Tools and Trackers

The IAPP develops, maintains and houses a variety of tools to help members keep up with the rapid developments in privacy and their impact on business and the profession, from global privacy legislation comparisons to enforcement trackers and glossaries.

Navigate By Topic

CCPA and CPRA • GDPR • US State and Federal • Global • Data Transfers • Templates

 

Featured Tools and Trackers

Global Privacy Law and DPA Directory

Data protection laws exist across the globe. This tool has an interactive map identifying those countries with data protection laws.

US State Privacy Legislation Tracker

This resource contains a table and map tracking US state privacy laws, and is regularly updated to reflect new state privacy legislation.

US Federal Privacy Legislation Tracker

This tracker organizes the privacy-related bills proposed in Congress to keep our members informed of developments within the federal privacy landscape.

Latest Tools and Trackers

Glossary
The IAPP “Glossary” is your go-to place to find definitions of important privacy terms.

Global Privacy and Data Protection Enforcement Database
The IAPP’s “Global Privacy and Data Protection Enforcement Database” is a collection of enforcement actions from all over the world.

US Institutions Privacy Stakeholder Map
This infographic is designed to help privacy professionals understand the myriad of entities involved in setting policy and enforcing privacy rules across the three branches of the federal system.

European Institutions Privacy Stakeholder Map
To better understand the entities involved in EU privacy rulemaking, this chart provides an overview of the institutions, the nature of their role, the specific areas of responsibilities, and current leadership.

EU Data Initiatives in Context
This infographic provides an update on the various European Union data initiatives and draft legislation. From the EU General Data Protection Regulation to the proposed Digital Services Act and Digital Markets Act, the infographic highlights important details of these initiatives and where the most recent proposals stand.

CCPA-/CPRA-Related Legislation Tracker
There are bills pending in the California Legislature that would amend the CCPA and/or the CPRA or otherwise impact how organizations understand or approach each law. This tracker includes the bill number and a brief summary of the proposed legislation, as well as the status and last legislative action.

Key Dates of Federal Data Privacy Reform in Australia
This infographic presents a brief overview of federal privacy reform efforts in Australia and what might be expected in 2023.

European Strategy for Data – Overview of New Regulations
This is a multipart series intended to provide privacy professionals with an overview of new EU legislation adopted since May 2022 under the European Union’s Strategy for Data.

Refresher: The GDPR's Six Legal Bases for Data Processing
This chart provides a refresher on the six bases for lawful processing under Article 6 of the EU General Data Protection Regulation. The chart explains the scope of the Article 6 lawful bases for processing, further considerations for determining when each applies, relevant recitals, additional IAPP guidance and resources from supervisory authorities.

EU-US Data Privacy Framework
This page will stay updated with the latest resources covering the long-awaited EU-U.S. Data Privacy Framework.

Scope of the draft American Data Privacy and Protection Act
This IAPP table aims to present a high-level breakdown of the American Data Privacy and Protection Act, a federal comprehensive data privacy bill.

The Growth of State Privacy Legislation
Since 2018, the IAPP has closely tracked privacy legislation developments in the U.S. at the state level. This resource shows the rapid growth of U.S. state-level privacy initiatives from 2018 through 2022 to provide historical context.

Key Dates from US Comprehensive State Privacy Laws
The IAPP created a timeline of key dates from the comprehensive data privacy laws in California, Colorado, Connecticut, Utah and Virginia.

UK DPDI Bill: Comparative analysis with the EU GDPR and ePrivacy framework
In July 2022, the U.K. government introduced the Data Protection and Digital Information Bill. This comparative analysis considers the changes proposed by the DPDI Bill by reference to the relevant EU law provisions.

UK Data Protection Reform
This chart aims to provide a snapshot of all the proposals the government is planning to proceed with in some way as it attempts to “establish the UK as the most attractive global data marketplace.”

