Compliance8 min read

What Privacy Laws Apply to AI? A Practical Map

Three questions decide: who you are, where your people are, and what data you touch. A practical map of the GDPR, the EU AI Act and the US regimes.

By Pierre de ONYRI

There is no single law for AI and privacy. What applies depends on three things. Who you are. Where the people whose data you handle live. What data you touch. The GDPR covers people located in the European Union, whatever country you sit in. The UK runs a near-identical regime. The EU AI Act governs AI systems by risk tier, and it does not replace the GDPR. The United States has no general federal privacy law: a patchwork of state laws and sector statutes fills the gap. One thread runs through all of it. The less personal data you feed the AI, the fewer obligations land on you.

The three questions that decide

Before you reach for a statute, answer three questions. They almost always tell you where you stand.

  1. 1WHO are you? A company, a hospital, a school, a bank? Several US laws only bind specific kinds of organisation.
  2. 2WHERE are your people? Not your head office: the people whose data you handle. The GDPR follows the person, not the postcode.
  3. 3WHAT data do you touch? An email address, a medical file, a school record, a bank account? The category triggers the regime.

Those three answers put you on the map. The rest is detail.

EU and UK: the GDPR follows the person

The GDPR (Regulation (EU) 2016/679) does not apply by your address. It applies by reference to the people whose data you touch. Article 3 extends it to organisations based outside the EU. Two cases are enough: you offer goods or services to people in the EU, or you monitor their behaviour. So a US or UK company pasting an EU customer's details into an AI tool is in scope. The UK runs a twin regime: the UK GDPR, read together with the Data Protection Act 2018.

Whenever personal data goes into an AI tool, the same four duties bite.

  • A lawful basis (Article 6). You must be able to say why the processing is lawful.
  • Data minimisation (Article 5(1)(c)). The data must be adequate, relevant and limited to what is necessary.
  • A processing agreement (Article 28). If a vendor processes the data on your behalf, you need a written contract with binding terms.
  • Extra protection for special-category data (Article 9). Health, biometrics, religion, union membership, sex life, political opinions: prohibited by default, unless a narrow exception applies.

That is the baseline. It holds for a CRM and for a prompt pasted into a chatbot alike.

The EU AI Act: a rulebook for systems, not a privacy law

The EU AI Act (Regulation (EU) 2024/1689) is widely misread. It is not a data protection law. It regulates AI systems by risk tier: unacceptable (banned), high-risk, limited-risk (transparency), minimal. It sits alongside the GDPR rather than replacing it. You can easily fall under both at once.

Annex III lists the uses classed as high-risk. Employment and worker management are on it: recruitment, screening, evaluating candidates. So are education, credit scoring, and certain public-service and law-enforcement uses.

The obligations do not all land at once. The regulation entered into force in August 2024. The prohibited-practice rules and the AI-literacy duty applied first. General-purpose AI model obligations followed. The bulk of the high-risk regime comes later, and product-embedded systems last of all. The European Commission has publicly floated adjusting parts of the timetable. So check the current position when you read this.

United States: no single federal law

The US has no general federal privacy law. Instead, a patchwork. State laws on one side. Sector-specific federal statutes on the other. Each has a narrow, defined scope.

  • CCPA, as amended by the CPRA (California). The California Attorney General states it applies to for-profit businesses doing business in California that meet a threshold: over $25 million in gross annual revenue; buying, selling or sharing the personal information of 100,000 or more California residents or households; or deriving 50% or more of annual revenue from selling residents' personal information.
  • HIPAA (health). It binds covered entities — health plans, most health-care providers, health-care clearinghouses — and their business associates handling protected health information. An HR team or a fitness app usually is not covered.
  • COPPA (children). It covers online services directed to children under 13, or that knowingly collect personal information from them. It requires verifiable parental consent.
  • FERPA (education). It governs education records at schools and institutions receiving US Department of Education funding. AI vendors are typically bound by contract instead.
  • GLBA and the FTC's Safeguards Rule (finance). They apply to financial institutions handling customer financial information.

Californians get real rights: to know, to delete, to correct, to opt out of sale or sharing, and to limit the use of sensitive personal information. The Attorney General's page lists Social Security numbers, financial account credentials, precise geolocation, and genetic and biometric data among that sensitive category. Many other states have since passed comparable laws, and the list keeps growing.

