Fifteen US States have introduced privacy laws to protect the personal data of consumers. In this blog post, we will outline these 15 state data protection laws in the United States. While some of these laws are currently in effect, others are still pending implementation.
In the absence of a federal law to protect the personal data of US citizens, many states have implemented their own privacy laws with regulations similar to the EU’s General Data Protection Regulation (GDPR).
Currently, 15 states – California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, Delaware, Florida, New Jersey, and New Hampshire – have implemented or announced data protection regulations to protect consumers’ personal data.
In this article, we will explore each law in detail to help businesses understand the applicable laws and how to comply with them.
Let’s dive in.
State | Regulation | Effective date |
California | California Privacy Rights Act (CPRA) | 01 January, 2023 |
Virginia | Virginia Consumer Data Protection Act (VCDPA) | 01 January, 2023 |
Connecticut | Connecticut Data Privacy Act (CTDPA) | 01 July, 2023 |
Colorado | Colorado Privacy Act (CPA) | 01 July, 2023 |
Utah | Utah Consumer Privacy Act (UCPA) | 31 December, 2023 |
Iowa | Iowa Consumer Data Protection Act (ICDPA) | 01 January, 2025* |
Indiana | Indiana Consumer Data Protection Act (ICDPA) | 01 January, 2026* |
Tennessee | Tennessee Information Protection Act (TIPA) | 01 July, 2025* |
Oregon | Oregon Consumer Privacy Act (OCPA) | 01 July, 2024* |
Montana | Montana’s Consumer Data Privacy Act (MCDPA) | 01 October, 2024* |
Texas | Texas Data Privacy and Security Act (TDPSA) | 01 July, 2024* |
Delaware | Delaware Personal Data Privacy Act (DPDPA) | 01 January, 2025* |
Florida | Florida Digital Bill of Rights (FDBR) | 01 July, 2024* |
New Jersey | New Jersey Data Privacy Act (NJDPA) | 15 January, 2025* |
New Hampshire | New Hampshire Privacy Act (NHPA) | 01 January, 2025 |
Now, let’s explore each law in detail.
Reference: CPRA official text
Effective date: 01 January, 2023
The California Privacy Rights Act (CPRA) is an amendment to the California Consumer Privacy Act (CCPA). It expanded the scope to accommodate more types of business and modified the rights of consumers within the state of California.
Who Needs to Comply With CPRA?
The law applies to businesses in California that collect or control how the personal information of California consumers is used and meet one or more of the following conditions:
- Generated an annual revenue of twenty-five million dollars ($25,000,000) or more in the previous calendar year.
- Deals with buying, selling, or sharing the personal information of 100,000 consumers each year.
- At least 50 percent of its annual revenue is earned from selling or sharing consumers’ personal information.
Major Principles of CPRA
- Show accountability in data processing
- Ensure transparency
- Provide control to users
- Minimize data collection
- Limit the purpose of data collection
- Limit the data retention period
Rights of Data Subjects Under CPRA
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to know what personal information is being collected
- Right to access personal information
- Right to know what personal information is sold and to whom
- Right to opt-out of sharing personal information
- Right to know and opt out of automated decision-making
- Right to limit the use of sensitive personal information (SPI)
Check out the articles below to learn more about CCPA and CPRA:
- California Privacy Rights Act (CPRA) – A Comprehensive Guide for Businesses
- California Consumer Privacy Act (CCPA) and Cookies: What you need to know
Reference: VCDPA official text
Effective date: 01 January, 2023
The Virginia Consumer Data Protection Act (VCDPA) is a statewide privacy regulation that regulates the companies that collect, use, share, or sell the personal information of people residing in Virginia. It is the second statewide data protection regulation in the US.
Who Needs to Comply With VCDPA?
The VCDPA applies to any businesses that operate in Virginia or serve products or services to Virginia residents and meets any of the following conditions:
- Control or process the personal data of at least 100,000 consumers in Virginia,
- Control or process the personal data of at least 25,000 consumers and earn 50% of their gross revenue from selling the personal data of Virginian citizens.
