October 3, 2008 US confirmed
US (Illinois) · BIPA: the country's first law on biometric data and facial recognition
The Illinois Biometric Information Privacy Act (BIPA), enacted in October 2008, was the first US law to establish regulatory language on facial recognition and biometric data. It arose after a company collected fingerprints at cash registers and, upon going bankrupt, tried to sell that data as an asset. The law defines a biometric identifier as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, and requires written consent to collect them. Its most powerful feature is that it grants a person a private right of action, with damages of $1,000 per negligent violation and $5,000 per intentional one, which has led companies to halt or seek explicit consent for biometric use. Taking the arrival of commercial biometric technology (early 2000s) as a reference, the gap is short: Illinois regulated early and as a pioneer, though the rule only applies to private entities (not government agencies) and the US still lacks a federal biometrics law.
November 21, 2009 US confirmed
US · GINA: a federal law against genetic discrimination, before mass DNA testing
The Genetic Information Nondiscrimination Act (GINA), enacted on 21 May 2008 and in force from 21 November 2009, prohibits discrimination based on genetic information in health insurance and employment. Its sponsors called it 'the first civil rights act of the 21st century'. It protects family genetic history, genetic-test results and participation in genetic research, and bars employers and insurers from requesting or accessing that information without consent. It is a notable case in the record for two reasons: first, the US DID legislate federally (unlike its open gaps in data privacy or AI); second, it arrived relatively early: the concern was born with the advance of genetics in the 1990s and the sequencing of the human genome, before the explosion of direct-to-consumer DNA tests (23andMe and the like, mainstreamed in the 2010s). Taking the advance of genomics (1990s) as a reference, the gap is around fifteen years, but anticipating mass commercial use.
August 29, 2016 US confirmed
US · The FAA regulates commercial drones (Part 107): rules of the sky for the unmanned
The Federal Aviation Administration's (FAA) 14 CFR Part 107 rule, known as the 'Small UAS Rule', took effect on 29 August 2016 and for the first time systematically regulated commercial and government operations of drones under 25 kg in US airspace. It establishes, among other rules, keeping the drone within sight, not flying recklessly and avoiding manned aircraft, plus requiring certification of remote pilots. Taking the mainstreaming of commercial and consumer drones (around 2013, with the arrival of affordable models) as a reference, the gap until a specific federal framework is around three years: a relatively fast response, partly because drones operate in a space (the air) that is already heavily regulated, which made it easier to fit the new technology into an existing authority (the FAA). It contrasts with autonomous vehicles, which travel on roads and still lack a comprehensive federal framework.
January 1, 2020 US confirmed
US (California) · The CCPA takes effect: the country's first strong consumer-privacy law
The California Consumer Privacy Act (CCPA) took effect on 1 January 2020, partly inspired by Europe's GDPR. It gave California residents the right to access, delete and opt out of the sale of their personal data, and is the only one of its kind to establish a private right of action and a dedicated regulator (the California Privacy Protection Agency). Against a consumer-data industry that had operated in the US for over two decades without a federal privacy law (which still does not exist), California acted as a state-level substitute. By 2026, nineteen states already have comprehensive privacy laws.
November 2, 2021 US confirmed
US · OPEN GAP: autonomous vehicles on the streets without comprehensive federal regulation
This record documents another OPEN gap. Although autonomous vehicles already operate in testing and commercial services in several US cities, there is as of this date no comprehensive federal regulation of this technology. The absence of a federal framework has created a patchwork of state regulations: manufacturers and developers concentrate in states with moderate regulation such as Arizona and Florida, while other states impose different rules or none. Both the House of Representatives and the Senate have introduced bipartisan legislation to regulate the industry, without a national framework being passed. Sector analysts note the paradox: the lack of federal regulatory certainty can hinder both safety and investment. This record's date is indicative of the ongoing legislative debate; the gap will keep counting until a federal framework exists. This record will be updated.
June 25, 2024 US confirmed
US · OPEN GAP: ~25 years of mass data without a federal privacy law
This record documents a gap that remains OPEN: as of this entry's date, the United States has no comprehensive federal data-privacy law, even though the consumer-data economy has operated in the country since the late 1990s. The most ambitious legislative attempts failed: the American Data Privacy and Protection Act (ADPPA), introduced in 2022, cleared committee but did not advance in Congress; and the American Privacy Rights Act (APRA), in 2024, also stalled. In both cases the blockage came down to two persistent disagreements: preemption (whether the federal law would override stronger state laws, like California's) and the private right of action (whether citizens could sue). In the absence of a federal rule, nearly twenty states have passed their own laws, creating a fragmented regulatory patchwork. This record's date corresponds to the APRA legislative cycle (2024); the ~25-year gap will keep counting until a federal law exists. This record will be updated when, and if, that law arrives.
