At Termageddon we’ve have created a privacy bill tracker that will help you better understand what bills are being proposed and how they may affect your business. The privacy bill tracker discloses all bills that have been proposed by lawmakers around the world states that could affect Privacy Policy disclosures and business obligations. We do not include bills that have become law, nor bills that are dead.
Here is a list of the laws that require you to have a Privacy Policy that affect how that Privacy Policy is written.
This list changes frequently, so be sure to check back to see the latest in privacy.
Table of Contents
U.S. Federal Bill Tracker (3 bills)
United States
–
Introduced: 2022-06-21
American Data Privacy and Protection Act
The Act imposes a baseline duty on all covered entities not to unnecessarily collect or use covered data in the first instance, regardless of any consent or transparency requirements. Specifically, covered entities are prohibited from collecting, processing, or transferring covered data beyond what is reasonably necessary, proportionate, and limited to provide specific products and services requested by individuals, communicate with individuals in a manner they reasonably anticipate given the context of their relationship with the covered entity, or for a purpose expressly permitted by the Act.
Does law require Privacy Policy Changes?: Yes
More Details:
Overrides state laws
Enforced by the FTC
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
United States
–
Introduced: 2023-11-15
DATA Privacy Act (US S 3337)
To establish national data privacy standards in the United States, and for other purposes.
Does law require Privacy Policy Changes?: Yes
More Details:
Overrides state laws
Enforced by the FTC
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
United States
–
Introduced: 2024-04-09
American Privacy Rights Act
To establish protections for covered data of individuals, and for other purposes.
Does law require Privacy Policy Changes?: Yes
More Details:
Overrides state laws
Enforced by the FTC
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
U.S. State Bill Tracker (16 bills)
United States
–
Illinois
Introduced: 2023-03-10
IL – Illinois Data Privacy and Protection Act (HB3385)
Creates the Illinois Data Privacy and Protection Act. Provides that a covered entity (any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data) may not collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate. Provides that a covered entity and a service provider shall establish, implement, and maintain reasonable policies, practices, and procedures concerning the collection, processing, and transferring of covered data. Contains provisions concerning retaliation; transparency; individual data rights; consent; data protection for children and minors; civil rights; data security; small business protections; executive responsibility; service providers and third parties; enforcement; severability; and rulemaking. Effective 180 days after becoming law.
Does law require Privacy Policy Changes?: Yes
More details:
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
United States
–
Illinois
Introduced: 2024-02-09
IL – Illinois Data Privacy and Protection Act (HB3385)
Creates the Privacy Rights Act. Sets forth duties and obligations of businesses that collected consumers’ personal information and sensitive personal information to keep such information private. Sets forth consumer rights in relation to the collected personal information and sensitive personal information, including the right to: delete personal information; correct inaccurate personal information; know what personal information is sold or shared and to whom; opt out of the sale or sharing of personal information; limit use and disclosure of sensitive personal information; and no retaliation for exercising any rights. Sets forth enforcement provisions. Creates the Consumer Privacy Fund. Allows the Attorney General to create rules to implement the Act. Establishes the Privacy Protection Agency. Includes provisions regarding remedies and fines for violations of the Act. Makes a conforming change in the State Finance Act.
Does law require Privacy Policy Changes?: Yes
More details:
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
United States
–
Massachusetts
Introduced: 2023-02-16
MA – Massachusetts Data Privacy Protection Act (HD2281/SD 745)
By Representatives Vargas of Haverhill and Rogers of Cambridge, a petition (accompanied by bill, House, No. 83) of Andres X. Vargas, David M. Rogers and Carmine Lawrence Gentile for legislation to establish the Massachusetts data privacy protection act. Advanced Information Technology, the Internet and Cybersecurity.
Does law require Privacy Policy Changes?: Yes
More details:
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
United States
–
Massachusetts
Introduced: 2023-02-16
MA – Massachusetts Information Privacy and Security Act (HD3263/SD1971)
By Representative Carey of Easthampton, a petition (accompanied by bill, House, No. 60) of Daniel R. Carey and Mindy Domb relative to the security and the protection of personal information by establishing the Massachusetts information privacy and security act. Advanced Information Technology, the Internet and Cybersecurity.
Does law require Privacy Policy Changes?: Yes
More details:
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
United States
–
Massachusetts
Introduced: 2023-02-16
MA – Internet Bill of Rights (HD3245)
Does law require Privacy Policy Changes?: Yes
More details:
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
United States
–
Michigan
Introduced: 2023-11-09
MI – Michigan Personal Data Privacy Act (SB659)
Consumer protection: privacy; personal data privacy act.
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Prohibits discrimination
Imposes fiduciary duty
Right to be forgotten
United States
–
New York
Introduced: 2023-01-19
NY – Digital Fairness Act (S2277)
Enacts the “digital fairness act”; requires any entity that conducts business in New York and maintains the personal information of 500 or more individuals to provide meaningful notice about their use of personal information; establishes unlawful discriminatory practices relating to targeted advertising.
Does law require Privacy Policy Changes?: Yes
More details:
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
United States
–
New York
Introduced: 2023-01-04
NY – New York Privacy Act (SB365)
Enacts the New York privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.
