IAPP Reports and Research Articles

Global AI Governance Law and Policy: India


IAPP Summer Reading List 2025


Emerging trends, insights from public enforcement of US state privacy laws


Global AI law and policy trends update


New threads in the patchwork: Key trends in US comprehensive state privacy law amendments


The final days of grace: Preparing for the U.S. sensitive data rule


Digital risk: Nothing ventured, nothing gained


The ethical use of AI in advertising


How different jurisdictions approach AI regulatory sandboxes


Compliance technology adoption: Navigating and overcoming challenges


Policy analysis: US House committee seeks moratorium on state AI rules


The increasing need to address digital governance


TAKE IT DOWN Act: The next bipartisan US federal privacy, AI law


New developments in global adequacy capabilities


US Data Privacy Litigation: Litigating accountability through shareholder action


US Data Privacy Litigation: Data brokers and judicial privacy litigation


Benchmarking salary for digital responsibility


US Data Privacy Litigation: Biometrics and consumer health data litigation


US Data Privacy Litigation: Security breach litigation


Peering through the US state privacy law kaleidoscope


US Data Privacy Litigation: Website tracking litigation


US Data Privacy Litigation: Breach of contract and warranties litigation


Data protection and privacy laws now in effect in 144 countries


Adtech 2024: A look back


IAPP Global Legislative Predictions 2025


Biden’s final order on cybersecurity represents evolution, not revolution


HHS proposes major overhaul of HIPAA security rule


How 119th US Congress committee leadership could shape digital policy


Free speech battles and age-appropriate balance: Maryland and Connecticut try again for youth safety rules


Ghost jobs: The phantom hiring trend with data privacy implications


New laws in California look to the future of privacy and AI


Tracking evolving policy paradigms in a hallmark year for AI governance


Top 10 operational impacts of the EU AI Act – Leveraging GDPR compliance


Council of Europe’s Framework Convention on AI and its global implications


Top operational impacts of reforms to the Australian Privacy Act


OMB seeks input on policies for commercially available data and AI


Top 10 operational impacts of the EU AI Act – Regulatory implementation and application alongside EU digital strategy


FTC adds right to delete to cybersecurity settlement


Top 10 operational impacts of the EU AI Act – Post-market monitoring, information sharing, and enforcement


Workplace privacy in US laws and policies


Scrutiny continues as the AI Act reaches implementation


The FCC issues cybersecurity model for the mobile telecommunications industry


AI and digital governance: Exploring platform liability laws in the EU


Top 10 operational impacts of the EU AI Act – AI Assurance across the risk categories


Cybersecurity and the cloud: Lessons from FCC cloud breach enforcement


AI and digital governance: Platform liability laws in the US


The DNA of privacy and the privacy of DNA


Top 10 operational impacts of the EU AI Act – Governance: EU and national stakeholders


Top 10 operational impacts of the EU AI Act – Obligations for general-purpose AI models


Top 10 operational impacts of India’s DPDPA – Data breaches


Implementing kids’ privacy protections around the world


Top 10 operational impacts of the EU AI Act – Obligations on nonproviders of high-risk AI systems


Precision nutrition and biometric privacy in health tech


Top 10 operational impacts of India’s DPDPA – Data protection impact assessments


Top 10 operational impacts of the EU AI Act – Obligations on providers of high-risk AI systems


Top 10 operational impacts of India’s DPDPA – Data audits for significant fiduciaries


Top 10 operational impacts of the EU AI Act – Understanding and assessing risk


AI and digital governance: Exploring platform liability


Top 10 operational impacts of the EU AI Act – Subject matter, definitions, key actors and scope


Top 10 operational impacts of India’s DPDPA – Consent management


Global AI Governance Law and Policy: Canada


Ceiling or floor? State law preemption and preservation in U.S. federal privacy bills


