Global Privacy Bill Tracker

Donata Stroink-Skillrud

Co-founder and President of Termageddon

List of all global privacy bills being tracked by Termageddon

At Termageddon we’ve created a privacy bill tracker that will help you better understand what bills are being proposed and how they may affect your business. The privacy bill tracker discloses all bills that have been proposed by lawmakers around the world that could affect Privacy Policy disclosures and business obligations. We do not include bills that have become law, nor bills that are dead.

Here is a list of the laws that require you to have a Privacy Policy and that affect how that Privacy Policy is written.

This list changes frequently, so be sure to check back to see the latest in privacy.

U.S. Federal Bill Tracker (3 bills)

United States

Introduced: 2022-06-21

American Data Privacy and Protection Act

The Act imposes a baseline duty on all covered entities not to unnecessarily collect or use covered data in the first instance, regardless of any consent or transparency requirements. Specifically, covered entities are prohibited from collecting, processing, or transferring covered data beyond what is reasonably necessary, proportionate, and limited to provide specific products and services requested by individuals, communicate with individuals in a manner they reasonably anticipate given the context of their relationship with the covered entity, or for a purpose expressly permitted by the Act.

Does law require Privacy Policy Changes?: Yes

More Details:

Overrides state laws

Enforced by the FTC

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

Introduced: 2023-11-15

DATA Privacy Act (US S 3337)

To establish national data privacy standards in the United States, and for other purposes.



Does law require Privacy Policy Changes?: Yes

More Details:

Overrides state laws

Enforced by the FTC

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

Introduced: 2024-04-09

American Privacy Rights Act

To establish protections for covered data of individuals, and for other purposes.

Does law require Privacy Policy Changes?: Yes

More Details:

Overrides state laws

Enforced by the FTC

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


U.S. State Bill Tracker (16 bills)

United States

Arkansas

Introduced: 2025-02-19

AR – Arkansas Digital Responsibility, Safety, and Trust Act

To Create The Arkansas Digital Responsibility, Safety, And Trust Act.

Does law require Privacy Policy Changes?: Yes

More details:

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

Georgia

Introduced: 2025-02-06

GA – Georgia Consumer Privacy Protection Act (SB111)

A BILL to be entitled an Act to amend Title 10 of the Official Code of Georgia Annotated, relating to commerce and trade, so as to enact the “Georgia Consumer Privacy Protection Act”; to protect the privacy of consumer personal data in this state; to provide for definitions; to provide for applicability; to provide for exemptions; to provide for responsibilities of processors and controllers; to provide for notice and disclosure; to provide for security practices to protect consumer personal data; to allow a controller to offer different goods or services under certain conditions; to provide for limitations; to provide for statutory construction; to provide for preemption of local regulation; to provide for related matters; to provide an effective date; to repeal conflicting laws; and for other purposes.

Does law require Privacy Policy Changes?: Yes

More details:

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

Hawaii

Introduced: 2025-01-17

HI – Consumer Data Protection Act (SB1037)

Establishes a framework to regulate controllers and processors with access to personal consumer data. Establishes penalties. Establishes the Consumer Privacy Special Fund to be administered by the Department of the Attorney General. Appropriates funds.

Does law require Privacy Policy Changes?: Yes

More details:

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

Illinois

Introduced: 2023-03-10

IL – Illinois Data Privacy and Protection Act (HB3385)

Creates the Illinois Data Privacy and Protection Act. Provides that a covered entity (any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data) may not collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate. Provides that a covered entity and a service provider shall establish, implement, and maintain reasonable policies, practices, and procedures concerning the collection, processing, and transferring of covered data. Contains provisions concerning retaliation; transparency; individual data rights; consent; data protection for children and minors; civil rights; data security; small business protections; executive responsibility; service providers and third parties; enforcement; severability; and rulemaking. Effective 180 days after becoming law.

Does law require Privacy Policy Changes?: Yes

More details:

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

Illinois

Introduced: 2024-02-09

IL – Illinois Privacy Rights Act (SB3517)

Creates the Privacy Rights Act. Sets forth duties and obligations of businesses that collected consumers’ personal information and sensitive personal information to keep such information private. Sets forth consumer rights in relation to the collected personal information and sensitive personal information, including the right to: delete personal information; correct inaccurate personal information; know what personal information is sold or shared and to whom; opt out of the sale or sharing of personal information; limit use and disclosure of sensitive personal information; and no retaliation for exercising any rights. Sets forth enforcement provisions. Creates the Consumer Privacy Fund. Allows the Attorney General to create rules to implement the Act. Establishes the Privacy Protection Agency. Includes provisions regarding remedies and fines for violations of the Act. Makes a conforming change in the State Finance Act.