Does law require Privacy Policy Changes?: Yes
More details:
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
United States
–
New York
Introduced: 2023-01-30
NY – Consumer Right to Request Disclosure of Information (SB3162)
Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
Does law require Privacy Policy Changes?: Yes
More details:
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
United States
–
New York
Introduced: 2023-02-14
NY – Personal Information Collection (AB4374)
Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
Does law require Privacy Policy Changes?: Yes
More details:
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
United States
–
North Carolina
Introduced: 2023-04-03
NC – North Carolina Consumer Privacy Act (SB525)
Consumer Privacy Act
Does law require Privacy Policy Changes?: Yes
More details:
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
United States
–
Ohio
Introduced: 2023-12-06
OH – Ohio HB 345
To amend section 1345.51 and to enact sections 1357.01, 1357.02, 1357.03, 1357.04, 1357.05, 1357.06, 1357.07, 1357.08, 1357.09, 1357.10, and 1357.11 of the Revised Code to enact the Ohio Personal Privacy Act.
Does law require Privacy Policy Changes?: Yes
More details:
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
United States
–
Pennsylvania
Introduced: 2023-03-27
PA – Consumer Data Protection Act (HB708)
An Act providing for protection of certain personal data of consumers; imposing duties on controllers and processors of personal data of consumers; providing for enforcement; prescribing penalties; and establishing the Consumer Privacy Fund.
Does law require Privacy Policy Changes?: Yes
More details:
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
United States
–
Pennsylvania
Introduced: 2023-05-19
PA – Consumer Data Privacy Act (HB1201)
An Act providing for consumer data privacy, for duties of controllers and for duties of processors; and imposing penalties.
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
United States
–
Pennsylvania
Introduced: 2024-01-09
PA – Consumer Data Privacy Act (HB1947)
An Act providing for consumer data privacy, for rights of consumers and duties of businesses relating to the collection of personal information and for duties of the Attorney General.
Does law require Privacy Policy Changes?: Yes
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
United States
–
Pennsylvania
Introduced: 2024-07-12
PA – Pennsylvania Consumer Data Privacy Act (SB1279)
An Act providing for consumer data privacy, for rights of consumers and duties of businesses relating to the collection of personal information and for duties of the Attorney General.
Does law require Privacy Policy Changes?: Yes
Business size limit
Consumers can sue
Right to access data
Right to delete data
Right to correct data
Right to restrict processing
Right to opt-out
Opt-in consent required
Right to portability
Against automated decision making
Imposes fiduciary duty
Prohibits discrimination
Right to be forgotten
United Kingdom Privacy Bill Tracker (1 Bill)
United Kingdom
Introduced: 2022-23
United Kingdom Data Protection and Digital Information Bill
A Bill to make provision for the regulation of the processing of information relating to identified or identifiable living individuals; to make provision about services consisting of the use of information to ascertain and verify facts about individuals; to make provision about access to customer data and business data; to make provision about privacy and electronic communications; to make provision about services for the provision of electronic signatures, electronic seals and other trust services; to make provision about the disclosure of information to improve public service delivery; to make provision for the implementation of agreements on sharing information for law enforcement purposes; to make provision about the keeping and maintenance of registers of births and deaths; to make provision about information standards for health and social care; to establish the Information Commission; to make provision about oversight of biometric data; and for connected purposes.
Details:
- Amends definition of “personal data”
- Clarifies “legitimate interests”
- Reduces need for cookie consent banners;
- Amends automated decision-making requirements;
- Removes the requirement for UK representatives;
- Removes requirement to appoint a Data Protection Officer;
- Provides the Information Commissioner’s Office with additional enforcement powers;
- Increases fines for nuisance calls;
- Requires new disclosures to be added to Privacy Policies.
Canada Privacy Bill Tracker (1 Bill)
Canada
Introduced: 2023-03-23
Canada Bill C-27
An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts
Details:
- Requires companies to implement and maintain a privacy management program
- Grants the Privacy Commissioner ability to impose fines
- Increases fine amounts for violations
- Includes a private right of action, allowing consumers to sue businesses directly for privacy violations
- Includes right of portability
- Includes right of deletion
- Requires new disclosures to be added to Privacy Policies
- Regulates automated decision-making systems
- Includes a “legitimate interest” exception to consent requirements
Australia Privacy Bill Tracker (1 Bill)
Australia
Introduced: 2023-03-23
Australia Privacy Act 1988 reform
The proposed reforms are aimed at strengthening the protection of personal information and the control individuals have over their information. Stronger privacy protections would support digital innovation and enhance Australia’s reputation as a trusted trading partner.
Details:
- Expands definition of “personal information”
- Removes small business exemption
- Requires new disclosures to be added to Privacy Policies
- Provides right to withdraw consent
- Expands right to access
- Includes right to object to the collection, use or disclosure of personal information
- Expands the right of correction
- Includes right to delete
- Includes right to de-index online search results containing certain personal information
- Includes right to opt out of targeted advertising
- Introduces concepts of processor and controller
- Expands scrutiny of transfers of data outside of Australia
- Includes lower and mid-tier civil penalty provisions
Please note that this chart does not include bills that are dead nor does it include bills that do not deal with the subject matter that pertains to our customers. For example, a bill has been proposed that deals with facial recognition. We have not included this bill in our tracker since it’s not relevant to our customers.
As the proposed bills are always changing, make sure to check this post often to keep up to date! Or don’t if you’re a Termageddon customer, because we’ll update your policies automatically for you when the bills become law. So you can leave all the tracking and privacy-bill-reading up to us by using our Privacy Policy Generator.