FPF Unveils Report on the Anatomy of State Comprehensive Privacy Law

November 22, 2024

Jordan Francis

Policy Counsel

Today, the Future of Privacy Forum (FPF) launched a new report—Anatomy of State Comprehensive Privacy Law: Surveying the State Privacy Law Landscape and Recent Legislative Trends. By distilling this broad landscape to identify the “anatomy” of state comprehensive privacy law, this report highlights the strong commonalities and the nuanced differences between the various laws, showing how they can exist within a common, partially-interoperable framework while also creating challenging compliance difficulties for companies within their overlapping ambits. Until a federal privacy law materializes, this ever changing state landscape will continue to evolve as lawmakers iterate upon the existing frameworks and add novel obligations, rights, and exceptions to respond to changing societal, technological, and economic trends.

Read the report here

Between 2018 and 2024, nineteen U.S. states enacted comprehensive consumer privacy laws. This rapid adoption of privacy legislation has caused the legal landscape to explode in depth and complexity as each new law iterates upon those that came before it. This report summarizes the legislative landscape and identifies the “anatomy” of state comprehensive privacy law by comparing and contrasting the two prevailing models for state laws and identifying commonalities and differences in the laws’ core components. These core components of a comprehensive privacy law include:

Definitions of covered entities (controllers and processors) and covered data (personal data and sensitive data);
Individual rights of access, correction, portability, deletion, and both opt-in and opt-out requirements for certain uses of personal data;
Business obligations such as transparency, data minimization, and data security; and
Enforcement by the attorney general.

The report concludes with an overview of five emerging legislative trends:

Changes to applicability thresholds;
Expanding scope of sensitive data;
Emergence of substantive data minimization requirements;
Heightened protections for consumer health data, adolescents’ personal data, and biometrics; and
New individual rights, like contesting adverse profiling decisions.

Explore

Issues

authors

dates

Posts by Jordan

cybernetic,attack,security,,banking,and,personal,data.,protecting,herself,from

FPF Unveils Report on the Anatomy of State Comprehensive Privacy Law

internet,security,and,a,personal,data,protection,concept.,protect,a

Do LLMs Contain Personal Information? California AB 1008 Highlights Evolving, Complex Techno-Legal Debate

Comprehensive Privacy Anchors in the Ocean State

FPF Unveils Report on the Anatomy of State Comprehensive Privacy Law

Explore

FPF Unveils Report on the Anatomy of State Comprehensive Privacy Law

The African Union’s Continental AI Strategy: Data Protection and Governance Laws Set to Play a Key Role in AI Regulation

U.S. Legislative Trends in AI-Generated Content: 2024 and Beyond

Processing of Personal Data for AI Training in Brazil: Takeaways from ANPD’s Preliminary Decisions in the Meta Case

Do LLMs Contain Personal Information? California AB 1008 Highlights Evolving, Complex Techno-Legal Debate

Future of Privacy Forum Convenes Over 200 State Lawmakers in AI Policy Working Group Focused on 2025 Legislative Sessions

Synthetic Content: Exploring the Risks, Technical Approaches, and Regulatory Responses

Out, Not Outed: Privacy for Sexual Health, Orientations, and Gender Identities

FPF Analysis of New Requirements for Generative AI Use by Healthcare Entities in Patient Communications