I was recently giving a presentation about new privacy laws, and I created the infographic above to catalog the various elements that privacy laws often have. Going through this list can help to assess how complete a privacy law is. For example, the California Consumer Privacy Act (CCPA) is often compared to the General Data Protection Regulation (GDPR), and I’ve heard it sometimes referred to as a GDPR in the United States. But the CCPA is far different from the GDPR, as the GDPR is significantly more comprehensive and has many more dimensions than the CCPA. For example, the GDPR has a broader scope (covers more types of entities) and has many provisions about responsibilities and governance that the CCPA lacks. Indeed, the GDPR has most of the elements in this list. In the US, HIPAA comes the closest to the GDPR in terms of how many items it has from the last, but HIPAA is just limited to certain forms of health data.
The vast majority of privacy laws have provisions relating to their scope and applicability, a definition of the personal information that they regulate, individual rights and organizational responsibilities, enforcement provisions, and a particular position with regard to preemption.