Key 2025-2026 Regulatory Compliance and Lending Law Changes: Data Privacy, AI, and Consumer Protection

In November, the BCBS announced plans to review the standards, after the US and UK refused to implement them. FATF also underscored the growing use of emerging technologies by threat actors, emphasizing the need for capacity building and stronger public-private partnerships to ensure regulators and industry can keep pace in combating financial crime. In a bid to encourage foreign investment, the government introduced a five-year tax exemption on capital gains from crypto trades on regulated exchanges in September. Earlier in August, it also launched Tourist DigiPay, which will enable visitors to pay Thai businesses using crypto.

European Union (EU)

You have 30 calendar days from discovery or notification of a data breach to inform affected California residents. And you must submit a breach notification report to the Attorney General within 15 calendar days of notifying individuals. The result has been a cautious approach to both AI and ML, with the majority of implementations focusing on non-customer-facing applications. This limited usage, compounded by the lack of regulation around AI, leaves new legal questions mounting while regulators work to sort matters out. Many regional and community financial institutions have been hesitant to embrace GenAI due to well-known errors that have been documented in the early days of the technology. While generative AI (GenAI) stands poised to improve everything from risk management to profit margins, the banking world has been understandably hesitant to adopt the technology in light of ongoing regulatory changes and perspectives.

The California Consumer Privacy Act (CCPA)

  • Pham has stressed collaboration with the US SEC’s Project Crypto, with both agencies issuing joint statements on spot products, hosting joint roundtables, and harmonizing definitions — an unprecedented level of interagency coordination.
  • It establishes the guidelines for how healthcare entities and businesses handle patients’ personal health information (PHI) to guarantee its confidentiality and security.
  • The Montana Consumer Data Privacy Act, in effect since 2024 and amended in April 2025, applies to entities that conduct business in Montana or provide products or services to Montana residents.
  • Some essential tools and technologies that enhance data compliance capabilities are discussed in the following sections.
  • The introduction of new statutes in states such as Indiana, Kentucky, and Rhode Island — along with ongoing updates in states like California and Connecticut — demonstrates a nationwide shift toward stronger privacy governance.

Secure Transmit offers end-to-end encryption, immutable audit reporting, and customizable access controls, the primitives teams need to build workflows that meet standards like GDPR and HIPAA. Compliance ensures data protection, reduces the risk of breaches, and prevents costly penalties. Data compliance refers to adhering to legal, regulatory, and industry-specific standards for handling sensitive information securely and responsibly. The platform allows organizations to define granular access permissions based on roles, ensuring that only authorized personnel can view or manipulate sensitive data. Companies operating in heavily regulated industries like finance or healthcare must meet specific standards to collaborate with global partners.

U.S. data privacy protection laws: 2026 guide

  • In 2026, we will be watching for progress on the implementation of the Virtual Asset Services Act, and how greater regulatory clarity could drive growth in Taiwan’s crypto industry.
  • Companies that do not follow mandatory regulatory compliance practices face numerous possible repercussions, such as being forced to participate in remediation programs that include on-site compliance audits and inspections by the appropriate regulatory agency.
  • As more industry players enter and navigate the licensing process, we will be watching in 2026 to see if Hong Kong’s policy moves will indeed fuel its crypto hub ambitions.
  • The authority imposed a deadline for compliance by June 19, 2025, allowing firms a 30-day transition period, underscoring the regulator’s shift from sandbox experimentation to mature supervision.
  • Even small businesses collecting basic customer data have to meet GDPR or CCPA requirements depending on where their customers live.
  • Chatbots engaging in healthcare-related communications raise unique compliance concerns, including, for example, a risk of engaging in the unlicensed practice of medicine.

The Minnesota Consumer Data Privacy Act went into effect on July 1, 2025, and addresses how consumers can access, correct and delete their data, opt out of targeted advertising, and obtain information about which third parties their data has been sold to. Organizations conducting business in the U.S. are expected to adopt specific practices for managing information. The expansion of state privacy regulation has created several new compliance challenges for organizations. We previously wrote about the stalled federal data privacy law, American Data Privacy and Protection Act, here.

Recent amendments address joint controllers, records of processing, AI and automated decision-making, and intra-group transfer mechanics. If your business has any federal licenses, permits, or certificates, you’ll need to keep those up to date. John and Kelly’s business is also required to display certain posters that inform employees of their rights. Some of their employees have been trained and certified by EPA-approved organizations on the proper way to handle hazardous materials. However, they are generally advised to maintain an updated operating agreement, issue membership shares, record all membership interest transfers, and hold annual meetings.

The structured approach to data compliance provides an overview detailing the implementation of the relevant regulation and establishes a data protection culture, including effective security measures. However, unlike the GDPR, CCPA—and many other US data protection laws—are opt-out rather than opt-in, meaning that businesses can use consumer information in California until specifically told otherwise. The CCPA also only applies to companies that exceed a specific annual revenue threshold or handle large volumes of personal data, making it relevant for many, though not all, California businesses.