The European Union’s General Data Privacy Regulation, known as the GDPR, requires companies around the world to win consent from consumers to use their data, explain what they do with their data, and alert them every time that data is breached. 

The regulation impacts all countries that trade with the 27 EU countries. Europe allows data only to be transferred freely to countries with equivalent data privacy protections, which Brussels calls “adequacy.”

The US has no national privacy law, and Europeans fear that US security services could gain access to their data. European judges regularly have vetoed transatlantic workarounds such as Safe Harbor and Privacy Shield.

​​​Elsewhere, countries around the globe have preferred to adopt European-style privacy regulations, in part because many share the same concerns as Europe, and in part to keep data flowing with Europe.

This interactive map builds on CEPA’s work tracking the Brussels effect, the EU’s ability to set global standards through its regulations. The map tracks the spread of the EU’s General Data Privacy Regulation specifically and does not include all global data privacy laws. If you see something about which you would like to inform us, please email TechPol@cepa.org.

Countries

Albania 

The Albanian Parliament passed ​the​ Personal Data Protection Law in December 2024, explicitly stat​ing​ Albania​’​s alignment with the GDPR.1 The law, which entered into force in February 2025, repealed Albania’s first legislation on data protection from March 2008.2 The Information and Data Protection (IDP) Commissioner is the independent supervisory authority that oversees implementation and compliance with Albania’s data protection law.

Argentina 

In 2003, Argentina became one of the earliest Latin American nations to receive a data adequacy decision from the European Commission ​​​(EC)​. Argentina​’​s data protection law has been in place since 2000 and rather comprehensively addresses matters ​central to the GDPR, ​like informed consent and purpose limitation for processing.3 However, this regulation needs modernization. Unlike more recent data protection laws, Argentina​’​s framework does not include accountability measures or Data Protection Impact Assessments (DPIAs). Some modernization reforms have been proposed in recent years, including a 2022 draft law focused on implementing GDPR-style justification systems, but legislation has yet to be passed.4 on implementing GDPR-style justification systems, but legislation has yet to be passed. 

Armenia 

Armenia adopted its Protection of Personal Data Law in 2015.5 The Personal Data Protection Agency, a subdivision of Armenia’s Ministry of Justice, issues and implements guidelines and supervises compliance with the law and decrees related to the protection of personal data.6 Armenia also amended its Constitution in 2012 to include the right to protection of personal data as a fundamental right of the human being and of the citizen. Nevertheless, civil society groups have recently stated that data protection in Armenia is at risk, pointing to personal data leaks and the inefficiency of the Ministry of Justice in responding to data breaches to argue that current legislation is outdated.7 

Australia 

Australia’s Privacy Act of 1988 outlines a series of privacy principles that establish basic disclosure requirements surrounding data collection and that give individuals the right to access and correct their personal information.8 In 2019, the Australian Parliament passed the Consumer Data Rights Act, which designates data standards and consumer rights by industry sector.9 Despite these laws and the series of amendments passed in 2024, Australia has yet to adopt a fully comprehensive framework for data portability, opting for a more competition-driven approach to data protection​ that contrasts​ with the GDPR’s rights-driven approach.10  

Austria 

All European Union members are subject to the GDPR. 

Belgium 

All European Union members are subject to the GDPR. 

Bosnia and Herzegovina 

Bosnia and Herzegovina​’​s 2006 data protection law was amended in 2011 to include regulations on cross-border transfer and to clarify permissible uses of personal data.11 Bosnia and Herzegovina was granted EU candidacy in 2022; however, implementing a GDPR-aligned data protection law will likely be part of the reforms necessary for the country​’​s full accession to the EU.12 Sources expect the implementation of such a law within the next year.  

Brazil 

The Federative Republic of Brazil enacted its General Law of Data Protection (LGPD) in 2018​,​ which became fully enforceable in 2021.13 The LGPD is regulated by the National Authority of Personal Data Protection (ANPD), whose Council of Directors is chosen by the ​p​resident and subject to approval by the Federal Senate.14 The GDPR was cited as a model for the LGPD in discussions around the initial draft bill and in recent documents issued by the National Authority, though the LGPD differentiates itself from the GDPR on issues like the legal basis to process data, fines, and procedures to report breaches and fines.15 Companies have had difficulty complying with the data processing and consent measures of the LBPD, posing an enforcement challenge for the National Authority. ​A​ case ​is ​pending in the Supreme Federal Court related to the regulation of digital platforms that might affect issues such as cryptography and privacy.16 

Bulgaria 

All European Union members are subject to the GDPR. 

Canada 

Canada is home to one of the older privacy laws, having implemented the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000.17 PIPEDA deployed a legal framework for consent mechanisms and processing procedures and, while it was well ahead of its time, has yet to be significantly modernized to align with the GDPR’s individual control measures and transparency requirements.18 A new bill aims to update PIPEDA with a Consumer Privacy Protection Act and reaffirm Canada​’​s data adequacy, but Parliament has yet to pass it.  

China 

On August 20, 2021, the People’s Republic of China adopted the Personal Information Protection Law (PIPL), which entered into force on November 1, 2021.19 Though similar to the GDPR, its legal provisions are not as detailed. The Cyberspace Administration of China, the primary regulatory body, is responsible for supervising implementation of regulations, issuing regulatory guidelines, and proposing regulatory revisions.20 According to analysts, PIPL is intended to protect individuals, Chinese society, and national security from potential abuse of personal information, but it does not directly address privacy, which is a separate concept in Chinese law​​​​.21 

Croatia 

All European Union members are subject to the GDPR. 

Cyprus 

All European Union members are subject to the GDPR. 

The Czech Republic 

All European Union members are subject to the GDPR. 

Denmark 

All European Union members are subject to the GDPR.  

Egypt 

Egypt​’​s Personal Data Protection Law has existed since 2020, but implementation of its provisions has been extremely limited.22 While the law carves out detailed rights for data subjects, the lack of a regulatory body and ​of ​government guidance has rendered it less than useful. Additionally, human rights advocates have been quick to point out the authoritarian surveillance regime in Egypt, raising concerns about the efficacy and legitimacy of such a law.23 

Estonia 

All European Union members are subject to the GDPR. 

Finland 

All European Union members are subject to the GDPR. 

France 

All European Union members are subject to the GDPR. 

Georgia 

Georgia replaced its 2011 data privacy law with the 2022 Personal Data Protection Law (PDPL), strengthening its bid for​,​ and ultimate succession to​,​ EU candidacy.24 The PDPL includes a framework heavily inspired by the GDPR and establishes an independent supervisory authority called the State Inspector​’​s Service. No EU adequacy decision has been granted yet​,​ and Georgia has faced enforcement difficulties​;​ however, the law​’​s framework follows the GDPR closely.25 

Germany 

All European Union members are subject to the GDPR. 

Greece 

All European Union members are subject to the GDPR. 

Hungary 

All European Union members are subject to the GDPR. 

Iceland 

All members of the European Economic Area are subject to the GDPR. 

