Which regulation mandates a 72-hour timeframe for reporting data breaches?

The General Data Protection Regulation (GDPR) mandates a 72-hour timeframe for reporting data breaches. Specifically, Article 33 of the GDPR requires that data controllers notify the relevant supervisory authority of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. This requirement underscores the importance of rapid response to data breaches to mitigate potential harm to individuals and uphold their rights.

In contrast, the other regulations listed do have their own provisions for data breach notifications, but they differ significantly in their requirements or timeframes. For example, the California Privacy Rights Act (CPRA) outlines obligations for consumer rights and business responsibilities but does not specify a 72-hour reporting requirement for breaches. The Children’s Online Privacy Protection Act (COPPA) focuses on the protection of children's data but also lacks the 72-hour mandate. The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada has a requirement for timely reporting but sets different timelines and conditions for breach notifications. Each regulation has its own focus and specific requirements tailored to its jurisdiction and objectives.
