Jurisdiction references.
Privacy laws and what they require of vendor oversight. We focus on the practical question: what does each regulation expect a controller to monitor about its processors, and how often?
Comprehensive privacy laws
GDPR
General Data Protection Regulation (EU)
The EU's comprehensive data protection regime, in force since May 2018, with extraterritorial reach over any controller or processor handling EU resident data.
CCPA / CPRA
California Consumer Privacy Act / California Privacy Rights Act
California's consumer privacy regime, expanded by CPRA in 2023, with vendor and service-provider obligations distinct from GDPR's controller/processor model.
VCDPA
Virginia Consumer Data Protection Act
Virginia's consumer data protection law, the second comprehensive US state privacy regime, with controller/processor framing closer to GDPR than to CCPA.
CPA
Colorado Privacy Act
Colorado's comprehensive consumer privacy law, in force since July 2023, with a Universal Opt-Out Mechanism requirement that is the first of its kind in the US.
TDPSA
Texas Data Privacy and Security Act
Texas's comprehensive consumer privacy law, in force since July 2024, applying broadly: there is no consumer-count or revenue threshold, and only small businesses are excluded.
DPDP
Digital Personal Data Protection Act (India)
India's first comprehensive personal data protection law, enacted in 2023, with implementation phased in through 2024-2025.
LGPD
Lei Geral de Proteção de Dados (Brazil)
Brazil's general personal data protection law, in force since 2020, modelled closely on GDPR but with Brazil-specific authority and enforcement structure.
Compliance frameworks
SOC 2
SOC 2 (Trust Services Criteria)
An attestation framework developed by the AICPA covering security, availability, processing integrity, confidentiality, and privacy of service organisations.
ISO 27001
ISO/IEC 27001 (Information Security Management Systems)
An international standard for information security management systems, certifiable by accredited bodies, with explicit supplier-relationship requirements in Annex A.5.
HIPAA
Health Insurance Portability and Accountability Act (US)
US sectoral law governing protected health information, with explicit Business Associate obligations that flow through to a covered entity's vendors.
PCI DSS
Payment Card Industry Data Security Standard
A contractual security standard for any entity that stores, processes, or transmits payment card data, with explicit requirements on third-party service providers.