India 

India passed the Digital Personal Data Protection Act (DPDPA), its first standalone framework governing data protection, in 2023.26 Given the heightened attention to data privacy in the European market after the GDPR went into effect, India​’​s IT Act (2000) and its associated Privacy Rules needed an update. The DPDPA achieved this, introducing consent requirements and data subject rights for individual citizens.27 However, India has yet to regulate on some key GDPR measures, including purpose limitation and data minimization. The government is also the subject of a vast array of exemptions to the DPDPA, drawing concerns from privacy advocates. 

Indonesia 

Indonesia​’​s Personal Data Protection Law (PDP)​,​ passed in 2022​,​ bears many structural similarities to the GDPR. The requirements for data protection officers​ ​aim to bring organizations under compliance with its robust consent measures and ​​​with ​new regulations around individual rights to access, correction, and erasure.28 Some legal nuances are lacking when compared with the EU framework, but the most striking difference is that the PDP delayed the formation of an independent supervisory authority until 2024 — the supervisory body has yet to be established in mid-2025, severely limiting the law​’​s enforcement capacity.29 

Ireland 

All European Union members are subject to the GDPR. 

Israel 

Israel is home to an assortment of data privacy laws, including the Protection of Privacy Law of 1981, one of the world​’​s oldest digital rights laws.30 Israel​’​s robust patchwork of laws earned it a data adequacy decision from the ​EC​ in 2011, which was consequently reaffirmed in 2024.31 Recently, Israel has taken steps toward modernizing the PPL with ​A​mendment 13, which aims to introduce stronger enforcement measures and some data protection officer requirements.32 

Italy 

All European Union members are subject to the GDPR. 

Japan 

Japan​’​s Protection of Personal information Act (PPIA) was originally enacted in 2003.33 Following the GDPR, the PPIA was amended in 2020 to include regulation around pseudonymization, data breach notifications, and other GDPR-style concerns.34 Japan was recognized by the EC as data adequate in 2019 and has successfully maintained this status in subsequent reviews.35 Despite the data adequacy decision and the law’s close alignment with the GDPR, the PPIA still falls behind the EU when it comes to ​Personally Identifiable Information (​PII​)​ collection consent requirements and enforcement measures.36 

Kenya 

Kenya has explicitly followed the GDPR in creating a rights-based legal framework for data privacy regulation, codifying the necessary safeguards via the Data Privacy Act of 2019 (KDPA).37 The KDPA is one of the strongest data privacy frameworks in Africa, and its implementation was likely inspired by the economic motivations of participating in the EU market. 

Kosovo 

The 2019 Protection of Personal Data Law (PPDL) states that the Republic of Kosovo will comply with the GDPR.38 

Latvia 

All European Union members are subject to the GDPR. 

Liechtenstein 

All members of the European Economic Area are subject to the GDPR.39 

Lithuania 

All European Union members are subject to the GDPR. 

Luxembourg 

All European Union members are subject to the GDPR. 

Malta 

All European Union members are subject to the GDPR. 

Mexico 

Mexico enacted the Federal Law on Protection of Personal Data Held by Private Parties in 2010 and has since replaced it with a 2025 Data Protection Reform.40 The law governs via a consent-based framework, providing definitions for controllers and processors and introducing new rights applicable to automated processing activities. The 2025 reform introduces a right to object to certain data collection and processing, which is its most notable inspiration from the GDPR.41 However, it still falls behind the EU​,​ lacking independent oversight and limited enforcement capacity. 

Moldova 

Moldova​’​s Personal Data Protection Law has governed the country​’​s data practices since 2011.42 Its most notable departure from the EU framework is a lack of applicability for public bodies; the law can only be enforced against private actors.43 

Montenegro 

Montenegro enacted its Personal Data Protection Law (PDPL) in 2008.44 The agency is engaged in the Twinning+ instrument to strengthen Montenegro​’​s capacity to implement data protection regulations and align existing legislation with the GDPR. To this end, the PDPL has gone through multiple amendments since its enactment, several of which brought the law closer to EU standards.45 

Netherlands 

All European Union members are subject to the GDPR. 

New Zealand 

New Zealand replaced its 1993 law on data protection with the GDPR-inspired Privacy Act of 2020, which modernized the country​’​s legal digital privacy framework.46 Despite meeting international standards and being granted data adequacy status by the ​EC​, the Privacy Act does not include data portability measures or a right to object to processing. Additionally, enforcement has been limited, and New Zealand’s digital legal framework contains no comprehensive conditions for consent like those included in the GDPR. 

Nigeria 

Nigeria replaced its 2019 data privacy framework with the Data Protection Act of 2023 to develop a more rights-based approach following the enactment ​of the ​GDPR. The new law provides for multiple consumer rights in addition to data portability measures and lawful conditions directly in line with the EU​’​s framework. While Nigeria has not been granted a data adequacy decision by the EC, it maintains its own standards for cross-border transfers.47 

North Macedonia 

North Macedonia enacted its Personal Data Protection Law (PDPL) in 2020. The law requires certain data collectors and processors to establish data protection officers​ ​and delegates enforcement measures to its national data protection agency. While the PDPL contains specific international transfer laws that differ from those in the EU, its framework is largely inspired by the GDPR.48 

Norway 

All members of the European Economic Area are subject to the GDPR.

Poland 

All European Union members are subject to the GDPR. 

Portugal 

All European Union members are subject to the GDPR. 

Romania 

All European Union members are subject to the GDPR. 

Russia 

Russian law dictates specific consent measures that must be in place to collect and process citizen data.49 While these consent measures appear to be in line with much of the GDPR, they lack key elements to regulate personal data processing, including purpose limitation, data minimization, and the right to object. Multiple human rights organizations have flagged Russia for violations of citizen privacy due to government surveillance and the prohibition of privacy-enhancing technologies.50 

Rwanda 

Rwanda enacted the Protection of Personal Data and Privacy Law in October 2021, joining the wave of African countries enacting digital rights frameworks inspired, most likely, by EU market participation. The law provides for consumer rights via a predominantly consent-oriented legal basis; however, it also includes multiple GDPR-style provisions surrounding cross-border transfers and rights to access, rectification, and deletion. While the law largely aligns with the GDPR, it falls behind in data portability and automated decision-making measures.51 

Serbia 

Serbia​’​s Personal Data Protection Law (LPDP) includes legal conditions for processing and data subject rights (access, correction, and erasure), as well as provisions on data transfers, consent, and supervisory authority independence.52 

Singapore 

Singapore enacted the Personal Data Protection Act in 2012, which underwent significant amendments in 2020 and 2021 to strengthen enforcement and consumer rights.53 The law and its amendments are clearly inspired by the GDPR in areas like consent-oriented processing, cross-border transfers, and imposing meaningful penalties. Singapore​’​s law remains more business-friendly in many respects, including the lack of certain GDPR-style data subject rights and a limited legal basis framework for data collection and processing.54 

Slovakia 

All European Union members are subject to the GDPR. 

Slovenia 

All European Union members are subject to the GDPR. 