June 30, 2025 US confirmed
US · OPEN GAP: AI advances without a federal law; debate over halting the states
This record documents a second OPEN gap. Unlike the European Union (AI Act) or China (generative-AI measures), the United States has, as of this date, no comprehensive federal law regulating artificial intelligence. Federal action has been limited, leading several states to legislate on their own. In June 2025, the House of Representatives approved a ten-year moratorium on enforcing state laws targeting AI and automated decision-making systems; that provision was removed by the Senate in the final amendments to the budget bill, but the episode revealed an open debate: whether to halt state legislation without a national standard to fill the void. As analysts note, a pause on state laws could arrive without a national baseline to cover the gaps, a departure from the usual logic of preemption. This record's date corresponds to that mid-2025 legislative episode. The gap keeps counting; this record will be updated if a federal AI law emerges.
July 25, 2025 GB confirmed
UK · The Online Safety Act takes effect: online-safety duties ~20 years after social media
The Online Safety Act, granted Royal Assent on 26 October 2023 after seven years of passage, began effective enforcement gradually through the regulator Ofcom during 2025: the enforcement programme for illegal-content duties opened on 3 March 2025, and the child-protection codes and age-verification measures took effect on 25 July 2025. The law imposes legal responsibilities on social networks, search engines and platforms to protect users, especially minors, from illegal and harmful content, with fines of up to 10% of global turnover. Taking the birth of modern social media (mid-2000s) as a reference, the gap until a binding regulatory response on online safety is around two decades. By February 2026, Ofcom had opened more than 80 investigations into adult sites over age-verification rules.
July 2, 2014 SG confirmed
Singapore · The PDPA takes full effect: 'light-touch' data protection in Asia
The Personal Data Protection Act (PDPA), passed by Singapore's Parliament on 15 October 2012, took full effect on 2 July 2014 in its data-protection component. It regulates the collection, use and disclosure of personal data by private organizations, with extraterritorial reach, and established the 'Do Not Call' registry against telemarketing. Unlike the GDPR, it is described as a 'light-touch' regime: it offers individuals some control but without a private right of action (people complain to the data-protection commission, the PDPC). A 2020 amendment added the data-breach notification obligation. Taking the consolidation of Singapore's digital economy (late 1990s and early 2000s) as a reference, the gap until a binding data-protection framework is around fifteen years. Singapore was also an Asian pioneer with a voluntary AI-governance model.
January 22, 2026 KR confirmed
South Korea · The AI Basic Act enters into force: the world's second comprehensive AI law
The Framework Act on the Development of Artificial Intelligence and the Establishment of a Trust Foundation (AI Basic Act), passed by the National Assembly on 27 December 2024, entered into force on 22 January 2026 along with its enforcement decree. It is the world's second comprehensive AI law after the EU AI Act, and the first in Asia. It combines promotion of the AI industry with binding requirements for safety, trust and accountability, and has extraterritorial reach. The Ministry of Science and ICT (MSIT) can investigate, issue corrective orders and fines of up to 30 million won, though it granted a one-year grace period before imposing penalties. Taking ChatGPT's launch (November 2022) as a reference, the gap until entry into force is around three years, in line with the accelerated pace of AI regulation compared with other technologies.
May 28, 2025 JP confirmed
Japan · The AI Promotion Act: an 'innovation-first' approach, without strict penalties
Japan's Parliament approved the AI Promotion Act on 28 May 2025, with a deliberately different approach from Europe's: 'innovation-first', principle-based and light-touch, designed to drive adoption while shaping behavior. The law empowers the government to issue warnings but lacks strict punitive penalties, prioritizing development over rigid safety guarantees. As analysts note, 'non-punitive' does not mean 'non-serious': the model relies on reputational pressure, guidance and cooperation duties. Taking ChatGPT's launch (November 2022) as a reference, the gap is around two and a half years. Japan's case is valuable in the record because it shows that regulating early does not imply regulating harshly: it illustrates a regulatory path distinct from both the European (comprehensive and punitive) and the Chinese (control-oriented), centered on promotion.
November 13, 2025 IN confirmed
India · The DPDP Act gets going: ~800 million users under a privacy law, full by 2027
The Digital Personal Data Protection Act (DPDP Act), passed on 11 August 2023, had its operational rules notified on 13 November 2025, finally setting the timeline: the law will be fully applicable to all entities and government departments on 13 May 2027. It is India's first comprehensive digital-privacy law, with a consent-based, rights-based framework. With its notification, around 800 million internet users in India (close to 15% of the world's digital population) came under the scope of a privacy law. Taking the mainstreaming of consumer internet in India (mid-2000s, with the post-2010 mobile explosion) as a reference, the gap until a binding data-protection framework is around two decades. India also follows a sectoral regulatory model for AI rather than a single law.
