Resource Center / Reports and Research Articles
IAPP Reports and Research Articles
TOPIC PAGE
This page hosts a collection of reports, research articles, article series and white papers published by the IAPP.
Navigate Page
IAPP Reports and Research Articles
Reports
AI Governance in Practice Report 2024
IAPP-EY Professionalizing Organizational AI Governance Report
2023 IAPP Privacy Professionals Salary Survey
IAPP Privacy and Consumer Trust Report
Privacy and AI Governance Report
IAPP Privacy Tech Vendor Report
Privacy in M&A transactions: The playbook
Privacy in the Wake of COVID-19
Benefits, Attributes and Habits of Mature Privacy and Data Protection Programs
How Privacy Tech Is Bought and Deployed
Getting to GDPR Compliance: Risk Evaluation and Strategies for Mitigation
The Market for Data Privacy Legal Services
How IT and Infosec Value Privacy
The Top 10 Operational Impacts of the EU’s General Data Protection Regulation
View More
Research Articles
Global AI Governance Law and Policy: India
Emerging trends, insights from public enforcement of US state privacy laws
Global AI law and policy trends update
New threads in the patchwork: Key trends in US comprehensive state privacy law amendments
The final days of grace: Preparing for the U.S. sensitive data rule
Digital risk: Nothing ventured, nothing gained
The ethical use of AI in advertising
How different jurisdictions approach AI regulatory sandboxes
Compliance technology adoption: Navigating and overcoming challenges
Policy analysis: US House committee seeks moratorium on state AI rules
The increasing need to address digital governance
TAKE IT DOWN Act: The next bipartisan US federal privacy, AI law
New developments in global adequacy capabilities
US Data Privacy Litigation: Litigating accountability through shareholder action
US Data Privacy Litigation: Data brokers and judicial privacy litigation
Benchmarking salary for digital responsibility
US Data Privacy Litigation: Biometrics and consumer health data litigation
US Data Privacy Litigation: Security breach litigation
Peering through the US state privacy law kaleidoscope
US Data Privacy Litigation: Website tracking litigation
US Data Privacy Litigation: Breach of contract and warranties litigation
Data protection and privacy laws now in effect in 144 countries
IAPP Global Legislative Predictions 2025
Biden’s final order on cybersecurity represents evolution, not revolution
HHS proposes major overhaul of HIPAA security rule
How 119th US Congress committee leadership could shape digital policy
Ghost jobs: The phantom hiring trend with data privacy implications
New laws in California look to the future of privacy and AI
Tracking evolving policy paradigms in a hallmark year for AI governance
Top 10 operational impacts of the EU AI Act – Leveraging GDPR compliance
Council of Europe’s Framework Convention on AI and its global implications
Top operational impacts of reforms to the Australian Privacy Act
OMB seeks input on policies for commercially available data and AI
FTC adds right to delete to cybersecurity settlement
Workplace privacy in US laws and policies
Scrutiny continues as the AI Act reaches implementation
The FCC issues cybersecurity model for the mobile telecommunications industry
AI and digital governance: Exploring platform liability laws in the EU
Top 10 operational impacts of the EU AI Act – AI Assurance across the risk categories
Cybersecurity and the cloud: Lessons from FCC cloud breach enforcement
AI and digital governance: Platform liability laws in the US
The DNA of privacy and the privacy of DNA
Top 10 operational impacts of the EU AI Act – Governance: EU and national stakeholders
Top 10 operational impacts of the EU AI Act – Obligations for general-purpose AI models
Top 10 operational impacts of India’s DPDPA – Data breaches
Implementing kids’ privacy protections around the world
Top 10 operational impacts of the EU AI Act – Obligations on nonproviders of high-risk AI systems
Precision nutrition and biometric privacy in health tech
Top 10 operational impacts of India’s DPDPA – Data protection impact assessments
Top 10 operational impacts of the EU AI Act – Obligations on providers of high-risk AI systems
Top 10 operational impacts of India’s DPDPA – Data audits for significant fiduciaries
Top 10 operational impacts of the EU AI Act – Understanding and assessing risk
AI and digital governance: Exploring platform liability