South Africa 

The Protection of Personal Information Act (POPIA) was signed into law in 2013 but was only gradually implemented until it became fully enforceable on June 30, 2021.55 The Information Regulator, an independent statutory body whose members are appointed by the president on the recommendation of the National Assembly, monitors and enforces compliance with POPIA.56 POPIA was amended a few times. Its interpretations, regulatory guidance, and enforcement approaches make it similar to the GDPR. Other laws related to data protection in South Africa are the Cybercrimes Act (2020) and the Promotion of Access to Information Act (PAIA, 2020).5758  

South Korea 

The Republic of Korea enacted its Personal Information Protection Act (PIPA) in 2011, which included the establishment of the Personal Information Protection Commission (PIPC) as an independent regulatory body.59 Following the GDPR, PIPA was amended in 2020 to include additional data protection measures and to vest all data protection authorities within the PIPC.60 This amendment earned South Korea a data adequacy ruling, deeming PIPA essentially equivalent to EU law.61 Further amendments in 2023 strengthened data subject rights and introduced economic sanctions as penalties​;​ however​,​ PIPA still falls behind the GDPR in data portability rights and enforcement scope. ((Peter Oladimeji, “South Korea Data Protection Law (PIPA): Everything You Need to Know,” Didomi Blog, May 3, 2023, https://www.didomi.io/blog/south-korea-pipa-everything-you-need-to-know. )) 

Spain 

All European Union members are subject to the GDPR. 

Sri Lanka 

Sri Lanka passed Personal Data Protection Act (PDPA) No. 9 in 2022, directly modeled after the GDPR. Sri Lanka implemented the PDPA in phases over three years, and the law became fully enforceable in March 2025.62 After several rounds of revisions, the PDPA has a robust, rights-based framework that is well​ ​aligned with that of the EU. 

Sweden 

All European Union members are subject to the GDPR. 

Switzerland 

Originally enacted in 1992, Switzerland​’​s Federal Act on Data Protection (FADP)63 was comprehensively revised in 2020 in response to the GDPR, better aligning Switzerland’s privacy law with the EU and giving its regulatory agency more enforcement power.64 These FADP revisions led the EC to reaffirm Switzerland’s data adequacy status in 2020 and 2024. There are notable differences between Swiss and EU law surrounding notice-and-consent frameworks.65 

Thailand 

Thailand​’​s Personal Data Protection Act (PDP) came into effect in 2022, preceding a larger plan announced in 2024 to implement a more holistic data protection framework. The PDP grants consumer rights and explicitly follows the GDPR in many respects, including providing legal conditions for processing and establishing an independent regulatory body.66 

Turkey 

Turkey’s Personal Data Protection Law (PDPL) was enacted in 2016, based on the amendment of the Turkish Constitution in 2010 to include the protection of personal data as a fundamental right and inspired by the EU​’​s 1995 Data Protection Directive, which preceded the GDPR.67 Turkey has sought international alignment on data protection — ​i​t ratified the Council of Europe Convention 108 in 2016 and issued an Action Plan on Human Rights in March 2021, which emphasizes the protection of personal data. Turkey intends for the PDPL to fully align with the GDPR — ​i​n March 2024, Turkey introduced an amendment to PDPL to address data transfers abroad, define the conditions for processing special categories of personal data, and introduce administrative fines.68 The ​​Kişisel Verileri Koruma Kurumu (​​KVKK​)​, the Personal Data Protection Authority, is responsible for overseeing data protection laws and by-laws and ​for ​issuing resolutions.69 

Uganda 

Uganda​’​s Data Protection Act of 2019 introduced data privacy law to the country. Many of the Data Protection Act​’​s provisions align with the GDPR, but critics have pointed out that a lack of clear penalties have impeded the independent supervisory body​’​s authority and delayed revisions and new amendments.70 

Ukraine 

Ukraine advanced a new draft law on Personal Data Protection in 2024 but has not yet passed it.71 The law aims to replace Ukraine​’​s 2010 data protection law with a more GDPR-friendly framework. The law includes expanded data subject rights, mandatory data protection officers, and — most notably — a number of legal conditions for data processing, which many countries have failed to achieve in their legislation. However, until the law is passed, Ukraine is subject to its 2010 law, which provides limited and dated regulation of consent and processing mechanisms.72 

United Arab Emirates 

The United Arab Emirates enacted its first comprehensive data privacy law, the Personal Data Protection Law (PDPL), in 2021.73 The PDPL is a rights-based approach heavily inspired by the GDPR, and it includes EU-mirrored legal bases along with multiple avenues for consumer consent controls and processing limitations. 

United Kingdom 

After its departure from the EU in 2020, the UK updated its 2018 Data Protection Act to become the UK-GDPR. The UK-GDPR retains the GDPR in the UK​’​s domestic law​ and includes ​the key aspects of the EU legislation.74 

Vietnam 

Vietnam issued a Decree on Personal Data Protection in 2023, aiming to bring the country in line with modern digital rights movements. While the decree is not a law, the framework is heavily inspired by the GDPR​’​s approach to granting consumer privacy rights and establishing limits for processing activity. The decree is regulated through Vietnam​’​s Department of Cybersecurity and High-Tech Crime Prevention.75 

Zambia 

Zambia passed a GDPR-inspired data protection law in 2021; however, many measures fall behind global norms.76 Zambia​’​s law includes a consent-oriented framework for legal conditions and multiple data subject rights. However, a lack of enforcement mechanisms, fines, or an independent regulatory body render application of the law weak.77 The framework for strong data privacy regulation is in place, but revisions are necessary to bring it fully in line with advanced EU law. 

United States 

Although the US has no federal privacy law, European-style privacy protections have caught on at the state level. California has taken the lead​,​ with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). 

Although the US has no federal privacy law, European-style privacy protections have caught on at the state level. California has taken the lead​,​ with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). 

California 

California enacted the California Consumer Privacy Act in 2018, immediately after the GDPR came into effect, making it the first comprehensive US state privacy law. The CCPA was strengthened in 2020 by the California Privacy Rights Act. The CCPA and CPRA have incorporated EU trends into California​’​s data privacy regulatory approach, granting consumers extensive rights over their personal data by providing California residents with an opt-out mechanism to prevent companies from selling their personal data.78 ​The transparency​ requirements for the use of data apply only to California businesses. California has made amendments to the CCPA in the past few years to include data minimization, purpose limitation, and privacy impact assessments. In contrast, the GDPR provides more rights for citizens to opt out from companies​’​ specific uses of data while retaining others. The CCPA serves as the gold standard for US state privacy law and has become a useful framework for state legislatures writing their own digital privacy legislation. The CCPA is enforced by the state​’​s ​a​ttorney ​g​eneral. California is also the only state to have established an independent regulatory body for data privacy.  

Colorado 

The Colorado Privacy Act (CPA) took effect in 2023, granting consumers an enormous expansion of their digital rights.79 Taking after the CCPA and GDPR, the CPA provides extensive data control rights for consumers and internet users, emphasizing collection consent mechanisms and targeted advertising. On the processing side, Colorado’s law differs from the CCPA by requiring data processors to implement data protection assessments. Unlike the CCPA, the CPA does not establish an independent regulatory body or provide any private right of action for data breaches. 