December 30, 2024 EU confirmed
EU · MiCA regulates crypto-assets: binding framework ~15 years after Bitcoin
The Markets in Crypto-Assets Regulation (MiCA) became fully applicable on 30 December 2024 (provisions on asset-referenced and e-money tokens from 30 June 2024). It is the first comprehensive, harmonized regulatory framework for crypto-asset service providers in the EU, with a single authorization regime. Taking the launch of Bitcoin in January 2009 as a reference, the gap until a comprehensive, binding regulatory framework is around fifteen years, a period during which the sector grew, collapsed and grew again several times without harmonized rules.
May 25, 2018 EU confirmed
EU · GDPR becomes applicable: data protection catches up with the internet era, ~20 years later
The General Data Protection Regulation became applicable on 25 May 2018, replacing the 1995 Data Protection Directive, which had become obsolete due to the rise of the internet and new technologies. Taking the consolidation of the commercial web and the data economy in the late 1990s as a reference, the gap between the mainstreaming of mass personal-data processing and a modern, binding regulatory response is around two decades. The GDPR introduced fines of up to 4% of global turnover and became a global benchmark: more than two-thirds of countries now have data-protection laws.
November 25, 2009 EU confirmed
EU · The 'cookie law': consent for ad tracking is born in 2009
The Privacy and Electronic Communications Directive (Directive 2002/58/EC), popularly known as the 'cookie law', was adopted in 2002 and decisively amended in 2009 (Directive 2009/136/EC). That 2009 amendment introduced the prior-consent (opt-in) requirement for storing or accessing information on a user's device (except strictly necessary cookies), which triggered the proliferation of the cookie banners that today appear on virtually all of the European web. It is the rule that directly governs ad tracking and profile-building for targeted advertising. Taking the consolidation of cookie-based behavioral advertising via third-party cookies (early 2000s) as a reference, the gap until the consent requirement is around seven years. For context: its planned successor, the ePrivacy Regulation, has gone years without passing (it was withdrawn and its rules were proposed within the GDPR itself), making it a mixed case: there is a law in force, but its modernization remains pending.
August 25, 2023 EU confirmed
EU · The DSA binds the largest platforms: content accountability ~19 years after Facebook
The Digital Services Act (DSA) began applying to very large platforms and search engines (over 45 million monthly EU users) on 25 August 2023, and to other services on 17 February 2024. It imposes systemic-risk assessments, algorithmic transparency and independent audits on platforms like Facebook, YouTube, TikTok and X. Taking the birth of modern social media (Facebook, 2004) as a reference, the gap until a binding regulatory response on content moderation and systemic risks is around nineteen years. It was the first time the EU exercised structured extraterritorial regulatory power over US platforms.
March 6, 2024 EU confirmed
EU · The DMA binds the 'gatekeepers': digital competition after two decades of concentration
The Digital Markets Act (DMA) became fully applicable to 'gatekeepers' on 6 March 2024, designating 22 core platform services from six large companies. It mandates interoperability of messaging services, prohibits self-preferencing and requires consent for targeted advertising. On 25 March 2024, just weeks later, the Commission opened formal investigations into Alphabet, Apple and Meta for suspected non-compliance. Against a digital-market concentration that consolidated throughout the 2000s and 2010s, the structural antitrust response specific to platforms arrived with two decades of sector development behind it.
August 1, 2024 EU confirmed
EU · The AI Act enters into force: the world's first comprehensive AI law, ~2 years after ChatGPT
The Artificial Intelligence Act (AI Act) entered into force on 1 August 2024, as the world's first comprehensive regulatory framework for AI. Its obligations apply in phases: prohibited practices (such as social scoring) from 2 February 2025, obligations for general-purpose AI models (GPAI) from 2 August 2025, and requirements for high-risk systems from 2 August 2026, with full application in August 2027. Taking the launch of ChatGPT in November 2022, which mainstreamed generative AI, as a reference, the gap until entry into force is under two years: the shortest in this record, reflecting an unusually fast regulatory reaction to a technology that spread at unprecedented speed.
August 15, 2023 CN confirmed
China · Generative AI measures: in force almost a year before the EU AI Act
The Interim Measures for the Management of Generative Artificial Intelligence Services, issued by the CAC together with six other agencies, took effect on 15 August 2023. They were China's first comprehensive generative-AI regulation, with obligations on content moderation, training-data requirements, labeling of generated content and data protection. The comparative figure is revealing: these measures took effect on 15 August 2023, almost a year before the EU AI Act entered into force (1 August 2024). Taking ChatGPT's launch (November 2022) as a reference, the gap is under a year, comparable to or even shorter than the EU's. The final version turned out less restrictive than the draft, in an effort to balance control and innovation.
