Tools and Trackers

The IAPP develops, maintains and houses a variety of tools to help members keep up with the rapid developments in privacy and their impact on business and the profession, from global privacy legislation comparisons to enforcement trackers and glossaries.

Global Comprehensive Privacy Law Mapping Chart
Comprehensive data protection laws exist across the globe. The Westin Research Center has created this chart mapping several comprehensive data protection laws, including the laws in the U.S., to assist our members in understanding how data protection is being approached around the world.

US Federal Privacy Legislation Tracker
The IAPP's "US Federal Privacy Legislation Tracker" compiles a list of privacy-related bills proposed in Congress to keep our members informed about developments within the federal privacy landscape.

US State Privacy Legislation Tracker
The IAPP’s "US State Privacy Legislation Tracker" consists of proposed and enacted comprehensive privacy bills from across the U.S. to aid our members’ efforts to stay abreast of the changing state-privacy landscape.

GDPR Genius
The “GDPR Genius” is an interactive tool that provides IAPP members with access to critical EU General Data Protection Regulation–related resources, by mapping requirements to relevant recitals, EU and member state guidance, relevant court cases, enforcement actions, and other resources and tools.

CCPA and CPRA Genius
The “CCPA and CPRA Genius” is an interactive tool that helps IAPP members navigate the CCPA and CPRA by mapping legal requirements, while providing access to critical resources, analysis, compliance guidance and more.

The IAPP “Glossary” is your go-to place to find definitions of important privacy terms.

Data Protection Authorities
The IAPP “Data Protection Authorities” directory is the most comprehensive list of DPAs we’ve ever compiled with more than 150 enforcement authorities listed. The information included consists of websites, head authorities, data protection legislation and contact info.

Global Privacy and Data Protection Enforcement Database
The IAPP’s “Global Privacy and Data Protection Enforcement Database” is a collection of enforcement actions from all over the world.

2021 Proposed Comprehensive US Privacy Legislation
This chart compares recent proposals for comprehensive federal privacy legislation.

Key Dates from US Comprehensive State Privacy Laws
The IAPP created a timeline of the key dates from the comprehensive data privacy laws in California, Virginia and Colorado. This tool is for informational purposes and is not legal advice. Particular dates and deadlines should always be verified.

Transfer Impact Assessment Templates
Organizations around the world have begun conducting transfer impact assessments. The IAPP has published a collection templates as one resource to assist privacy professionals in conducting TIAs, and welcome additional templates that can be shared with the privacy community.

Frequently Asked Questions & Resources on ‘Schrems II’
The IAPP received hundreds of questions during its five LinkedIn Live sessions on the Court of Justice of the European Union's "Schrems II" ruling. In response, the IAPP has published a frequently asked questions page to address some of these inquires.

Data Protection Officer Requirements by Country
Increasingly, privacy and data protection laws around the world require organizations to designate a data protection officer to translate legal protections into practical reality. This chart catalogues those requirements but does not include the many additional instances in which a DPO is recommended but not required.

How Defendants Are Attacking CCPA Claims
This graphic identifies some of the arguments raised by defendants seeking to avoid liability for alleged violations of the CCPA.

Comparison of Comprehensive Data Privacy Laws in Virginia, California and Colorado
The IAPP created a chart comparing the comprehensive data privacy laws in California, Virginia and Colorado. It provides an overview of each law’s requirements, highlighting their similarities and differences.

Article 49 Derogations — Summary Table with Examples
There are specific recitals that relate to the derogations in Article 49 of the GDPR, as well as detailed guidance from the EDPB. Before attempting to rely on the derogations, organizations need to be aware of these additional considerations. This table summarizes this material so readers can see at a glance the factors relevant for each derogation.

State Data Breach Notification Chart
U.S. data breach notification laws vary across all 50 states and U.S. territories. Each law must be applied to every factual scenario to determine if a notification requirement is triggered. To assist practitioners, the IAPP created a chart containing information from each state or territory’s data breach notification law concerning entities that own, control or process personal data.

CCPA-/CPRA-Related Legislation Tracker
To help keep track of all this activity, the IAPP has put together the "CCPA-/CPRA-Related Legislation Tracker." The grid includes the bill number with a link to the full bill, a brief summary of the amendment, subject, lead author, status and last legislative action.

How to Provide DPO Contact Information to Your DPA
Article 37(7) of the EU General Data Protection Regulation requires that “the controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.” But how does one go about communicating this information to relevant authority? The IAPP has compiled a list of each country’s requested DPO notification process.

Opt in or opt out? State privacy bills introduced in 2021
The IAPP published this chart that outlines the opt-in and opt-out mechanisms for U.S. state privacy bills introduced in 2021.

Summary of CPRA Contractual Obligations
The California Privacy Rights Act aims to provide a continuing level of protection for personal information as it flows from covered businesses to third parties, service providers, contractors, and even their sub-processors. This chart provides a summary of the CPRA's contractual requirements.

CCPA Litigation Overview
The IAPP developed a chart illustrating the differences among the CCPA cases being filed. The "CCPA Litigation Overview" includes the alleged conduct the plaintiff(s) claim violated the CCPA, whether a CCPA count is specifically included in the complaint and the other California statutes raised by plaintiffs.

DPA and government guidance on ‘Schrems II’
Data protection authorities and government agencies are publishing initial guidance for how to handle the post-“Schrems II” data transfer world. This IAPP Resource Center page collects together DPA and government guidance as it comes out.

Checklist: Expedited Vendor Privacy and Security Assessment
As companies, educational institutions, governments and other organizations shift to remote work environments during the COVID-19 pandemic, the need for technologies to facilitate engagement has exploded. Though not meant to serve as an exhaustive assessment for organizations, this quick-hit checklist includes key questions for privacy professionals to consider as they navigate this process.

DPA guidance on COVID-19
The IAPP has rounded up COVID-19 guidance published by DPAs to date. The guidance on this page provides information and frequently asked questions pertaining to data processing and COVID-19.

Cookie Guidance from Greece
On 25 February 2020, the Hellenic Data Protection Authority published guidance on the use of cookies (and similar technologies). The guidance reiterates the rules around consent and provides examples of cookies which fall into the consent exemptions. The cookie guidance can be found in the IAPP Resource Center in both English and Greek.

Comparison: Indian Personal Data Protection Bill 2019 vs. GDPR
This chart provides a high-level comparison between the GDPR and India’s PDPB, which includes a scale that color codes the degree of operational change from the EU regulation.

ICO, CNIL, German and Spanish DPA revised cookies guidelines: Convergence and divergence
Regulators in France, Germany, Spain and the U.K. have published new guidance on the use of cookies and similar tracking technologies. This table outlines the respective differences and similarities between guidance from the above countries.

Legal bases for processing under the GDPR
This chart offers the various legal bases for processing personal data under the GDPR and offers links the the specific recitals and articles in the law that correlate to the bases.

Approved Binding Corporate Rules
Links to some approved Binding Corporate Rules documentation.

U.S. State Data Breach Lists
Many U.S. state agencies publish lists of reported data breaches in their respective state.