CIAM Compliance Frameworks.

The regulations and standards that set the bar for customer identity: what each one requires of authentication, consent, and data rights, and why it lands on the CIAM team. Vendor-neutral and for reference only, not legal advice.

Americas (AMER)

CCPA / CPRA

Type: regulation
Jurisdiction: California, US
Tier: Tier 1 (closest to GDPR)
Regulator: Dedicated (CPPA)
In force: 2020 (CPRA amendments 2023)
Applies to: Businesses meeting California thresholds

California's consumer privacy law (CCPA), expanded by the CPRA: the strongest US state privacy law and the closest US equivalent to GDPR, granting access, correction, deletion, and opt-out of sale rights, with a dedicated regulator and data-broker rules.

For CIAM: The US benchmark for opt-out, data access/correction/deletion, and do-not-sell/share signals in CIAM.

Colorado Privacy Act (CPA)

Type: regulation
Jurisdiction: Colorado, US
Tier: Tier 1 (closest to GDPR)
Rights: Access, correct, delete, portability, opt-out
Notable: Universal opt-out mechanism, data protection assessments, sensitive-data consent.

Colorado's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

Connecticut Data Privacy Act (CTDPA)

Type: regulation
Jurisdiction: Connecticut, US
Tier: Tier 1 (closest to GDPR)
Rights: Access, correct, delete, portability, opt-out
Notable: Honors Global Privacy Control signals; strong consumer rights.

Connecticut's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

Delaware Personal Data Privacy Act (DPDPA)

Type: regulation
Jurisdiction: Delaware, US
Tier: Tier 2 (strong modern)
Rights: Access, correct, delete, portability, opt-out
Notable: Access, deletion, portability, opt-out; sensitive-data protections.

Delaware's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

Maryland Online Data Privacy Act (MODPA)

Type: regulation
Jurisdiction: Maryland, US
Tier: Tier 2 (strong modern)
Rights: Access, correct, delete, portability, opt-out
Notable: Strict data minimization; among the most restrictive state laws.

Maryland's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

Minnesota Consumer Data Privacy Act (MCDPA)

Type: regulation
Jurisdiction: Minnesota, US
Tier: Tier 2 (strong modern)
Rights: Access, correct, delete, portability, opt-out
Notable: Adds a right to question the result of profiling decisions.

Minnesota's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

Montana Consumer Data Privacy Act

Type: regulation
Jurisdiction: Montana, US
Tier: Tier 2 (strong modern)
Rights: Access, correct, delete, portability, opt-out
Notable: In force Oct 2024; low thresholds, honors universal opt-out signals.

Montana's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

New Hampshire Privacy Act

Type: regulation
Jurisdiction: New Hampshire, US
Tier: Tier 2 (strong modern)
Rights: Access, correct, delete, portability, opt-out
Notable: In force Jan 2025; honors universal opt-out signals.

New Hampshire's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

New Jersey Data Privacy Act (NJDPA)

Type: regulation
Jurisdiction: New Jersey, US
Tier: Tier 2 (strong modern)
Rights: Access, correct, delete, portability, opt-out
Notable: Opt-out of profiling; sensitive-data consent; data protection assessments.

New Jersey's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

Oregon Consumer Privacy Act (OCPA)

Type: regulation
Jurisdiction: Oregon, US
Tier: Tier 2 (strong modern)
Rights: Access, correct, delete, portability, opt-out
Notable: Right to a list of specific third parties; sensitive-data protections.

Oregon's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

Rhode Island Data Transparency and Privacy Protection Act

Type: regulation
Jurisdiction: Rhode Island, US
Tier: Tier 2 (strong modern)
Rights: Access, correct, delete, portability, opt-out
Notable: In force Jan 2026; adds third-party disclosure transparency.

Rhode Island's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

Virginia Consumer Data Protection Act (VCDPA)

Type: regulation
Jurisdiction: Virginia, US
Tier: Tier 2 (strong modern)
Rights: Access, correct, delete, portability, opt-out
Notable: Opt-out of profiling and sensitive-data protections; data protection assessments.

Virginia's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

Iowa Consumer Data Protection Act (ICDPA)

Type: regulation
Jurisdiction: Iowa, US
Tier: Tier 3 (more business-friendly)
Rights: Access, correct, delete, portability, opt-out
Notable: Narrower rights; weaker opt-out and no correction right.

Iowa's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

Kentucky Consumer Data Protection Act (KCDPA)

Type: regulation
Jurisdiction: Kentucky, US
Tier: Tier 3 (more business-friendly)
Rights: Access, correct, delete, portability, opt-out
Notable: In force Jan 2026; Virginia-model opt-out rights.