This act does not apply to the following organizations:
- Commonwealth or its political subdivisions
- Financial institutions regulated by the Gramm-Leach-Bliley Act
- Entities governed by US Department of Health and Human Services rules
- Nonprofit organizations
- Higher education institutions
Major Principles of VCDPA
- Data minimization and purpose limitation
- Lawful purpose for data collection
- Implement proper security measures
- Do not discriminate consumers for exercising consumer rights
- Do not process sensitive personal data without consent
- Provide a clear and meaningful privacy notice
- Disclose selling or sharing personal data of consumers
Rights of Data Subjects Under VCDPA
- Right to know and access the personal data shared with businesses
- Right to correct inaccurate personal data
- Right to delete the personal data obtained by businesses
- Right to obtain a copy of personal data held by businesses
- Right to opt-out of processing of personal data
Reference: CTDPA official text
Effective date: 01 July, 2023
The Connecticut Data Privacy Act (CTDPA) is a data protection law that implements several measures to protect the personal data of consumers in Connecticut. It grants individuals several rights to protect their personal information shared with businesses. The law focuses on consumers’ data privacy and aligns closely with the California Privacy Rights Act (CPRA).
Who Needs to Comply With CTDPA?
The CTDPA applies to businesses that operate in Connecticut or serve products or services to Connecticut residents and:
- involved in processing the personal data of at least 100,000 consumers;
- or earned 25% of their gross revenue from selling personal data of at least 25,000 consumers in the previous calendar year.
It also applies to service providers that handle personal data for covered businesses.
The CTDPA does not apply to the following organizations:
- Government agencies
- Nonprofits
- Financial firms regulated by GLBA
- Registered securities associations
- Health organizations governed by HIPAA
- Higher education institutions
Major Principles of CTDPA
- Minimize the data collection
- Limit the purpose for collecting personal data
- Implement proper data security measures
- Do not process sensitive personal data without explicit consent
- Do not discriminate against consumers for exercising their rights
- Allow users to revoke consent
- Provide a clear and meaningful privacy notice
- Do not process personal data for targeted advertising without explicit consent
Rights of Data Subjects Under CTDPA
- Right to know and access the personal data shared with businesses
- Right to rectify inaccurate personal information
- Right to delete personal data gathered by businesses
- Right to obtain a copy of personal data held by businesses
- Right to opt out of processing personal data
Reference: CPA Senate Bill 21-190
Effective date: 01 July, 2023
The Colorado Privacy Act (CPA) 2021 is the third US state to implement a privacy law after California and Virginia. The act grants several rights to Colorado residents to protect their personal data shared with businesses. It also regulates businesses that collect, use, disclose, and share personal information of Colorado residents.
Who Needs to Comply With CPA?
The CPA applies to businesses operating in Colorado or serving products or services to Colorado residents and meets any of the following criteria:
- Controls or processes the personal data of 100,000 consumers during a calendar year.
- Earns revenue or gains discounted pricing for selling personal data of at least 25,000 consumers in a year.
The act does not apply to the following organizations:
- Government agencies
- Airlines
- Higher education institutions
- Consumer reporting agencies
- Other entities that process de-identified data
Major Principles of CPA
- Provide a clear and meaningful privacy notice
- Disclose the purpose for collecting personal data
- Minimize the data collection
- Do not use personal data other than the original purpose
- Implement proper measures to protect personal data
- Avoid unlawful discrimination against consumers for exercising their rights
- Do not collect or process sensitive personal data without explicit consent
- Conduct data protection risk assessment
Rights of Data Subjects Under CPA
- Right to opt out of the processing of personal data
- Right to access personal data held by organizations
- Right to correct inaccurate personal data
- Right to delete personal data held by organizations
- Right to obtain a copy of personal data in a portable format
Reference: Utah Senate Bill 277
Effective date: 31 December, 2023
The Utah Consumer Privacy Act (UCPA) regulates businesses handling the personal data of Utah residents. While other state privacy laws are consumer-focused, UCPA adopts a business-friendly approach. It provides some exceptions to businesses processing personal data and is less strict than other state privacy laws in the US.
Who Needs to Comply With UCPA?
The UCPA applies to any businesses operating in Utah or serving products or services to Utah residents that have an annual revenue of $25,000,000 and meet one or more of the following conditions:
- Controls or process personal data of at least 100,000 consumers
- Earns over 50% of the gross revenue from selling the personal data of at least 25,000 consumers.
