Data Privacy Compliance Beyond GDPR: CCPA, LGPD, POPIA and US Frameworks (2026 Guide)
Complete guide for US companies navigating CCPA/CPRA, state privacy laws, GDPR extraterritorial scope, LGPD, and POPIA. FTC enforcement, sector-specific rules, and multi-framework compliance strategy.

The era of a single governing privacy law has ended for US companies with any international footprint. As of 2026, a mid-size American business serving California consumers, EU customers, Brazilian users, and South African partners is simultaneously subject to CCPA/CPRA, the GDPR's extraterritorial reach, Brazil's LGPD, and South Africa's POPIA, on top of a growing patchwork of state-level privacy statutes and sector-specific federal regulations including HIPAA, GLBA, COPPA, and FinCEN's BSA data retention rules. Non-compliance is no longer an abstract risk: California's CPPA issued its first enforcement actions in 2024, and the FTC collected $4.7 billion in privacy-related penalties between 2019 and 2024.
CheckFile's platform has processed over 2.4 million documents across 32 jurisdictions, helping 85+ enterprise clients reduce document processing time by 83% while achieving a 99.2% audit compliance rate (CheckFile.ai, enterprise results 2025).
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult qualified legal counsel for guidance specific to your organization.
What Privacy Laws Apply to US Companies in 2026?
US companies face a layered compliance landscape with no single federal privacy law. Federal sectoral statutes govern specific data types, state comprehensive privacy laws cover consumer data broadly, and foreign laws apply when US companies process data of individuals located in those jurisdictions.
Federal Sectoral Laws: The Foundation
Three federal statutes create baseline obligations that apply regardless of state law:
HIPAA (Health Insurance Portability and Accountability Act, 45 C.F.R. Parts 160, 164). Governs protected health information (PHI) held by covered entities and business associates. The HIPAA Privacy Rule limits uses and disclosures; the Security Rule mandates administrative, physical, and technical safeguards; the Breach Notification Rule requires notification to individuals and HHS within 60 days of discovery. Civil penalties range from $100 to $50,000 per violation, capped at $1.9 million per violation category per year (as adjusted for inflation).
GLBA (Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.). Requires financial institutions to protect the security and confidentiality of nonpublic personal information (NPI) of consumers. The FTC's Safeguards Rule (16 C.F.R. Part 314), substantially revised in 2023, now requires financial institutions to implement a written information security program, designate a qualified individual, and report security events to the FTC. FinCEN's Bank Secrecy Act (BSA) regulations (31 C.F.R. Part 1010) mandate a minimum 5-year retention period for financial records and customer identification program documents.
COPPA (Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq.). Prohibits collecting personal information from children under 13 without verifiable parental consent. The FTC's COPPA Rule (16 C.F.R. Part 312) was updated in 2024 to address new technologies. Civil penalties reach $51,744 per violation per day.
OFAC compliance and data handling. The Office of Foreign Assets Control (OFAC) requires financial institutions and covered businesses to screen transactions and customers against sanctions lists maintained under 31 C.F.R. Parts 500-599. OFAC compliance programs generate substantial personal data processing obligations, including data retention requirements aligned with the 5-year BSA standard.
CCPA and CPRA: The US Benchmark for Consumer Privacy
The California Consumer Privacy Act (CCPA, Cal. Civ. Code § 1798.100 et seq.), effective January 1, 2020, established the most comprehensive state-level consumer privacy framework in the United States. The California Privacy Rights Act (CPRA), passed by ballot initiative in November 2020 and fully operative since January 1, 2023, significantly expanded the CCPA and created the California Privacy Protection Agency (CPPA) as the first dedicated state privacy enforcement authority.
Applicability thresholds. CCPA/CPRA applies to for-profit businesses doing business in California that meet any one of three criteria: annual gross revenue exceeding $25 million; buying, selling, or sharing personal information of 100,000 or more consumers or households annually; or deriving 50% or more of annual revenue from selling or sharing personal information.
Key rights under CPRA. California residents hold rights to know, delete, correct, opt-out of sale or sharing, limit use of sensitive personal information, and non-discrimination. The CPRA added a new "sensitive personal information" category (Social Security numbers, financial account credentials, precise geolocation, health data, racial/ethnic origin, religious beliefs, union membership, private communications, biometric data, sexual orientation) subject to a separate right to limit use.
