Tools and Trackers

The IAPP develops, maintains and houses a variety of tools to help members keep up with the rapid developments in privacy and their impact on business and the profession, from global privacy legislation comparisons to enforcement trackers and glossaries.

Featured Tools and Trackers


US State Privacy Legislation Tracker

This tool tracks proposed comprehensive US state privacy bills from across the country.
Read More


US Federal Privacy Legislation Tracker

This tracker organizes privacy-related bills proposed in the U.S. Congress to keep our members informed of developments within the federal privacy landscape.
Read More


Key Terms for AI Governance

This glossary provides definitions and explanations for some of the most common terms related to AI governance.
Read More


Global AI Legislation Tracker

This tracker identifies AI legislative policy and related developments in a subset of jurisdictions. It is not globally comprehensive, nor does it include all AI initiatives within each jurisdiction.
Read More


International Definitions of Artificial Intelligence

This chart provides a snapshot of some of the definitions of AI from various global and sectoral (government, civil society and industry) perspectives.
Read More


Global data transfer contracts

This infographic shows the jurisdictions that have taken steps to standardize draft contractual clauses for transferring personal data internationally.
Read More

Latest Tools and Trackers

Global Privacy Law and DPA Directory
Data protection laws exist across the globe. This tool has an interactive map identifying those countries with data protection laws. Within each country’s listing, if available, you can link to a resource containing the data protection law, the data protection authority, and relevant IAPP resources.

The IAPP “Glossary” is your go-to place to find definitions of important privacy terms.

Global Privacy and Data Protection Enforcement Database
The IAPP’s “Global Privacy and Data Protection Enforcement Database” is a collection of enforcement actions from all over the world.

Top 6 operational impacts of India’s DPDPA
This six-part article series serves as a walkthrough of the most important components of India's Digital Personal Data Protection Act.

Implementing Transatlantic Transfers
This chart outlines the key changes and requirements for U.S. organizations participating in the Data Privacy Framework, and for EU organizations transferring to U.S. organizations.

Global Cross-Border Privacy Rules
This page will stay updated with the latest guidance documents and resources covering global cross-border privacy rules.

European Strategy for Data – Overview of New Regulations
This is a multipart series intended to provide privacy professionals with an overview of new EU legislation adopted since May 2022 under the European Union’s Strategy for Data.

EU-US Data Privacy Framework
This page will stay updated with the latest resources covering the long-awaited EU-U.S. Data Privacy Framework.

CCPA-/CPRA-Related Legislation Tracker
There are bills pending in the California Legislature that would amend the CCPA and/or the CPRA or otherwise impact how organizations understand or approach each law. This tracker includes the bill number and a brief summary of the proposed legislation, as well as the status and last legislative action.

European Institutions Privacy Stakeholder Map
To better understand the entities involved in EU privacy rulemaking, this chart provides an overview of the institutions, the nature of their role, the specific areas of responsibilities, and current leadership.

EU Data Initiatives in Context
This infographic provides an update on the various European Union data initiatives and draft legislation. From the EU General Data Protection Regulation to the proposed Digital Services Act and Digital Markets Act, the infographic highlights important details of these initiatives and where the most recent proposals stand.

EU decision-making at a glance: How do EU laws get approved?
This chart describes the main steps of the codecision procedure, the most common decision-making procedure among EU Institutions.

Global adequacy capabilities
This infographic shows the jurisdictions that vest powers in either the data privacy regulator or a government authority to designate other jurisdictions as having “adequate” data privacy standards.

UK data protection reform: An overview
The U.K. government introduced the Data Protection and Digital Information (No. 2) Bill. This article sets summarizes the changes in comparison to the GDPR.

US Institutions Privacy Stakeholder Map
This infographic is designed to help privacy professionals understand the myriad of entities involved in setting policy and enforcing privacy rules across the three branches of the federal system.

Key Dates of Federal Data Privacy Reform in Australia
This infographic presents a brief overview of federal privacy reform efforts in Australia and what might be expected in 2023.

