US State Comprehensive Privacy Law Comparison

Image

Last Updated: January 14, 2021

State-level momentum for comprehensive privacy bills is at an all-time high. After the California Consumer Privacy Act passed in 2018, multiple states proposed similar legislation to protect consumers in their states. The IAPP Westin Research Center compiled the below list of proposed and enacted comprehensive privacy bills from across the country to aid our members' efforts to stay abreast of the changing state-privacy landscape.

Screen Shot 2017-04-14 at 3.02.11 PM

Although many of the bills included in the table will fail to become law, comparing the key provisions in each bill can be helpful in understanding how privacy is developing in the United States. Bills that are voted down or die in committee will not be immediately removed because their inclusion helps illustrate how states are thinking about privacy. We identified 16 provisions that commonly appear in comprehensive privacy statutes and placed an "x" in the corresponding column if a particular bill is included the provision. The 16 common privacy provisions are broken into two categories — consumer rights and business obligations — and are described below the table.

The table includes bills intended to be comprehensive approaches to governing the use of personal information in a state — industry-, information-specific, or narrowly scoped bills (e.g., data security bills) are not included unless they have a companion piece of legislation that collectively creates a comprehensive structure applicable to an industry central to the data-sharing economy (e.g., internet service providers or technology companies).

The Westin Research Center will periodically update this table. If you are aware of a proposed state bill (with formally introduced language) that is absent from our list, please share it with The Westin Research Center, research@iapp.org.

Explanation of select table elements

  • Legislative Process — Each state legislature has a unique legislative calendar and different legislative procedures; this set of columns generalizes those different legislative procedures into six categories:
    • Introduced — A bill has been introduced on a legislative chamber floor but has not yet moved into committee.
    • In Committee — A bill is moving through the various committees in its chamber of origin.
    • Crossed Chamber — A bill has passed a vote in its chamber of origin and moved to the opposite chamber of the legislature (e.g., a state house of representatives passed a bill and it moved to the state senate).
    • Cross Committee — A bill is moving through the various committees in its non-originating chamber.
    • Passed — Both chambers of the legislature have passed the bill.
    • Signed — The governor signed the bill and it is now law.
  • In Session — List of the state legislatures that are currently in session or only on a temporary (as compared to an extended) recess.

The 16 common privacy provisions include the following:

  • The right of access to personal information collected or shared – The right for a consumer to access from a business/data controller the information or categories of information collected about a consumer, the information or categories of information shared with third parties, or the specific third parties or categories of third parties to which the information was shared; or, some combination of similar information.
  • The right to rectification — The right for a consumer to request that incorrect or outdated personal information be corrected but not deleted.
  • The right to deletion — The right for a consumer to request deletion of personal information about the consumer under certain conditions.
  • The right to restriction of processing — The right for a consumer to restrict a business's ability to process personal information about the consumer.
  • The right to data portability — The right for a consumer to request personal information about the consumer be disclosed in a common file format.
  • The right to opt out of the sale of personal information — The right for a consumer to opt out of the sale of personal information about the consumer to third parties.
  • The right against solely automated decision making — A prohibition against a business making decisions about a consumer based solely on an automated process without human input.
  • A consumer private right of action — The right for a consumer to seek civil damages from a business for violations of a statute.
  • A strict opt-in for the sale of personal information of a consumer less than a certain age — A restriction placed on a business to treat consumers under a certain age with an opt-in default for the sale of their personal information.
  • Notice/transparency requirements — An obligation placed on a business to provide notice to consumers about certain data practices, privacy operations, and/or privacy programs.
  • Data breach notification — An obligation placed on a business to notify consumers and/or enforcement authorities about a privacy or security breach.
  • Mandated risk assessment — An obligation placed on a business to conduct formal risk assessments of privacy and/or security projects or procedures.
  • A prohibition on discrimination against a consumer for exercising a right — A prohibition against a business treating a consumer who exercises a consumer right differently than a consumer who does not exercise a right.
  • A purpose limitation — An EU General Data Protection Regulation–style restrictive structure that prohibits the collection of personal information except for a specific purpose.
  • A processing limitation — A GDPR-style restrictive structure that prohibits the processing of personal information except for a specific purpose.
  • Fiduciary duty — An obligation imposed on a business/controller to exercise the duties of care, loyalty, and confidentiality (or similar) and act in the best interest of the consumer.
Click to view

Comprehensive Privacy Law Directory by State

AK, AL, AR, AS, AZ, CA, CO, CT, DC, DE, FL, GA, HI, IA, ID, IL, IN, KS, KY, LA, MA, MD, ME, MI, MN, MO, MS, MT, NC, ND, NE, NH, NJ, NM, NV, NY, OH, OK, OR, PA, RI, SC, SD, TN, TX, UT, VA, VT, WA, WI, WV, WY

View the components of these laws and how they compare by accessing the IAPP State Comprehensive Privacy Law Comparison chart.

  Bill Died in Committee/Postponed

Statute/Bill: SB 1614 (click to view)


Statute/Bill: HB 2729 (click to view)


To view more IAPP news and resources on Arizona, click here.

  Passed Laws

Statute/Bill: AB 375/SB 1121 (click to view)
Common Name: California Consumer Privacy Act


Statute/Bill: California Privacy Rights Act (click to view)
Legislative Process: Enters into force January 2023, with a "look back" to January 2022.

To view more IAPP news and resources on California, click here.

  Other

Statute/Bill: RB 1008 (click to view)
Legislative Process: Task force submitted for comprehensive bill.

To view more IAPP news and resources on Connecticut, click here.

  Bill Died in Committee/Postponed

Statute/Bill: H 963 (click to view)

To view more IAPP news and resources on Florida, click here.

