Last update: October 2021

4 mins to read - 2021/10/18

Data Privacy Regulations Around the World You Should Know

Recently, we’ve been on a data privacy kick. We’ve been exploring all aspects of kids’ data privacy, news about recent penalties, and what mobile apps need to do to make sure they’re staying compliant. However, while our recent blog posts have focused mainly on COPPA, there are a lot of other data privacy regulations out there. And, depending on where your app and its users are based, you may have to abide by the rules set by their restrictions. (This is key to note: even if your app is based in, say, Azerbaijan, if you want to target the US market you MUST comply with US regulations, and likewise for the rest of the regulations listed below.)

Download our Data Security Whitepaper to learn more about OpenBack’s innovative approach to data tracking and privacy regulation compliance:

europe eu gdpr

Europe – GDPR

Europe’s GDPR (General Data Protection Regulation) applies to all countries within the European Union, as well as European countries that choose to adopt it. GDPR covers all digital personal data generated by European citizens, meaning any identification information such as phone numbers, email addresses, or physical addresses, as well as geolocation, online identifiers, and any information pertaining to a person’s physical, physiological, medical, genetic, economic, cultural, political identity, and more.

Companies cannot track, process, or sell any of this information with first obtaining the user’s consent. And, as clarified by Article 8, or GDPR-K, the EU age of digital consent is 16. To track the data of users younger than 16, you must first get the permission of their parent or guardian.

GDPR requires any company to display an easy-to-access privacy policy on their website, as well as a cookie policy. What’s more, it’s illegal to export user data to a country outside of the EU, unless that country has adopted a similarly strict data privacy regulation. Violations of GDPR can incur a penalty from 10 million euros to 2% of the company’s annual turnover, whichever is more.

United States

The United States is a complicated case, as every state has a different approach to digital data privacy. The two national regulations – COPPA and HIPAA – were both implemented in the 1990s. So they fall behind the modern understanding of personal data and what must be done to mitigate security risks, and have been updated at various points in recent years.

Other states, such as California with its CCPA regulation, have taken it upon themselves to implement data privacy regulations that are more in line with GDPR.

coppa data privacy regulations


The Children’s Online Privacy Protection Act (COPPA) was passed in 1998. Initially, it only covered personal data in the sense of someone’s name, address, phone/social security number, credit card numbers, etc. However, as the scope of what comprises personal data and its abuse has broadened in the past two decades, the FTC has updated COPPA to affirm that personal data can also include:

  • a persistent identifier, such an IP address, cookie identifier, or push token
  • any photo, video, or audio file containing a child’s voice or image
  • geolocation
  • any other information about a child or their parent combined with an above piece of information

For COPPA, the age of consent is 13. To track the data of children below that age, companies must gain the permission of their parent or guardian first. Like GDPR-K, to comply with COPPA you must include a privacy policy on your website, or on your app store page for mobile apps. Moreover, you must agree to delete any data belonging to underage users upon request by their parent. The penalty for violating COPPA is $43,280 per child per violation.


Likewise, HIPAA (Health Insurance Portability and Accountability Act) addressed personal data in the realm of health, healthcare, and health insurance. So professionals and organizations that have to comply with HIPAA are:

  • Healthcare providers: doctors, clinics, psychologists, chiropractors, dentists, etc.

  • Health plans: including health insurance companies, HMOs, company health plans, government healthcare programs

  • Healthcare clearinghouses: including billing services and community healthcare systems

  • Business associates: any entity that uses PHI to perform a function or activity or provide a service

In order for any of these entities to share any of their patients’ personal health data (PHI), they first must obtain patient consent. Because HIPAA was passed in 1996, it was updated in 2003 by the HIPAA Omnibus Rule, making it easier for patients’ to control their own health data.

Keep in mind, any mobile app that deals in users’ mental, emotional, or physical health may be liable under HIPAA.

california golden gate bridge


HIPAA and COPPA are both very specialized data privacy regulations. California was the first state to pass CCPA, a law that covers all personal data, similar to GDPR. However, unlike the other regulations on this list, CCPA (California Consumer Protection Act) only applies to larger companies: ones earning at least $20 million in gross annual revenue, and which are processing the data of at least 50,000 California residents, or which make at least 50% of their revenues from processing user data.

Under CCPA, California residents are entitled to access and delete all of their personal information, as well as opt-out of having their data tracked. They are also entitled to non-discrimination for exercising their CCPA rights. Also, for users younger than 16, you must gain their consent before processing their data. Penalties for violation can go up to $2,500 for each violation and $7,500 for each intentional violation.

China – PIPL

Many countries are following in the footsteps of Europe’s GDPR, with data privacy regulations currently being drafted. One of these is China’s PIPL (Personal Information Protection Law). Under China’s previous cybersecurity law, it was only legal to process a Chinese citizen’s data if they gave their consent. Now, they are updating their stance to allow data processing if it contributes to the utility of the application, the fulfillment of statutory obligations, or for emergency situations.

Companies from outside of China that seek to process above a certain volume of data (to be determined) must appoint a data protection officer to oversee the process. Penalties for violation of PIPL will likely reach up to 50 million Chinese yuan, or 5% of the company’s turnover.

To learn more about how your mobile app can be fully compliant with global data privacy regulations without requiring your users to opt-in, get in touch with the experts at OpenBack. We look forward to hearing from you!

Leave a Reply

Your email address will not be published.

seven + sixteen =

Download our Mobile Marketing Playbook to perfect your user engagement game!


Translate »