Refresher: The GDPR's Six Legal Bases for Data Processing
This chart provides a refresher on the six bases for lawful processing under Article 6 of the EU General Data Protection Regulation. The chart explains the scope of the Article 6 lawful bases for processing, further considerations for determining when each applies, relevant recitals, additional IAPP guidance and resources from supervisory authorities.

The Growth of State Privacy Legislation
Since 2018, the IAPP has closely tracked privacy legislation developments in the U.S. at the state level. This resource shows the rapid growth of U.S. state-level privacy initiatives from 2018 through 2022 to provide historical context.

Key Dates from US Comprehensive State Privacy Laws
The IAPP created a timeline of key dates from the comprehensive data privacy laws in California, Colorado, Connecticut, Utah and Virginia.

Scope of the draft American Data Privacy and Protection Act
This IAPP table aims to present a high-level breakdown of the American Data Privacy and Protection Act, a federal comprehensive data privacy bill.

UK DPDI Bill: Comparative analysis with the EU GDPR and ePrivacy framework
In July 2022, the U.K. government introduced the Data Protection and Digital Information Bill. This comparative analysis considers the changes proposed by the DPDI Bill by reference to the relevant EU law provisions.

UK data protection reform: An overview
The U.K. government introduced the Data Protection and Digital Information (No. 2) Bill. This article sets summarizes the changes in comparison to the GDPR.

Global Comprehensive Privacy Law Mapping Chart
Comprehensive data protection laws exist across the globe. The Westin Research Center has created this chart mapping several comprehensive data protection laws, including the laws in the U.S., to assist our members in understanding how data protection is being approached around the world.

Data Protection Officer Requirements by Country
Increasingly, privacy and data protection laws around the world require organizations to designate a data protection officer to translate legal protections into practical reality. This chart catalogues those requirements but does not include the many additional instances in which a DPO is recommended but not required.

Privacy in M&A transactions: The playbook
Mergers and acquisitions has been central to us for a long time. Given our group emphasis on the importance of privacy in data-centric transactions, consideration of data protection and other associated issues in an M&A context is essential. However, unlike employment or IP matters, teams across the group may lack well-established precedents for how to approach privacy risks that arise in M&A. This playbook aims to address this need by consolidating our group’s experiences and learnings to date in this domain.

BIPA Legislation Introduced in 2021
The Illinois Biometric Information Privacy Act, in effect since 2008, is the first comprehensive biometric privacy statute in the United States. Over the past few years, BIPA litigation has significantly increased, revealed several enforcement challenges and given rise to numerous legislative initiatives. We will continue to monitor any further developments and update this tracker as there is new activity.

GDPR Genius
This interactive tool provides IAPP members ready access to critical EU General Data Protection Regulation resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location.

U.S. State Data Breach Lists
Many U.S. state agencies publish lists of reported data breaches in their respective state. This resource contains links to the published lists.

2021 Proposed Comprehensive US Privacy Legislation
This chart compares recent proposals for comprehensive federal privacy legislation.

Transfer Impact Assessment Templates
Organizations around the world have begun conducting transfer impact assessments. The IAPP has published a collection templates as one resource to assist privacy professionals in conducting TIAs, and welcome additional templates that can be shared with the privacy community.

DPA and government guidance on ‘Schrems II’
Data protection authorities and government agencies are publishing initial guidance for how to handle the post-“Schrems II” data transfer world. This IAPP Resource Center page collects together DPA and government guidance as it comes out.

EU Standard Contractual Clauses (Word documents)
The IAPP’s Research and Insights Team created four separate Word documents, one for each transfer scenario accommodated by the new SCCs, incorporating only the modules relevant to that scenario into each document.

How Defendants Are Attacking CCPA Claims
This graphic identifies some of the arguments raised by defendants seeking to avoid liability for alleged violations of the CCPA.

