U.S. State Data Privacy Laws – Map & Quick Facts

State legislatures nationwide are racing to create consumer data privacy laws, due to the lack of a comprehensive federal law, to give U.S. consumers control over companies’ use of their personal data. Nine states including California and Virginia already have extensive data privacy laws. At least 16 states introduced privacy bills in the 2022-23 session, aiming to protect subjects like biometrics and health data. 

Unlike GDPR in the EU, this decentralized approach in the US could pose risks for companies operating in multiple states. Bills proposed in several states echo pre-existing laws’ rights but with different enforcement. A state data privacy map below indicates narrow and comprehensive legislation status to keep you updated on regulatory changes. 

Which States Have Data Privacy Laws?

US States with Data Privacy Laws & Proposed Legislation 

California – CCPA 

The California Consumer Privacy Act (CCPA) empowers California residents with the right to request knowledge about their personal data collected and shared by companies. It also facilitates legal action against companies violating privacy norms, even without a data breach.

The California Privacy Rights Act provides transparency about data collection, processing, and third-party sharing. It also enables consumers to prevent companies from selling their data without repercussions, like denial of service.

The law ensures companies adhere to rules protecting consumer data and holds them accountable for data breaches, driving businesses to be more cognizant of customer data protection. 

Quick Facts: California Consumer Privacy Act 

Colorado – CPA 

The Colorado Privacy Act (CPA) went into effect in July 2023. The CPA guarantees Colorado consumers five key rights: data access, correction, deletion, portability, and the choice to opt out. It protects data that can identify individuals, excluding anonymized and public data.  

The Act applies to entities conducting targeted business in Colorado controlling yearly personal data of at least 100,000 consumers, or deriving revenue from the personal data of a minimum of 25,000 consumers.

State and local governments, higher education, and certain other entities are exempted. Controllers must adhere to duties involving transparency, data minimization, and avoiding unlawful discrimination, among others. Activities involving high-risk personal data processing necessitate a data protection assessment. 

Connecticut – CTDPA 

Connecticut’s Data Privacy Act (CTDPA) recently became the latest comprehensive state consumer privacy law, requiring companies in the state to comply within two years. Similar to laws in other states like Virginia and Colorado, CTDPA is consumer-oriented and applies to “controllers” and “processors” of data.

Aside from payment transactions, it impacts businesses in Connecticut or produces Connecticut-targeted services that process over 100,000 consumers’ data annually. Still, businesses with more than 25% of their total gross revenue generated by selling personal data of over 25,000 consumers are also regulated.  

Unlike, California or Utah privacy laws, there’s no revenue threshold for applicability. However, the CTDPA’s 25% gross revenue from data sales threshold is lower than the 50% limit in other states’ laws. It grants consumers broad rights including appealing denials of requests by controllers and opting out of targeted advertising or personal data sales processing.

Connecticut’s law also assures rights to access, correct, and delete personal data, as well as data portability, and opt out of automated decision processing, similar to other comprehensive privacy laws. 

Quick Facts: Connecticut Data Privacy Act

Maine – Maine Privacy Act

Maine protects privacy under common law rather than constitutionally, recognizing four types of privacy invasion claims, including unreasonable intrusion upon one’s seclusion, name or likeness appropriation, unreasonable disclosure of one’s private life, and unreasonably creating a misleading public perception of an individual.

The Maine Privacy Act, effective from July 2020, regulates online consumer data privacy by limiting broadband providers’ actions, such as prohibiting the use, sale, or distribution of or granting access to customers’ personal information without clear customer consent. 

Quick Facts: Maine Privacy Act

Virginia – VCDPA 

The Virginia Consumer Data Protection Act sets guidelines for handling personal data within the state. It applies to entities conducting business in Virginia that either process personal data of at least 100,000 consumers or derive over 50% of revenue from personal data sales and control or process data of at least 25,000 consumers.  

