If your AI product has users in multiple countries, you’re subject to multiple privacy regimes. Here’s what developers need to know for each region.
## Quick comparison
| Region | Law | AI-specific? | Max fine | Data residency required? |
|---|---|---|---|---|
| EU | GDPR + AI Act | ✅ AI Act | 7% revenue | No (but transfers restricted) |
| US (California) | CCPA/CPRA | ❌ General | $7,500/violation | No |
| UK | UK GDPR + AI framework | ⚠️ Guidance only | £17.5M or 4% | No |
| China | PIPL + AI regulations | ✅ Multiple | ¥50M or 5% | ✅ Yes (for certain data) |
| India | DPDP Act 2023 | ❌ General | ₹250 crore (~$30M) | ⚠️ Restricted transfers |
## European Union
The strictest regime. Two laws apply:
GDPR — Covers all personal data processing. Requires a lawful basis (consent or legitimate interest), data processing agreements (DPAs) with processors, and a transfer mechanism for any data leaving the EU. See our GDPR guide for developers.
EU AI Act — Risk-based AI regulation. Full enforcement August 2026. High-risk AI systems need documentation, testing, and human oversight.
For developers: Use EU-based providers like Mistral or self-host to simplify compliance.
## United States (California)
No federal AI law yet. California’s CCPA/CPRA is the strongest state-level regulation:
- Right to know what data is collected
- Right to delete personal data
- Right to opt out of data “sales” (including sharing with AI providers)
- Automated decision-making transparency requirements
For developers: If you send user data to AI APIs, disclose it in your privacy policy. Allow opt-out. California’s definition of “sale” is broad enough to cover sending data to third-party AI providers.
## United Kingdom
Post-Brexit, the UK has its own GDPR (nearly identical to EU GDPR) plus a principles-based AI framework:
- No AI-specific legislation (yet)
- Sector regulators (FCA, Ofcom, etc.) apply existing rules to AI
- ICO guidance on AI and data protection
- Adequacy decision with EU (data can flow freely)
For developers: Treat the UK like the EU for data protection. The AI framework is guidance, not law — but regulators are watching.
## China
The most complex regime for AI:
- PIPL (Personal Information Protection Law) — China’s GDPR equivalent
- AI regulations — Specific rules for generative AI, deepfakes, recommendation algorithms
- Data localization — Certain data must stay in China
- Algorithm registration — AI services must register with the government
For developers: If you serve Chinese users, data likely must stay in China. Using Chinese AI providers (DeepSeek, Qwen, Kimi) simplifies this but adds complexity for non-Chinese users.
## India
The Digital Personal Data Protection (DPDP) Act 2023:
- Consent-based framework
- Data localization for “critical” personal data
- Right to erasure
- Penalties up to ₹250 crore (~$30M)
- Still being implemented — rules expected through 2026
For developers: Similar to GDPR in spirit but less prescriptive. Watch for implementation rules.
## Practical advice for global products
- Default to GDPR compliance — it’s the strictest, and meeting it usually satisfies other regimes
- Use self-hosted models for maximum flexibility across regions
- Offer data residency options if serving EU and China
- Document everything — every regime requires demonstrable compliance
- Use Mistral for EU, local providers for China, any provider for US/UK
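The residency, transfer-mechanism and opt-out rules above can be enforced as a single pre-flight check that runs before any user data is handed to an AI provider, with every decision written to an audit record so compliance is demonstrable. The following is an added example, not code from the original article or from any provider named in it. The provider-to-region catalogue, the per-jurisdiction policy flags (a simplification of the comparison table) and the `SCC-placeholder` transfer-mechanism reference are all assumptions made for illustration.

```python
"""Pre-flight residency/consent gate for outbound requests to AI providers.

Added example; the provider catalogue and policy flags are assumptions that
simplify the article's comparison table and are not legal advice.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Assumed catalogue: the region in which each provider processes data.
# Provider names appear in the article; the region assignments are illustrative.
PROVIDER_REGION = {
    "mistral": "EU",
    "self-hosted-eu": "EU",
    "self-hosted-cn": "CN",
    "deepseek": "CN",
    "us-api": "US",          # generic US-hosted API, placeholder name
}
SELF_HOSTED = {"self-hosted-eu", "self-hosted-cn"}

# EU<->UK adequacy decision: transfers between the two need no extra mechanism.
ADEQUATE = {frozenset({"EU", "UK"})}


@dataclass(frozen=True)
class Policy:
    keep_local: bool = False                # data must never leave the region (China)
    keep_local_critical_only: bool = False  # only "critical" data must stay (India)
    needs_mechanism: bool = False           # cross-border transfer needs a documented mechanism
    honours_opt_out: bool = False           # user opt-out of "sale"/sharing blocks third parties


# Simplified per-jurisdiction policy derived from the article (an assumption).
POLICIES = {
    "EU": Policy(needs_mechanism=True),
    "UK": Policy(needs_mechanism=True),
    "US": Policy(honours_opt_out=True),     # California CCPA/CPRA applied to US users
    "CN": Policy(keep_local=True),
    "IN": Policy(keep_local_critical_only=True, needs_mechanism=True),
}


@dataclass
class Request:
    user_region: str
    provider: str
    opted_out: bool = False                     # user exercised a sharing opt-out
    critical_data: bool = False                 # payload contains "critical" personal data
    transfer_mechanism: Optional[str] = None    # e.g. "SCC-placeholder" (hypothetical reference)


AUDIT_LOG: list = []  # "document everything": one record per decision


def _evaluate(req: Request, policy: Policy) -> Tuple[bool, str]:
    dest = PROVIDER_REGION.get(req.provider)
    if dest is None:
        return False, f"unknown provider {req.provider}"
    if policy.honours_opt_out and req.opted_out and req.provider not in SELF_HOSTED:
        return False, "user opted out of sharing with third-party providers"
    leaves_region = dest != req.user_region
    if policy.keep_local and leaves_region:
        return False, "data must stay in region"
    if policy.keep_local_critical_only and req.critical_data and leaves_region:
        return False, "critical personal data must stay in region"
    cross_border = leaves_region and frozenset({dest, req.user_region}) not in ADEQUATE
    if policy.needs_mechanism and cross_border and not req.transfer_mechanism:
        return False, "cross-border transfer without a documented transfer mechanism"
    return True, "allowed"


def check_transfer(req: Request) -> Tuple[bool, str]:
    """Decide whether the request may be sent, and record the decision."""
    policy = POLICIES.get(req.user_region)
    if policy is None:
        allowed, reason = False, f"no policy configured for region {req.user_region}"
    else:
        allowed, reason = _evaluate(req, policy)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user_region": req.user_region,
        "provider": req.provider,
        "provider_region": PROVIDER_REGION.get(req.provider),
        "opted_out": req.opted_out,
        "transfer_mechanism": req.transfer_mechanism,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed, reason


if __name__ == "__main__":
    for r in (Request("EU", "mistral"),
              Request("EU", "us-api"),
              Request("CN", "mistral"),
              Request("US", "us-api", opted_out=True)):
        print(r.user_region, "->", r.provider, check_transfer(r))
```

The check denies by default on anything it does not recognise (unknown region, unknown provider), treats a self-hosted model as not "sharing" for opt-out purposes, and distinguishes a hard localisation rule from a transfer that is merely conditional on a documented mechanism. In a real deployment the policy table would be reviewed by counsel and the audit records shipped to durable storage rather than an in-memory list.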
Related: AI and GDPR for Developers · EU AI Act for Developers · Which AI APIs Are GDPR Compliant? · Self-Hosted AI for GDPR