US State Privacy Legislation Tracker
This tool tracks comprehensive US state privacy bills to help our members stay informed of the changing state privacy landscape. The tracker only includes bills intended to be comprehensive approaches to governing the use of personal information.
Published: 18 April 2019
Last updated: 24 Nov. 2025
State-level momentum for comprehensive privacy bills is at an all-time high. The IAPP Westin Research Center actively tracks the proposed and enacted comprehensive privacy bills from across the U.S. to help our members stay informed of the changing state privacy landscape. This information is compiled into a chart, map , and a directory with information specific to states with enacted laws.
If you are aware of a comprehensive bill absent from the tracker, please share it with us at research@iapp.org.
For more information on the IAPP's stance concerning which state privacy laws are considered comprehensive, view the text in the below dropdown.
As state privacy legislation grows in number and complexity, questions arise with respect to those bills that occupy the fuzzy gray area between comprehensive and not — namely, Florida's Digital Bill of Rights and Washington state's My Health My Data Act.
As defined in the tracker, a bill is not considered comprehensive if "it does not qualify due to its scope, coverage, rights or purpose."
A bill is narrow in scope if it applies only to a specific set of data types, like financial or health data, or data subjects, like children. A bill is narrow in coverage if its applicability includes only a single industry, like the automotive industry, or if its thresholds apply, in practice, to only a handful of companies. A bill is narrow in rights if it is targeted at providing only one or two consumer data rights, such as deletion or correction.
For further information, this full-length article outlines the IAPP's current stance. The IAPP may adjust this position in the future in light of new information, bills, stakeholders or member feedback. The IAPP will annually reassess its position on the definition of "comprehensive" to best stay current with state legislation trends.
State privacy law chart
Comprehensive consumer privacy bills
This chart tracks U.S. state comprehensive consumer privacy bills across the legislative process, identifying and mapping out fourteen provisions that commonly appear in comprehensive privacy laws. If a bill includes a provision, an "X" is placed in the corresponding column. The provisions are broken into two categories — consumer rights and business obligations — and are described more fully in the chart. Although many of the proposed bills will fail to become law, comparing the key provisions helps break down how privacy is developing in the U.S.The chart only includes bills intended to be comprehensive approaches to governing the use of personal information. If a bill does not appear on the chart, it does not qualify due to its scope, coverage or rights. Industry-specific, information-specific and narrowly scoped bills, e.g., data security bills, are not included. The IAPP additionally published an article providing further details on the scope of bills included in this tracker.
State privacy law map
This map tracks the status of statutes and bills that are enacted or in the legislative process.
State privacy law report
This report is limited to comprehensive U.S. state privacy laws enacted as of July 2025.
The US State Comprehensive Privacy Laws Report analyzes the scope, applicability, exemptions, consumer rights, business obligations, rulemaking activities, enforcement duties and key definitions for comprehensive state privacy laws. The report sketches the contours of the nationwide portrait of privacy regulation that has emerged, while highlighting the idiosyncrasies of each state law that constitutes the U.S. privacy regime patchwork. Overall, this report aims to keep privacy professionals informed about all the comprehensive privacy bills that have become law, the rights they offer to consumers and the obligations they require from regulated entities.
This report does not update as frequently as the map, chart and state law directory, and it only includes enacted state comprehensive privacy laws as of the last update.
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
US State Privacy Legislation Tracker
This tool tracks comprehensive US state privacy bills to help our members stay informed of the changing state privacy landscape. The tracker only includes bills intended to be comprehensive approaches to governing the use of personal information.
Published: 18 April 2019
Last updated: 24 Nov. 2025
Contributors:
David Botero
Westin Fellow, IAPP
State-level momentum for comprehensive privacy bills is at an all-time high. The IAPP Westin Research Center actively tracks the proposed and enacted comprehensive privacy bills from across the U.S. to help our members stay informed of the changing state privacy landscape. This information is compiled into a chart, map , and a directory with information specific to states with enacted laws.
If you are aware of a comprehensive bill absent from the tracker, please share it with us at research@iapp.org.
For more information on the IAPP's stance concerning which state privacy laws are considered comprehensive, view the text in the below dropdown.
As state privacy legislation grows in number and complexity, questions arise with respect to those bills that occupy the fuzzy gray area between comprehensive and not — namely, Florida's Digital Bill of Rights and Washington state's My Health My Data Act.
As defined in the tracker, a bill is not considered comprehensive if "it does not qualify due to its scope, coverage, rights or purpose."
A bill is narrow in scope if it applies only to a specific set of data types, like financial or health data, or data subjects, like children. A bill is narrow in coverage if its applicability includes only a single industry, like the automotive industry, or if its thresholds apply, in practice, to only a handful of companies. A bill is narrow in rights if it is targeted at providing only one or two consumer data rights, such as deletion or correction.
For further information, this full-length article outlines the IAPP's current stance. The IAPP may adjust this position in the future in light of new information, bills, stakeholders or member feedback. The IAPP will annually reassess its position on the definition of "comprehensive" to best stay current with state legislation trends.
State privacy law chart
Comprehensive consumer privacy bills
This chart tracks U.S. state comprehensive consumer privacy bills across the legislative process, identifying and mapping out fourteen provisions that commonly appear in comprehensive privacy laws. If a bill includes a provision, an "X" is placed in the corresponding column. The provisions are broken into two categories — consumer rights and business obligations — and are described more fully in the chart. Although many of the proposed bills will fail to become law, comparing the key provisions helps break down how privacy is developing in the U.S.The chart only includes bills intended to be comprehensive approaches to governing the use of personal information. If a bill does not appear on the chart, it does not qualify due to its scope, coverage or rights. Industry-specific, information-specific and narrowly scoped bills, e.g., data security bills, are not included. The IAPP additionally published an article providing further details on the scope of bills included in this tracker.
State privacy law map
This map tracks the status of statutes and bills that are enacted or in the legislative process.
State privacy law report
This report is limited to comprehensive U.S. state privacy laws enacted as of July 2025.
The US State Comprehensive Privacy Laws Report analyzes the scope, applicability, exemptions, consumer rights, business obligations, rulemaking activities, enforcement duties and key definitions for comprehensive state privacy laws. The report sketches the contours of the nationwide portrait of privacy regulation that has emerged, while highlighting the idiosyncrasies of each state law that constitutes the U.S. privacy regime patchwork. Overall, this report aims to keep privacy professionals informed about all the comprehensive privacy bills that have become law, the rights they offer to consumers and the obligations they require from regulated entities.
This report does not update as frequently as the map, chart and state law directory, and it only includes enacted state comprehensive privacy laws as of the last update.
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Tags:
Related resources
Organizational Digital Governance Report 2025
US State Comprehensive Privacy Laws Report
US Data Privacy Litigation
Global AI Sandboxes: Overview