Virginia’s law doesn’t apply to state or local governmental entities and certain federal law-governed data. It endows consumers with rights like access, correction, deletion, and copying of personal data and also, the ability to opt out of targeted advertising, data sales, or profiling.

Enforcement falls solely under the Attorney General’s purview, backed by the Consumer Privacy Fund. A workgroup established by the Joint Commission on Technology and Science is tasked with reviewing the Act’s implementation and submitting a report by November 1, 2021.

Quick Facts: Virginia Consumer Data Protection Act

Utah – UCPA 

The Utah Consumer Privacy Act safeguards the privacy rights of Utah residents and stipulates data privacy duties for businesses processing Utah residents’ data. UCPA applies to personal data sales and targeted advertising, defining a sale as exchanging personal data for monetary consideration to a third party.  

Unlike the California Act, it doesn’t include non-monetary transactions or data sharing but incorporates targeted advertising. The Utah Consumer Privacy Act operates on an opt-out model, allowing data collection, sales, or targeted advertising without consumers’ consent unless it’s child-related data.  

Consumers have the right and should be provided with an option, to opt out of data sales or its use for targeted advertising. Utah’s law excludes publicly available, deidentified, anonymized, or aggregated data from being considered personal data. 

Quick Facts: Utah Consumer Privacy Act

States with New Data Privacy Laws Going into Effect Soon 

Passed on June 30, 2023, the Delaware Personal Data Privacy Act (DPDPA), targets entities engaged in business within Delaware or providing Delaware-targeted products/services. Its criteria for applicability cover entities processing data of over 35,000 consumers (excludes payment transactions) or ones controlling data of above 10,000 consumers while earning over 20% gross revenue from personal data sales in the previous year.  

It includes data-level exemption for protected health information under HIPAA, but not an entity-level exemption for businesses covered by GLBA. Non-profits committed exclusively to countering insurance crime or providing services to witnesses or victims of certain types of abuse or violent felonies are also exempted. Among obligations for businesses covered, common ones include data protection assessments, transparency requirements, and consumer rights.  

Delaware’s new regulation uniquely defines sensitive data and mandates businesses to secure valid consent before processing such data. It also enlists consumer rights parallel to those in other U.S. state laws, including processing confirmation, data correction, deletion, portability, third-party disclosure information, opt-out from targeted advertising, personal data sales, and profiling. Businesses are required to display a conspicuous opt-out link and honor universal opt-out signals. 

The Indiana Consumer Data Privacy Law, akin to US state laws, stipulates transparency and disclosure duties for “controllers” (those determining personal data processing means and purpose) and “processors” (entities processing data on behalf of a controller) engaged in business or providing products/services in Indiana.

It applies if they control or process personal data of at least 100,000 or 25,000 Indiana residents respectively and derive over 50% gross revenue from personal data sales annually, without a revenue threshold.  

It doesn’t apply to certain entities like government bodies, nonprofits, HIPAA-covered entities, higher education institutions, and certain types of data, including health and job records. The act grants Indiana consumers access to and control rights for personal data.

The law sets personal data limits, mandates reasonable security practices, sensitive data consent, non-discriminatory data processing, transparent privacy policy provision, targeted advertising, or consumers’ personal data sales disclosures, refusal appeal process establishment, and risk-prone data processing impact assessment. 

Florida – FDBR

Effective: July 1, 2024

The Florida Digital Bill of Rights has a higher jurisdictional threshold compared with the other US State Data Privacy Laws. While the FDBR acts similarly to other data privacy laws – to provide consumers control over how their data will be obtained and processed – the law applies to a more specific type of business.

The law requires firms to limit the collection of data, provide security measures to consumer data, and provide a clear privacy notice. The main difference between the law and other data privacy acts is it only applies to controllers with more than $1 billion in gross annual revenue.

In addition to the limit pertaining to gross annual revenue, the law further limits its application to controllers that derive at least 50% of their revenue from digital ad sales.

