The full version of this report, available only to IAPP members, can be accessed here.

Published: January 2024

Note: This report is limited to "comprehensive" U.S. state privacy laws that had been signed into law by 31 Dec. 2023. Further info on this methodology can be found here. The IAPP's US State Privacy Legislation Tracker lists any U.S. state privacy law developments since this report was published.


Keeping pace with US state privacy legislation

Each year since the passage of the California Consumer Privacy Act, the first comprehensive state law, in 2018, the number of proposed U.S. state privacy bills has increased. The IAPP aims to keep privacy professionals informed about when states introduce comprehensive privacy bills, when those bills progress into laws, what rights they offer consumers and what obligations they require from organizations.

In 2018, two bills were introduced in the U.S. and one became law in California. In 2019, 15 bills were introduced throughout the U.S. Of the 24 bills introduced in 2020, one was enacted, this time in the form of an update to the CCPA. In 2021, two of 29 introduced bills were enacted in Virginia and Colorado. In 2022, two of 59 introduced bills became laws in Utah and Connecticut. And in 2023, seven of 54 introduced bills became laws in Delaware, Indiana, Iowa, Montana, Oregon, Tennessee and Texas.

The growth of US state privacy legislation

Understandably, balancing compliance with passed laws while keeping track of newly introduced comprehensive privacy bills can be overwhelming for privacy pros. The IAPP US State Privacy Legislation Tracker provides a quick snapshot of new bills as each state's legislative session begins. This report provides a summary of relevant terms, applicability, exemptions, consumer rights, business obligations and enforcement duties for each of the 12 passed laws to date.

Methodology

This report is limited to "comprehensive" U.S. state privacy laws that had been signed into law by 31 Dec. 2023. Bills that are sectoral, targeted at a particular industry or are use-case specific are purposely omitted. This decision necessarily excludes narrower state laws that are relevant to privacy, such as Florida's Digital Bill of Rights and Washington state's My Health, My Data Act. While both of these laws, among others, may be applicable to the work of privacy pros, they are targeted at particular types of entities or types of data. Washington state's law, for example, regulates consumer health data.

Thus, to avoid comparing metaphorical apples to oranges, the analysis presented in this report, as well as in the IAPP US State Privacy Legislation Tracker, is limited to the U.S. state privacy laws the IAPP defines as "comprehensive," which carry omnibus sets of consumer rights and business obligations and apply to broad ranges of entities.

Territorial scope

This report analyzes similarities and differences between the 12 enacted comprehensive U.S. state privacy laws. These states have continued to propose updates to the definitions, scopes and enforceability of their passed laws. As such, guidance continues to change with future amendments.

Just two states — Colorado and California — give rulemaking authority to the state attorneys general or privacy enforcement agencies. The Colorado attorney general's office released the finalized Colorado Privacy Act Rules 1 July 2023 to implement the Colorado Privacy Act. In California, the enforcement date of the new CCPA Regulations was pushed to March 2024.

Two differing approaches

So far, the U.S. has seen two different approaches to state consumer privacy laws. While California followed its own approach, the other states, at least initially, generally based their laws on a version of the yet-to-pass Washington Privacy Act. For example, California uses the term "business," whereas the other states use the term "controller" for certain entities subject to the law, which may include an individual, corporation, business trust, nonprofit, and other legal and commercial entities.

At this point, California is also the only state requiring notice at collection. The CCPA initially did not address sensitive data, but this was updated by the CPRA amendments. With the CPRA amending the CCPA, California is now the only state that gives consumers the right to limit the use and disclosure of sensitive personal information. Also, unlike the other states, California is the only one with a dedicated privacy agency, the California Privacy Protection Agency.


What's in the full report?

The full report, which is only available to IAPP members, contains sections covering the below topics:

  • Relevant definitions
  • Exemptions
  • Consumer rights
  • Business/controller obligations
  • Enforcement