The act does not apply to the following organizations:
- Government agencies
- Tribes
- Higher education institutions
- Non-profit organizations
- Covered entities
Major Principles of UCPA
- Provide clear and meaningful privacy notice
- Disclose the purpose of data collection
- Minimize the data collection
- Obtain consent from consumers
- Implement proper data security measures
- Do not discriminate against consumers for exercising their rights
- Allow users to opt-out and revoke consent
Rights of Data Subjects Under UCPA
- Right to know and access the personal data gathered by businesses
- Right to delete the personal data held by businesses
- Right to obtain a copy of personal data held by businesses in a portable format
- Right to opt out of the processing of personal data
Reference: Senate File 262
Effective date: 01 January, 2025
The Iowa Consumer Data Protection Act (ICDPA) grants several rights to consumers to protect their personal data and implements several obligations for businesses in the state. Similar to other state privacy laws in the US, Iowa also follows an opt-out approach for personal data processing.
Who Needs to Comply With ICDPA?
The ICDPA applies to businesses operating in Iowa or serving products or services to Iowa residents, handles the personal information of Iowa citizens, and meets one or more of the following criteria:
- Controls or process the personal information of at least 100,000 consumers
- Controls or process personal information of at least 25,000 consumers and earns 50 percent of gross revenue from selling personal information
The act does not apply to the following organizations:
- State and its political subdivisions
- Financial institutions and their affiliates, or data under the Gramm-Leach-Bliley Act
- Organizations regulated by HIPAA and HITECH
- Nonprofit organizations
- Higher education institutions
Major Principles of ICDPA
- Implement proper security measures to protect personal information
- Do not process sensitive personal information without explicit consent
- Avoid unlawful discrimination against consumers
- Any contract or agreement to restrict consumer rights will be deemed void
- Provide clear and meaningful privacy notice
- Disclose the selling or sharing of personal information
- Provide options to consumers to exercise their rights
Rights of Data Subjects Under ICDPA
- Right to know about the processing of personal data
- Right to access the gathered personal data
- Right to delete the personal data shared with organizations
- Right to obtain a copy of personal data held by organizations
- Right to opt out of processing
Reference: Senate Bill 5
Effective date: 01 January, 2026
The Indiana Consumer Data Protection Act (Indiana CDPA) is a comprehensive data protection law in Indiana that regulates businesses handling the personal information of Indiana consumers. It grants several rights to consumers and establishes several obligations for businesses.
Who Needs to Comply With Indiana CDPA?
The Indiana CDPA applies to businesses operating in Indiana or serving products or services to Indiana residents and meets any of the following criteria:
- Controls or processes personal information of at least 100,000 Indiana residents,
- Controls or processes personal information of at least 25,000 Indiana residents and earns more than 50 percent of gross revenue from selling the personal information.
The law does not apply to the following organizations:
- The state, its agencies, or any local government bodies
- Financial institutions or data protected under the Gramm-Leach-Bliley Act
- Health organizations under HIPAA
- Nonprofit organizations
- Higher education institutions
- Public utilities or their associated service companies
Major Principles of Indiana CDPA
- Minimize data collection
- Limit the purpose for collecting data
- Establish and implement proper data security measures
- Avoid unlawful discrimination against consumers
- Do not process sensitive personal information without consent
Rights of Data Subjects Under Indiana CDPA
- Right to know about the processing of personal data
- Right to access the gathered personal data
- Right to correct inaccurate personal data
- Right to delete the personal data gathered by organizations
- Right to obtain a copy or summary of the data held by organizations
- Right to opt out of the processing of personal data
Reference: HOUSE BILL 1181
Effective date: 01 July, 2025
The Tennessee Information Protection Act (TIPA) is a statewide consumer data protection law in Tennessee. It will regulate the businesses handling the personal data of Tennessee residents and ensure similar standards of data protection as in other states of the US.
Who Needs to Comply With TIPA?
The TIPA applies to businesses operating in Tennessee or serving products or services to Tennessee residents and meets any of the following criteria:
- Controls or process the personal information of at least 100,000 consumers in a calendar year
- Controls or processes personal information of at least 25,000 consumers and earns more than 50 percent of gross revenue from selling personal information
Major Principles of TIPA
- Minimize the data collection
- Limit the purpose of data collection
- Establish and implement proper data security measures
- No need to delete the data if it can’t be directly linked to an individual
- Avoid unlawful discrimination against consumers
- Do not process sensitive personal information without explicit consent
Rights of Data Subjects Under TIPA
- Right to know whether their personal data is collected or processed
- Right to access the personal data gathered by organizations
- Right to delete the personal data held by organizations
- Right to obtain a copy of personal data held by organizations
- Right to know if personal data is sold or shared with third parties
- Right to opt out of the processing of personal data
Reference: Senate Bill 619
Effective date: 01 July, 2024
The Oregon Consumer Privacy Act (OCPA) is the principal data protection regulation in Oregon. The act aims to protect the privacy rights of individuals residing in Oregon State in the US. It establishes several obligations for businesses operating and handling the personal data of Oregon residents.