  Other

Statute/Bill: HCR 225 (click to view)
Legislative Process: Task force submitted for comprehensive bill.


  Bill Died in Committee/Postponed

Statute/Bill: SB 418 (click to view)


Statute/Bill: HB 2572 (click to view)


To view more IAPP news and resources on Hawaii, click here.

  Bill Died in Committee/Postponed

Statute/Bill: SB 2263 (click to view)
Common Name: Data Privacy Act


Statute/Bill: SB 2330 (click to view)
Common Name: Illinois Data Transparency and Privacy Act


Statute/Bill: HB 5603 (click to view)
Common Name: Consumer Privacy Act

To view more IAPP news and resources on Illinois, click here.

  Bill Died in Committee/Postponed

Statute/Bill: SF 2351 (click to view)
Common Name: Right to Be Forgotten Act

To view more IAPP news and resources on Iowa, click here.

  Other

Statute/Bill: HR 249 (click to view)
Legislative Process: Task force submitted for comprehensive bill.

To view more IAPP news and resources on Louisiana, click here.

  Passed Laws

Statute/Bill: LD 946 (click to view)
Common Name: An Act To Protect the Privacy of Online Customer Information

To view more IAPP news and resources on Maine, click here.

  Bill Died in Committee/Postponed

Statute/Bill: HB 249 (click to view)


Statute/Bill: HB 784 (click to view)
Common Name: Online Consumer Protection Act


Statute/Bill: HB 1656 (click to view)


To view more IAPP news and resources on Maryland, click here.

  Bill Died in Committee/Postponed

Statute/Bill: S 120 (click to view)

To view more IAPP news and resources on Massachusetts, click here.

  Bill Died in Committee/Postponed

Statute/Bill: HF 3936 (click to view)
Common Name: Minnesota Consumer Data Privacy Act

To view more IAPP news and resources on Minnesota, click here.

  Bill Died in Committee/Postponed

Statute/Bill: HB 1253 (click to view)
Common Name: Mississippi Consumer Privacy Act

To view more IAPP news and resources on Mississippi, click here.

  Bill Died in Committee/Postponed

Statute/Bill: LB 746 (click to view)
Common Name: Nebraska Consumer Data Privacy Act

To view more IAPP news and resources on Nebraska, click here.

  Passed Laws

Statute/Bill: SB 220/Ch. 603A (click to view)

To view more IAPP news and resources on Nevada, click here.

  Bill Died in Committee/Postponed

Statute/Bill: HB 1236 (click to view)


Statute/Bill: HB 1680 (click to view)

To view more IAPP news and resources on New Hampshire, click here.

  Bill Died in Committee/Postponed

Statute/Bill: S 2834 (click to view)
Legislative Process: Died in Committee


Statute/Bill: A 2188 (click to view)
Legislative Process: In Committee


Statute/Bill: A3255 (click to view)
Legislative Process: In Committee

To view more IAPP news and resources on New Jersey, click here.

  Bill Died in Committee/Postponed

Statute/Bill: SB 176 (click to view)
Common Name: Consumer Information Privacy Act

To view more IAPP news and resources on New Mexico, click here.

  Active Bills

Statute/Bill: A 680 (click to view)
Common Name: New York Privacy Act
Legislative Process: Introduced


Statute/Bill: SB 567
Legislative Process: Introduced


  Bill Died in Committee/Postponed

Statute/Bill: S 224 (click to view)
Common Name: Right to Know Act


Statute/Bill: S 5642 (click to view)
Common Name: New York Privacy Act

To view more IAPP news and resources on New York, click here.

  Other

Statute/Bill: HB 1485 (click to view)
Legislative Process: Task force substituted for comprehensive bill.

To view more IAPP news and resources on North Dakota, click here.

  Bill Died in Committee/Postponed

Statute/Bill: HB 1049 (click to view)
Common Name: Consumer Data Privacy Act

To view more IAPP news and resources on Pennsylvania, click here.

  Bill Died in Committee/Postponed

Statute/Bill: S 0234 (click to view)
Common Name: Consumer Privacy Protection Act

To view more IAPP news and resources on Rhode Island, click here.

  Bill Died In Committee/Postponed

Statute/Bill: H 4812 (click to view)
Common Name: South Carolina Biometric Data Privacy Act

To view more IAPP news and resources on South Carolina, click here.

  Other

Statute/Bill: HB 4390 (click to view)
Common Name: Texas Privacy Protection Act
Legislative Process: Task force substituted for comprehensive bill.


  Bill Died in Committee/Postponed

Statute/Bill: HB 4518 (click to view)
Common Name: Texas Consumer Privacy Act

To view more IAPP news and resources on Texas, click here.

  Bill Died in Committee/Postponed

Statute/Bill: HB 473 (click to view)
Common Name: Virginia Privacy Act

To view more IAPP news and resources on Virginia, click here.

  Active Bills

Statute/Bill: SB 5062 (click to view)
Common Name: Washington Privacy Act
Legislative Process: Introduced


  Bill Died in Committee/Postponed

Statute/Bill: HB 6281 (click to view)
Common Name: Washington Privacy Act


To view more IAPP news and resources on Washington, click here.

  Bill Died in Committee/Postponed

Statute/Bill: AB 870 (click to view)
Common Name: Wisconsin Data Privacy Act (I)


Statute/Bill: AB 871 (click to view)
Common Name: Wisconsin Data Privacy Act (II)


Statute/Bill: AB 872 (click to view)
Common Name: Wisconsin Data Privacy Act (III)

To view more IAPP news and resources on Wisconsin, click here.


Comprehensive Privacy Law Directory by State icons made by Freepik and mavadee  from www.flaticon.com