Global Comprehensive Privacy Law Mapping Chart
Comprehensive data protection laws exist across the globe. The Westin Research Center has created this chart mapping several comprehensive data protection laws, including the laws in the U.S., to assist our members in understanding how data protection is being approached around the world.

Data Protection Officer Requirements by Country
Increasingly, privacy and data protection laws around the world require organizations to designate a data protection officer to translate legal protections into practical reality. This chart catalogues those requirements but does not include the many additional instances in which a DPO is recommended but not required.

Privacy in M&A transactions: The playbook
Mergers and acquisitions has been central to us for a long time. Given our group emphasis on the importance of privacy in data-centric transactions, consideration of data protection and other associated issues in an M&A context is essential. However, unlike employment or IP matters, teams across the group may lack well-established precedents for how to approach privacy risks that arise in M&A. This playbook aims to address this need by consolidating our group’s experiences and learnings to date in this domain.

BIPA Legislation Introduced in 2021
The Illinois Biometric Information Privacy Act, in effect since 2008, is the first comprehensive biometric privacy statute in the United States. Over the past few years, BIPA litigation has significantly increased, revealed several enforcement challenges and given rise to numerous legislative initiatives. We will continue to monitor any further developments and update this tracker as there is new activity.

GDPR Genius
This interactive tool provides IAPP members ready access to critical EU General Data Protection Regulation resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location.

2021 Proposed Comprehensive US Privacy Legislation
This chart compares recent proposals for comprehensive federal privacy legislation.

Transfer Impact Assessment Templates
Organizations around the world have begun conducting transfer impact assessments. The IAPP has published a collection of templates as one resource to assist privacy professionals in conducting TIAs, and welcomes additional templates that can be shared with the privacy community.

How Defendants Are Attacking CCPA Claims
This graphic identifies some of the arguments raised by defendants seeking to avoid liability for alleged violations of the CCPA.

Frequently Asked Questions & Resources on ‘Schrems II’
The IAPP received hundreds of questions during its five LinkedIn Live sessions on the Court of Justice of the European Union's "Schrems II" ruling. In response, the IAPP has published a frequently asked questions page to address some of these inquiries.

Comparison of Comprehensive Data Privacy Laws in Virginia, California and Colorado
The IAPP created a chart comparing the comprehensive data privacy laws in California, Virginia and Colorado. It provides an overview of each law’s requirements, highlighting their similarities and differences.

Article 49 Derogations — Summary Table with Examples
There are specific recitals that relate to the derogations in Article 49 of the GDPR, as well as detailed guidance from the EDPB. Before attempting to rely on the derogations, organizations need to be aware of these additional considerations. This table summarizes this material so readers can see at a glance the factors relevant for each derogation.

State Data Breach Notification Chart
U.S. data breach notification laws vary across all 50 states and U.S. territories. Each law must be applied to every factual scenario to determine if a notification requirement is triggered. To assist practitioners, the IAPP created a chart containing information from each state or territory’s data breach notification law concerning entities that own, control or process personal data.

How to Provide DPO Contact Information to Your DPA
Article 37(7) of the EU General Data Protection Regulation requires that “the controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.” But how does one go about communicating this information to the relevant authority? The IAPP has compiled a list of each country’s requested DPO notification process.

Opt in or opt out? State privacy bills introduced in 2021
The IAPP published this chart that outlines the opt-in and opt-out mechanisms for U.S. state privacy bills introduced in 2021.

Summary of CPRA Contractual Obligations
The California Privacy Rights Act aims to provide a continuing level of protection for personal information as it flows from covered businesses to third parties, service providers, contractors, and even their sub-processors. This chart provides a summary of the CPRA's contractual requirements.

CCPA Litigation Overview
The IAPP developed a chart illustrating the differences among the CCPA cases being filed. The "CCPA Litigation Overview" includes the alleged conduct the plaintiff(s) claim violated the CCPA, whether a CCPA count is specifically included in the complaint and the other California statutes raised by plaintiffs.