Who Needs to Comply With OCPA?
The OCPA applies to any businesses that operate in Oregon or serve products or services to Oregon residents and meet any of the following criteria:
- Collect or process the personal information of at least 100,000 consumers
- Collect or process the personal information of at least 25,000 consumers and earn 25 percent of their annual gross revenue from selling personal data
The act does not apply to the following organizations:
- Government agencies
- Health institutions regulated by HIPPA
- Credit evaluation organizations under the Fair Credit Reporting Act
- Consumer reporting agencies or Information providers
- Other organizations that use personal data for health services
Major Principles of OCPA
- Provide a clear and meaningful privacy notice
- Minimize the data collection
- Implement proper security measures to protect personal information
- Allow consumers to revoke consent
- Limit the purpose of data collection
- Do not process sensitive personal information without explicit consent
- Do not discriminate against consumers for exercising their rights
Rights of Data Subjects Under OCPA
- Right to know whether their data is processed or not
- Right to access the personal data processed by organizations
- Right to know who has access to their personal data
- Right to rectify inaccurate personal data
- Right to delete personal data held by organizations
- Right to opt out of the processing of personal data
Reference: 68th Legislature Bill
Effective date: 01 October, 2024
The Montana Consumer Data Privacy Act (MCDPA) is a privacy regulation applicable within the state of Montana in the US. The law aims to protect the privacy rights of Montana residents and implements several obligations to businesses operating in Montana.
Who Needs to Comply With MCDPA?
The MCDPA applies to businesses operating in Montana or serving Montana residents and falls under any of the following criteria:
- Controls or processes personal data of at least 50,000 consumers
- Controls or processes personal data of at least 25,000 consumers and earns more than 25% of their gross revenue from selling personal data
The act does not apply to the following organizations:
- State or local government agencies
- Nonprofit organizations
- Higher education institutions
- Registered national securities associations under the Federal Securities Exchange Act
- Financial institutions and their affiliates governed by the Gramm-Leach-Bliley Act
- Covered entities regulated by federal health privacy regulations
Major Principles of MCDPA
- Limit the data collection
- Implement proper security measures to protect personal data
- Provide consumers with the option to revoke consent
- Limit the purpose for collecting or processing personal data
- Do not process sensitive personal data without consent
- Avoid unlawful discrimination against consumers
- Do not share personal data with third parties without consent
Rights of Data Subjects Under MCDPA
- Right to know whether the personal data is processed or not
- Right to access personal data gathered by organizations
- Right correct inaccurate personal data
- Right to delete personal data held by organizations
- Right to obtain a copy of personal data held by organizations
- Right to opt out of the processing of personal data
Reference: TDPSA official text
Effective date: 01 July, 2024
The Texas Data Privacy and Security Act (TDPSA) is a data protection regulation in Texas that grants several rights to consumers residing in Texas. It also establishes certain obligations for businesses to protect the personal data of Texas residents.
Who Needs to Comply With TDPSA?
The TDPSA applies to any business that operates in Texas or serves products or services to Texas residents and engages in selling or sharing personal data with third parties.
The act does not apply to the following organizations:
- State agencies and its subdivisions
- Financial institutions regulated by the Gramm-Leach-Bliley Act
- Covered entities or business associates under HIPAA
- Non-profit organizations
- Higher education institutions
- Electric utilities, power generator companies, or retail electric providers
Major Principles of TDPSA
- Limit the collection of personal data to only what is required
- Implement and maintain proper data security measures and practices
- Limit the purpose for collecting or processing personal data
- Avoid unlawful discrimination against consumers
- Do not process sensitive personal information without explicit consent
Rights of Data Subjects Under TDPSA
- Right to know about personal data processing
- Right to access the personal data collected by organizations
- Right to correct inaccurate personal data
- Right to delete the personal data held by organizations
- Right to obtain a copy of personal data in a portable and readable format
- Right to opt out of the processing of personal data
Reference: HOUSE BILL NO. 154
Effective date: 01 January, 2025
The Delaware Personal Data Privacy Act (DPDPA) is the principal data protection regulation in Delaware. The law regulates how businesses collect and use personal personal data of Delaware residents. It grants several rights to consumers and implements several obligations for businesses.
