Last Updated: 8 April 2024View ChartView MapView Enacted Laws

State-level momentum for comprehensive privacy bills is at an all-time high. The IAPP Westin Research Center actively tracks the proposed and enacted comprehensive privacy bills from across the U.S. to help our members stay informed of the changing state privacy landscape. This information is compiled into a map, a detailed chart identifying key provisions in the legislation, and links to enacted state comprehensive privacy laws.

Click To View Chart

Although many of the proposed bills will fail to become law, comparing the key provisions helps break down how privacy is developing in the U.S. The chart identifies fourteen provisions that commonly appear in comprehensive privacy laws. If a bill includes a provision, an "X" is placed in the corresponding column. The provisions are broken into two categories — consumer rights and business obligations — and are described more fully in the chart.

The Westin Research Center periodically updates this table, and previous versions are available for 2018-19, 2020, 2021, 2022 and 2023. If you are aware of a comprehensive bill absent from the tracker, please share it with us at

Please note: This tracker only includes bills intended to be comprehensive approaches to governing the use of personal information. If a bill does not appear on the tracker, it does not qualify due to its scope, coverage, or rights. Industry-specific, information-specific and narrowly scoped bills, e.g., data security bills, are not included. For more information on which bills the IAPP includes in the tracker, please see "Defining 'comprehensive': Florida, Washington and the scope of state tracking."

Enacted State Comprehensive Privacy Laws

Only includes laws with comprehensive approaches to governing the use of personal information.


California Consumer Privacy Act
(effective 1 Jan 2020)

As amended by the:

California Privacy Rights Act
(effective 1 Jan 2023)


Colorado Privacy Act
(effective 1 July 2023)


Delaware Personal
Data Privacy Act

(effective 1 Jan. 2025)


Indiana Consumer
Data Protection Act

(effective 1 Jan. 2026)


Iowa Consumer
Data Protection Act

(effective 1 Jan. 2025)


Kentucky Consumer
Data Protection Act

(effective 1 Jan. 2026)


Montana Consumer
Data Privacy Act

(effective 1 Oct. 2024)

New Hampshire

SB 255
(effective 1 Jan. 2025)

New Jersey

SB 332
(effective 15 Jan. 2025)


Oregon Consumer
Privacy Act

(effective 1 July 2024)


Tennessee Information
Protection Act

(effective 1 July 2025)


Texas Data Privacy
and Security Act

(effective 1 July 2024)


Utah Consumer Privacy Act
(effective 31 Dec. 2023)


Virginia Consumer
Data Protection Act

(effective 1 Jan. 2023)