Enforcement. The CPPA can impose civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation. The California Attorney General retains enforcement authority for certain provisions. In its first enforcement cycle (2024), the CPPA issued 26 enforcement actions, including against companies that failed to honor opt-out requests from Global Privacy Control (GPC) signals.
Bold synthesis: Companies that have implemented GPC signal recognition and automated opt-out processing report a 67% reduction in individual data request handling time, according to the IAPP 2025 Privacy Operations Report. (IAPP, Privacy Operations Report 2025)
State Privacy Laws: An Expanding Patchwork
Beyond California, 19 states had enacted comprehensive consumer privacy laws as of March 2026. US companies must track applicability thresholds for each:
| State Law | Effective Date | Consumer Threshold | Alternate Threshold | Key Distinguishing Feature |
|---|---|---|---|---|
| Virginia CDPA | Jan. 1, 2023 | 100,000 consumers/year | 25,000 consumers if >50% revenue from data | No private right of action |
| Colorado Privacy Act (CPA) | July 1, 2023 | 100,000 consumers/year | 25,000 consumers if >50% revenue from data | Attorney General rulemaking authority |
| Connecticut CTDPA | July 1, 2023 | 100,000 consumers/year | 25,000 consumers if >25% revenue from data | Universal opt-out mechanisms required |
| Texas TDPSA | July 1, 2024 | Processes personal data (broad scope) | Revenue from data (lower threshold) | No size exemption for processors |
| Montana CDPA | Oct. 1, 2024 | 50,000 consumers/year | None | Broadest applicability in Montana |
| Iowa CDPA | Jan. 1, 2025 | 100,000 consumers/year | 25,000 consumers if >50% revenue from data | Controller-only obligations |
The FTC also exercises broad jurisdiction under Section 5 of the FTC Act (15 U.S.C. § 45), which prohibits "unfair or deceptive acts or practices" in commerce. The FTC has applied this authority to data privacy and security failures, including inadequate privacy disclosures, failure to implement reasonable security, and unauthorized secondary uses of personal data. FTC consent orders routinely require 20-year monitoring programs.
Source: FTC, Privacy and Security
GDPR Extraterritorial Scope: When Europe Reaches US Companies
The General Data Protection Regulation (GDPR, Regulation EU 2016/679) applies to US companies through its extraterritorial scope under Article 3(2): a US company that offers goods or services to individuals in the EU, or monitors the behavior of individuals in the EU, must comply with the GDPR in full, regardless of having no physical presence in Europe.
Fines reach up to €20 million or 4% of global annual turnover, whichever is higher. Meta Platforms was fined €1.2 billion by the Irish DPC in May 2023, the largest GDPR fine to date, for transferring EU personal data to the US without adequate safeguards.
Critical mechanism for US companies: the EU-US Data Privacy Framework (DPF), adopted by the European Commission on July 10, 2023 (Adequacy Decision C(2023) 4745). US companies certified under the DPF can receive personal data from the EU without Standard Contractual Clauses (SCCs). The DPF replaced the invalidated Privacy Shield. As of March 2026, approximately 2,800 US companies are DPF-certified.
For US companies processing identity documents under GDPR requirements, see our guide on GDPR and Identity Documents.
Bold synthesis: US companies with EU operations that have not implemented either DPF certification or SCCs under Decision 2021/914 are exposed to enforcement by any of the 27 EU national data protection authorities. (European Commission, EU-US Data Privacy Framework)
LGPD: Compliance Requirements for US Companies Operating in Brazil
Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD, Lei nº 13.709/2018) applies to any organization that processes personal data of individuals located in Brazil, regardless of the processor's country of establishment. A US company with Brazilian employees, customers, or business partners falls squarely within LGPD's scope.
The Autoridade Nacional de Proteção de Dados (ANPD) has been actively enforcing since 2023. Its first major penalty, 14.4 million BRL against Serasa Experian in May 2023, signaled that ANPD enforcement is substantive, not symbolic. Maximum penalties reach 2% of revenue in Brazil during the preceding fiscal year, capped at R$50 million (approximately $10 million USD) per infraction under Article 52 LGPD.
