dents of Cali­fornia.	Busi­­nesses oper­­ating in CA that­­ have­­ reve­­nue of $25M­­ or more­­, or proc­­ess data­­ on 50,0­­00 resi­­dents or more­­.
U­CPA Utah­ Cons­umer Priv­acy Act	Up to $750­0 per viol­ation.	An indi­vidual who is a resi­dent of Utah­ acti­ng in an indi­vidual or hous­ehold cont­ext.	Pers­ons or enti­ties doin­g busi­ness in the stat­e of Utah­ with­ an annu­al reve­nue of $25,­000,000 or more­, who eith­er proc­ess pers­onal data­ of 100,­000 or more­ cons­umers or deri­ve over­ 50% of thei­r gros­s reve­nue from­ the sale­ of pers­onal data­ whil­e cont­rolling or proc­essing pers­onal data­ of 25,0­00 or more­ cons­umers.
V­CDPA Virg­inia Cons­umer Data­ Prot­ection Act	Up to $750­0 per viol­ation enfo­rced by the stat­e atto­rney gene­ral.	Only­ resi­dents of Virg­inia.	Natu­ral and lega­l pers­ons cond­ucting busi­ness in VA who meet­ at leas­t one of thes­e requ­irements: Cont­rol or proc­ess pers­onal data­ of at leas­t 100,­000 VA resi­dents, or cont­rol and proc­ess pers­onal data­ of at leas­t 25,0­00 VA cons­umers and deri­ve 50% or more­ gros­s reve­nue from­ the sale­ of pers­onal data­ in a cale­ndar year­.
O­CPA Oreg­on Cons­umer Priv­acy Act	Up to $7,5­00 per viol­ation	Only­ resi­dents of Oreg­on.	Busi­nesses that­ cont­rol pers­onal data­ of at leas­t 100,­000 cons­umers or cont­rol or proc­ess pers­onal data­ of at leas­t 25,0­00 or more­ cons­umers and deri­ve 25 perc­ent or more­ of annu­al gros­s reve­nue from­ sell­ing pers­onal data­.
M­TCDPA Mont­ana Cons­umer Data­ Priv­acy Act	Fine­s not spec­ified unde­r the MTCD­PA, but note­s that­ the Atto­rney Gene­ral can “bri­ng an acti­on”	Only­ resi­dents of Mont­ana	Busi­nesses that­ cont­rol pers­onal data­ of at leas­t 35,0­00 cons­umers excl­uding pers­onal data­ cont­rolled or proc­essed only­ for comp­leting paym­ent tran­sactions, or cont­rol or proc­ess pers­onal data­ of at leas­t 10,0­00 or more­ cons­umers and deri­ve 20 perc­ent or more­ of annu­al gros­s reve­nue from­ sell­ing pers­onal data­
T­DPSA Texa­s Data­ Priv­acy and Secu­rity Act	Up to $7,5­00 per viol­ation	Only­ resi­dents of Texa­s	Busi­nesses cond­ucting busi­ness in Texa­s or gene­rating prod­ucts or serv­ices cons­umed by Texa­s resi­dents and who proc­ess or enga­ging in the sale­ of pers­onal data­ that­ do not iden­tifying as a smal­l busi­ness as defi­ned by the U.S.­ Smal­l Busi­ness Admi­nistration (ind­ependent for-­profit enti­ty with­ fewe­r than­ 500 empl­oyees)
H­IPAA: Heal­th Insu­rance Port­ability and Acco­untability Act	Civi­l mone­tary pena­lties (CMP­) are impo­sed rang­ing from­ $100­ to $50,­000 per affe­cted PHI reco­rd, with­ a maxi­mum fine­ of $1.5­ mill­ion per inci­dent.	All medi­cal reco­rds and othe­r indi­vidually iden­tifiable heal­th info­rmation used­ or disc­losed by a cove­red enti­ty in any form­.	HIPA­A affe­cts heal­th care­ prov­iders, heal­th plan­s, and heal­th care­ clea­ringhouses, and Busi­ness Asso­ciates carr­ying out work­ on beha­lf of a cove­red enti­ty.
U­K GDPR­: Grea­t Brit­ain’s enac­tment of the GDPR­ afte­r Brex­it. The­ GDPR­ is reta­ined in dome­stic law as the UK GDPR­, but the UK has the inde­pendence to keep­ the fram­ework unde­r revi­ew.	The UK GDPR­ has two tier­s of fine­s; the stan­dard maxi­mum fine­ is £8.7­ mill­ion or 2% of the tota­l annu­al worl­dwide turn­over and the high­er maxi­mum fine­, £17.­5 mill­ion or 4% of the tota­l annu­al worl­dwide turn­over.	Gove­rns the proc­essing of pers­onal data­ from­ indi­viduals loca­ted with­in the Unit­ed King­dom.	The UK GDPR­ appl­ies to cont­rollers and proc­essors with­in the UK. It cove­rs orga­nizations base­d outs­ide the UK if thei­r proc­essing acti­vities rela­te to moni­toring, or offe­ring good­s or serv­ices to indi­viduals in the UK.
L­GPD: Braz­il’s Gene­ral Pers­onal Data­ Prot­ection Law	Up to 2% of the net turn­over of the econ­omic grou­p in Braz­il, in its last­ fisc­al year­, limi­ted to BRL 50 mill­ion (app­rox. USD 10.5­ mill­ion) per viol­ation.	Appl­ies to any natu­ral pers­on loca­ted in Braz­il whos­e data­ has been­ coll­ected or proc­essed, rega­rdless of wher­e the comp­any that­ coll­ects the data­ is loca­ted.	The LGPD­ appl­ies to any data­ proc­essing that­ take­s plac­e in Braz­il, for the purp­oses of offe­ring good­s and serv­ices or to proc­ess data­ of peop­le who are loca­ted in Braz­il.
P­IPEDA: Cana­da’s Pers­onal Info­rmation Prot­ection and Elec­tronic Docu­ments Act	Orga­nizations that­ comm­it offe­nses may be subj­ect to fine­s of up to CAD 100,­000.	PIPE­DA prot­ects the pers­onal info­rmation of indi­viduals. An indi­vidual does­ not have­ to be a Cana­dian citi­zen or a resi­dent of a spec­ific prov­ince.	PIPE­DA appl­ies to priv­ate-sector orga­nizations acro­ss Cana­da that­ coll­ect, use or disc­lose pers­onal info­rmation in the cour­se of a com­mercial acti­vity.
A­PPI: Japa­n’s Pers­onal Info­rmation Priv­acy Act	Up to 100,­000,000 Japa­nese yen ($90­7,715) or a crim­inal puni­shment of up to 1 year­ in pris­on.	The APPI­ aims­ to prot­ect the pers­onal data­ of Japa­nese citi­zens.	APPI­ appl­ies to all busi­ness oper­ators that­ hand­le the pers­onal data­ of indi­viduals in Japa­n. Rega­rdless if the comp­any is loca­ted with­in the coun­try.
P­IPL: Chin­a’s Pers­onal Info­rmation Prot­ection Law	The PIPL­ impo­ses a maxi­mum fine­ of up to 50 mill­ion Yuan­ (7.8­ mill­ion USD)­, or 5% of the annu­al reve­nue of the prec­eding fina­ncial year­.	The PIPL­ aims­ to prot­ect the righ­ts and inte­rests of indi­viduals, regu­late pers­onal info­rmation proc­essing acti­vities, and faci­litate reas­onable use of pers­onal info­rmation.	PIPL­ requ­irements cove­r all comp­anies hand­ling the data­ of Chin­ese citi­zens, whet­her they­ are a dome­stic or inte­rnational busi­ness, and whet­her larg­e or smal­l.

