10+ Data Regulations All API Developers Should Know About
Posted in Strategy | Art Anthony | May 7, 2025

For too long, as soon as they were able to, businesses took the following approach to gathering data: "Harvest what we can now, and figure out what we're going to do with it later." Data privacy was something of an afterthought, but that has changed. To misquote Willy Wonka, "Come with me, and we'll be in a world of data regulation."

More and more US states and other countries now have data privacy regulations in place, with plenty more in the works. Ignoring these pieces of legislation can result in public backlash, hefty fines, and potential legal action. They are not, in other words, to be taken lightly.

Attackers increasingly target APIs because they are so instrumental in the exchange of data, and many API developers are understandably concerned about being held accountable for data breaches or other failures to comply with data privacy legislation. Notable examples of such API misfires include the 2021 scraping of data on roughly 700 million LinkedIn users, pulled in part through LinkedIn's API, and a vulnerability in a Facebook API that exposed the phone numbers of more than 500 million users.

Compliance is vital not just to protect user data and avoid regulatory action but also to avoid the erosion of trust in your business. Below, we'll look at ten data privacy and security regulations that every API developer should know about. Even if they're not relevant to you right now, the pace at which data regulation is evolving means they might be soon.

1. GDPR (General Data Protection Regulation) and ePrivacy Directive

Although it wasn't the first piece of data legislation (Sweden's Data Act of 1973 already required a licence from its Data Inspection Board to keep computerized registers of personal data), GDPR was a true game-changer when it became enforceable in 2018.
GDPR sets out the lawful bases on which personal data may be collected and processed (consent is the best known, and it must be freely given, specific, informed, and unambiguous), gives individuals the right to have their data erased, and requires organizations to notify the supervisory authority of a data breach within 72 hours, and the affected individuals where the breach poses a high risk to them. If an API collects or processes the personal data of people in the EU or EEA, regardless of where you're based, GDPR applies. We've previously written extensively about what GDPR means for API developers, but the headlines are these: strict access controls (ideally a zero-trust architecture), logging and internal audits, encryption in transit and at rest, and data minimization to limit the impact of a breach.

The EU's ePrivacy Directive, aka the Cookie Law, was designed to reduce intrusive or unsolicited marketing online. If your API sets cookies or otherwise stores or reads information on users' devices, you'll need to consider consent to comply with it as well as with GDPR.

2. CCPA (California Consumer Privacy Act) and CPRA (California Privacy Rights Act)

CCPA currently applies only to fairly large businesses: those with annual gross revenue above $25 million (a threshold adjusted periodically for inflation), those that buy, sell, or share the personal information of 100,000 or more California residents or households, or those deriving 50% or more of annual revenue from selling or sharing California residents' personal information. That could change in the future. Indeed, CCPA has already been amended by CPRA to tighten restrictions on sharing data and to add a defined category of "sensitive personal information." In addition to adding mechanisms for handling deletion and opt-out requests to APIs, developers also need to ensure that sensitive data is properly flagged and handled with appropriate safeguards.

3. HIPAA (Health Insurance Portability and Accountability Act)

Some assume that HIPAA applies only to healthcare providers or public health authorities, but that isn't quite true. HIPAA binds covered entities (providers, health plans, and healthcare clearinghouses) and their business associates, so an API that creates, receives, maintains, or transmits protected health information (PHI) on a covered entity's behalf must be HIPAA compliant.
PHI can include biometric identifiers like fingerprints, although that doesn't mean every API that deals with biometric data needs to be HIPAA compliant; it is the link to a covered entity's health information that matters. It does show how cautious providers need to be when creating, sending, or receiving health data in any capacity. A fintech API that processes healthcare payments on behalf of a provider or health plan, for example, would typically be a business associate and would need to be HIPAA compliant, including following the Breach Notification Rule if something goes wrong.

4. FERPA (Family Educational Rights and Privacy Act)

Think of FERPA as the education-records equivalent of HIPAA. Health information held in a student's education record, such as notes on visits to the school nurse, is covered by FERPA rather than HIPAA. Schools can share information with healthcare providers in some circumstances, usually with written consent from a parent or eligible student, and remain compliant. While this might sound like a niche piece of legislation, API providers and consumers may need to consider it if their audience could include students or schools.

5. PSD2 (Revised Payment Services Directive)

This EU directive focuses on payments and open banking, and it is the reason many European banks expose APIs to third parties at all. If you're an API developer working with financial institutions or payment processing, it's (hopefully!) doubtful that this is the first you're hearing of PSD2, or of its planned successor PSD3. Across the EU and EEA, PSD2 mandates strong customer authentication (SCA) and secure communication for any APIs used for third-party access, with third-party providers identifying themselves using eIDAS-qualified certificates.

6. UK Open Banking Standard (And Beyond)

Similar to PSD2, the UK's Open Banking Standard requires the nine largest UK current-account providers (the CMA9) to open up certain financial data and payment capabilities to regulated third-party providers (TPPs). The requirements are set out in the CMA Order and overseen by Open Banking Limited (OBL). In the UK, open banking has significantly altered how challenger banks and established players compete.
Beyond the UK, similar open banking regimes are appearing across the globe, from Mexico's Fintech Law to Brazil's Open Finance, Australia's Consumer Data Right rules, and beyond. In the US, Section 1033 of the Dodd-Frank Act, and the CFPB's Personal Financial Data Rights rule built on it (finalized in October 2024, with its fate still being argued over), could set the precedent for open banking requirements there as well.

7. LGPD (Lei Geral de Proteção de Dados)

Brazil's LGPD (in force from September 2020, with sanctions applicable from August 2021) requires a legal basis such as consent to process personal data and broadly aligns with GDPR. Like GDPR for Europe, it applies to the data of people in Brazil regardless of where the company (or API) processing it is located. It expands GDPR's six legal bases (consent, contract, legal obligation, vital interests, public task, and legitimate interests) with others including research, judicial proceedings, protection of health, and credit protection, for ten in total. Since February 2022, Brazil's Federal Constitution has recognized data protection as a fundamental right.

8. PIPEDA (Personal Information Protection and Electronic Documents Act)

Unlike the US, where privacy regulation has primarily been handled state by state, Canada has federal coverage from PIPEDA, which applies to private-sector organizations that handle personal information in the course of commercial activities. Alberta, British Columbia, and Quebec have their own private-sector privacy laws deemed substantially similar to PIPEDA, which apply in its place to activity within those provinces. The Canadian government states that all businesses "that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA." Even when that test isn't obviously met, it's worth abiding by PIPEDA whenever you handle Canadians' personal information, wherever your company and its API(s) are based.

9. PIPL (Personal Information Protection Law)

In force in China since November 2021, PIPL sets rules for the collection, use, storage, transfer, and disclosure of personal information. Like GDPR, it emphasizes transparency, data minimization, and purpose limitation.
It protects the personal information of people located in China, regardless of where the processor is based. According to High Wire: How China Regulates Big Tech and Governs Its Economy by Angela Zhang, an authority on Chinese tech regulation, GDPR's text served as a model when PIPL was drafted. API providers hosting services in mainland China should also note that a mandatory ICP (Internet Content Provider) filing is required before those services can be served to Chinese users.

10. DPDP (Digital Personal Data Protection Act)

Passed in 2023, India's DPDP Act is in the middle of a phased rollout. At the start of 2025, draft DPDP Rules were released for public comment. Once again, much like GDPR, the text focuses on notice requirements, security safeguards, and breach notification (what the Act calls "intimation"). Any API provider or consumer handling data originating in India should be paying close attention to the draft rules, since implementation is likely to keep moving forward this year.

The Future of Data Regulation and APIs

The list above is far from exhaustive and is growing fast. Within the US, other states are adopting data protection regulations comparable to California's CCPA and CPRA. New York, for example, has the Stop Hacks and Improve Electronic Data Security Act, whose acronym, SHIELD, feels like something straight out of the first Avengers movie. Around half of US states now have privacy legislation signed, passed, or in committee, and we should reasonably expect others to follow in the coming years. Elsewhere, countries are supplementing GDPR with additional legislation (Germany's Federal Data Protection Act, the BDSG) or introducing their own measures, such as South Africa's Protection of Personal Information Act (POPIA) or the UAE's Personal Data Protection Law (Federal Decree-Law No. 45 of 2021).
If navigating data regulation is starting to sound like a minefield, especially for companies operating internationally, there is some good news: although they differ in name and scope, most of these laws aim at the same things, namely user consent or another lawful basis, purpose limitation, reasonable safeguards, and breach notification. While it's always important to consider the individual requirements of the markets you operate in, following the best practices of API development (encrypting all traffic with TLS, delegated authorization via OAuth 2.0 with narrowly scoped tokens and authentication via OpenID Connect or similar, the principle of least privilege, minimizing the data each endpoint exposes, and logging access without logging the personal data itself) will often be enough to meet compliance requirements, or at least get you most of the way there.

As we can see, however, managing data regulations is far from "set it and forget it." New legislation is introduced regularly, and staying on top of compliance should be treated as an ongoing process. Because, and it bears repeating, failing to do so can be very costly indeed.
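To make the data minimization, least privilege, and "flag sensitive data" points above concrete, here is an added example, not code from the original article or from any regulator's guidance: a scope-based response filter for a JSON API. Every field of a record carries a policy (the OAuth 2.0 scope that unlocks it and, for sensitive fields, the declared purposes that may receive it); anything without a policy is dropped, so a newly added column never leaks by default; and the audit entry written for each response names the fields released but none of their values. The field names, the scope strings ("profile:read", "contact:read", "identity:read", "health:read"), the purpose labels, the audit key, and the sample user record are all hypothetical and constructed for this example.

```python
"""Scope-based response minimization for a JSON API (illustrative example)."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Any, Iterable


@dataclass(frozen=True)
class FieldRule:
    """Policy for one field of a record."""
    scope: str                               # OAuth 2.0 scope required to receive the field
    sensitive: bool = False                  # CPRA-style "sensitive personal information"
    purposes: frozenset[str] = frozenset()   # declared purposes allowed for a sensitive field


# Hypothetical policy for a user record. A field not listed here is never
# returned, so a newly added database column cannot leak by default.
FIELD_POLICY: dict[str, FieldRule] = {
    "id": FieldRule("profile:read"),
    "display_name": FieldRule("profile:read"),
    "email": FieldRule("contact:read"),
    "phone": FieldRule("contact:read"),
    "date_of_birth": FieldRule("identity:read", sensitive=True,
                               purposes=frozenset({"age_verification", "kyc"})),
    "health_conditions": FieldRule("health:read", sensitive=True,
                                   purposes=frozenset({"care_delivery"})),
}

# Placeholder key for pseudonymizing subject ids in the audit log; in a real
# deployment load a secret from configuration instead.
AUDIT_KEY = b"replace-with-a-secret-from-config"

# Constructed sample record with fictional values.
SAMPLE_USER: dict[str, Any] = {
    "id": "u-1042",
    "display_name": "Ada",
    "email": "ada@example.com",
    "phone": "+1-555-0100",
    "date_of_birth": "1990-04-01",
    "health_conditions": ["asthma"],
    "internal_risk_score": 0.82,   # not in FIELD_POLICY, so never returned
}


def pseudonymize(subject_id: str) -> str:
    """Keyed hash of a subject id so audit entries can be correlated per
    subject without storing the identifier itself. This is pseudonymized,
    not anonymized, data under GDPR, so protect the key and the log."""
    return hmac.new(AUDIT_KEY, subject_id.encode(), hashlib.sha256).hexdigest()[:16]


def minimize(record: dict[str, Any], granted_scopes: Iterable[str],
             purpose: str | None = None) -> tuple[dict[str, Any], dict[str, Any]]:
    """Return (response_body, audit_entry) for one record.

    A field is released only if the caller holds its scope; a sensitive field
    additionally requires a declared purpose on that field's allowed list.
    The audit entry records which fields were released, never their values.
    """
    scopes = set(granted_scopes)
    response: dict[str, Any] = {}
    released_sensitive: list[str] = []
    for name, value in record.items():
        rule = FIELD_POLICY.get(name)
        if rule is None or rule.scope not in scopes:
            continue                          # default deny
        if rule.sensitive:
            if purpose is None or purpose not in rule.purposes:
                continue                      # purpose limitation
            released_sensitive.append(name)
        response[name] = value
    audit = {
        "subject": pseudonymize(str(record.get("id", ""))),
        "scopes": sorted(scopes),
        "purpose": purpose,
        "fields": sorted(response),
        "sensitive_fields": sorted(released_sensitive),
    }
    return response, audit


if __name__ == "__main__":
    for scopes, purpose in [
        (["profile:read"], None),
        (["profile:read", "health:read"], None),
        (["profile:read", "health:read"], "care_delivery"),
    ]:
        body, entry = minimize(SAMPLE_USER, scopes, purpose)
        print(json.dumps(body), "|", json.dumps(entry))
```

Two design choices are worth calling out. First, the policy is an allowlist keyed by field name, so the failure mode of "someone added a column and it showed up in the API" is closed by construction rather than by remembering to redact. Second, holding the `health:read` scope is not enough on its own: the caller must also declare a purpose the field permits, which is how purpose limitation (a GDPR, LGPD, and PIPL requirement alike) becomes something you can test rather than a line in a policy document.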