DPA and government guidance on ‘Schrems II’
Data protection authorities and government agencies are publishing initial guidance for how to handle the post-“Schrems II” data transfer world. This IAPP Resource Center page collects together DPA and government guidance as it comes out.

Checklist: Expedited Vendor Privacy and Security Assessment
As companies, educational institutions, governments and other organizations shift to remote work environments during the COVID-19 pandemic, the need for technologies to facilitate engagement has exploded. Though not meant to serve as an exhaustive assessment for organizations, this quick-hit checklist includes key questions for privacy professionals to consider as they navigate this process.

Cookie Guidance from Greece
On 25 February 2020, the Hellenic Data Protection Authority published guidance on the use of cookies (and similar technologies). The guidance reiterates the rules around consent and provides examples of cookies which fall into the consent exemptions.

Comparison: Indian Personal Data Protection Bill 2019 vs. GDPR
This chart provides a high-level comparison between the GDPR and India’s PDPB, which includes a scale that color codes the degree of operational change from the EU regulation.

ICO, CNIL, German and Spanish DPA revised cookies guidelines: Convergence and divergence
Regulators in France, Germany, Spain and the U.K. have published guidance on the use of cookies and similar tracking technologies. This table outlines the respective differences and similarities between guidance from the above countries.

Legal bases for processing under the GDPR
This chart offers the various legal bases for processing personal data under the GDPR and offers links to the specific recitals and articles in the law that correlate to the bases.

Approved Binding Corporate Rules
Links to some approved Binding Corporate Rules documentation.

U.S. State Data Breach Lists
Many U.S. state agencies publish lists of reported data breaches in their respective state. This resource contains links to the published lists. 


CCPA and CPRA Tools

CCPA-/CPRA-Related Legislation Tracker
There are bills pending in the California Legislature that would amend the CCPA and/or the CPRA or otherwise impact how organizations understand or approach each law. This tracker includes the bill number and a brief summary of the proposed legislation, as well as the status and last legislative action.

How Defendants Are Attacking CCPA Claims
This graphic identifies some of the arguments raised by defendants seeking to avoid liability for alleged violations of the CCPA.

Comparison of Comprehensive Data Privacy Laws in Virginia, California and Colorado
The IAPP created a chart comparing the comprehensive data privacy laws in California, Virginia and Colorado. It provides an overview of each law’s requirements, highlighting their similarities and differences.

Summary of CPRA Contractual Obligations
The California Privacy Rights Act aims to provide a continuing level of protection for personal information as it flows from covered businesses to third parties, service providers, contractors, and even their sub-processors. This chart provides a summary of the CPRA's contractual requirements.

CCPA Litigation Overview
The IAPP developed a chart illustrating the differences among the CCPA cases being filed. The "CCPA Litigation Overview" includes the alleged conduct the plaintiff(s) claim violated the CCPA, whether a CCPA count is specifically included in the complaint and the other California statutes raised by plaintiffs.

 

GDPR Tools

GDPR Genius
The “GDPR Genius” is an interactive tool that provides IAPP members with access to critical EU General Data Protection Regulation–related resources, by mapping requirements to relevant recitals, EU and member state guidance, relevant court cases, enforcement actions, and other resources and tools.

Refresher: The GDPR's Six Legal Bases for Data Processing
This chart provides a refresher on the six bases for lawful processing under Article 6 of the EU General Data Protection Regulation. The chart explains the scope of the Article 6 lawful bases for processing, further considerations for determining when each applies, relevant recitals, additional IAPP guidance and resources from supervisory authorities.

Data Protection Officer Requirements by Country
Increasingly, privacy and data protection laws around the world require organizations to designate a data protection officer to translate legal protections into practical reality. This chart catalogues those requirements but does not include the many additional instances in which a DPO is recommended but not required.