Does law require Privacy Policy Changes?: Yes

More details:

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

Illinois

Introduced: 2025-01-13

IL – Privacy Rights Act (SB52)

Creates the Privacy Rights Act. Sets forth duties and obligations of businesses that collected consumers’ personal information and sensitive personal information to keep such information private. Sets forth consumer rights in relation to the collected personal information and sensitive personal information, including the right to: delete personal information; correct inaccurate personal information; know what personal information is sold or shared and to whom; opt out of the sale or sharing of personal information; limit use and disclosure of sensitive personal information; and no retaliation for exercising any rights. Sets forth enforcement provisions. Creates the Consumer Privacy Fund. Allows the Attorney General to create rules to implement the Act. Establishes the Privacy Protection Agency. Includes provisions regarding remedies and fines for violations of the Act. Makes a conforming change in the State Finance Act.

Does law require Privacy Policy Changes?: Yes

More details:

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

Illinois

Introduced: 2025-02-06

IL – Illinois Data Privacy and Protection Act (HB3041)

Creates the Illinois Data Privacy and Protection Act. Provides that a covered entity (any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data) may not collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate. Provides that a covered entity and a service provider shall establish, implement, and maintain reasonable policies, practices, and procedures concerning the collection, processing, and transferring of covered data. Contains provisions concerning retaliation; transparency; individual data rights; consent; data protection for children and minors; civil rights; data security; small business protections; executive responsibility; service providers and third parties; enforcement; severability; and rulemaking. Effective 180 days after becoming law.

Does law require Privacy Policy Changes?: Yes

More details:

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

Maine

Introduced: 2025-03-14

ME – Maine Consumer Data Privacy Act (HB1088)

An Act to Enact the Maine Consumer Data Privacy Act

Does law require Privacy Policy Changes?: Yes

More details:

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

Massachusetts

Introduced: 2025-02-27

MA – Massachusetts Consumer Data Privacy Act

For legislation to establish the comprehensive Massachusetts consumer data privacy act. Advanced Information Technology, the Internet and Cybersecurity.

Does law require Privacy Policy Changes?: Yes

More details:

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

Massachusetts

Introduced: 2025-02-27

MA – Massachusetts Data Privacy Act

For legislation to establish the Massachusetts data privacy act. Advanced Information Technology, the Internet and Cybersecurity.

Does law require Privacy Policy Changes?: Yes

More details:

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

New York

Introduced: 2023-01-19

NY – Digital Fairness Act (S2277) 

Enacts the “digital fairness act”; requires any entity that conducts business in New York and maintains the personal information of 500 or more individuals to provide meaningful notice about their use of personal information; establishes unlawful discriminatory practices relating to targeted advertising.

Does law require Privacy Policy Changes?: Yes

More details:

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

New York

Introduced: 2023-01-04

NY – New York Privacy Act (SB365)

Enacts the New York privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.

Does law require Privacy Policy Changes?: Yes

More details:

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

New York

Introduced: 2023-01-30

NY – Consumer Right to Request Disclosure of Information (SB3162)

Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

Does law require Privacy Policy Changes?: Yes

More details:

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

New York

Introduced: 2023-02-14

NY – Personal Information Collection (AB4374)

Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

Does law require Privacy Policy Changes?: Yes

More details:

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

North Carolina

Introduced: 2025-03-19

NC – North Carolina Personal Data Privacy Act

Personal Data Privacy/Social Media Safety

Does law require Privacy Policy Changes?: Yes

More details:

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

Oklahoma

Introduced: 2025-02-03

OK – Computer Data Privacy Act (HB1012)

Data privacy; Oklahoma Computer Data Privacy Act; consumer protection; civil penalties; effective date.

Does law require Privacy Policy Changes?: Yes

More details:

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

Pennsylvania

Introduced: 2025-01-14

PA – Pennsylvania Consumer Data Privacy Act (HB78)

An Act providing for consumer data privacy, for duties of controllers and for duties of processors; and imposing penalties.


Does law require Privacy Policy Changes?: Yes

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

Vermont

Introduced: 2025-02-12

VT – Vermont Data Privacy and Online Surveillance Act

An act relating to consumer data privacy and online surveillance.


