Do all countries follow GDPR?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

No. GDPR is an EU law. Only the 27 EU member states (plus the three EEA countries: Norway, Iceland, Liechtenstein) are directly bound by it. The UK has its own near-identical version called UK GDPR after Brexit. The rest of the world is not under GDPR.

But here is the part people miss. GDPR follows the data, not the business. Article 3 of the GDPR text says the law applies to anyone processing personal data of people who are in the EU, regardless of where the processor is located. So a Texas company sending marketing emails to a subscriber in Berlin is on the hook for GDPR. The server location does not matter. The company HQ does not matter. The recipient's location is what triggers it.

That is why GDPR feels global even though it is technically regional. If you have any EU subscribers on your list, you are processing EU resident data, and GDPR applies to that slice of your sending.

Other countries have their own laws

Most major economies now have something. A short list of the ones you will actually run into:

  • Brazil: LGPD (Lei Geral de Proteção de Dados). Very GDPR shaped. Consent based, with data subject rights.
  • South Africa: POPIA (Protection of Personal Information Act). Similar consent model.
  • Singapore: PDPA (Personal Data Protection Act). Consent plus a national Do Not Call registry.
  • Canada: CASL (Canada's Anti-Spam Legislation) for email specifically, plus PIPEDA for general data. CASL is stricter than GDPR on the consent side for commercial email. See the official CRTC guidance.
  • California: CCPA and CPRA. Not consent based for email like GDPR, but gives residents rights to know, delete, and opt out of sale of their data.
  • Australia: Spam Act 2003 plus the Privacy Act. Express or inferred consent required.
  • Japan: APPI (Act on the Protection of Personal Information). Updated 2022.
  • United States: No federal GDPR equivalent. Just CAN-SPAM for email (opt out based, not opt in) and a patchwork of state privacy laws (Virginia, Colorado, Utah, Connecticut, Texas, and a growing list).

Some of these are GDPR clones. Some are nothing like it. CAN-SPAM in the US, for example, lets you email someone who never asked, as long as you give them a way to unsubscribe. GDPR would never allow that.

What this means for you

Figure out where your subscribers actually live. Not where your business is. Not where your servers are. Where the recipients are.

If you sell globally, you almost certainly have EU subscribers, which means GDPR applies to that portion of your list. If you have Canadian subscribers, CASL applies, and CASL is stricter than most people realize. If you have Californians, CCPA gives them rights you have to honor.

The safe default for most senders is to operate at the GDPR level for everyone. It is the strictest of the common regimes, and if your consent flow, data handling, and unsubscribe path satisfy GDPR, they will satisfy almost everything else. That does not mean GDPR is the only thing you need to know. CASL has anti-spam specifics that GDPR does not cover. CAN-SPAM has a physical postal address requirement. CCPA has "do not sell" mechanics.

This matters more than people think because the consent question feeds directly into deliverability. People who never asked to hear from you complain, mark as spam, or stay silent, and all three tank your sender reputation. The legal floor and the deliverability floor are the same floor. We have written about why purchased lists do not work and why rented lists are not safer, and the through line is the same: if you cannot prove consent, you have a legal problem and a reputation problem at the same time.

Do not assume GDPR is everywhere. Do not assume it is nowhere. Look at where your list lives, then look at the law that covers those people. If you are not sure, talk to a lawyer who handles data protection, not a marketer who read a blog post.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Map privacy laws to your actual customer geography.

I sell to customers across Europe, Brazil, and Southeast Asia. From the answer, I know GDPR isn't the only law that matters. Can you break down which privacy laws apply to each region I operate in, and what the key differences are between them? I want to know which ones are strictest and where I should focus compliance effort first.

Edit the yellow boxes, then send to the AI of your choice.