Top 10 operational impacts of the EU AI Act – Subject matter, definitions, key actors and scope
Top 10 operational impacts of India’s DPDPA – Consent management
Global AI Governance Law and Policy: Canada
Ceiling or floor? State law preemption and preservation in U.S. federal privacy bills
Connected Cars: The legislative environment, potential reform and privacy issues
Understanding ‘sensitive covered data’ under the APRA discussion draft
How privacy and data protection laws apply to AI: Guidance from global DPAs
Global AI Governance Law and Policy: EU
Pay, OK or a third way: Context, analysis from the EDPB’s opinion
US state AI governance bills: Reflecting on the 2024 cycle with a new resource
The Colorado AI Act: What you need to know
The 2024 IAPP Governance Survey: What the data can show on AI
Private Rights of Action in US Privacy Legislation
Pursuit of app-iness: the legal considerations of SDKs
The American Privacy Rights Act’s definition of covered data
FTC enforcement trends: From straightforward actions to technical allegations
Luminos.AI wants to take on AI management woes
Global AI Governance Law and Policy: US
FISA Section 702’s Reauthorization Era
Major trends in US cybersecurity law and policy
Top takeaways from the draft American Privacy Rights Act
IAPP launches 2024 Governance Survey
EU elections explainer: Heading into the next term, reading the smoke signals
Global AI Governance Law and Policy: UK
EU elections explainer: 2024, a transition year into EU leadership overhaul
Checking in on proposed California privacy and AI legislation
OECD privacy, AI leaders come together to bridge gaps
Identifying global privacy laws, relevant DPAs
A new era of US privacy policy? National security restrictions on personal data transactions
Defining ‘comprehensive’: Florida, Washington and the scope of state tracking
Consumer Perspectives of Privacy and Artificial Intelligence
Opting In-n-Out: Five key analyses for adtech privacy law compliance
Amending Australia’s Privacy Act: Small businesses, bigger responsibilities
The truth about privacy: The FTC’s stance on accuracy as a privacy interest
Meta’s new digs: A deep dive into practical considerations of consent
Biased AI systems face the music: Analyzing the FTC’s Rite Aid enforcement
US federal AI governance: Laws, policies and strategies
UK GDPR reforms move forward in UK Parliament
Implications of the AI executive order for business
California privacy: 2022-23 legislative wrap-up
CPPA’s draft automated decision-making rules unpacked
Children’s privacy laws and freedom of expression: Lessons from the UK Age-Appropriate Design Code
Training AI on personal data scraped from the web
Data without borders: EU e-Evidence package facilitates access to private data across jurisdictions
Top 10 operational impacts of India’s DPDPA – Cross-border data transfers
Bipartisan consensus in US privacy lawmaking
Top 10 operational impacts of India’s DPDPA – Enforcement and the Data Protection Board
The CPPA’s upcoming rulemaking process
Top 10 operational impacts of India’s DPDPA – Obligations of data processing entities
Top 10 operational impacts of India’s DPDPA – Individual rights
The Kids Are All Rights: The Conflict between Free Speech and Youth Privacy Laws
UK-US Data Bridge becomes law, takes effect 12 Oct.
Top 10 operational impacts of India’s DPDPA – Scope, key definitions and lawful data processing
EU-US data adequacy litigation begins
Contentious areas in the EU AI Act trilogues
5 things to know about AI model cards
Addressing the duty of care in state privacy laws
AI regulatory enforcement around the world
Regulators’ rulebook for AI: Bit by bit
U.S. privacy legislation in 2023: Something old, something new?
The half-baked future of cookies and other tracking technologies
Privacy governance: A problem solved or an ongoing challenge?
The Snowden disclosures, 10 years on
What dancing taught me about privacy in the metaverse
What’s harm got to do with it?
A practical comparison of the EU, China and ASEAN standard contractual clauses
The Atlantic Declaration: Data bridges, privacy and AI
A trans-Atlantic comparison of a real struggle: Anonymized, deidentified or aggregated?
Ireland DPC’s data transfers decision: Pragmatic punch or knockout blow?
Aspiring privacy professionals compete in moot court
Indiana governor signs a comprehensive privacy act into law
Washington’s My Health, My Data Act
How should mobile apps prepare for California’s privacy scrutiny?
