Let’s NOT Make More Laws, Please.

Lots of countries have multiple privacy acts, typically sector- or issue-specific. Some define ‘privacy’ or refer to informational privacy. Some use audits for enforcement; others are complaint-based. Some legislation applies fines to violations; other legislation allows for civil or even criminal penalties. Even within a given country, different rules may apply.

Graham Greenleaf does an excellent job of tracking these each year; here’s 2023.

Read with caution, however, because this inventory includes privacy laws, not necessarily laws which have a privacy impact, e.g. identity assurance requirements, age verification, etc. Taking those into consideration, and without scientific confirmation, my guess would be that the obligations globally are triple or even quadruple that number.

The most critical difference among these laws is the mechanism that authorizes collection of personal information. There are two types of collection practices: (1) consent, or (2) notice (usually) plus authority.

Private sector companies are typically required to use a consent-based collection mechanism. If a company wants to collect, use and disclose a data subject’s personal information as defined in a given law, it must ask for consent first. The type of consent can vary: it may be written or oral, and it may be explicit or implicit.

Typically, legislation that governs Government activities operates using a notice function. This allows Government to bypass consent requirements by providing a notice of collection, which typically states: (a) what information is being collected, (b) the reason for collection, and (c) a contact person to ask questions.

See ‘Notices’ for examples, drawn from some of my own terrible personal photography.