Midway along my drive to work each morning, I gain the freedom to unbuckle. New Hampshire, known for its \u201cLive Free or Die\u201d motto, is the only state in the union that views my seatbelt use as optional. As I cross state lines from Maine to New Hampshire, the rules of the road change.Increasingly, the same can be said for the laws governing privacy. While those patrolling the beat might understand the jurisdictional boundaries; technologically, they\u2019re often irrelevant, forcing many organizations to pay attention to all such laws at once.It\u2019s a winding road ahead.As privacy professionals driving new technologies forward peer beyond their dashboards, a rapidly changing US landscape is unfolding. The US privacy regime is already complex. It features a host of sectoral laws at the federal level, FTC enforcement of unfair and deceptive practices to plug the holes, 50 plus data breach notification laws, mini state-level FTC acts, a smattering of state privacy laws, and an aggressive plaintiff\u2019s bar. While that\u2019s a lot to grapple with, the pace of change in privacy laws, and the technologies they seek to regulate, is only accelerating.It\u2019s worth looking at where we are, where we\u2019re headed and what might help those who are behind the wheel or just along for the ride.State-level momentumAs CCPA 1.0, 2.0 and a multitude of state-level privacy proposals crowd the horizon, US Supreme Court Justice Louis Brandeis\u2019 introduction of both the US \u201cright to privacy\u201d and the notion of state legislatures as \u201claboratories of democracy\u201d seems increasingly prescient.CCPA 1.0Right now, the California Consumer Privacy Act is front and center. CCPA goes into effect January 1, 2020. Enforcement is slated to begin six months later. The CCPA is unprecedented in some respects, requiring covered businesses to allow California residents to opt out of the \u201csale\u201d of their personal information to third parties via a mandated \u201cDo Not Sell\u201d button on their websites. The impact of that novel requirement might be minimal if the term \u201csell\u201d were narrowly defined, but it isn\u2019t. A sale occurs when an organization shares personal information with a third party for \u201cvaluable consideration.\u201d While there are exceptions, the breadth of valuable consideration could capture a lot. Other CCPA requirements are more familiar and reminiscent of the EU General Data Protection Regulation, including access, deletion and transparency requirements. However, they are still new under US law, difficult to provide to only one geographic locale and will require companies across the US and around the globe to once again update privacy policies and data processing agreements. Understanding and implementing these new requirements will require close collaboration across and between organizations.CCPA 2.0As privacy professionals awaited CCPA regulations from California\u2019s Attorney General and geared up to discuss necessary updates with colleagues on engineering, design, security, legal and product teams, the landscape shifted once again. On September 24, Alastair Mactaggart, who launched the ballot initiative that led to CCPA, launched yet another. The California Privacy Rights and Enforcement Act of 2020, or CCPA 2.0 as it\u2019s been termed, would amend the CCPA. If adopted, it would create new privacy rights, many aligned with the EU GDPR, and heightened protections for sensitive personal information. The CPREA would establish a new privacy enforcement agency, impose stronger penalties for misuse of children\u2019s data, and mandate disclosure of the logic involved when profiling has a significant adverse effect on the consumer. Greater transparency related to personal data use in election campaigns is also envisioned. While Mactaggart faces an uphill battle and a requirement for 623,212 signatures to place his initiative on the ballot in 2020, polling suggests Californians are overwhelmingly with him.Other state legislationState-level privacy legislation is gaining momentum quickly. Developments in California are understandably the number one focus right now, but many other states have put forward or are contemplating legislation. Maine and Nevada have already adopted new laws. Current proposals have some major commonalities. These include consumer rights to access, opt-out, deletion, and the portability of their data. Many include business transparency obligations and a prohibition on discrimination. Industry interest in the private right of action included in over a handful of them is high. Some proposals also feature unique elements with the potential to create conflicting requirements as data moves across those invisible state lines. Several of those without legislation just yet have established task forces to study the issue and plan to put forward recommendations soon.The federal traffic jamThe US Congress is a bit of a traffic jam. There are a multitude of proposals, but considerably less momentum. Still, privacy has traditionally transcended partisan politics, so a sufficiently large state law collision could propel a bill forward quickly. It\u2019s an arena well-worth tracking. This year alone, Senators Rubio, Klobuchar, Mastro and others have all sponsored privacy bills and strengthened FTC oversight and enforcement authority are a common theme among them. Privacy groups, industry associations and even private companies have also offered up their own legislative discussion drafts. These include proposals from the Center for Democracy and Technology, the US Chamber of Commerce, Intel and others. While the immediate next step is unclear, rapid change in the state landscape could lead to federal action. \u00a0Intersections aheadWith the potential for many divergent state-level laws, and federal lawmaking somewhat stalled, privacy professionals are searching for areas of convergence. A few paths ahead merit consideration.One federal initiative is moving forward quickly. The National Institute of Standards and Technology plans to publish version 1.0 of its Privacy Framework before year\u2019s end. The NIST Privacy Framework aims to bridge the gap between security and privacy. It is designed to be implemented alongside NIST\u2019s Cybersecurity Framework to help organizations identify and manage privacy risks. Its authors seek to forge a common language to help privacy professionals across an organization communicate effectively. By outlining a set of privacy controls, presenting considerations for privacy engineering rather than a rights-based regime, the Framework could also rise above legislative differences.International standards and certification regimes could play a similar role. The International Standards Organization recently released ISO 27701, a privacy information management standard, as an extension to ISO\/IEC 27001 and 27002 security standards. ISO 27701 was designed with an eye to GDPR certification but is now being mapped to privacy laws around the world. The IAPP\u2019s Westin Research Center has also mapped it to the IAPP\u2019s CIPM and CIPP\/E certifications to offer insight into the professional skillset necessary to implement a global privacy standard. Other privacy standards remain under development, including within ISO, IEEE and elsewhere.Academic scholars too are charting new paths and identifying areas of intersection. Cybersecurity and privacy are increasingly taught in tandem in higher ed. Engineering programs are just beginning to team up with law schools to offer interdisciplinary training. And, leading scholars are pointing to other legal and non-legal disciplines for solutions. Woody Hartzog, for example, cites product safety law and design as inspiration for the next generation of privacy rules. I might note that while each state in the union has taken its own stance on my right to unbuckle, the federal government made crystal clear through the Motor Vehicle Safety Act that the seat belt must be installed.We best buckle up. It\u2019s a busy road ahead.