The latest in homomorphic encryption: A game-changer shaping up
Going back to basics for the EDPB’s year of the DPO
Iowa becomes sixth US state to enact comprehensive consumer privacy legislation
Filling the void? The 2023 state privacy laws and consumer health data
Generative AI: Privacy and tech perspectives
Standardization landscape for privacy: Part 3 — W3C and IEEE
Most consumers want data privacy and will act to defend it
California legislative wrap-up: CCPA amendments, children’s privacy and more
CNIL’s Secretary General rolls out plans for 2023 at DPI France
Top ten takeaways from the draft UK GDPR reform
Federated learning: Supporting data minimization in AI
The process behind the EDPB’s coordinated enforcement framework
Practical considerations from EU enforcement: One-stop shop
A healthy dose of consent: Takeaways from the FTC’s GoodRx case
Practical considerations from EU enforcement: legal bases and transparency
Cheering emerging PETs: Global privacy tech support on the rise
What the DPC-Meta decision tells us about the EU GDPR dispute resolution mechanism
Takeaways from Epic Games settlement: Teen privacy arrives at the FTC
View More
Article Series
Top 10 operational impacts of India’s DPDPA
Standardization landscape for privacy
State Attorneys General on privacy, cybersecurity, enforcement and legislation
Top 5 Operational Impacts of China’s PIPL
Top 10 operational impacts of the CPRA
Top 5 operational impacts of Brazil’s LGPD
Guidance notes for responding to ‘Schrems II’
How to Build a Culture of Privacy
Top 5 Operational Impacts of the California Consumer Privacy Act
Top 10 operational responses to the GDPR
On Monetizing Personal Information
Benchmarking your Privacy Incident Management Program
The General Data Protection Regulation Matchup Series
How to Shop Smart for Cyberinsurance
Building a Program that Provides Value
For a Successful Privacy Program, Use these Three A’s
How the C-Suite Should Talk About Cybersecurity
Starting up privacy at a start-up
Monitoring Your Privacy Program
Third-Party Vendor Management Means Managing Your Own Risk
Ten Steps to a Quality Privacy Program
View More
White Papers
The Rise of Prescriptive Technical Safeguards in FTC Settlements
Self-sovereign identity as future privacy by design solution in digital identity?
Negotiating privacy: Bipartisan agreement on US privacy rights in the 117th Congress
Privacy Leaders’ Views – The Impact of COVID-19 on Privacy Priorities, Practices and Programs
The Skill Set Technologists Need to Implement a Privacy Risk Management Framework
An Overview of US Surveillance in Light of “Schrems II”
The Skill Set Needed to Implement the NIST Privacy Framework
Privacy Risks to Individuals in the Wake of COVID-19
Assessing the Right to Personal Data Portability in Mexico
COPRA and CDPA: Similarities, Gray Areas and Differences
Negotiating with Service Providers and Third Parties under CCPA
Privacy 2030: A New Vision for Europe
5 Steps You Must Take to Prepare for the CCPA
CCPA Compliance Operation: Delivering Data Access via Accounts
Timelines and budgets for GDPR compliance: A meta-analysis
Consensus and Controversy in the Debate Over US Federal Data Privacy Legislation
Building Ethics into Privacy Frameworks for Big Data and AI
Applying the Positive-Sum Principle for Successful Privacy by Design Outcomes
6 Ways Privacy Awareness Training Will Transform Your Staff
Five Lessons I Learned Transitioning from Security to Privacy
Getting Started with Privacy in Canada
Must-Have Privacy Training Features for Your Team
Privacy and Data Security is for Everyone
They Did What? Top Privacy Mistakes To Watch Out For (and How To Avoid Them)
Some Privacy Practices May Result in Under-Reporting of Breach Incidents
What the GDPR Requires of and Leaves to the Member States
Consent for the Collection, Use, and/or Disclosure of Children’s Personal Information
How DPA Budget and Staffing Levels Mirror National Differences in GDP and Population
How Privacy Awareness Builds Trust
IAPP Privacy 101 White Paper Series
The UX Guide to Getting Consent
Check or Mate? Strategic Privacy by Design
Applying VPPA to Online Video Privacy
Assessing Mobile App Data Privacy Risk
From Here to DPO: Building a Data Protection Officer
Preparing for the GDPR: DPOs, PIAs, and Data Mapping
The Risk-Based Approach in the GDPR: Interpretation and Implications
Top 45 Security and Privacy Blind Spots
Privacy, Security and Practical Considerations for Developing or Enhancing a BYOD Program
Privacy 101 for SMEs: The Best Defense is a Good Offense
Privacy Policies: How To Communicate Effectively with Consumers
A Call for Agility: The Next-Generation Privacy Professional
View More