Article 49 Derogations — Summary Table with Examples
There are specific recitals that relate to the derogations in Article 49 of the GDPR, as well as detailed guidance from the EDPB. Before attempting to rely on the derogations, organizations need to be aware of these additional considerations. This table summarizes this material so readers can see at a glance the factors relevant for each derogation.

How to Provide DPO Contact Information to Your DPA
Article 37(7) of the EU General Data Protection Regulation requires that “the controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.” But how does one go about communicating this information to the relevant authority? The IAPP has compiled a list of each country’s requested DPO notification process.

 

US State and Federal Tools

US State Privacy Legislation Tracker
The IAPP’s "US State Privacy Legislation Tracker" consists of proposed and enacted comprehensive privacy bills from across the U.S. to aid our members’ efforts to stay abreast of the changing state-privacy landscape.

US Federal Privacy Legislation Tracker
This tracker organizes the privacy-related bills proposed in Congress to keep our members informed of developments within the federal privacy landscape.

US Institutions Privacy Stakeholder Map
This infographic is designed to help privacy professionals understand the myriad of entities involved in setting policy and enforcing privacy rules across the three branches of the federal system.

Scope of the draft American Data Privacy and Protection Act
This IAPP table aims to present a high-level breakdown of the American Data Privacy and Protection Act, a federal comprehensive data privacy bill.

The Growth of State Privacy Legislation
Since 2018, the IAPP has closely tracked privacy legislation developments in the U.S. at the state level. This resource shows the rapid growth of U.S. state-level privacy initiatives from 2018 through 2022 to provide historical context.

Key Dates from US Comprehensive State Privacy Laws
The IAPP created a timeline of key dates from the comprehensive data privacy laws in California, Colorado, Connecticut, Utah and Virginia.

BIPA Legislation Introduced in 2021
The Illinois Biometric Information Privacy Act, in effect since 2008, is the first comprehensive biometric privacy statute in the United States. Over the past few years, BIPA litigation has significantly increased, revealed several enforcement challenges and given rise to numerous legislative initiatives. We will continue to monitor any further developments and update this tracker as there is new activity.

2021 Proposed Comprehensive US Privacy Legislation
This chart compares recent proposals for comprehensive federal privacy legislation.

Comparison of Comprehensive Data Privacy Laws in Virginia, California and Colorado
The IAPP created a chart comparing the comprehensive data privacy laws in California, Virginia and Colorado. It provides an overview of each law’s requirements, highlighting their similarities and differences.

State Data Breach Notification Chart
U.S. data breach notification laws vary across all 50 states and U.S. territories. Each law must be applied to every factual scenario to determine if a notification requirement is triggered. To assist practitioners, the IAPP created a chart containing information from each state or territory’s data breach notification law concerning entities that own, control or process personal data.

Opt in or opt out? State privacy bills introduced in 2021
The IAPP published this chart that outlines the opt-in and opt-out mechanisms for U.S. state privacy bills introduced in 2021.

U.S. State Data Breach Lists
Many U.S. state agencies publish lists of reported data breaches in their respective state.


Global Tools

Global Privacy Law and DPA Directory
Data protection laws exist across the globe. This tool has an interactive map identifying those countries with data protection laws. Within each country’s listing, if available, you can link to a resource containing the data protection law, the data protection authority, and relevant IAPP resources.

Global Comprehensive Privacy Law Mapping Chart
Comprehensive data protection laws exist across the globe. The Westin Research Center has created this chart mapping several comprehensive data protection laws, including the laws in the U.S., to assist our members in understanding how data protection is being approached around the world.

Global Privacy and Data Protection Enforcement Database
The IAPP’s “Global Privacy and Data Protection Enforcement Database” is a collection of enforcement actions from all over the world.

Glossary
The IAPP “Glossary” is your go-to place to find definitions of important privacy terms.

Transfer Impact Assessment Templates
Organizations around the world have begun conducting transfer impact assessments. The IAPP has published a collection of templates as one resource to assist privacy professionals in conducting TIAs, and welcomes additional templates that can be shared with the privacy community.