Who Needs to Comply With DPDPA?
The DPDPA applies to businesses operating in Delaware or providing products or services to Delaware residents and meet any of the following criteria in the previous calendar year:
- Control or process the personal data of at least 35,000 consumers
- Control or process the personal data of at least 10,000 consumers and derive more than 20 percent of their gross revenue from selling personal data.
The act does not apply to the following organizations:
- State and local government bodies, excluding higher education institutions
- Financial institutions are subject to the Gramm-Leach-Bliley Act
Other exclusions from the act include:
- Protected health information under HIPAA
- Patient-identifying information for specific purposes
- Identifiable private information for federal human subjects protection
- Personal information used for consumer credit reporting under the Fair Credit Reporting Act
Major Principles of DPDPA
- Limit the data collection to only what is required
- Limit the purpose of data collection
- Implement proper security measures to protect personal data
- Do not process sensitive personal information without explicit consent
- Avoid unlawful discrimination against consumers
- Allow consumers to revoke their consent
- Do not process the personal data of children between 13-16 for targeted advertising and marketing without consent
- Provide a clear and meaningful privacy notice
Rights of Data Subjects Under DPDPA
- Right to know whether their personal information is processed
- Right to access the personal information collected by organizations
- Right to correct inaccurate personal information
- Right to delete personal information held by organizations
- Right to obtain a copy of personal information held by organizations
- Right to obtain a list of third parties who have access to their personal information
- Right to opt out of the processing of personal information
Reference: Session bill
Effective date: 01 July, 2024
The Florida Digital Bill of Rights (FDBR) is a comprehensive data protection law in Florida that regulates businesses handling the personal information of Florida residents. It establishes several guidelines for organizations and government employees who handle personal information. The law also grants special rights to data subjects to protect their personal data.
Who Needs to Comply With FDBR?
The FDBR applies to businesses operating in Florida or serving products or services to Florida residents and engages in the selling of personal information.
The act does not apply to the following organizations:
- State agencies or political subdivisions
- Financial institutions subject to Title V of the Gramm-Leach-Bliley Act
- Covered entities or business associates governed by HIPAA regulations
- Nonprofit organizations
- Higher education institutions
- Personal data processed for personal or household activities or for measuring advertising performance
- Controllers or processors complying with the Children’s Online Privacy Protection Act for online data collection
Major Principles of FDBR
- Limit the data collection
- Limit the purpose of data collection
- Implement proper data security measures
- Avoid unlawful discrimination against consumers
- Do not process sensitive personal information without consent
Rights of Data Subjects Under FDBR
- Right to know about the processing of personal information
- Right to access the personal information held by businesses
- Right to correct inaccurate personal information
- Right to delete any or all personal information shared with businesses
- Right to opt out of personal data processing
- Right to opt out of collection of sensitive personal information
- Right to opt out of personal information collected through voice or facial recognition
Reference: New Jersey Data Protection Act
Effective date: 15 January, 2025
The New Jersey Data Protection Act (NJDPA) is a data protection regulation that protects the privacy rights of individuals residing in New Jersey. It implements several obligations for businesses operating in the state and grants several rights to New Jersey citizens.
Who Needs to Comply With NJDPA?
The NJDPA applies to businesses operating in New Jersey or providing products or services to New Jersey residents and meet any of the following criteria:
- Controls or processes personal data of at least 100,000 consumers
- Controls or processes personal data of at least 25,000 consumers and earns revenue or receives discounts for selling personal data.
Major Principles of NJDPA
- Disclose the purpose of data collection
- Minimize data collection
- Limit the purpose of data collection
- Implement proper data security measures
- Do not process sensitive personal data without explicit consent
- Avoid unlawful discrimination against consumers
- Provide consumers with the option to revoke consent
- Obtain explicit consent for processing personal data for targeted advertising and marketing
- Do not process personal data that present a high risk of harm to consumers without conducting data protection assessments
Rights of Data Subjects Under NJDPA
- Right to know about the processing of personal data
- Right to access personal data
- Right to rectify inaccurate personal data
- Right to delete personal data
- Right to obtain a copy of personal data held by organizations
- Right to opt out of the processing of personal data
Reference: New Hampshire Senate Bill 255
Effective date: 01 January 2025
The New Hampshire Privacy Act (NHPA) regulates businesses operating in New Hampshire that handle the personal information of New Hampshire residents. It grants several rights to consumers to protect their personal data shared with businesses. The law aims to establish privacy standards similar to CCPA and other state privacy laws.