January 10, 2023 CN confirmed
China · 'Deep synthesis' rules: mandatory deepfake labeling from 2023
The Administrative Provisions on Deep Synthesis in Internet Information Services, jointly issued by the CAC, the Ministry of Industry and the Ministry of Public Security on 25 November 2022, took effect on 10 January 2023. They regulate deep-synthesis technologies (deepfakes) and require conspicuous labels on artificially generated or synthesized content, while prohibiting their use to create fake news. The timing is notable: the rule was finalized on 25 November 2022, just five days before ChatGPT's launch. Taking the emergence of accessible deepfakes (around 2017-2019) as a reference, the gap is around five years. China was among the first jurisdictions in the world to mandate labeling of synthetic content.
March 1, 2022 CN confirmed
China · Recommendation-algorithm rules: reining in the 'feed' before the West
The Administrative Provisions on Recommendation Algorithms in Internet Information Services, issued by the Cyberspace Administration of China (CAC) and three other regulators on 31 December 2021, took effect on 1 March 2022. They require operators to register their algorithms in a state registry, prohibit excessive price discrimination, and protect the rights of workers subject to algorithmic scheduling (such as delivery riders). Taking the consolidation of recommendation systems that dominate platform content (mid-2010s) as a reference, the gap until a dedicated binding regulatory response is around seven years. China acted on recommendation algorithms before any Western jurisdiction with a dedicated rule of this scope. As with all Chinese digital rules, information control and 'core socialist values' are a declared objective alongside consumer protection.
October 25, 2021 CL confirmed
Chile · Neurorights in the Constitution: the world's first country to regulate neurotechnology
In October 2021, Chile became the world's first country to incorporate 'neurorights' into its Constitution, through a reform of Article 19 (Law No. 21,383) that protects mental integrity and immunity against the advances of neurotechnologies. The initiative, driven by the Senate's Future Challenges Commission with support from Columbia University's Neurorights Initiative, seeks to give brain data a status similar to that of an organ (so it cannot be sold or manipulated) and to protect mental privacy, free will and equitable access to neurotechnology. This is the most singular case in the record because the gap is practically nil or even negative: Chile regulated a technology still in its infancy (brain-machine interfaces like Neuralink's), anticipating its mainstreaming instead of reacting late. In 2023, Chile's Supreme Court also issued the world's first ruling on 'neurodata' (the Girardi/Emotiv case). It shows that regulating before mainstreaming is possible, though it has also been debated for legislating on a still-nascent technology.
January 6, 2025 CA confirmed
Canada · OPEN GAP: its AI law (AIDA) died in Parliament without being passed
This record documents an OPEN gap with a twist: there was a serious attempt that failed. The Artificial Intelligence and Data Act (AIDA), introduced in 2022 as part of Bill C-27, sought to establish a risk-based regulatory framework for 'high-impact' AI systems. After years of passage and criticism for its lack of specificity, the bill died on 6 January 2025, when Prime Minister Justin Trudeau's resignation and the prorogation of Parliament caused all pending bills to lapse. As of this date, Canada has no general law regulating AI; the government maintains a voluntary code of conduct and provinces like Ontario are advancing their own rules. Analysts note it is unlikely Canada will pass federal AI regulation in the coming years. Taking ChatGPT's launch (November 2022) as a reference, the gap remains open and counting. This record will be updated if Canada revives and passes an AI law.
June 23, 2014 BR confirmed
Brazil · The Marco Civil da Internet: a world-pioneering 'internet constitution' (2014)
The Marco Civil da Internet (Law 12,965/2014), signed by President Dilma Rousseff on 24 April 2014 and in force from 23 June 2014, established for the first time in Brazil the rights and obligations of internet users and providers. Considered Brazil's digital 'internet constitution' or 'magna carta', it enshrined principles of free expression, net neutrality and privacy protection, and limited providers' liability for third-party content. It was driven partly by the revelations of US espionage and is regarded as one of the world's most pioneering digital-rights laws. Taking the mainstreaming of commercial internet in Brazil (late 1990s) as a reference, the gap until a digital-rights framework is around fifteen years, but its globally pioneering nature sets it apart: it arrived years before equivalent rules in most countries.
September 18, 2020 BR confirmed
Brazil · The LGPD takes effect: comprehensive data protection inspired by the GDPR
The General Data Protection Law (LGPD, Law 13,709), enacted in August 2018, took effect on 18 September 2020 (administrative sanctions from 1 August 2021). It is Brazil's first comprehensive data-protection law and broadly aligns with Europe's GDPR, regulating the processing of personal data by individuals and legal entities. Its entry into force suffered several postponements due to the Covid-19 pandemic. In February 2022, Brazil took a further step by incorporating personal-data protection as a fundamental right in its Federal Constitution. Taking the consolidation of the data economy (late 1990s) as a reference, the gap is around two decades, in line with Europe's GDPR, of which the LGPD is a conceptual heir.