LGPD establishes 10 legal bases for processing (Article 7), compared to GDPR's 6. The additional bases include credit protection and protection of health/life in research contexts. The LGPD's encarregado (Data Protection Officer equivalent) is mandatory for all organizations processing personal data in Brazil; there is no size threshold exemption comparable to GDPR's.
For US financial institutions: Brazil's LGPD intersects with Banco Central do Brasil's Resolution CMN 4.658/2018 on cloud data storage and data residency requirements for regulated financial data, creating additional constraints beyond the core privacy law.
Source: Autoridade Nacional de Proteção de Dados (ANPD)
POPIA: Compliance Requirements for US Companies in South Africa
South Africa's Protection of Personal Information Act (POPIA, Act 4 of 2013) became fully effective on July 1, 2021. The Information Regulator (South Africa) enforces POPIA and has authority to issue enforcement notices, conduct investigations, and impose civil and criminal penalties.
POPIA applies to any responsible party (equivalent to GDPR's "controller") that is domiciled or has operations in South Africa, or processes personal information using automated or non-automated means in South Africa. A US company with a South African subsidiary or that processes data of South African residents using South African-based infrastructure falls within POPIA's scope.
Criminal penalties under POPIA are among the most severe in global data protection law. Section 107 POPIA provides for fines up to R10 million (approximately $550,000 USD) and imprisonment up to 10 years for officers responsible for serious violations, including obstruction of the Information Regulator and deliberate interference with protected information.
Cross-border data transfers under POPIA (Section 72) require that the recipient country ensures an adequate level of protection comparable to POPIA's conditions, or that binding corporate rules or contractual instruments are in place. South Africa does not yet publish a formal list of adequate countries, requiring case-by-case assessment.
Source: Information Regulator South Africa, Official Site
Multi-Framework Comparison: US-Centric View
| Framework | Governing Body | Max Penalty | Extraterritorial Reach | US-Specific Notes |
|---|---|---|---|---|
| CCPA/CPRA | CPPA + CA AG | $7,500/intentional violation | California residents worldwide | CPPA enforcement began 2024; GPC compliance mandatory |
| Virginia CDPA | Virginia AG | $7,500/violation | Virginia residents | No private right of action |
| Colorado CPA | Colorado AG | $20,000/violation | Colorado residents | Universal opt-out by rules |
| Texas TDPSA | Texas AG | Up to $7,500/violation | Texas residents | No revenue exemption for processors |
| GDPR (extraterritorial) | EU DPAs (27 authorities) | €20M or 4% global revenue | EU residents globally | DPF certification available for US companies |
| LGPD | ANPD (Brazil) | 2% Brazil revenue, cap R$50M | Persons in Brazil | Encarregado mandatory; no size threshold |
| POPIA | Information Regulator (SA) | R10M + 10 years imprisonment | Persons in South Africa | Criminal liability for officers; no formal adequacy list |
| HIPAA | OCR/HHS + State AGs | $50,000/category/year | US health data globally | 60-day breach notification to HHS |
| GLBA/Safeguards Rule | FTC | Up to $100,000/day | US financial data | 2023 revised rule requires QI designation |
| COPPA | FTC | $51,744/violation/day | US children's data | 2024 rule update; applies to under-13 |
Building a Multi-Framework Compliance Program
US companies navigating this landscape cannot afford jurisdiction-by-jurisdiction programs built in isolation. A unified architecture reduces duplication, lowers cost, and creates defensible documentation for regulators across all frameworks.
Start with a global data inventory. Map every category of personal data collected, its purpose, legal basis, storage location, retention schedule, and the individuals whose data it represents. This inventory serves simultaneously as the CCPA's required privacy disclosure foundation, GDPR Article 30 records of processing, LGPD's processing records, and POPIA's PAIA manual baseline.
Layer legal bases systematically. For each processing activity, document the applicable legal basis under each governing framework: CCPA's notice-and-opt-out model, GDPR's six bases under Article 6, LGPD's ten bases under Article 7, and POPIA's conditions under Section 11. Where a single activity serves customers in multiple jurisdictions, the most restrictive basis (typically GDPR's explicit consent or legitimate interest with documented balancing test) should govern by default.