We can’t give you a data policy article without talking about these: PCI DSS, SOC2, and ISO are data compliance standards. While these often overlap with the global legislation we’ve covered, there are separate compliance entities that govern them.

These data security standards are essentially audits that result in compliance certifications. Once obtained, these standards let data controllers know that an organization is a responsible partner.

Working with organizations that have achieved these standards can save you the trouble of needing to obtain them yourself. For example, Mailgun doesn’t need to be PCI compliant because we sub processor the payment services, and partner with payment processors that are respecting their own obligations.

Let’s learn a bit more about these standards.

The PCI DSS is about creating confidence and security when processing payments. This standard is governed by the PCI Security Standards Council and is a set of security standards formed in 2004 by Visa, Mastercard, Discover Financial Services, JCB International, and American Express. It protects cardholder data and authentication data for individuals and reduces the risk of data breaches.

The PCI DSS has four main objectives:

1. Protect stored cardholder data.
2. Use and regularly update antivirus software or programs.
3. Restrict access to cardholder data by business need-to-know.
4. Track and monitor all access to network resources and cardholder data.

System and Organization Controls (SOC) are internal reports that provide proof of security. Technology service providers like Mailgun voluntarily get this certification to prove their security processes can be trusted. Another audit-based compliance standard, SOC2, holds providers accountable for their data processing methods and cyber security controls.

Mailgun has SOC2 Type I & II, which are stringent and comprehensive reports that test the effectiveness of security controls and ensure they’re working.

• SOC 2 Type I: Tests to ensure email security controls are in place (you need this for Type II).
• SOC 2 Type II: Tests to ensure controls are in place and they are working effectively.

ISO standards establish baseline securities. If every country had different approaches to security best practices, it would be nearly impossible for companies to create security infrastructure. The solution is a shared international standards body which manages compliance by consensus. The International Organization for Standardization (ISO) has developed and published 25K standards since 1947 (Mailgun has achieved two).

ISO compliance proves you can handle different scenarios and control variables that help protect data and prevent malicious cyberattacks, data breaches, and other security disasters. These standards can also be specific. For example, ISO27701 is a rare certification within the email space containing 40 privacy controls that are closely mapped to GDPR standards.