Who Needs to Comply With NHPA?
The New Hampshire Privacy Act (NHPA) applies to businesses in New Hampshire state that provide products and services to New Hampshire residents and meet any of the following criteria:
- Control or process the personal data of not less than 100,000 consumers
- Control or process the personal data of not less than 25,000 consumers and earn more than 25% of their gross revenue from selling personal data.
This act does not apply to the following organizations:
- State or local government bodies
- Nonprofit organizations
- Higher education institutions
- Registered national securities associations
- Financial institutions subject to Title V of the Gramm-Leach-Bliley Act
- Covered entities or business associates
Major Principles of NHPA
- Limit the collection of personal data
- Limit the purpose of collecting personal data
- Implement and maintain proper security measures to protect personal data
- Obtain prior consent for processing sensitive personal data
- Avoid unlawful discrimination against consumers
- Allow consumers to revoke their consent
- Do not process personal data of children between 13-16 for targeted advertising and marketing without explicit consent
- Provide a clear and meaningful privacy notice
Rights of Data Subjects Under NHPA
- Right to know whether their data is processed or not
- Right to access their personal data collected by organizations
- Right to correct inaccurate personal information
- Right to delete personal data shared with businesses
- Right to obtain a copy of personal data held by businesses
- Right to opt out of data processing
Does the US Have a GDPR?
No. Till now, the US does not have a federal data protection law like the EU’s GDPR.
How Can I Check if a Law in My State Has Changed Recently?
To stay updated on the law, visit the state legislature website. There you can find information on any new changes or updates to the law. We also recommend that you seek professional advice from a legal advisor to learn the law in detail.
When Will the American Data Privacy and Protection Act (ADPPA) Come into Effect?
The American Data Privacy and Protection Act (ADPPA) is a draft bill proposed in June 2022. It is the closest legislation to be implemented by the US government. The bill was supposed to be introduced in the 117th Congress, but the session ended before the bill could be formally considered.
As of now, we can’t say an exact date for the implementation of ADPPA. We recommend you seek professional advice to stay up to date with the law.
How to Handle Data Breaches According to US State Privacy Laws?
When there’s a data breach on your business that affected the personal data of your consumers, follow the below steps:
- Identify the cause of the data breach
- Inform concerned authorities and state representatives
- Inform affected consumers if required
- Eliminate any vulnerabilities
- Implement additional security measures
- Update data protection policies and procedures
- Keep a record of all aspects of the data breach response process
- Seek professional help from experts
Our GDPR Cookie Consent Plugin is a native Consent Management Solution for WordPress websites. It helps you comply with US state privacy laws for cookie compliance. You can obtain prior consent from your site visitors for using cookies on your website.
It lets you display an opt out cookie consent banner as required by CPRA and other privacy laws. You can add a “Do not sell my personal information” link to your cookie banner to let your site visitors opt out of cookies.
The plugin allows you to scan and list all the cookies used on your website. You can add the cookie list to your cookie policy and privacy policy pages. It also offers free templates to create cookie policy for your website.
The plugin provides the option to revoke consent. You can let your customers revisit or modify their consent preferences at any time. The plugin also helps in compliance with the EU’s GDPR and supports integration with Google Consent Mode v2. It is also listed as a certified CMP by Google.
Overall, this plugin offers an easy solution for ensuring cookie compliance with US state privacy laws.
The United States does not have a federal law to regulate personal data processing in the country. However, currently, fifteen states have implemented their own privacy laws to protect the personal information of their citizens. These fifteen states includes California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, Delaware, Florida, New Jersey, and New Hampshire.
This article provides an overview of the scope of these laws, outlines key obligations for businesses, and highlights important rights granted to data subjects. While some of these privacy laws are already in effect, others are pending implementation.
The effective dates for pending laws are subject to change. It is advisable to visit the respective state legislature websites for the most up-to-date information.
This article is written based on the publicly available information about these laws. Actual details may vary upon implementation. Therefore, seeking professional advice from legal experts is recommended to ensure full compliance with the law.
If you find this to be helpful, please let us know your thoughts in the comments section. We also recommend that you read our article on New Zealand Privacy Act 2020
Disclaimer: This article was intended for informational purposes only and does not represent legal advice. We have no intention of obtaining any kind of attorney-client relationship. If you are looking for legal advice, we recommend you contact a professional.