Last Updated: 8 December 2023View ChartView MapView Enacted Laws

State-level momentum for comprehensive privacy bills is at an all-time high. The IAPP Westin Research Center actively tracks the proposed and enacted comprehensive privacy bills from across the U.S. to help our members stay informed of the changing state privacy landscape. This information is compiled into a map, a detailed chart identifying key provisions in the legislation, and links to enacted state comprehensive privacy laws.

Click To View Chart

Although many of the proposed bills will fail to become law, comparing the key provisions helps break down how privacy is developing in the U.S. The chart identifies fourteen provisions that commonly appear in comprehensive privacy laws. If a bill includes a provision, an "X" is placed in the corresponding column. The provisions are broken into two categories — consumer rights and business obligations — and are described more fully in the chart.

The IAPP additionally published a 2022 state privacy legislation wrap-up infographic titled "Privacy Matters in the US States."

Please note: This tracker only includes bills intended to be comprehensive approaches to governing the use of personal information. If a bill does not appear on the tracker, it does not qualify due to its scope, coverage, rights or purpose. Industry-specific, information-specific and narrowly scoped bills, e.g., data security bills, are not included.

The Westin Research Center periodically updates this table, and previous versions are available for 2018-19, 2020, 2021 and 2022. If you are aware of a comprehensive bill absent from the tracker, please share it with us at

Enacted State Comprehensive Privacy Laws

Only includes laws with comprehensive approaches to governing the use of personal information.


California Consumer Privacy Act
(effective 1 Jan 2020)

As amended by the:

California Privacy Rights Act
(effective 1 Jan 2023)


Colorado Privacy Act
(effective 1 July 2023)


Delaware Personal
Data Privacy Act

(effective 1 Jan. 2025)


Indiana Consumer
Data Protection Act

(effective 1 Jan. 2026)


Iowa Consumer
Data Protection Act

(effective 1 Jan. 2025)


Montana Consumer
Data Privacy Act

(effective 1 Oct. 2024)


Oregon Consumer
Privacy Act

(effective 1 July 2024)


Tennessee Information
Protection Act

(effective 1 July 2025)


Texas Data Privacy
and Security Act

(effective 1 July 2024)


Utah Consumer Privacy Act
(effective 31 Dec. 2023)


Virginia Consumer
Data Protection Act

(effective 1 Jan. 2023)