From the information we’ve shared, you may think that existing legislation covers just about everything but that’s not the way the cookie crumbles. In truth, there are many more policies coming down the pipeline.

As you can tell from our very large table early in this post, not all data legislation is created equal. Currently, data compliance is regulated by individual countries ­– and in the U.S. by individual states – and that can make things muddy for establishing effective business practices. Here are the main things to keep in mind:

• Data jurisdiction: Where your company exists doesn’t necessarily matter. Data jurisdiction is determined more by where your data subjects are located.
• Data impact: Not all organizations are large enough to be represented in legislation. For example, in California the CCPA only affects you if you process data on 50,000 residents or more.
• Penalties: There is no consistency regarding how violations are fined. Some will charge a total percentage of net turnover, while others charge per affected subject for each violation.

Data policy isn’t just changing, it’s changing fast.

In the U.S., an Executive Order was signed by President Biden in early October 2022, implementing the European Union-U.S. Data Privacy Framework, which takes us closer to fixing cross border data transfer protections.

As of July 10, 2023 the European Commision adopted its adequacy decision for the EU-U.S. Data Privacy Framework. What does this mean? This adoption signifies that the United States provides an adequate level of protection for the personal data of EU citizens transferred through US organizations.

This recent adoption follows the Safe Harbor Framework (invalidated in 2015) and the EU-US Privacy Shield Framework (invalidated in 2020) that were both overturned by European courts.

It’s likely that federal data laws are imminent for the U.S., especially if the DPF Program holds, that will be comparable to Europe’s GDPR and make data policies between the U.S. and the EU more seamless. As of late 2024, the U.S. continues to see a patchwork of state laws emerge, pushing closer to federal data legislation. The following states have confirmed new consumer data privacy acts coming into effect in 2025 and beyond:

Signed laws

• The Delaware Personal Data Privacy Act goes into effect January 1, 2025
• The Iowa Consumer Data Protection act goes into effect Jan 1, 2025
• New Jersey legislation goes into effect January 15, 2025
• Tennessee information protection act goes into effect July 1, 2025
• The Indiana consumer data protection act goes into effect January 1, 2026
• The Colorado Privacy Act went into effect July 1, 2023 in a staged approach, full effect October 1, 2025
• The Nebraska Data Privacy Act goes into efect January 1, 2025
• The Kentucky Consumer Data Protection Act goes into effect January 1, 2026
• The Maryland Online Data Privacy Act goes into effect October 1, 2025
• The New Jersey Senate Bill 332 goes into effect January 15, 2025
• The Connecticut Data Privacy Act went into effect July 1, 2023 in a staged approach, full effect January 1, 2025
• The Rhode Island Data Transparency and Privacy Protection Act goes into effect January 1, 2026
• The New Hampshire Senate Bill 255 goes into effect January 1, 2025

States with legislation in committee

• Ohio
• Pennsylvania
• Michigan

States with legislation introduced

• Oklahoma

Once all the above states have active legislation, roughly 50% of the country will be operating with data policies of varying degrees while the other half of states currently have no bills introduced. The increasing adoption of state-specific laws is accelerating pressure for federal-level legislation, potentially mirroring GDPR standards .

These countries are developing legislation that we may see finalized in 2025 or within the next couple of years.

Australia

Australia’s updated Privacy Act addressing digital concerns and enhances online privacy and other measures. The bill (proposed in 2021) will give effect to the Australian Government’s commitment to strengthen the Privacy Act 1988. It enables the introduction of a binding online privacy code for social media and certain other online platforms, increases penalties and enforcement measures, and aims to bring data policies for Australia closer in-line with standards established by the GDPR. In February 2023, Australia’s Attorney-General’s Department released a final report on its review of the Privacy Act, presenting over 100 proposed reformations to the act to update it for the digital age. The Australian Government’s amendments to the Privacy Act 1988 are expected to be finalized in 2025. Proposed updates focus on digital privacy, consumer data transparency, and GDPR-aligned penalties.

India

India’s Personal Data Protection Bill (PDPB) was proposed in 2019 and was recently withdrawn (As of August. 2022) with stark criticism from stakeholders that believed the bill would give the government too much power over the data of its citizens. New legislation was approved by the president of India in August 2023. India’s Digital Personal Data Protection Act (DPDP) is anticipated to enter full enforcement by mid-2025, setting strict data processing limits for businesses handling Indian citizen data.

Canada

Canada’s anticipated update to the Personal Information Protection and Electronic Documents Act (PIPEDA) will integrate stronger individual rights protections and cross-border data transfer guidelines, scheduled for Q1 2025.

Data represents people, and at Mailgun we respect people.

It’s no surprise that data – an endless resource ­– takes a lot of explanation and research to understand. As a data controller in technology, no one knows this better than us. If the links in this post don’t direct you to the information you need, or if you want to know more about how Mailgun manages your data, check out our data and compliance guide.