Then add the sector regulators. Finance, health, insurance, education: each layers its own rules on top. A European bank can therefore face the GDPR, the AI Act and its banking supervisor on a single AI project.

The decision map

Who you are / what dataWhich lawWhat it mainly requires
Personal data of people located in the EU or the UKGDPR; UK GDPR + Data Protection Act 2018Lawful basis (Art. 6), minimisation (Art. 5), processing agreement (Art. 28), extra protection for special-category data (Art. 9)
Personal information of California consumers, if your business crosses a thresholdCCPA, as amended by the CPRARights to know, delete, correct, opt out of sale or sharing, and limit the use of sensitive personal information
Protected health information, if you are a covered entity or a business associateHIPAASafeguards for protected health information and contracts with business associates
Personal information from children under 13 onlineCOPPA (Federal Trade Commission)Verifiable parental consent before collection
Education records at an institution funded by the US Department of EducationFERPAThe institution controls disclosure; vendors are bound by contract
Customer financial information at a financial institutionGLBA / Safeguards Rule (FTC)A written information security programme protecting customer information
The AI system itself, used in the EUEU AI Act (Regulation (EU) 2024/1689)Duties by risk tier; Annex III uses such as recruitment are high-risk; obligations phase in over time
A reading map — each regime has a narrow scope, so always check whether you fall inside it before you conclude.
Decision map: at top, a data record in the clear (amber) passes through two gates — a diamond jurisdiction gate and a hexagonal sector gate — then fans out to five differently shaped shields standing for distinct legal regimes, with an amber alert; at bottom, the same record minimised to cobalt token chips takes a short, clean route through both gates and arrives with a checkmark.
After the GDPR and EU AI Act texts published on EUR-Lex and the California Attorney General's CCPA page.

The thread through every regime: data minimisation

One principle runs through all of these regimes. Less personal data in, less legal surface out. The GDPR makes minimisation a binding principle. The CCPA gives consumers a right to limit the use of sensitive personal information. The US sector laws only fire on identifiable, regulated categories of data.

The practical consequence is simple. Strip the identifiers before the prompt reaches the model. Most of the obligations shrink at once. The real lever is not which AI vendor you pick. It is what you give the model to read.

  1. 1Answer the three questions: who, where, what data.
  2. 2Spot the identifiers in your text before you send it.
  3. 3Replace them with reversible tokens, in the browser.
  4. 4Send only the anonymized text to the model.
  5. 5Restore the real values in the reply, locally.

That is exactly what ONYRI Sanitize is for. The engine detects sensitive data — names, emails, identifiers, health details, bank credentials — and replaces it with reversible tokens before sending. Detection and the mapping stay in your browser. Only anonymized text reaches the model. You keep the help of AI, while shrinking the legal surface each of these laws comes to measure.

Frequently asked questions

What privacy laws apply to AI?
It depends on three questions: who you are, where the people are, and what data you touch. The GDPR covers people located in the EU, whatever country you sit in; the UK runs the UK GDPR with the Data Protection Act 2018. The EU AI Act governs AI systems by risk tier, alongside the GDPR. The US has no single federal law: the CCPA, HIPAA, COPPA, FERPA and the GLBA each have a narrow scope.
Does the EU AI Act replace the GDPR?
No. The EU AI Act (Regulation (EU) 2024/1689) is not a data protection law. It regulates AI systems by risk tier: unacceptable, high-risk, limited-risk, minimal. Annex III classes recruitment, education and credit scoring as high-risk. It sits alongside the GDPR, which still applies to all personal data. Its obligations phase in over time rather than landing all at once.
Does HIPAA cover any health data I put into an AI tool?
No, and that is the most common error. HIPAA binds covered entities — health plans, most health-care providers, health-care clearinghouses — and their business associates handling protected health information. An HR team, a wellness app or a software vendor holding health data is usually not covered. Other rules may still apply, starting with the GDPR if the people are in the EU.

Sources & references

Keep your sensitive data in your browser

ONYRI Sanitize detects and masks your sensitive data before it reaches the AI, then restores the answer — from names to API keys.

Anonymize my prompt

Read next