The Iowa Act Relating to Consumer Data Protection (ICDPA) allows consumers to opt out of personal data sales or its use in targeted advertisements. It doesn’t provide an opt-out right for profiling. Controllers must contract with processors to stipulate data processing instructions and obligations, and they can ask processors to delete or return personal data.

The legislation requires consumer notification and an opt-out opportunity before processing sensitive data and provides a 90-day period to cure alleged law violations.  The act applies to “controllers” who decide the purpose and means of personal data processing, and “processors” processing on behalf of the controller.

It covers entities conducting business in Iowa or providing Iowa-targeted products/services that control or process the personal data of at least 100,000 Iowan consumers or derive over 50% revenue from selling personal data of a minimum of 25,000 Iowan consumers.  

The ICDPA extends data privacy rights like processing verification, data access, deletion, obtaining a copy, and sales opt-out to consumers. There are specific exemptions for employment-related data, de-identified, aggregate, and public data, and certain entities such as nonprofits, higher education institutions, financial institutions, and entities under certain federal regulations. 

The Montana Consumer Data Privacy Act encompasses transparency and disclosure duties for “controllers” conducting business or providing services in Montana. The Act applies if they either control or process personal data of no less than 50,000 Montana residents (excluding payment transaction data) or of at least 25,000 residents while deriving more than 25% of their gross revenue from data sales.  

There’s no revenue threshold for compliance. It generally doesn’t apply to government entities, nonprofits, higher education institutions, entities regulated by the HIPAA or Gramm-Leach-Bliley Act, and certain types of data. The Act grants Montana, consumers, the right to verify their data processing, access, correct, delete, obtain a copy of personal data, and opt out of targeted advertising, personal data sales, or purely automated decision-making profiling. 

Tennessee Information Protection Act applies to those doing business in Tennessee or offering Tennessee-targeted products/services that either control or process personal information of at least 100,000 consumers annually or process information of a minimum of 25,000 consumers and generate over 50% gross revenue from personal information sales.  

Similar to other state laws, TIPA excludes governmental entities, Gramm-Leach-Bliley Act-governed financial institutions, HIPAA-governed businesses, nonprofits, higher education institutions, and certain types of data. It mandates controllers to undergo data protection impact assessments for processing activities involving personal information used in targeted advertising, personal information sales, profiling, sensitive data, or data carrying serious consumer harm risks.  

Controllers and processors must create, adhere to, and maintain a written privacy program, with National Institute of Standards and Technology (NIST) privacy framework conformity safeguarding them. A year is allowed for updating the privacy program to align with the revised NIST framework. Companies have 45 days (extendable by an additional 45 days) to respond to consumers’ requests and 60 days for appeals. 

Texas – TDPSA

Effective: July 2024

The Texas Data Privacy and Security Act is one of the recently passed comprehensive data privacy laws in the state of Texas. The law was particularly established to create a framework that will comprehensively protect the personal data of the state’s residents while ensuring that businesses have strict data security measures.

The law was fashioned after the Virginia Consumer Data Protection Act. The key difference is that the Texas Data Privacy and Security Act provides provisions that will also protect the interest of small businesses within the state.

The TDPSA applies to all businesses engaging in lawful trade within the state of Texas. This includes all businesses that deal with the sale of sensitive personal data given explicit consent by consumers. However, the law does not apply to businesses deemed by the Small Business Administration as a “small business.”

States Considering New Bills for Data Privacy Laws  

The proposed IDPPA inspired by the American Data Protection and Privacy Act, is a robust national privacy legislation aiming to regulate the data industry via critical controls. The law applies to covered entities – anyone other than individuals in non-commercial contexts who control the collection, processing, or transfer of covered data.

It restricts covered data collection, processing, or transfer, mandating it to be reasonably necessary and proportionate. Entities and service providers have to maintain sensible policies, practices, and procedures for handling covered data.  

