Compliance and Data Protection

We design and operate systems to meet regulatory and industry standards. Below are the frameworks we follow and how we address them.

GDPR: General Data Protection Regulation

Governs processing of personal data of EU residents. Key obligations include lawful basis for processing, data minimization, purpose limitation, conducting DPIAs for high‑risk processing, breach notification within 72 hours, and honoring data subject rights (access, rectification, erasure, portability). Typical controls: data inventories, consent flows, encryption in transit and at rest, role‑based access, retention policies, and data processing agreements with vendors.

Controls we typically apply: encryption, access controls, logging, retention policies, vendor agreements. For specific attestations or scoped evidence, contact us and we’ll share what’s relevant to your project.
CCPA / CPRA: California Consumer Privacy Act / California Privacy Rights Act

Governs personal information of California residents and grants rights to access, deletion, and opt‑out of sale or sharing. Key obligations include privacy notices, consumer request handling, data mapping, and opt‑out mechanisms. Typical controls: consumer request workflows, verification procedures, logging of disclosures, and contractual commitments with service providers.

Controls we typically apply: encryption, access controls, logging, retention policies, vendor agreements. For specific attestations or scoped evidence, contact us and we’ll share what’s relevant to your project.
HIPAA: Health Insurance Portability and Accountability Act

Governs protection of electronic protected health information (ePHI) handled by covered entities and business associates. Key obligations include administrative, physical, and technical safeguards; Business Associate Agreements (BAAs); regular risk assessments; and breach reporting. Typical controls: access logging, encryption, least privilege, incident response, and staff training tailored to ePHI handling.

Controls we typically apply: encryption, access controls, logging, retention policies, vendor agreements. For specific attestations or scoped evidence, contact us and we’ll share what’s relevant to your project.
PCI‑DSS: Payment Card Industry Data Security Standard

Governs environments that store, process, or transmit cardholder data. Key obligations include strong access controls, encryption of cardholder data, network segmentation, regular vulnerability scanning, and documented change control. Typical controls: tokenization, secure payment gateways, quarterly scans, and coordination with Qualified Security Assessors for scoped assessments.

Controls we typically apply: encryption, access controls, logging, retention policies, vendor agreements. For specific attestations or scoped evidence, contact us and we’ll share what’s relevant to your project.
GLBA: Gramm‑Leach‑Bliley Act

Governs handling of nonpublic personal information by financial institutions. Key obligations include implementing an information security program, limiting sharing of customer financial information, and providing privacy notices. Typical controls: risk assessments, vendor management, encryption, access controls, and incident response tailored to financial data.

Controls we typically apply: encryption, access controls, logging, retention policies, vendor agreements. For specific attestations or scoped evidence, contact us and we’ll share what’s relevant to your project.
LGPD: Lei Geral de Proteção de Dados (Brazil)

Governs processing of personal data in Brazil with rights and obligations similar to GDPR. Key obligations include lawful bases for processing, transparency, data subject rights, and breach notification. Typical controls: data mapping, consent management, retention policies, and safeguards for cross‑border transfers.

Controls we typically apply: encryption, access controls, logging, retention policies, vendor agreements. For specific attestations or scoped evidence, contact us and we’ll share what’s relevant to your project.

These frameworks guide our security, privacy, and operational controls across products and services.