Connecticut 

Connecticut​’​s Data Privacy Act of 2023 grants extensive privacy rights to consumers around consent and processing.80 Connecticut​’​s law closely resembles the Colorado model and therefore mostly aligns with the CCPA​;​ however​,​ a recent set of amendments made on June 30, 2025, vastly lowered the law​’​s applicability thresholds and introduced a new right to contest certain profiling decisions.81 

Delaware 

Delaware​’​s Personal Data Privacy Act (DPDPA) went into effect in January 2025, closely following the models of its predecessors.82 One notable difference in the DPDPA is its applicability threshold, which targets any entity processing the data of more than 35,000 individuals​ — ​a much lower threshold than California and Colorado​’​s 100,000-person requirement. 

Florida 

Florida passed a limited digital privacy law in 2023 titled the Florida Digital Bill of Rights (FDBR).83 The FDBR focuses mainly on consent mechanisms, requiring large tech companies processing personal data to provide consent notices and opt-out mechanisms for the use and sale of data to conduct profiling or targeted advertisements. Unlike the CCPA, Florida​’​s bill does not provide general consumer rights surrounding personal data processing.84 

Indiana 

Indiana​’​s Consumer Data Privacy Act of 2023 has a heavily CCPA-influenced framework. With rights to access, deletion, and correction as well as multiple consent and privacy notice requirements, Indiana​’​s law is comprehensive and similar to other US state laws.85 

Iowa 

Iowa​’​s Consumer Data Protection Act includes the right to consent opt-outs and processing mechanisms but notably lacks the right to data correction and to opt​ ​out of profiling.86Otherwise, the law follows the framework of most other state laws and takes after the CCPA. 

Kentucky 

Kentucky​’​s Consumer Data Protection Act (KCDPA) will go into effect at the beginning of 2026, making Kentucky the 15th state to enact a digital privacy law. It contains extensive user rights and applicability, making it a GDPR-style law with a CCPA framework.87 Notably, the KCDPA does not include a provision mandating that businesses respect universal opt-out mechanisms for consent preferences, which symbolizes a slight departure from more recent state laws. 

Maine 

Maine passed the Act to Protect the Privacy of Online Customer Information (APPOCI) in 2019 and has not passed any significant digital privacy laws since.88 The APPOCI mandates consent requirements for Internet service providers to collect personal information but does not extend this to broader categories of data processors like businesses and advertising companies. Additionally, the act focuses solely on consent mechanisms, ignoring processing rights like those included in the CCPA. 

Maryland 

Maryland​’​s Online Data Privacy Act goes into effect on October 1, 2025, and will be one of the strongest US privacy laws to date.89 

Minnesota 

The Minnesota Consumer Data Privacy Act will come into effect in late July 2025. It provides for multiple consumer rights and focused consent regulations, such as the prohibition of dark patterns. While the CDPA follows the models of previous state laws, it has slightly less strict data minimization rules than states like Maryland do.90 

Montana 

The Montana Consumer Data Privacy Act of 2023 provides extensive rights to consumer consent preferences and data processing requests.91 

Nebraska 

Nebraska joined the wave of states implementing data privacy laws with its 2024 Data Privacy Act (NDPA).92 Notably, the NDPA does not require revenue or subject-processing thresholds, instead applying to all businesses collecting and processing the personal information of Nebraska residents.93 

New Hampshire 

The New Hampshire Data Privacy Act (NHDPA) of 2024 closely follows the CCPA framework.94 New Hampshire​’​s law includes extensive consumer rights, including the right of access, correction, deletion, and even data portability. Additionally, like Delaware​’s law​, the NHDPA has a lower applicability threshold for companies that sell data, making it slightly stricter than the California and Colorado frameworks. The law also closely follows the GDPR and CCPA when it comes to regulating and honoring universal opt-out mechanisms.95 

New Jersey 

New Jersey​’​s Data Privacy Act closely follows the CCPA framework, absent an independent regulatory agency.96 

Oregon 

​​In 2023 t​he Oregon legislature passed the Oregon Consumer Privacy Act (OCPA), ​which​ came into effect in 2024 after several years of work by an AG-appointed Consumer Privacy Task Force. Following the steps of other state privacy laws, the OCPA focuses on GDPR- and CCPA-style consumer rights to access and deletion, with regulatory measures for both processing and consent. Its applicability thresholds and opt-in style of consent for sensitive data put it squarely in line with California.97 

Rhode Island 

The Rhode Island Data Transparency and Privacy Protection Act will go into effect in early 2026.98 The law is different ​from​ most other privacy laws in the US, as it has no general data minimization requirements, a broad and extensive applicability threshold, and a focused information-sharing notice requirement as opposed to the usual privacy notice provision. Despite ​these differences​, it still focuses on consumer rights surrounding consent and processing, making it a CCPA-inspired framework with a few notable twists.99 

Tennessee 

The Tennessee Information Protection Act was passed in 2023 in accordance with the standard for many other state privacy laws,100 The IPA robustly protects consumer rights; however, it also includes a somewhat controversial ​element — ​​t​he ​“​Safe Harbor​”​ provision guarantees affirmative defense to any of the law​’​s violations if a business complies with the NIST privacy framework, a first among state laws.101 

Texas 

Texas passed the Data Privacy and Security Act (DPSA) in 2023, which largely mirrors the CCPA-inspired model that other states have adopted.102 One notable difference is the applicability threshold, which regulates any business processing information and conducting business in the state so long as it is not recognized as a small business. Otherwise, Texas​’s​ DPSA gives consumers the standard digital privacy rights and requires businesses to produce multiple different records of processing to regulators upon request.  

Utah 

Utah was one of the earliest states to enact a privacy law, passing the Consumer Privacy Act in 2022.103 Utah’s law grants consumer rights under the standard opt-out model but notably does not include a right to correction or mention of profiling. A recent amendment set to go into effect at the beginning of 2026 will install a right to correction​;​ however​,​ the amendment will not add any mention o​​​f​ rights surrounding the opt-out mechanisms for profiling.104 rights surrounding the opt-out mechanisms for profiling. 

Virginia 

Virginia was the first state to pass a privacy law after the CCPA when it enacted the Virginia Consumer Data Privacy Act (VCDPA) in 2021.105 The VCDPA follows the CCPA framework very closely, differing only in nuanced measures surrounding universal opt-out signaling and in Virginia’s lack of an independent enforcement agency. 

Puerto Rico 

Due to the lack of US federal privacy law, Puerto Rico’s data privacy landscape is quite limited. Other than a data breach notification law passed in 2007, Puerto Rico has no legislation regulating consent mechanisms and personal data processing.106 

US Virgin Islands 

Due to the lack of US federal privacy law, the US Virgin Islands do not have legal mechanisms regulating consent for collecting or processing personal data. The US Virgin Islands do have territorial legislation in place surrounding data breach notifications but have not enacted a comprehensive privacy law.107 

Ronan Murphy is the Director of the Tech Policy Program at the Center for European Policy Analysis (CEPA).

Jack Maketa and Rafael Lemos provided research. Jack and Rafael are students at Yale University.

CEPA is a nonpartisan, nonprofit, public policy institution. All opinions expressed are those of the author(s) alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.

Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.

2025 CEPA Forum Tech & Security Conference

Explore the latest from the conference.

Learn More
Read More From Bandwidth
CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy.
Read More
  1. Republic of Albania, Law No. 124/2024 on Personal Data Protection, Official Gazette No. 9, January 17, 2025, accessed August 1, 2025, https://idp.al/wp-content/uploads/2025/04/Law-no.124-2024-DP.pdf.   []
  2. DLA Piper, Data Protection Laws of the World, Albania, accessed August 1, 2025, https://www.dlapiperdataprotection.com/?t=law&c=AL. []
  3. Argentina, Personal Data Protection Act, Law No. 25.326 (2000), accessed August 1, 2025, https://sherloc.unodc.org/cld/uploads/res/uncac/LegalLibrary/Argentina/Laws/Argentina%20Personal%20Data%20Protection%20Act%202000.pdf. []
  4. Gergana Dimitrova, “Draft Law on the Protection of Personal Data in Argentina,” European Commission Intellectual Property Helpdesk, January 9, 2024, accessed August 1, 2025, https://intellectual-property-helpdesk.ec.europa.eu/news-events/news/draft-law-protection-personal-data-argentina-2024-01-09_en. []
  5. Republic of Armenia, Law on Protection of Personal Data, No. HO-49-N, adopted May 18, 2015, signed June 13, 2015, effective July 1, 2015, accessed August 1, 2025, https://www.arlis.am/en/acts/117034.   []
  6. Personal Data Protection Agency, Official Website, accessed August 1, 2025, https://www.pdpa.am/en/agency.   []
  7. https://cyberhub.am/en/blog/2023/01/28/armenias-personal-data-protection-in-a-state-of-disrepair/ []
  8. Australia, Privacy Act 1988 (Cth), accessed August 1, 2025, https://www.legislation.gov.au/C2004A03712/latest/versions. []
  9. Australia, Treasury Laws Amendment (Consumer Data Right) Act 2019, No. 63 (Cth), accessed August 1, 2025, https://www.oaic.gov.au/consumer-data-right/consumer-data-right-legislation,-regulation-and-definitions/consumer-data-right-legislation. []
  10. OneTrust DataGuidance, Comparing Privacy Laws: GDPR v Australia, accessed August 1, 2025, https://www.dataguidance.com/sites/default/files/gdpr_v_australia.pdf. []
  11. Bosnia and Herzegovina, Act of 14 September 2011 to Amend and Supplement the Act on Protection of Personal Data, Official Gazette No. 76/2011, accessed August 1, 2025, https://natlex.ilo.org/dyn/natlex2/r/natlex/fe/details?p3_isn=89449&cs=1vvXmXPrPURPBZJr4tNhpZ8H2EL_d06pTkdsgkCNy1AZgSNtoZvcItv1Xk3jc0YIzhf6rOc-swdKRpJkzhSoavw. []
  12. DLA Piper, Data Protection Laws of the World, Bosnia and Herzegovina, accessed August 1, 2025, https://www.dlapiperdataprotection.com/?t=law&c=BA. []
  13. Brazil, Lei Ordinária nº 13.709, de 14 de agosto de 2018, Diário Oficial, accessed August 1, 2025, https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm. []
  14. Autoridade Nacional de Proteção de Dados (ANPD), Estudo Técnico sobre Anonimização de Dados na LGPD: Uma Visão de Processo Baseado em Risco e Técnicas Computacionais, January 2024, accessed August 1, 2025, https://www.gov.br/anpd/pt-br/centrais-de-conteudo/documentos-tecnicos-orientativos/estudo_tecnico_sobre_anonimizacao_de_dados_na_lgpd_uma_visao_de_processo_baseado_em_risco_e_tecnicas_computacionais.pdf. []
  15. GDPR.eu, “GDPR vs. LGPD: What’s the Difference Between the European GDPR and Brazil’s LGPD,” accessed August 1, 2025, https://gdpr.eu/gdpr-vs-lgpd/. []
  16. Ayres Britto, “STF pautará julgamento da ADI 5527 e da ADPF 403 com impacto no Marco Civil da Internet e regulamentação digital, November 25, 2024, accessed August 1, 2025, https://ayresbritto.adv.br/stf-pautara-julgamento-da-adi-5527-e-da-adpf-403-com-impacto-no-marco-civil-da-internet-e-regulamentacao-digital/. []
  17. Canada, Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, accessed August 1, 2025, https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/. []
  18. DeAndra‑Demoyne George, “Modernizing PIPEDA,” IAPP News, October 18, 2019, accessed August 1, 2025, https://iapp.org/news/a/modernizing-pipeda/. []
  19. China, Personal Information Protection Law of the People’s Republic of China (2021), accessed August 1, 2025, http://en.npc.gov.cn.cdurl.cn/2021-12/29/c_694559_3.htm. []
  20. Huseyn Panahov, “Privacy Regulations: EU’s GDPR vs. China’s PIPL,” Gnovis Journal The Gnovis Blog, November 21, 2021, accessed August 1, 2025, https://gnovisjournal.georgetown.edu/the-gnovis-blog/privacy-regulations-eus-gdpr-vs-chinas-pipl/. []
  21. Alexa Lee et al., “Seven Major Changes in China’s Finalized Personal Information Protection Law,” DigiChina: China Cyber Policy Center (Stanford University), September 15, 2021, https://digichina.stanford.edu/work/seven-major-changes-in-chinas-finalized-personal-information-protection-law/. []
  22. Egypt, Personal Data Protection Law (Law No. 151 of 2020), Official Gazette No. 30, July 15, 2020, accessed August 1, 2025, https://www.acc.com/sites/default/files/program-materials/upload/Data%20Protection%20Law%20-%20Egypt%20-%20EN%20-%20MBH.PDF.   []
  23. “Egypt: Freedom on the Net 2024 Country Report,” Freedom House, accessed August 1, 2025, https://freedomhouse.org/country/egypt/freedom-net/2024. []
  24. Georgia, Law of Georgia on Personal Data Protection, No. 1437, adopted June 14, 2023, entered into force March 1, 2024, with certain provisions effective June 1, 2024, and January 1, 2025, accessed August 1, 2025, https://pdps.ge/files/content/LAW%20OF%20GEORGIA%20ON%20PERSONAL%20DATA%20PROTECTION_en_1711020422.pdf. []
  25. “Data protection laws in Georgia, DLA Piper, January 6, 2025, https://www.dlapiperdataprotection.com/?t=law&c=GE. []
  26. India, Digital Personal Data Protection Act, No. 22 of 2023, August 11, 2023, accessed August 1, 2025, https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf []
  27. India’s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison, Latham & Watkins LLP, December 2023, https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf. []
  28. Indonesia, Undang‑undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi, accessed August 1, 2025, https://peraturan.bpk.go.id/Details/229798/uu-no-27-tahun-2022. []
  29. Indonesia: Trends and Developments in Data Protection & Privacy 2025, Chambers and Partners, accessed August 1, 2025, https://practiceguides.chambers.com/practice-guides/data-protection-privacy-2025/indonesia/trends-and-developments. []