Frequently Asked Questions & Resources on ‘Schrems II’
The IAPP received hundreds of questions during its five LinkedIn Live sessions on the Court of Justice of the European Union's "Schrems II" ruling. In response, the IAPP has published a frequently asked questions page to address some of these inquires.

Article 49 Derogations — Summary Table with Examples
There are specific recitals that relate to the derogations in Article 49 of the GDPR, as well as detailed guidance from the EDPB. Before attempting to rely on the derogations, organizations need to be aware of these additional considerations. This table summarizes this material so readers can see at a glance the factors relevant for each derogation.

Opt in or opt out? State privacy bills introduced in 2021
The IAPP published this chart that outlines the opt-in and opt-out mechanisms for U.S. state privacy bills introduced in 2021.

State Data Breach Notification Chart
U.S. data breach notification laws vary across all 50 states and U.S. territories. Each law must be applied to every factual scenario to determine if a notification requirement is triggered. To assist practitioners, the IAPP created a chart containing information from each state or territory’s data breach notification law concerning entities that own, control or process personal data.

How to Provide DPO Contact Information to Your DPA
Article 37(7) of the EU General Data Protection Regulation requires that “the controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.” But how does one go about communicating this information to relevant authority? The IAPP has compiled a list of each country’s requested DPO notification process.

Summary of CPRA Contractual Obligations
The California Privacy Rights Act aims to provide a continuing level of protection for personal information as it flows from covered businesses to third parties, service providers, contractors, and even their sub-processors. This chart provides a summary of the CPRA's contractual requirements.

Approved Binding Corporate Rules
Links to some approved Binding Corporate Rules documentation.

CCPA Litigation Overview
The IAPP developed a chart illustrating the differences among the CCPA cases being filed. The "CCPA Litigation Overview" includes the alleged conduct the plaintiff(s) claim violated the CCPA, whether a CCPA count is specifically included in the complaint and the other California statutes raised by plaintiffs.

ICO, CNIL, German and Spanish DPA revised cookies guidelines: Convergence and divergence
Regulators in France, Germany, Spain and the U.K. have published guidance on the use of cookies and similar tracking technologies. This table outlines the respective differences and similarities between guidance from the above countries.

Checklist: Expedited Vendor Privacy and Security Assessment
As companies, educational institutions, governments and other organizations shift to remote work environments during the COVID-19 pandemic, the need for technologies to facilitate engagement has exploded. Though not meant to serve as an exhaustive assessment for organizations, this quick-hit checklist includes key questions for privacy professionals to consider as they navigate this process.

Cookie Guidance from Greece
On 25 February 2020, the Hellenic Data Protection Authority published guidance on the use of cookies (and similar technologies). The guidance reiterates the rules around consent and provides examples of cookies which fall into the consent exemptions.

Comparison: Indian Personal Data Protection Bill 2019 vs. GDPR
This chart provides a high-level comparison between the GDPR and India’s PDPB, which includes a scale that color codes the degree of operational change from the EU regulation.

DPO Report Template
This slide deck created by the IAPP Research and Insights team offers a customizable template for a report to organizational leadership to help Data Protection Officers show the activities of the data protection team as well as record compliance with the General Data Protection Regulation.

Sample DPO Service Agreement
The IAPP offers this sample document as a starting point for organizations considering the engagement of an external DPO.

Consumer Privacy Notice Template
This template website privacy notice, produced and maintained by Docular Limited, is designed to be customizable and can help controllers to comply with the transparency requirements of the GDPR – in both its EU and post-Brexit UK forms - in relation to personal data collected through websites. It may be used with respect to both website visitors and individuals using website-based services.

Sample Data Processing Agreement
The IAPP published this model DPA for its members to use and share.

DPO Job Description
Using information from the GDPR and Article 29 Working Party guidance, the IAPP has developed this sample DPO job description. The DPO is not a one-size-fits-all role, but the official guidance provides insight on some of the necessary components for your appointment. This description is intended to be a jumping off point for you to create one that fits the needs of your organization.