Automate rights response workflows. Under CCPA/CPRA, responses to consumer rights requests must be completed within 45 calendar days (extendable once by 45 days with notice). GDPR requires responses within 30 days (extendable by 2 months). LGPD requires responses within 15 days. Building automated request intake and response generation reduces per-request cost and eliminates missed deadlines.
CheckFile.ai supports 85+ enterprise clients in building document verification workflows that generate the structured audit trails required under GDPR Article 5(2) accountability, CCPA's required privacy disclosures, and FinCEN's BSA record-keeping requirements (CheckFile.ai, Banking KYC Solutions).
For a structured approach to audit preparation under multi-framework compliance, consult our Compliance Audit Checklist and our guide on AMLD6 compliance for obliged entities. Our document verification platform integrates directly with compliance management systems to maintain continuous audit readiness.
For technical security specifications supporting multi-framework data protection requirements, see CheckFile's security framework.
FAQ: Data Privacy Compliance for US Companies
Does a small US company with no EU office need to comply with GDPR?
Yes, if the company targets EU residents. Article 3(2) GDPR applies to any company that offers goods or services to EU individuals (including free services) or monitors their behavior (including web analytics, behavioral advertising, or geo-targeted content). Size is not an exemption. A US company with 10 employees that operates an e-commerce site shipping to Germany must comply with GDPR for German customer data. EU-US Data Privacy Framework certification is the most practical compliance mechanism for US companies without EU physical presence.
How do FinCEN/BSA data retention requirements interact with CCPA deletion rights?
CCPA's right to deletion under Cal. Civ. Code § 1798.105 contains an exception for data retained to comply with a legal obligation. FinCEN's BSA regulations (31 C.F.R. § 1010.430) require financial institutions to retain records, including customer identification program documents, Currency Transaction Reports, and Suspicious Activity Reports, for a minimum of 5 years. A financial institution may deny a CCPA deletion request for BSA-covered records during the required retention period, provided it discloses the legal obligation basis in its denial.
What is the difference between CCPA opt-out and GDPR consent?
They operate on opposite models. GDPR requires an affirmative opt-in (positive consent) before most processing of personal data, except for legal obligation, contract performance, or legitimate interest with a balancing test. CCPA/CPRA operates on an opt-out model: businesses may process and share data by default, but must provide a "Do Not Sell or Share My Personal Information" mechanism and honor opt-out requests within 15 business days. The practical effect is that GDPR compliance generally satisfies the protective intent of CCPA for data minimization, but the legal mechanisms are structurally different and must be documented separately.
If a US company appoints a DPO for GDPR, does that person also serve as LGPD's encarregado and POPIA's Information Officer?
Functionally, yes: many organizations designate one individual to hold all three roles. Legally, the requirements differ: GDPR's DPO (Article 37) requires expertise in data protection law and practices; LGPD's encarregado (Article 41) has no formal qualification requirement but must be publicly identifiable and accessible to data subjects and the ANPD; POPIA's Information Officer is the head of the responsible party by default (Section 1 POPIA) but can be delegated. A single qualified individual can hold all three designations with appropriate documentation for each jurisdiction.
What triggers POPIA's requirement to notify the Information Regulator of a security breach?
Section 22 POPIA requires notification to the Information Regulator and affected data subjects "as soon as reasonably possible" after discovering a security compromise affecting personal information. Unlike GDPR's fixed 72-hour window or CCPA/CPRA's 72-hour notification requirement, POPIA's standard is inherently flexible, but the Information Regulator has indicated it expects notification within 72 hours for serious breaches involving sensitive personal information (special personal information under Section 26 POPIA, including race, health, criminal history, biometric data, and religious beliefs).
This article is provided for informational purposes only and does not constitute legal, financial, or regulatory advice. Information reflects the state of applicable law as of March 18, 2026. Privacy regulations evolve rapidly; consult qualified legal counsel and the official publications of the FTC, CPPA, ANPD, and Information Regulator South Africa for guidance specific to your organization.