  30. Israel, Protection of Privacy Law, 5741-1981, unofficial English translation, accessed August 1, 2025, https://www.gov.il/BlobFolder/legalinfo/legislation/en/ProtectionofPrivacyLaw57411981unofficialtranslatio.pdf.   []
  31. Israeli Government, Adequacy Decision, accessed August 1, 2025, https://www.gov.il/en/pages/adequacy.   []
  32. Goldfarb Gross Seligman & Co., Amendment 13 to the Israeli Privacy Protection Law, accessed August 1, 2025, https://www.goldfarb.com/amendment-13-to-the-israeli-privacy-protection-law/. []
  33. Japan, Act on the Protection of Personal Information, Act No. 57 of May 30, 2003, accessed August 1, 2025, https://www.japaneselawtranslation.go.jp/en/laws/view/4241/en. []
  34. “Amendments to Japan’s APPI Effective April 2022,” IAPP, March 25, 2021, accessed August 1, 2025, https://iapp.org/news/b/amendments-to-japans-appi-effective-april-2022/. []
  35. Aselle Ibraimova and Alicja Lysik, “EU May Expand the Scope of the Adequacy Decision for Japan Following Its First Review,” Technology Law Dispatch, April 19, 2023, https://www.technologylawdispatch.com/2023/04/global-data-transfers/eu-may-expand-the-scope-of-the-adequacy-decision-for-japan-following-its-first-review/. []
  36. “Japan APPI vs GDPR: What’s the Difference?” Captain Compliance, January 24, 2023, https://captaincompliance.com/education/japan-appi-vs-gdpr/. []
  37. “The Data Protection Act,” KenTrade, November 24, 2019, https://www.kentrade.go.ke/wp-content/uploads/2022/09/Data-Protection-Act-1.pdf. ) []
  38. “L-082 PËR MBROJTJEN E TË DHËNAVE PERSONALE,” LIGJI NR. 06/L-082 PËR MBROJTJEN E TË DHËNAVE PERSONALE, accessed August 1, 2025, https://gzk.rks-gov.net/ActDetail.aspx?ActID=18616.)) The independent Information and Privacy Agency is responsible for supervising and implementing the PPDL and the Law on Access to Public Documents, monitoring the compliance of public institutions, and issuing recommendations. ((“About Us,” AIP, accessed August 1, 2025, https://aip.rks-gov.net/en/about-us/. []
  39. “Lex – 22018D1022 – En – EUR-Lex,” EUR-Lex, July 19, 2018, https://eur-lex.europa.eu/eli/dec/2018/1022/oj/eng.)) ((1. Data protection act – datenschutzstelle, December 7, 2018, https://www.datenschutzstelle.li/application/files/4515/8641/2923/DSG_English_final.pdf. []
  40. Carlos Vela‑Trevino et al., “Mexico: From 2010 to 2025 – Evolution of the New Federal Law on the Protection of Personal Data Held by Private Parties,” Baker McKenzie, April 2, 2025, https://insightplus.bakermckenzie.com/bm/data-technology/mexico-from-2010-to-2025-evolution-of-the-new-federal-law-on-the-protection-of-personal-data-held-by-private-parties. []
  41. Enrique Espejel et al., “Mexico Enacts New Data Protection Regime,” White & Case LLP, March 27, 2025, https://www.whitecase.com/insight-alert/mexico-enacts-new-data-protection-regime. []
  42. “Law No. 133 on Personal Data Protection,” NATLEX, July 8, 2011, https://natlex.ilo.org/dyn/natlex2/r/natlex/fe/details?p3_isn=89948.)) This law has worked in concert with Moldova​’​s constitution, among other government decisions, to adequately adapt to modern developments in data collection and processing. In 2024, the ​Moldova P​arliament adopted the New Data Protection Law, which is largely modeled after the GDPR. ((Law No. 195 of 2024 on personal data protection, July 25, 2024, https://datepersonale.md/wp-content/uploads/2024/09/Law-no.-195-2024-on-personal-data-protection-1.pdf. []
  43. GDPR VS PDPA : Understanding the differences, May 12, 2024, https://www.neumetric.com/gdpr-vs-pdpa/#:~:text=Both%20laws%20are%20comprehensive%20&%20set,public%20agencies%20from%20its%20scope. []
  44. “PERSONAL DATA PROTECTION LAW  .” Official Gazette of Montenegro. Accessed August 1, 2025. https://www.azlp.me/docs/zajednicka/zakoni/personaldataprotectionlaweng.pdf.)) The Agency for Personal Data Protection and Free Access to Information is an autonomous and independent institution responsible for overseeing enforcement and compliance with PDPL, monitoring breach notifications, issuing recommendations for the improvement of data protection, and delivering opinions concerning the application of the law. ((Agency for personal data Protection and free access to information, accessed August 1, 2025, https://www.azlp.me/en/about-agency. []
  45. “Press Release from the 76th Cabinet Session,” Government of Montenegro, April 11, 2025, https://www.gov.me/en/article/press-release-from-the-76th-cabinet-session. []
  46. New Zealand, Privacy Act 2020, Public Act 2020 No. 31, assented June 30, 2020, accessed August 1, 2025, https://www.legislation.govt.nz/act/public/2020/0031/69.0/096be8ed819ba366.pdf. []
  47. Nigeria Data Protection Act, 2023, 2023, https://placng.org/i/wp-content/uploads/2023/06/Nigeria-Data-Protection-Act-2023.pdf. []
  48. LAW ON PERSONAL DATA PROTECTION, 2020, https://rm.coe.int/lpdp-republic-of-north-macedonia-2020/1680a9ac8a. []
  49. Russia, Federal’nyi zakon ot 27 iyulya 2006 g. N 152-FZ “O personal’nykh dannykh” // Sobranie zakonodatel’stva Rossiiskoi Federatsii, 2006, No. 31, st. 3451, accessed August 1, 2025, https://www.dataguidance.com/sites/default/files/en_20190809_russian_personal_data_federal_law_2.pdf. []
  50. Russia: Freedom on the Net 2024 Country Report,” Freedom House, accessed August 1, 2025, https://freedomhouse.org/country/russia/freedom-net/2024. []
  51. “Data Protection and Privacy Law,” RISA, October 15, 2021, https://www.risa.gov.rw/data-protection-and-privacy-law. []
  52. “2018 Law on Personal Data Protection,” Refworld, November 13, 2018, https://www.refworld.org/legal/legislation/natlegbod/2018/en/123513.)) Although the law is robust, the LPDP has faced enforcement challenges in large part due to the absence of recitals, creating difficulty for courts trying to interpret the law. ((Petar Mijatovic, “The State of Serbia’s Personal Data Protection Law after Two Years,” IAPP, August 18, 2021, https://iapp.org/news/a/serbian-law-on-personal-data-protection-law-after-two-years-of-implementation-and-harmonization-with-gdpr. []
  53. “PDPC: PDPA Overview,” Personal Data Protection Commission, 2021, https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act. []