Does law require Privacy Policy Changes?: Yes

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

Vermont

Introduced: 2025-02-27

VT – Vermont Data Privacy Act

An act relating to consumer data privacy.


Does law require Privacy Policy Changes?: Yes

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United States

West Virginia

Introduced: 2025-02-27

WV – Consumer Data Protection Act

The purpose of this bill is to protect consumer data privacy by establishing a consumer right to request copy of personal data collected; establishing a consumer right to have personal information deleted or corrected; establishing a consumer right to request personal data sold or shared; establishing a consumer right to opt-out of the sale or sharing of personal information to third parties; prohibiting discrimination against consumers who exercise their right under this article; establishing procedures for requests for personal information under this article; establish a form to opt-out of sale or sharing of personal information; creating a private cause of action; empowering the West Virginia Division of Consumer Protection to establish rules under this article for enforcement; and empowering the West Virginia Division of Consumer Protection to bring suit for violation of this article.


Does law require Privacy Policy Changes?: Yes

Business size limit

Consumers can sue

Right to access data

Right to delete data

Right to correct data

Right to restrict processing

Right to opt-out

Opt-in consent required

Right to portability

Against automated decision making

Imposes fiduciary duty

Prohibits discrimination

Right to be forgotten


United Kingdom Privacy Bill Tracker (1 Bill)

United Kingdom

Introduced: 2022-23

United Kingdom Data Protection and Digital Information Bill

A Bill to make provision for the regulation of the processing of information relating to identified or identifiable living individuals; to make provision about services consisting of the use of information to ascertain and verify facts about individuals; to make provision about access to customer data and business data; to make provision about privacy and electronic communications; to make provision about services for the provision of electronic signatures, electronic seals and other trust services; to make provision about the disclosure of information to improve public service delivery; to make provision for the implementation of agreements on sharing information for law enforcement purposes; to make provision about the keeping and maintenance of registers of births and deaths; to make provision about information standards for health and social care; to establish the Information Commission; to make provision about oversight of biometric data; and for connected purposes.

Details:

  • Amends definition of “personal data”
  • Clarifies “legitimate interests”
  • Reduces need for cookie consent banners
  • Amends automated decision-making requirements
  • Removes the requirement for UK representatives
  • Removes requirement to appoint a Data Protection Officer
  • Provides the Information Commissioner’s Office with additional enforcement powers
  • Increases fines for nuisance calls
  • Requires new disclosures to be added to Privacy Policies

Canada Privacy Bill Tracker (1 Bill)

Canada

Introduced: 2023-03-23

Canada Bill C-27

An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts

Details:

  • Requires companies to implement and maintain a privacy management program
  • Grants the Privacy Commissioner ability to impose fines 
  • Increases fine amounts for violations
  • Includes a private right of action, allowing consumers to sue businesses directly for privacy violations
  • Includes right of portability
  • Includes right of deletion
  • Requires new disclosures to be added to Privacy Policies
  • Regulates automated decision-making systems
  • Includes a “legitimate interest” exception to consent requirements

Australia Privacy Bill Tracker (1 Bill)

Australia

Introduced: 2023-03-23

Australia Privacy Act 1988 reform

The proposed reforms are aimed at strengthening the protection of personal information and the control individuals have over their information. Stronger privacy protections would support digital innovation and enhance Australia’s reputation as a trusted trading partner.

Details:

  • Expands definition of “personal information” 
  • Removes small business exemption
  • Requires new disclosures to be added to Privacy Policies
  • Provides right to withdraw consent
  • Expands right to access
  • Includes right to object to the collection, use or disclosure of personal information
  • Expands the right of correction
  • Includes right to delete
  • Includes right to de-index online search results containing certain personal information
  • Includes right to opt out of targeted advertising
  • Introduces concepts of processor and controller
  • Expands scrutiny of transfers of data outside of Australia
  • Includes lower and mid-tier civil penalty provisions


Please note that this chart does not include bills that are dead nor does it include bills that do not deal with the subject matter that pertains to our customers. For example, a bill has been proposed that deals with facial recognition. We have not included this bill in our tracker since it’s not relevant to our customers. 

As the proposed bills are always changing, make sure to check this post often to keep up to date! Or don’t if you’re a Termageddon customer, because we’ll update your policies automatically for you when the bills become law. So you can leave all the tracking and privacy-bill-reading up to us by using our Privacy Policy Generator.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