Kentucky's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

Nebraska Data Privacy Act

Type: regulation
Jurisdiction: Nebraska, US
Tier: Tier 3 (more business-friendly)
Rights: Access, correct, delete, portability, opt-out
Notable: In force Jan 2025; Texas-model with SMB carve-out.

Nebraska's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

Tennessee Information Protection Act (TIPA)

Type: regulation
Jurisdiction: Tennessee, US
Tier: Tier 3 (more business-friendly)
Rights: Access, correct, delete, portability, opt-out
Notable: Consumer rights with a safe harbor for NIST-aligned privacy programs.

Tennessee's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

Texas Data Privacy and Security Act (TDPSA)

Type: regulation
Jurisdiction: Texas, US
Tier: Tier 3 (more business-friendly)
Rights: Access, correct, delete, portability, opt-out
Notable: Full consumer rights but broad SMB exemptions; less restrictive than California.

Texas's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

Utah Consumer Privacy Act (UCPA)

Type: regulation
Jurisdiction: Utah, US
Tier: Tier 3 (more business-friendly)
Rights: Access, correct, delete, portability, opt-out
Notable: Lightest-touch comprehensive law; opt-out model, no assessments.

Utah's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

COPPA

Type: regulation
Jurisdiction: US (FTC)
In force: 2000 (Rule amended 2025)
Applies to: Online services directed at under-13s

The US Children's Online Privacy Protection Act, enforced by the FTC, governing the collection of personal data from children under 13.

For CIAM: Requires verifiable parental consent and age assurance before children's data is collected, driving age-gating and parental-consent flows in CIAM.

HIPAA

Type: regulation
Jurisdiction: US (HHS OCR)
In force: 1996 (Security Rule 2005)
Applies to: Covered entities and business associates handling PHI

The US Health Insurance Portability and Accountability Act, governing the privacy and security of protected health information (PHI).

For CIAM: The Security Rule requires access controls, unique user identification, and authentication for systems handling PHI, which patient-facing CIAM in healthcare must satisfy.

NYDFS 500

Type: regulation
Jurisdiction: New York, US
In force: 2017 (amended 2023)
Applies to: NYDFS-regulated financial institutions

New York's cybersecurity regulation for financial services (23 NYCRR 500).

For CIAM: Requires MFA and access controls for covered financial institutions; a US benchmark.

PIPEDA + Quebec Law 25 (Canada)

Type: regulation
Jurisdiction: Canada
Status: PIPEDA federal; Quebec Law 25 (2021-2024)
Regulator: OPC / CAI

Canada's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Canadian users must support.

Europe, Middle East & Africa (EMEA)

DORA

Type: regulation
Jurisdiction: EU
In force: January 2025
Applies to: EU financial entities and ICT providers

The EU's Digital Operational Resilience Act for the financial sector.

For CIAM: Requires strong access controls, authentication, and ICT resilience for financial entities and their providers.

eIDAS 2.0

Type: regulation
Jurisdiction: EU
Key date: Member-state EUDI wallets by end 2026
Scope: Digital identity & trust services

The EU regulation establishing the European Digital Identity framework and the EUDI Wallet.

For CIAM: Mandates member-state digital identity wallets that CIAM buyers serving EU users will need to accept.

EU AI Act

Type: regulation
Jurisdiction: EU
In force: Aug 2024 (phased)
Key date: High-risk incl. biometrics: 2026-2027
Scope: Risk-tiered AI obligations

The EU's Artificial Intelligence Act (Regulation 2024/1689), the first comprehensive AI law, with risk-tiered obligations.

For CIAM: Classifies biometric identification and categorization as high-risk and restricts remote biometric ID, directly governing the AI behind identity proofing and fraud.

Federal PDPL (UAE)

Type: regulation
Jurisdiction: United Arab Emirates
Status: In force 2021 (+ DIFC/ADGM)
Regulator: UAE Data Office

The United Arab Emirates' comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving users in the United Arab Emirates must support.

GDPR

Type: regulation
Jurisdiction: EU / EEA
In force: 2018
Applies to: Any org processing EU residents' personal data

The EU's General Data Protection Regulation governing how personal data is processed, with strict consent and rights requirements.

For CIAM: Sets the bar for consent capture, data subject rights (DSAR), and data residency that CIAM must enforce.

NIS2

Type: regulation
Jurisdiction: EU
In force: 2024 (national transposition)
Applies to: Essential and important entities

The EU's second Network and Information Security Directive.

For CIAM: Mandates access control and multi-factor authentication for essential and important entities.

