{ "@context": "https://schema.org", "@type": "Dataset", "@id": "https://ciam.wiki/compliance#dataset", "name": "CIAM Compliance Frameworks Dataset", "description": "A vendor-neutral reference of the regulations and standards that set CIAM authentication, consent, and data-rights requirements, with a CIAM-relevance note for each.", "url": "https://ciam.wiki/compliance", "creator": { "@type": "Organization", "name": "CIAM.wiki", "url": "https://ciam.wiki" }, "isAccessibleForFree": true, "license": "https://creativecommons.org/licenses/by/4.0/", "dateModified": "2026-06-23", "keywords": [ "CIAM", "customer identity", "IAM" ], "variableMeasured": [ { "@type": "PropertyValue", "name": "Framework" }, { "@type": "PropertyValue", "name": "Kind" }, { "@type": "PropertyValue", "name": "Summary" }, { "@type": "PropertyValue", "name": "CIAM relevance" } ], "distribution": [ { "@type": "DataDownload", "encodingFormat": "text/csv", "contentUrl": "https://ciam.wiki/data/ciam-compliance.csv" }, { "@type": "DataDownload", "encodingFormat": "application/json", "contentUrl": "https://ciam.wiki/data/ciam-compliance.json" } ], "columns": [ { "key": "name", "label": "Framework" }, { "key": "kind", "label": "Kind" }, { "key": "summary", "label": "Summary" }, { "key": "ciamRelevance", "label": "CIAM relevance" } ], "frameworks": [ { "name": "APPI (Japan)", "kind": "regulation", "summary": "Japan's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Japan users must support." }, { "name": "CCPA / CPRA", "kind": "regulation", "summary": "California's consumer privacy law (CCPA), expanded by the CPRA: the strongest US state privacy law and the closest US equivalent to GDPR, granting access, correction, deletion, and opt-out of sale rights, with a dedicated regulator and data-broker rules.", "ciamRelevance": "The US benchmark for opt-out, data access/correction/deletion, and do-not-sell/share signals in CIAM." }, { "name": "Colorado Privacy Act (CPA)", "kind": "regulation", "summary": "Colorado's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." }, { "name": "Connecticut Data Privacy Act (CTDPA)", "kind": "regulation", "summary": "Connecticut's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." }, { "name": "COPPA", "kind": "regulation", "summary": "The US Children's Online Privacy Protection Act, enforced by the FTC, governing the collection of personal data from children under 13.", "ciamRelevance": "Requires verifiable parental consent and age assurance before children's data is collected, driving age-gating and parental-consent flows in CIAM." }, { "name": "Delaware Personal Data Privacy Act (DPDPA)", "kind": "regulation", "summary": "Delaware's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." }, { "name": "DORA", "kind": "regulation", "summary": "The EU's Digital Operational Resilience Act for the financial sector.", "ciamRelevance": "Requires strong access controls, authentication, and ICT resilience for financial entities and their providers." }, { "name": "DPDP Act 2023 (India)", "kind": "regulation", "summary": "India's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving India users must support." }, { "name": "eIDAS 2.0", "kind": "regulation", "summary": "The EU regulation establishing the European Digital Identity framework and the EUDI Wallet.", "ciamRelevance": "Mandates member-state digital identity wallets that CIAM buyers serving EU users will need to accept." }, { "name": "EU AI Act", "kind": "regulation", "summary": "The EU's Artificial Intelligence Act (Regulation 2024/1689), the first comprehensive AI law, with risk-tiered obligations.", "ciamRelevance": "Classifies biometric identification and categorization as high-risk and restricts remote biometric ID, directly governing the AI behind identity proofing and fraud." }, { "name": "Federal PDPL (UAE)", "kind": "regulation", "summary": "United Arab Emirates's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving United Arab Emirates users must support." }, { "name": "GDPR", "kind": "regulation", "summary": "The EU's General Data Protection Regulation governing how personal data is processed, with strict consent and rights requirements.", "ciamRelevance": "Sets the bar for consent capture, data subject rights (DSAR), and data residency that CIAM must enforce." }, { "name": "HIPAA", "kind": "regulation", "summary": "The US Health Insurance Portability and Accountability Act, governing the privacy and security of protected health information (PHI).", "ciamRelevance": "The Security Rule requires access controls, unique user identification, and authentication for systems handling PHI, which patient-facing CIAM in healthcare must satisfy." }, { "name": "Indiana Consumer Data Protection Act", "kind": "regulation", "summary": "Indiana's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." }, { "name": "Iowa Consumer Data Protection Act (ICDPA)", "kind": "regulation", "summary": "Iowa's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." }, { "name": "Kentucky Consumer Data Protection Act (KCDPA)", "kind": "regulation", "summary": "Kentucky's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." }, { "name": "Law 1581 (Colombia)", "kind": "regulation", "summary": "Colombia's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Colombia users must support." }, { "name": "LFPDPPP (Mexico)", "kind": "regulation", "summary": "Mexico's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Mexico users must support." }, { "name": "LGPD (Brazil)", "kind": "regulation", "summary": "Brazil's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Brazil users must support." }, { "name": "Maryland Online Data Privacy Act (MODPA)", "kind": "regulation", "summary": "Maryland's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." }, { "name": "Minnesota Consumer Data Privacy Act (MCDPA)", "kind": "regulation", "summary": "Minnesota's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." }, { "name": "Montana Consumer Data Privacy Act", "kind": "regulation", "summary": "Montana's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." }, { "name": "Nebraska Data Privacy Act", "kind": "regulation", "summary": "Nebraska's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." }, { "name": "New Hampshire Privacy Act", "kind": "regulation", "summary": "New Hampshire's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." }, { "name": "New Jersey Data Privacy Act (NJDPA)", "kind": "regulation", "summary": "New Jersey's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." }, { "name": "NIS2", "kind": "regulation", "summary": "The EU's second Network and Information Security Directive.", "ciamRelevance": "Mandates access control and multi-factor authentication for essential and important entities." }, { "name": "NYDFS 500", "kind": "regulation", "summary": "New York's cybersecurity regulation for financial services (23 NYCRR 500).", "ciamRelevance": "Requires MFA and access controls for covered financial institutions; a US benchmark." }, { "name": "Oregon Consumer Privacy Act (OCPA)", "kind": "regulation", "summary": "Oregon's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." }, { "name": "PCI DSS", "kind": "regulation", "summary": "The Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council, governing how cardholder data is protected.", "ciamRelevance": "Requirement 8 mandates strong authentication and MFA for access to the cardholder data environment, a direct CIAM authentication requirement." }, { "name": "PDPA (Singapore)", "kind": "regulation", "summary": "Singapore's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Singapore users must support." }, { "name": "PDPA (Thailand)", "kind": "regulation", "summary": "Thailand's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Thailand users must support." }, { "name": "PDPA Law 25.326 (Argentina)", "kind": "regulation", "summary": "Argentina's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Argentina users must support." }, { "name": "PDPL (Saudi Arabia)", "kind": "regulation", "summary": "Saudi Arabia's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Saudi Arabia users must support." }, { "name": "Personal Data Protection Law (Chile)", "kind": "regulation", "summary": "Chile's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Chile users must support." }, { "name": "PIPA (South Korea)", "kind": "regulation", "summary": "South Korea's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving South Korea users must support." }, { "name": "PIPEDA + Quebec Law 25 (Canada)", "kind": "regulation", "summary": "Canada's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Canada users must support." }, { "name": "PIPL (China)", "kind": "regulation", "summary": "China's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving China users must support." }, { "name": "POPIA (South Africa)", "kind": "regulation", "summary": "South Africa's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving South Africa users must support." }, { "name": "Privacy Act 1988 (Australia)", "kind": "regulation", "summary": "Australia's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Australia users must support." }, { "name": "PSD2 / SCA", "kind": "regulation", "summary": "The EU's revised Payment Services Directive and its Strong Customer Authentication mandate.", "ciamRelevance": "Requires multi-factor strong customer authentication for electronic payments, a direct CIAM auth requirement." }, { "name": "PSD3 / PSR", "kind": "regulation", "summary": "The EU's third Payment Services Directive and accompanying Payment Services Regulation, modernizing payments rules, fraud controls, and strong customer authentication. Not yet in force.", "ciamRelevance": "Updates and strengthens Strong Customer Authentication and fraud-prevention expectations for payments, extending the SCA mandate that CIAM must enforce." }, { "name": "Revised FADP (Switzerland)", "kind": "regulation", "summary": "Switzerland's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving Switzerland users must support." }, { "name": "Rhode Island Data Transparency and Privacy Protection Act", "kind": "regulation", "summary": "Rhode Island's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." }, { "name": "Tennessee Information Protection Act (TIPA)", "kind": "regulation", "summary": "Tennessee's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." }, { "name": "Texas Data Privacy and Security Act (TDPSA)", "kind": "regulation", "summary": "Texas's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." }, { "name": "UK GDPR & DPA 2018", "kind": "regulation", "summary": "United Kingdom's comprehensive data protection law, broadly aligned with the GDPR model of consent, data-subject rights, and accountability.", "ciamRelevance": "Sets consent, data-subject-rights, and cross-border requirements that CIAM serving United Kingdom users must support." }, { "name": "Utah Consumer Privacy Act (UCPA)", "kind": "regulation", "summary": "Utah's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." }, { "name": "Virginia Consumer Data Protection Act (VCDPA)", "kind": "regulation", "summary": "Virginia's comprehensive consumer privacy law granting end users access, correction, deletion, portability, and opt-out rights.", "ciamRelevance": "Drives self-service data rights (DSAR), consent and preference management, and honoring opt-out signals in CIAM." } ] }