Data Privacy Laws Across U.S. States Reading time: 12 mins

Data Privacy Laws Across U.S. States

The landscape of data privacy legislation across the United States is marked by varying degrees of regulatory measures aimed at safeguarding individuals’ personal data. Currently, numerous states have enacted or are considering data privacy laws, creating a patchwork of regulations that companies must navigate. Below is an overview of some states that have implemented data privacy laws, those with upcoming legislation, and states contemplating new measures:

California – CCPA: The California Consumer Privacy Act (CCPA) provides Californian consumers with substantial rights concerning their personal data. It empowers individuals to request information about their data, take legal action against non-compliant companies, and exercise control over the use and sale of their data. The CCPA compels companies to adhere to strict data protection standards and be accountable for data breaches.

Colorado – CPA: The Colorado Privacy Act (CPA), effective from July 2023, guarantees key data rights to Colorado consumers. It applies to entities conducting business in the state and sets forth requirements for data access, correction, deletion, portability, and the ability to opt-out. The CPA emphasizes data protection, transparency, and responsible data processing practices.

Connecticut – CTDPA: Connecticut’s Data Privacy Act (CTDPA) is a recent comprehensive addition to state consumer privacy laws. Applicable to both “controllers” and “processors” of data, CTDPA requires companies to comply within two years. It grants consumers a range of rights, including access, correction, deletion, and opting out of targeted advertising. Unlike some other states, Connecticut’s law lacks a revenue threshold for applicability.

Maine – Maine Privacy Act: Maine regulates online consumer data privacy through common law principles. The Act, effective since July 2020, curtails broadband providers’ actions regarding personal information without clear consumer consent.

States with Upcoming Data Privacy Laws:

Several states have passed or are in the process of enacting data privacy laws that are set to take effect soon:

Delaware – DPDPA: The Delaware Personal Data Privacy Act (DPDPA), effective from January 2025, targets businesses operating in Delaware or offering Delaware-focused products/services. It sets criteria for applicability based on data processing volumes and revenue thresholds.

Indiana – ICDPA: The Indiana Consumer Data Privacy Law, effective from January 2026, introduces transparency and privacy obligations for entities engaged in business in Indiana. It emphasizes data access and control for consumers, reasonable security practices, and impact assessments for high-risk data processing.

Iowa – ICDPA: The Iowa Act Relating to Consumer Data Protection (ICDPA), effective from January 2025, grants consumers the right to opt-out of data sales and targeted advertising. It defines roles for “controllers” and “processors,” enforces data processing transparency, and outlines data privacy rights.

Montana – MTCDPA: The Montana Consumer Data Privacy Act, effective from October 2024, centers on transparency, data access, and consumers’ right to opt-out of targeted advertising and data sales.

Tennessee – TIPA: The Tennessee Information Protection Act (TIPA), effective from July 2024, mandates data protection impact assessments for personal information processing activities and establishes a framework for consumer data rights.

Utah – UCPA: The Utah Consumer Privacy Act, effective from December 2023, safeguards the privacy rights of Utah residents. It defines personal data sales and targeted advertising, allowing opt-out options for consumers.

Virginia – VCDPA: The Virginia Consumer Data Protection Act, effective from January 2023, governs entities conducting business in Virginia and grants consumers a suite of rights related to their personal data.

States Considering New Data Privacy Laws:

Several states are considering new data privacy legislation:

Illinois – IDPPA: The proposed Illinois Data Privacy and Protection Act, modeled after national privacy legislation, aims to regulate the data industry by imposing controls on data collection, processing, and transfer.

Kentucky – Bill 15: Kentucky’s Bill 15 focuses on consumer rights regarding data collection, including access, deletion, data portability, and opting out of targeted advertising.

Maryland – Online and Biometric Data Privacy Act: Maryland’s proposed bill grants consumers data processing rights, introduces privacy by design principles, and addresses biometric data protection.

Massachusetts – MDPPA, MISPA, Internet Bill of Rights: Massachusetts is considering multiple data privacy bills, including the Massachusetts Data Privacy Protection Act, the Massachusetts Information Privacy and Security Act, and the Internet Bill of Rights.

Michigan – MPDPA: The Michigan Personal Data Privacy Act outlines obligations for companies processing personal data, including data protection impact assessments and data broker registration.

Minnesota – SF 950: Minnesota’s proposed bill mandates consumer consent for personal data collection and comprehensive information disclosure.

Nevada – NCHDP/SB-370: Nevada’s Consumer Health Data Privacy Bill focuses on consumer health data protection and consent for data sharing.

New York – NYPA/SB365: The New York Privacy Act grants data subject rights, outlines duties for data controllers, and addresses responsibilities for processors and data brokers.

Oklahoma – OCDPA: The Oklahoma Computer Data Privacy Act emphasizes data collection consent, consumer rights, and privacy practices.

Oregon – OCPA/SB 619: The Oregon Consumer Privacy Act focuses on personal data processing transparency, consumer rights, and obligations for businesses.

Pennsylvania – Consumer Data Protection Act/HB 708: Pennsylvania’s proposed Act covers personal data protection, consumer rights, and enforcement mechanisms.

Vermont – H.121: Vermont’s bill proposes amendments to personal information protection laws, addressing data collection, use, and destruction requirements.