Since the introduction of the European Union’s General Data Protection Regulation (GDPR) and its expansive reach, U.S. businesses have been faced with comprehensive data protection and privacy considerations like never before. As you may know, there were no such laws (federal or state) in the United States at that time, and U.S. businesses questioned the GDPR’s reach and applicability. Well, since then, U.S. states took it upon themselves to bring a wave of new data protection legislation, forcing U.S. businesses to consider the topic yet again (and this time it’s in their backyard).

Over the past five years, 12 new comprehensive U.S. state privacy laws have been passed. And there are more in the pipeline. Consider, for example, the influx in bills introduced over recent years—in 2018 only two bills were introduced on this topic, compared to the 59 that were introduced in 2023. This wave is not limited to the United States either—in recent years at least 10 countries have enacted new laws or amended their current laws to take a more comprehensive approach. And this wave is only likely to gain momentum (e.g., IAPP 2023 global legislative predictions report predicts parliaments around the world will continue introducing new legislation or building upon existing legislation, and according to the United Nations Conference on Trade and Development an additional 9% of countries have draft legislation on the table). Gone are the days when businesses (especially in this interconnected world) can ignore these comprehensive data protection and privacy laws without placing a certain level of risk upon themselves.