  54. Paul Lanois, “The Personal Data Protection Framework in Singapore,” IAPP, October 2, 2014, https://iapp.org/news/a/the-personal-data-protection-framework-in-singapore. []
  55. South Africa, Protection of Personal Information Act, 4 of 2013, Government Gazette, vol. 581, no. 37067, November 26, 2013, https://popia.co.za/. []
  56. “Information Regulator of South Africa,” accessed August 1, 2025, https://inforegulator.org.za/. []
  57. South Africa, Cybercrimes Act 19 of 2020, accessed August 1, 2025, https://www.gov.za/documents/acts/cybercrimes-act-19-2020-english-afrikaans-01-jun-2021 []
  58. South Africa, Promotion of Access to Information Act, 2 of 2000, accessed August 1, 2025, https://www.gov.za/documents/promotion-access-information-act. []
  59. South Korea, Personal Information Protection Act (Act No. 16930, Feb. 4, 2020), accessed August 1, 2025, https://elaw.klri.re.kr/eng_service/lawView.do?hseq=53044&lang=ENG. []
  60. Peter Oladimeji, “South Korea Data Protection Law (PIPA): Everything You Need to Know,” Didomi Blog, May 3, 2023, https://www.didomi.io/blog/south-korea-pipa-everything-you-need-to-know. []
  61. European Commission, Commission Implementing Decision (EU) 2022/254 of 17 December 2021 Pursuant to Regulation (EU) 2016/679 on the Adequate Protection of Personal Data by the Republic of Korea under the Personal Information Protection Act, accessed August 1, 2025, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022D0254. []
  62. DLA Piper. “Data Protection Laws in Sri Lanka.” Data Protection Laws of the World. Last modified January 10, 2025. Accessed August 1, 2025. https://www.dlapiperdataprotection.com/index.html?t=law&c=LK. []
  63. Switzerland, Federal Act of 25 September 2020 on Data Protection (Data Protection Act, FADP), SR 235.1, accessed August 1, 2025, https://www.fedlex.admin.ch/eli/cc/2022/491/en. []
  64. “Switzerland Privacy Law,” OERCS (UC Berkeley), accessed August 1, 2025, https://oercs.berkeley.edu/privacy/international-privacy-laws/switzerland-privacy-law   []
  65. “EU Adequacy Decision Regarding Switzerland,” Federal Data Protection and Information Commissioner (FDPIC), January 15, 2024, https://www.edoeb.admin.ch/en/15012024-eu-adequacy-decision-regarding-switzerland. []
  66. KPMG Phoomchai Tax Ltd., Thailand’s Personal Data Protection Act (PDPA) Brochure (Bangkok: KPMG Phoomchai Tax Ltd., November 2019), accessed August 1, 2025, https://assets.kpmg.com/content/dam/kpmg/th/pdf/2019/11/pdpa-brochure-english.pdf. []
  67. Turkey, Personal Data Protection Law No. 6698, enacted April 7, 2016, accessed August 1, 2025, https://www.kvkk.gov.tr/Icerik/6649/Personal-Data-Protection-Law. []
  68. Furkan Güven Taştan, “Turkey’s Data Protection Amendments for 2024: A Closer Look,” International Association of Privacy Professionals, March 26, 2024, accessed August 1, 2025, https://iapp.org/news/a/turkeys-data-protection-amendments-for-2024-a-closer-look. []
  69. Turkey. Personal Data Protection Authority (KVKK). Accessed August 1, 2025. https://www.kvkk.gov.tr/. []
  70. Unwanted Witness Uganda. Data Protection and Privacy Law Analysis. Kampala: Unwanted Witness Uganda, 2019. Accessed August 1, 2025. https://www.unwantedwitness.org/download/uploads/Data-Protection-and-Privacy-Law-Analysis.pdf. []
  71. European Commission for Democracy through Law (Venice Commission) and OSCE Office for Democratic Institutions and Human Rights (OSCE/ODIHR), Joint Opinion on the Draft Law Amending Certain Legislative Acts of Ukraine Which Restrict the Participation in the State Power of Persons Associated with Political Parties Whose Activities Are Prohibited by Law (CDL-AD(2023)025), adopted October 7, 2023, accessed August 1, 2025, https://www.venice.coe.int/webforms/documents/default.aspx?pdffile=CDL-AD(2023)025-e. []
  72. Ukraine, Law No. 2297-VI on Protection of Personal Data, enacted June 1, 2010, effective January 1, 2011, accessed August 1, 2025, https://zakon.rada.gov.ua/laws/show/2297-17#top. []
  73. United Arab Emirates, Federal Decree‑Law No. 45 of 2021 Concerning the Protection of Personal Data, enacted September 20, 2021, effective January 2, 2022, accessed August 1, 2025, https://www.uaelegislation.gov.ae/en/legislations/1972/download. []
  74. United Kingdom, Data Protection Act 2018, c. 12. Enacted May 23, 2018, Accessed August 1, 2025, https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted. []
  75. DLA Piper, “Data Protection Laws in Vietnam,” last modified January 20, 2025, accessed August 1, 2025, https://www.dlapiperdataprotection.com/?c=VN&t=law []
  76. National Assembly of Zambia, Data Protection Act, 2021, (Lusaka: Government of the Republic of Zambia, 2021), accessed August 1, 2025, https://www.parliament.gov.zm/node/8853 []
  77. “Understanding Zambia’s Data Protection Act (DPA),” Securiti, accessed August 1, 2025, https://securiti.ai/zambia-data-protection-act-dpa/ []
  78. https://oag.ca.gov/privacy/ccpa []
  79. Colorado Attorney General’s Office, Colorado Privacy Act (CPA), Senate Bill 21‑190: Protect Personal Data Privacy (PDF), signed July 7, 2021; entered into effect July 1, 2023; accessed August 1, 2025, https://coag.gov/app/uploads/2022/01/SB‑21‑190‑CPA_Final.pdf. []
  80.  Connecticut General Assembly, An Act Concerning Personal Data Privacy and Online Monitoring, Pub. Act No. 22‑15 (May 4, 2022; signed by Gov. Ned Lamont May 10, 2022; effective July 1, 2023), SB 6, accessed August 1, 2025, https://www.cga.ct.gov/2022/act/pa/pdf/2022PA‑00015‑R00SB‑00006‑PA.pdf []
  81. Future of Privacy Forum, “The Connecticut Data Privacy Act Gets an Overhaul (Again),” Future of Privacy Forum Blog, accessed August 1, 2025, https://fpf.org/blog/the‑connecticut‑data‑privacy‑act‑gets‑an‑overhaul‑again/.   []
  82. Delaware General Assembly, An Act to Amend Title 6 of the Delaware Code Relating to Personal Data Privacy and Consumer Protection (House Bill No. 154; enacted September 11, 2023; effective January 1, 2025), accessed August 1, 2025, https://legis.delaware.gov/json/BillDetail/GenerateHtmlDocument?legislationId=140388&legislationTypeId=1&docTypeId=2&legislationName=HB154 []
  83. Florida Legislature, Senate Bill No. 262: “Technology Transparency; creating the ‘Florida Digital Bill of Rights’” (Ch. 2023‑201; approved June 6, 2023; effective July 1, 2024), accessed August 1, 2025, https://www.flsenate.gov/Session/Bill/2023/262/BillText/er/HTML legiscan.com+4flsenate.gov+4fl  []