The Act addresses retaliation, transparency, data rights, consent, data protection for minors, civil rights, data security, small business protections, executive responsibility, dealings with service providers and third parties, enforcement, severability, and rulemaking. The law comes into force 180 days post-enactment. 

Kentucky Bill 15 introduces measures that define consumer rights regarding data collection, including access, deletion, data portability, and the right to opt out of targeted advertising, tracking, and personal data sale or sharing.

It mandates data controllers to fulfill consumer rights requests and/or their appeals against refusal to exercise such rights and to carry out Data Protection Impact Assessments (DPIAs). 

The Maryland bill applies to businesses in the state or those targeting its residents, processing personal data of specific minimum consumer numbers, and earning a certain percentage of revenue from personal data sales. It excludes particular entities and information types while granting consumers rights like data processing confirmation, access, and deletion, as well as targeted advertising, data sales, and opt-out.

It requires privacy by design adherence, sensitive data processing consent, extra biometric data handling measures, and data protection risk assessments.  

The Act would be enforced by the state Attorney General and the Division of Consumer Protection, defining violations as deceptive trade practices and permitting limited private lawsuits for biometric data sale/leasing/trade injuries. The bill suggests setting up a task force to study online data privacy areas. 

Massachusetts – MDPPA 

Potential Effective Date: TBD 

There are multiple data privacy bills that are currently working their way through the Commonwealth’s legislative bodies. These include the Massachusetts Data Privacy Protection Act (MDPPA), the Massachusetts Information Privacy and Security Act (MISPA), and the Internet Bill of Rights, which are making progress in the Massachusetts State House. 

MDPPA, a new proposal inspired by the American Data Privacy Protection Act, would be enforced on companies with average annual gross revenues exceeding $20 million in the past three years, those collecting or processing over 75,000 individuals’ covered data annually in the past three years, and those profiting from data transfers.

It offers consumers rights to access, correct, and delete personal data, opt out of data transfers and targeted advertising, and portability of personal data. MDPPA also proposes a ban on targeted advertising to minors and requires data broker registration. 

MISPA, reintroduced from last year, shares some of these rights. The Internet Bill of Rights resembles Europe’s General Data Protection Regulation (GDPR). MIPSA also mirrors GDPR in requiring a lawful basis, like consent or a contract, for data processing.

The Michigan Personal Data Privacy Act governs entities (individuals or corporations) conducting business in Michigan or offering Michigan-targeted products/services, controlling or processing personal data of a minimum of 100,000 consumers or 25,000 consumers with over 50% gross annual revenue from personal data sales.

It mandates businesses to post understandable and accessible privacy policies, offers opt-in consent for all personal data processing, executes data protection impact assessments for sensitive personal data processing, sets contractual obligations concerning third-party data processors, and fulfills data broker registration requirements. 

The proposed bill mandates that companies conducting business in Minnesota or creating Minnesota-targeted products or services must not collect, use, or reveal a consumer’s personal information without their consent. Moreover, to secure the consumer’s consent, businesses must provide comprehensive information as outlined in the bill, at or before the point of personal information collection. 

The Nevada Consumer Health Data Privacy Bill applies to consumer health data, defined as identifiable information linked to a consumer’s past, present, or future health status. This broad definition includes various health indicators, geolocation data used for healthcare services, and health-related data derived using algorithms or machine learning, but excludes data on shopping habits or gaming.  

The law would impact any entity operating in Nevada or targeting Nevada consumers, without data collection limitations found in state consumer data protection acts. Exemptions exist for entities under HIPAA, GLBA, FCRA, and FERPA-governed information. The law would prohibit collecting or sharing consumer health data without voluntary consumer consent, geofencing, and selling consumer health data without valid authorization containing specific sale and purchaser details. 

Senate Bill 365, the New York Privacy Act, passed the New York State Senate on June 8, 2023, and was forwarded to the New York State Assembly. It sets out data subject rights, data controller duties, including conducting a Data Protection Impact Assessment (DPIA), and responsibilities for processors and data brokers. 

