Last Updated: May 12, 2022
State-level momentum for comprehensive privacy bills is at an all-time high. The IAPP Westin Research Center actively tracks the proposed and enacted comprehensive privacy bills from across the United States to help our members stay informed of the changing state privacy landscape. This information is compiled into a map and a detailed chart identifying key provisions in the legislation. Please note these resources only include those bills intended to be comprehensive approaches to governing the use of personal information. Industry, information-specific, or narrowly scoped bills (e.g., data security bills) are not included.
Although many of the proposed bills will fail to become law, comparing the key provisions helps to understand how privacy is developing in the United States. The chart identifies thirteen provisions that commonly appear in comprehensive privacy laws. If a bill includes a provision, an "X" is placed in the corresponding column. The provisions are broken into two categories — consumer rights and business obligations — and are described more fully below.
The Westin Research Center will periodically update this table. If you are aware of a proposed state bill (with formally introduced language) that is absent from our list, please share it with The Westin Research Center, email@example.com. The IAPP Resource Center also hosts a "US State Privacy" topic page, which provides a curated collection of news and resources covering US state privacy developments.
The IAPP also tracks “The Growth of State Privacy Legislation” since 2018, showing the comprehensive privacy bills considered annually by state.
The US State Privacy Legislation Tracker chart contains terms regarding the legislative process, consumer rights and business obligations. To better understand these terms and how IAPP is using them in the chart, see below.
Each state legislature has a unique legislative calendar and different legislative procedures. This set of columns generalizes those different legislative procedures into six categories:
Introduced — A bill has been introduced on a legislative chamber floor but has not yet moved into committee.
In Committee — A bill is moving through the various committees in its chamber of origin.
In Cross Chamber — A bill has passed a vote in its chamber of origin and moved to the opposite chamber of the legislature (e.g., a state house of representatives passed a bill and it moved to the state senate).
In Cross Committee — A bill is moving through the various committees in its non-originating chamber.
Passed — Both chambers of the legislature have passed the bill.
Signed — The governor signed the bill and it is now law.
Right of access — The right for a consumer to access from a business/data controller the information or categories of information collected about a consumer, the information or categories of information shared with third parties, or the specific third parties or categories of third parties to which the information was shared; or, some combination of similar information.
Right of rectification — The right for a consumer to request that incorrect or outdated personal information be corrected but not deleted.
Right of deletion — The right for a consumer to request deletion of personal information about the consumer under certain conditions.
Right of restriction — The right for a consumer to restrict a business's ability to process personal information about the consumer.
Right of portability — The right for a consumer to request personal information about the consumer be disclosed in a common file format.
Right to opt-out of sales — The right for a consumer to opt out of the sale of personal information about the consumer to third parties.
Right against automated decision making — A prohibition against a business making decisions about a consumer based solely on an automated process without human input.
Private right of action — The right for a consumer to seek civil damages from a business for violations of a statute.
Opt-in default (requirement age) — A restriction placed on a business to treat consumers under a certain age with an opt-in default for the sale of their personal information.
Notice/transparency requirement — An obligation placed on a business to provide notice to consumers about certain data practices, privacy operations, and/or privacy programs.
Risk assessments — An obligation placed on a business to conduct formal risk assessments of privacy and/or security projects or procedures.
Prohibition on discrimination (exercising rights) — A prohibition against a business treating a consumer who exercises a consumer right differently than a consumer who does not exercise a right.
Purpose/processing limitation — An EU General Data Protection Regulation–style restrictive structure that prohibits the collection/processing of personal information except for a specific purpose.