Connected Cars: The legislative environment, potential reform and privacy issues


Understanding ‘sensitive covered data’ under the APRA discussion draft


How privacy and data protection laws apply to AI: Guidance from global DPAs


Global AI Governance Law and Policy: EU


Pay, OK or a third way: Context, analysis from the EDPB’s opinion


US state AI governance bills: Reflecting on the 2024 cycle with a new resource


The Colorado AI Act: What you need to know


The 2024 IAPP Governance Survey: What the data can show on AI


Private Rights of Action in US Privacy Legislation


Pursuit of app-iness: the legal considerations of SDKs


The American Privacy Rights Act’s definition of covered data


FTC enforcement trends: From straightforward actions to technical allegations


Luminos.AI wants to take on AI management woes


Global AI Governance Law and Policy: US


FISA Section 702’s Reauthorization Era


Major trends in US cybersecurity law and policy


Top takeaways from the draft American Privacy Rights Act


IAPP launches 2024 Governance Survey


EU elections explainer: Heading into the next term, reading the smoke signals


Global AI Governance Law and Policy: UK


EU elections explainer: 2024, a transition year into EU leadership overhaul


Checking in on proposed California privacy and AI legislation


OECD privacy, AI leaders come together to bridge gaps


Identifying global privacy laws, relevant DPAs


A new era of US privacy policy? National security restrictions on personal data transactions


Defining ‘comprehensive’: Florida, Washington and the scope of state tracking


Consumer Perspectives of Privacy and Artificial Intelligence


Opting In-n-Out: Five key analyses for adtech privacy law compliance


Amending Australia’s Privacy Act: Small businesses, bigger responsibilities


The truth about privacy: The FTC’s stance on accuracy as a privacy interest


Meta’s new digs: A deep dive into practical considerations of consent


Biased AI systems face the music: Analyzing the FTC’s Rite Aid enforcement


US federal AI governance: Laws, policies and strategies


UK GDPR reforms move forward in UK Parliament


Implications of the AI executive order for business


California privacy: 2022-23 legislative wrap-up


CPPA’s draft automated decision-making rules unpacked


Children’s privacy laws and freedom of expression: Lessons from the UK Age-Appropriate Design Code


Training AI on personal data scraped from the web


Data without borders: EU e-Evidence package facilitates access to private data across jurisdictions


Top 10 operational impacts of India’s DPDPA – Comparative analysis with the EU General Data Protection Regulation and other major data privacy laws


Top 10 operational impacts of India’s DPDPA – Cross-border data transfers


Bipartisan consensus in US privacy lawmaking


Top 10 operational impacts of India’s DPDPA – Enforcement and the Data Protection Board


The CPPA’s upcoming rulemaking process


Top 10 operational impacts of India’s DPDPA – Obligations of data processing entities


Top 10 operational impacts of India’s DPDPA – Individual rights


The Kids Are All Rights: The Conflict between Free Speech and Youth Privacy Laws


UK-US Data Bridge becomes law, takes effect 12 Oct.


Top 10 operational impacts of India’s DPDPA – Scope, key definitions and lawful data processing


EU-US data adequacy litigation begins


Contentious areas in the EU AI Act trilogues


5 things to know about AI model cards


Addressing the duty of care in state privacy laws


AI regulatory enforcement around the world


Regulators’ rulebook for AI: Bit by bit


U.S. privacy legislation in 2023: Something old, something new?


The half-baked future of cookies and other tracking technologies


Privacy governance: A problem solved or an ongoing challenge?


The Snowden disclosures, 10 years on


What dancing taught me about privacy in the metaverse


What’s harm got to do with it?


A practical comparison of the EU, China and ASEAN standard contractual clauses


The Atlantic Declaration: Data bridges, privacy and AI


A trans-Atlantic comparison of a real struggle: Anonymized, deidentified or aggregated?


Ireland DPC’s data transfers decision: Pragmatic punch or knockout blow?


Aspiring privacy professionals compete in moot court


Indiana governor signs a comprehensive privacy act into law


Washington’s My Health, My Data Act


How should mobile apps prepare for California’s privacy scrutiny?


The latest in homomorphic encryption: A game-changer shaping up


Going back to basics for the EDPB’s year of the DPO


Iowa becomes sixth US state to enact comprehensive consumer privacy legislation


Filling the void? The 2023 state privacy laws and consumer health data


Generative AI: Privacy and tech perspectives


Standardization landscape for privacy: Part 3 — W3C and IEEE


Most consumers want data privacy and will act to defend it


California legislative wrap-up: CCPA amendments, children’s privacy and more


CNIL’s Secretary General rolls out plans for 2023 at DPI France


Top ten takeaways from the draft UK GDPR reform


Federated learning: Supporting data minimization in AI


The process behind the EDPB’s coordinated enforcement framework


Practical considerations from EU enforcement: One-stop shop


A healthy dose of consent: Takeaways from the FTC’s GoodRx case


Practical considerations from EU enforcement: legal bases and transparency


Cheering emerging PETs: Global privacy tech support on the rise


What the DPC-Meta decision tells us about the EU GDPR dispute resolution mechanism