PDPL (Saudi Arabia)

Type: regulation
Jurisdiction: Saudi Arabia
Status: In force 2023
Regulator: SDAIA

Saudi Arabia's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Saudi users must support.

POPIA (South Africa)

Type: regulation
Jurisdiction: South Africa
Status: Fully in force 2021
Regulator: Information Regulator

South Africa's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving South African users must support.

PSD2 / SCA

Type: regulation
Jurisdiction: EU / EEA
In force: SCA enforced 2021
Applies to: Payment service providers

The EU's revised Payment Services Directive and its Strong Customer Authentication mandate.

For CIAM: Requires multi-factor strong customer authentication for electronic payments, a direct CIAM auth requirement.

PSD3 / PSR

Type: regulation
Jurisdiction: EU
Status: Trilogue agreed Nov 2025; adoption expected 2026
Applies from: ~2028 (PSD3 national transposition)
Scope: Payments, SCA, open banking

The EU's third Payment Services Directive and accompanying Payment Services Regulation, modernizing payments rules, fraud controls, and strong customer authentication. Not yet in force.

For CIAM: Updates and strengthens Strong Customer Authentication and fraud-prevention expectations for payments, extending the SCA mandate that CIAM must enforce.

Revised FADP (Switzerland)

Type: regulation
Jurisdiction: Switzerland
Status: In force 2023
Regulator: FDPIC

Switzerland's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Swiss users must support.

UK GDPR & DPA 2018

Type: regulation
Jurisdiction: United Kingdom
Status: In force 2018 (post-Brexit)
Regulator: ICO

The United Kingdom's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving UK users must support.

Latin America (LATAM)

Law 1581 (Colombia)

Type: regulation
Jurisdiction: Colombia
Status: In force 2012
Regulator: SIC

Colombia's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Colombian users must support.

LFPDPPP (Mexico)

Type: regulation
Jurisdiction: Mexico
Status: In force 2010
Regulator: Federal regulator

Mexico's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Mexican users must support.

LGPD (Brazil)

Type: regulation
Jurisdiction: Brazil
Status: In force 2020
Regulator: ANPD

Brazil's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Brazilian users must support.

PDPA Law 25.326 (Argentina)

Type: regulation
Jurisdiction: Argentina
Status: In force 2000; reform pending
Regulator: AAIP

Argentina's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Argentine users must support.

Personal Data Protection Law (Chile)

Type: regulation
Jurisdiction: Chile
Status: Enacted 2024; GDPR-aligned
Regulator: New DPA

Chile's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Chilean users must support.

Asia-Pacific (APAC)

Indiana Consumer Data Protection Act

Type: regulation
Jurisdiction: Indiana, US
Tier: Tier 3 (more business-friendly)
Rights: Access, correct, delete, portability, opt-out
Notable: In force Jan 2026; Virginia-model, business-friendly.

Indiana's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.

For CIAM: Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM.

APPI (Japan)

Type: regulation
Jurisdiction: Japan
Status: GDPR-adequate; amended
Regulator: PPC

Japan's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Japanese users must support.

DPDP Act 2023 (India)

Type: regulation
Jurisdiction: India
Status: Enacted 2023; Rules 2025
Regulator: Data Protection Board

India's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Indian users must support.

PDPA (Singapore)

Type: regulation
Jurisdiction: Singapore
Status: In force 2012 (amended 2020)
Regulator: PDPC

Singapore's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving users in Singapore must support.

PDPA (Thailand)

Type: regulation
Jurisdiction: Thailand
Status: In force 2022
Regulator: PDPC

Thailand's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Thai users must support.

PIPA (South Korea)

Type: regulation
Jurisdiction: South Korea
Status: Amended (AI provisions)
Regulator: PIPC

South Korea's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving South Korean users must support.

PIPL (China)

Type: regulation
Jurisdiction: China
Status: In force 2021
Regulator: CAC

China's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving users in China must support.

Privacy Act 1988 (Australia)

Type: regulation
Jurisdiction: Australia
Status: Amended 2022-2024
Regulator: OAIC

Australia's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.

For CIAM: Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Australian users must support.

Global / industry

PCI DSS

Type: regulation
Jurisdiction: Global (card brands)
Current version: v4.0.1
Key date: v4.0 requirements effective 31 Mar 2025
Applies to: Any org handling cardholder data

The Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council, governing how cardholder data is protected.

For CIAM: Requirement 8 mandates strong authentication and MFA for access to the cardholder data environment, a direct CIAM authentication requirement.

Open dataset (CC BY 4.0), available as CSV and JSON.