The proposed Oklahoma Computer Data Privacy Act applies to companies engaging in state business, processing Oklahoma residents’ personal information, with annual revenues exceeding $15,000,000, trading the personal information of over 50,000 consumers/households/devices, or earning over 25% of annual revenue from personal data sales. This lowers the revenue threshold from CCPA’s $25,000,000.  

The bill requires consent for personal data collection and mandates consumers to opt into personal data sales. It grants state residents rights to request disclosures from businesses about their personal information collection, request its deletion, know about its sale/disclosure, opt-out of its sale, and prevent businesses from discrimination for rights assertion.

Businesses are to publicize their privacy practices in their online privacy policies. The bill excludes, among others, PHI collected by HIPAA-covered entities and business associates, consumer reporting agencies under certain circumstances, and GLBA-subject financial institutions. 

If passed by the state Senate, the Oregon Consumer Privacy Act (OCPA) will apply to entities that conduct business in Oregon or provide products/services to residents and control or process the personal data of over 100,000 consumers (excluding payment transaction-only data) or at least 25,000 consumers while earning over 25% of annual gross revenue from personal data sales. 

The Act lacks some exemptions found in other state privacy laws. For instance, the initially introduced bill included both data and entity-level exemptions for GLBA-regulated financial institutions, but only the data-level exemption remains in the final draft.

The Act does not exempt HIPAA-covered entities but does include some data level exemptions due to concerns about entities being exempted based on a small number of HIPAA-covered activities they conduct. Non-profits aren’t exempt, although exceptions exist for organizations working to prevent fraudulent insurance activity or providing radio or television network programming. 

The Pennsylvania Consumer Data Protection Act targets entities conducting business in Pennsylvania, producing goods or services for residents, and processing personal data of a specific number of consumers or deriving substantial gross revenue from personal data sales. Exemptions include state government entities, financial institutions, HIPAA-governed entities, nonprofit organizations, higher education institutions, and data regulated by certain Acts.  

The Act grants individuals the rights to confirm, access, delete, and correct personal data; obtain data portability; and opt out of targeted advertising, data sales, or certain profiling. Controllers must follow privacy by design principles, secure sensitive data processing consent, provide notice describing data processing methods, and conduct a risk-involved data protection assessment. The state AG can request these assessments which remain confidential and public inspection exempt. 

This bill proposes several amendments to Title 9, Chapter 62 of Vermont Statutes dealing with personal information protection. It outlines data collection and use requirements, updates document destruction safety requirements, adds requirements for data brokers, introduces a new section on biometric information protection, and advocates for a study on public information.  

The bill adds a new section applicable to all data collectors handling personal information. It embodies data minimization, limiting data collection, use, retention, and sharing to what’s reasonably necessary for the purposes for which it was collected or processed or another disclosed context-compatible purpose. It also imposes restrictions on data collectors regarding the usage of personal information gathered from sources other than the consumer, ensuring consumer awareness, consent, and control. 

Stay Up to Date on Data Privacy Compliance Requirements 

These laws are constantly being updated and new regulations are being enacted around the country.

Our I.S. Partners team deals with these laws on a day-to-day basis. Allow our team to guide you through any necessary provisions of data privacy laws.

Follow I.S. Partners to stay on top of data privacy nationwide! 

About The Author

John DeCesare

John has over 22 years of experience working in the manufacturing, distribution, not-for-profit, governmental, insurance, public utilities and service industries. John has expertise in various aspects of the accounting, auditing and consulting disciplines. He has directed a full range of value-added services and has consulted to Senior Executives in middle market and Fortune 500 companies. His experience includes Sarbanes-Oxley compliance, SOC 1 audits, outsourcing and contract services, financial management, accounting and strategic planning, due diligence, business restructuring / re-engineering, process improvement and risk assessment.