  84. Computer & Communications Industry Association, CCIA Summary – Florida Digital Bill of Rights (PDF; July 6, 2023), accessed August 1, 2025, https://ccianet.org/wp‑content/uploads/2023/07/CCIA‑Summary‑Florida‑Digital‑Bill‑of‑Rights.pdf. []
  85. Indiana General Assembly, Indiana Code Title 24, Article 15: Consumer Data Protection (PDF; effective January 1, 2026), accessed August 1, 2025, https://iga.in.gov/ic/2024/Title_24/Article_15.pdf. []
  86. Iowa General Assembly, Senate File 262: An Act Relating to Consumer Data Protection (enacted March 28, 2023; effective January 1, 2025; published as PDF), accessed August 1, 2025, https://www.legis.iowa.gov/docs/publications/LGE/90/SF262.pdf []
  87.  Clifford Chance, “Kentucky Consumer Data Protection Act – An Overview,” Talking Tech blog (August 2024), accessed August 1, 2025, https://www.cliffordchance.com/insights/resources/blogs/talking-tech/en/articles/2024/08/kentucky-consumer-data-protection-act–an-overview.html []
  88. Maine Legislature, An Act To Protect the Privacy of Online Customer Information, Pub. Law No. 216 (2019), accessed August 1, 2025, https://legislature.maine.gov/legis/bills/bills_129th/chapters/PUBLIC216.asp []
  89. Maryland General Assembly, Maryland Online Data Privacy Act of 2024, Ch. 454 (approved May 9, 2024; effective January 1, 2025), accessed August 1, 2025, https://mgaleg.maryland.gov/2024RS/Chapters_noln/CH_454_hb0567e.pdf. While it follows a mostly CCPA-inspired framework, Maryland’s law has a stricter, more substantive approach to data minimization, limiting the collection of data to what is “reasonable and proportionate” to providing specific products or services. This is indicative of recent data minimization trends in US state privacy law. ((Jordan Francis, Data Minimization’s Substantive Turn: Key Questions & Operational Challenges Posed by New State Privacy Legislation (Washington, DC: Future of Privacy Forum, June 2025), https://fpf.org/wp-content/uploads/2025/06/FPF_Data-Minimization.pdf []
  90. Clifford Chance, “Minnesota Data Privacy Law – An Overview,” Talking Tech blog, August 2024, accessed August 1, 2025, https://www.cliffordchance.com/insights/resources/blogs/talking-tech/en/articles/2024/08/minnesota-data-privacy-law–an-overview.html []
  91. Blackbaud, Montana Consumer Data Privacy Act: The Basics (PDF; effective October 1, 2024), accessed August 1, 2025, https://sky.blackbaudcdn.net/skyuxapps/privacy/assets/pdfs/montana-privacy.6f0801f1d842d4fe6b4d2066ef374712.pdf []
  92. Nebraska Legislature, Nebraska Data Privacy Act (LB 1074; approved April 17, 2024; effective January 1, 2025), accessed August 1, 2025, https://nebraskalegislature.gov/FloorDocs/108/PDF/Slip/LB1074.pdf []
  93. Ketch, “Who Must Comply with the NDPA?” Nebraska Data Privacy Act (NDPA), accessed August 1, 2025, https://www.ketch.com/regulatory-compliance/nebraska-data-privacy-act-ndpa#:~:text=and%20consumer%20rights.-,Who%20must%20comply%20with%20the%20NDPA?,data%20activities%20are%20particularly%20impacted. []
  94. New Hampshire Department of Justice, Data Privacy FAQs (revised July 2024), accessed August 1, 2025, https://www.doj.nh.gov/sites/g/files/ehbemt721/files/inline-documents/sonh/data-privacy-faqs-revised_0.pdf []
  95. Morgan Sullivan, “Navigating New Hampshire’s Data Privacy Law: Compliance Requirements for Businesses,” Transcend, October 18, 2024, accessed August 1, 2025, https://transcend.io/blog/new-hampshire-privacy-law []
  96. New Jersey Legislature, Public Law 2023, Chapter 266 (S332; approved January 16, 2024), accessed August 1, 2025, https://pub.njleg.state.nj.us/Bills/2022/PL23/266_.PDF []
  97. Oregon Department of Justice, Oregon Consumer Privacy Act – SB 619, Public Testimony Document 59856, accessed August 1, 2025, https://olis.oregonlegislature.gov/liz/2023R1/Downloads/PublicTestimonyDocument/59856 []
  98. Computer & Communications Industry Association (CCIA), CCIA Summary – Rhode Island Data Transparency and Privacy Protection Act, July 10, 2024, accessed August 1, 2025, https://ccianet.org/wp-content/uploads/2024/07/CCIA-Summary-Rhode-Island-Data-Privacy-Law.pdf. []
  99. Jordan Francis, “Comprehensive Privacy Anchors in the Ocean State,” Future of Privacy Forum, June 27, 2024, accessed August 1, 2025, https://fpf.org/blog/comprehensive-privacy-anchors-in-the-ocean-state/ []
  100. Tennessee General Assembly, HB1181 – Tennessee Information Protection Act, 113th General Assembly, 2023–2024, enacted May 24, 2023, accessed August 1, 2025, https://www.capitol.tn.gov/Bills/113/Bill/HB1181.pdf []
  101. John DiGiacomo, “Evaluating the ‘NIST Safe Harbor’ in the Tennessee Information Protection Act,” Revision Legal, September 23, 2024, accessed August 1, 2025, https://revisionlegal.com/internet-law/evaluating-the-nist-safe-harbor-in-the-tennessee-information-protection-act/ []
  102. Texas Attorney General, Texas Data Privacy and Security Act, accessed August 1, 2025, https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/texas-data-privacy-and-security-act []
  103. Utah State Legislature, Senate Bill 227 – Consumer Privacy Act, 2022 General Session, enacted March 24, 2022, accessed August 1, 2025, https://le.utah.gov/~2022/bills/sbillenr/SB0227.pdf []
  104. Practical Law, Utah Amends Consumer Privacy Law to Add Correction Rights and Enacts Data Sharing Requirements for Social Media Companies, accessed August 1, 2025, https://content.next.westlaw.com/practical-law/document/Ia07a7b050be611f082a5ae4bb4582a09/Utah-Amends-Consumer-Privacy-Law-to-Add-Correction-Rights-and-Enacts-Data-Sharing-Requirements-for-Social-Media-Companies?viewType=FullText&transitionType=Default&contextData=(sc.Default)&bhcp=1&firstPage=true []
  105. Virginia General Assembly, Code of Virginia, Title 59.1, Chapter 53, Consumer Data Protection Act, accessed August 1, 2025, https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/ []
  106. DataGuidance, Puerto Rico, accessed August 1, 2025, https://www.dataguidance.com/jurisdictions/puerto-rico []
  107. DataGuidance, U.S. Virgin Islands, accessed August 1, 2025, https://www.dataguidance.com/jurisdictions/us-virgin-islands []