Last Updated: 19 May 2023View ChartView MapView Enacted Laws

State-level momentum for comprehensive privacy bills is at an all-time high. The IAPP Westin Research Center actively tracks the proposed and enacted comprehensive privacy bills from across the United States to help our members stay informed of the changing state privacy landscape. This information is compiled into a map, a detailed chart identifying key provisions in the legislation, and links to enacted state comprehensive privacy laws. Please note these resources only include those bills intended to be comprehensive approaches to governing the use of personal information. Industry, information-specific, or narrowly scoped bills (e.g., data security bills) are not included.

Click To View Chart

Although many of the proposed bills will fail to become law, comparing the key provisions helps to understand how privacy is developing in the United States. The chart identifies thirteen provisions that commonly appear in comprehensive privacy laws. If a bill includes a provision, an "X" is placed in the corresponding column. The provisions are broken into two categories — consumer rights and business obligations — and are described more fully in the chart.

The IAPP additionally published a 2022 state privacy legislation wrap-up infographic titled "Privacy Matters in the US States."

The Westin Research Center will periodically update this table, and previous versions are available for 2018-19, 2020, 2021 and 2022. If you are aware of a proposed state bill (with formally introduced language) that is absent from our list, please share it with us at research@iapp.org.

Additional IAPP State Privacy Resources



Enacted State Comprehensive Privacy Laws

Only includes laws with comprehensive approaches to governing the use of personal information.

California

California Consumer Privacy Act
(effective 1 Jan 2020)

As amended by the:

California Privacy Rights Act
(effective 1 Jan 2023)

Colorado

Colorado Privacy Act
(effective 1 July 2023)

Iowa

Iowa Consumer
Data Protection Act

(effective 1 Jan. 2025)

Tennessee

Tennessee Information Protection Act
(effective 1 July 2024)

Utah

Utah Consumer Privacy Act
(effective 31 Dec. 2023)

Virginia

Virginia Consumer
Data Protection Act

(effective 1 Jan. 2023)