Takeaways from Epic Games settlement: Teen privacy arrives at the FTC




Top 10 operational impacts of India’s DPDPA


Standardization landscape for privacy


State Attorneys General on privacy, cybersecurity, enforcement and legislation


Top 5 Operational Impacts of China’s PIPL


Top 10 operational impacts of the CPRA


Top 5 operational impacts of Brazil’s LGPD


Guidance notes for responding to ‘Schrems II’


How to Build a Culture of Privacy


Top 5 Operational Impacts of the California Consumer Privacy Act


Countdown to GDPR


Outsourcing your DPO


Top 10 operational responses to the GDPR


On Monetizing Personal Information


How I Got My Start in Privacy


Benchmarking your Privacy Incident Management Program


The General Data Protection Regulation Matchup Series


How to Shop Smart for Cyberinsurance


Incident Response series


The Economics of Cybercrime


The Ransomware Epidemic


Building a Program that Provides Value


For a Successful Privacy Program, Use these Three A’s


How the C-Suite Should Talk About Cybersecurity


Starting up privacy at a start-up


Monitoring Your Privacy Program


Third-Party Vendor Management Means Managing Your Own Risk


Ten Steps to a Quality Privacy Program




The Rise of Prescriptive Technical Safeguards in FTC Settlements


Self-sovereign identity as future privacy by design solution in digital identity?


Negotiating privacy: Bipartisan agreement on US privacy rights in the 117th Congress


Privacy as a competitive differentiator: Building an effective and strategic healthcare privacy program


Privacy Leaders’ Views – The Impact of COVID-19 on Privacy Priorities, Practices and Programs


The Skill Set Technologists Need to Implement a Privacy Risk Management Framework


An Overview of US Surveillance in Light of “Schrems II”


The Skill Set Needed to Implement the NIST Privacy Framework


Privacy Risks to Individuals in the Wake of COVID-19


Assessing the Right to Personal Data Portability in Mexico


DPAs on the Ground


COPRA and CDPA: Similarities, Gray Areas and Differences


Negotiating with Service Providers and Third Parties under CCPA


Privacy 2030: A New Vision for Europe


The Skill Set Needed to Implement a Global Privacy Standard: ISO/IEC 27701 alignment with IAPP CIPM and CIPP/E certifications


5 Steps You Must Take to Prepare for the CCPA


CCPA Compliance Operation: Delivering Data Access via Accounts


Timelines and budgets for GDPR compliance: A meta-analysis


Consensus and Controversy in the Debate Over US Federal Data Privacy Legislation


Talking Tech for Privacy Pros


Building Ethics into Privacy Frameworks for Big Data and AI


Applying the Positive-Sum Principle for Successful Privacy by Design Outcomes


6 Ways Privacy Awareness Training Will Transform Your Staff


Five Lessons I Learned Transitioning from Security to Privacy


Getting Started with Privacy in Canada


Must-Have Privacy Training Features for Your Team


Privacy and Data Security is for Everyone


They Did What? Top Privacy Mistakes To Watch Out For (and How To Avoid Them)


Some Privacy Practices May Result in Under-Reporting of Breach Incidents


What the GDPR Requires of and Leaves to the Member States


Consent for the Collection, Use, and/or Disclosure of Children’s Personal Information


Bridging ISO 27001 to GDPR


How DPA Budget and Staffing Levels Mirror National Differences in GDP and Population


How Privacy Awareness Builds Trust


IAPP Privacy 101 White Paper Series


The UX Guide to Getting Consent


Check or Mate? Strategic Privacy by Design


The legal risks for the DPO


Applying VPPA to Online Video Privacy


Assessing Mobile App Data Privacy Risk


From Here to DPO: Building a Data Protection Officer


Getting to the ROI of Privacy


Preparing for the GDPR: DPOs, PIAs, and Data Mapping


The Risk-Based Approach in the GDPR: Interpretation and Implications


Top 45 Security and Privacy Blind Spots


Privacy, Security and Practical Considerations for Developing or Enhancing a BYOD Program


Managing Your Data Breach


Privacy 101 for SMEs: The Best Defense is a Good Offense


Privacy Policies: How To Communicate Effectively with Consumers


A Call for Agility: The Next-Generation Privacy Professional