Data Protection Officer Requirements by Country
Increasingly, privacy and data protection laws around the world require organizations to designate a data protection officer to translate legal protections into practical reality. This chart catalogues those requirements but does not include the many additional instances in which a DPO is recommended but not required.

How to Provide DPO Contact Information to Your DPA
Article 37(7) of the EU General Data Protection Regulation requires that “the controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.” But how does one go about communicating this information to the relevant authority? The IAPP has compiled a list of each country’s requested DPO notification process.

Comparison: Indian Personal Data Protection Bill 2019 vs. GDPR
This chart provides a high-level comparison between the GDPR and India’s PDPB, which includes a scale that color codes the degree of operational change from the EU regulation.

ICO, CNIL, German and Spanish DPA revised cookies guidelines: Convergence and divergence
Regulators in France, Germany, Spain and the U.K. have published new guidance on the use of cookies and similar tracking technologies. This table outlines the respective differences and similarities between guidance from the above countries.


Data Transfer Tools

EU-US Data Privacy Framework
This page will stay updated with the latest resources covering the long-awaited EU-U.S. Data Privacy Framework.

Transfer Impact Assessment Templates
Organizations around the world have begun conducting transfer impact assessments. The IAPP has published a collection of templates as one resource to assist privacy professionals in conducting TIAs, and welcomes additional templates that can be shared with the privacy community.

Frequently Asked Questions & Resources on ‘Schrems II’
The IAPP received hundreds of questions during its five LinkedIn Live sessions on the Court of Justice of the European Union's "Schrems II" ruling. In response, the IAPP has published a frequently asked questions page to address some of these inquiries.

DPA and government guidance on ‘Schrems II’
Data protection authorities and government agencies are publishing initial guidance for how to handle the post-“Schrems II” data transfer world. This IAPP Resource Center page collects together DPA and government guidance as it comes out.

Approved Binding Corporate Rules
Links to some approved Binding Corporate Rules documentation.

 

Templates

Transfer Impact Assessment Templates
Organizations around the world have begun conducting transfer impact assessments. The IAPP has published the following templates as one resource to assist privacy professionals in conducting TIAs, and welcomes additional templates that can be shared with the privacy community.

EU Standard Contractual Clauses (Word documents)
The IAPP’s Research and Insights Team created four separate Word documents, one for each transfer scenario accommodated by the new SCCs, incorporating only the modules relevant to that scenario into each document.

Checklist: Expedited Vendor Privacy and Security Assessment
The need for technologies to facilitate engagement has exploded. Video conferencing, chat platforms and virtual classrooms are necessities. The immediate need for these tools is expediting privacy and security assessments of vendors. Though not meant to serve as an exhaustive assessment for organizations, this quick-hit checklist includes key questions for privacy professionals to consider as they navigate this process.

DPO Report Template
This slide deck created by the IAPP Research and Insights team offers a customizable template for a report to organizational leadership to help Data Protection Officers show the activities of the data protection team as well as record compliance with the General Data Protection Regulation.

Sample DPO Service Agreement
The IAPP offers this sample document as a starting point for organizations considering the engagement of an external DPO.

Consumer Privacy Notice Template
This template website privacy notice, produced and maintained by Docular Limited, is designed to be customizable and can help controllers to comply with the transparency requirements of the GDPR – in both its EU and post-Brexit UK forms – in relation to personal data collected through websites. It may be used with respect to both website visitors and individuals using website-based services.

Sample Data Processing Agreement
The IAPP published this model DPA for its members to use and share.

DPO Job Description
Using information from the GDPR and Article 29 Working Party guidance, the IAPP has developed this sample DPO job description. The DPO is not a one-size-fits-all role, but the official guidance provides insight on some of the necessary components for your appointment. This description is intended to be a jumping off point for you to create one that fits the needs of your organization.
