This tool tracks comprehensive US state privacy bills to help our members stay informed of the changing state privacy landscape. The tracker only includes bills intended to be comprehensive approaches to governing the use of personal information.
Last Updated: 4 November 2024
Contributor:
Navigate Tracker
State-level momentum for comprehensive privacy bills is at an all-time high. The IAPP Westin Research Center actively tracks the proposed and enacted comprehensive privacy bills from across the U.S. to help our members stay informed of the changing state privacy landscape. This information is compiled into a chart, map and a directory with information specific to states with enacted laws. The IAPP additionally hosts a "US State Privacy topic page, which regularly updates with the latest state privacy news and resources, and a US State AI Governance Legislation Tracker, which tracks US state cross-sectoral laws with direct application to the use of AI systems in the private sector.
If you are aware of a comprehensive bill absent from the tracker, please share it with us at research@iapp.org.
For more information on the IAPP's stance concerning which state privacy laws are considered comprehensive, view the text in the below dropdown.
-
expand_more
Scope of state law tracking
As state privacy legislation grows in number and complexity, questions arise with respect to those bills that occupy the fuzzy gray area between comprehensive and not — namely, Florida's Digital Bill of Rights and Washington state's My Health My Data Act.
As defined in the tracker, a bill is not considered comprehensive if "it does not qualify due to its scope, coverage, rights or purpose."
A bill is narrow in scope if it applies only to a specific set of data types, like financial or health data, or data subjects, like children. A bill is narrow in coverage if its applicability includes only a single industry, like the automotive industry, or if its thresholds apply, in practice, to only a handful of companies. A bill is narrow in rights if it is targeted at providing only one or two consumer data rights, such as deletion or correction.
For further information, this full-length article outlines the IAPP's current stance. The IAPP may adjust this position in the future in light of new information, bills, stakeholders or member feedback. The IAPP will annually reassess its position on the definition of "comprehensive" to best stay current with state legislation trends.
-
expand_more
Additional state privacy resources
Comprehensive consumer privacy bills
This chart tracks U.S. state comprehensive consumer privacy bills across the legislative process, identifying and mapping out fourteen provisions that commonly appear in comprehensive privacy laws. If a bill includes a provision, an "X" is placed in the corresponding column. The provisions are broken into two categories — consumer rights and business obligations — and are described more fully in the chart. Although many of the proposed bills will fail to become law, comparing the key provisions helps break down how privacy is developing in the U.S.
The chart only includes bills intended to be comprehensive approaches to governing the use of personal information. If a bill does not appear on the chart, it does not qualify due to its scope, coverage or rights. Industry-specific, information-specific and narrowly scoped bills, e.g., data security bills, are not included. The IAPP additionally published an article providing further details on the scope of bills included in this tracker.
Previous versions of this chart are available for 2018-19, 2020, 2021, 2022 and 2023.
State privacy law map
This map tracks the status of statutes and bills that are enacted or in the legislative process.
State privacy law directory
This section contains information specific to each state with enacted privacy laws.
-
expand_more
California -
expand_more
ColoradoComprehensive privacy law
-
expand_more
ConnecticutComprehensive privacy law
-
expand_more
DelawareComprehensive privacy law
-
expand_more
IndianaComprehensive privacy law
-
expand_more
IowaComprehensive privacy law
-
expand_more
KentuckyComprehensive privacy law
-
expand_more
MarylandComprehensive privacy law
-
expand_more
MinnesotaComprehensive privacy law
-
expand_more
MontanaComprehensive privacy law
-
expand_more
NebraskaComprehensive privacy law
-
expand_more
New HampshireComprehensive privacy law
-
expand_more
New JerseyComprehensive privacy law
-
expand_more
OregonComprehensive privacy law
-
expand_more
Rhode IslandComprehensive privacy law
-
expand_more
TennesseeComprehensive privacy law
-
expand_more
TexasComprehensive privacy law
-
expand_more
UtahComprehensive privacy law
-
expand_more
VirginiaComprehensive privacy law