
In recent years, the landscape of data privacy in the United States has evolved significantly, with various states enacting their own comprehensive data privacy laws. This patchwork of legislation reflects a growing recognition of the importance of consumer data protection and the need for businesses to adapt to a complex regulatory environment. With the absence of a unified federal privacy law, states have taken the lead in crafting laws that address the collection, use, and protection of personal data. 

In this article, we offer a brief overview of these state privacy laws, covering each law's effective date, key provisions, and overall impact.


U.S. State Data Privacy Laws

As of 2024, a number of U.S. states have enacted consumer data privacy laws. These laws generally apply across industries, with some exceptions, and grant individuals various rights concerning their personal data. Below is an overview of each state’s legislation:

California Consumer Privacy Act (CCPA)

  • Effective Date: January 1, 2020
  • State Data Privacy Law: CCPA Link

Key Provisions

The CCPA was the first comprehensive data privacy law in the U.S., setting a high standard for consumer privacy rights. It grants California residents the right to know what personal data is being collected about them, the right to request deletion of their data, the right to opt out of the sale of their data, and the right to non-discrimination for exercising these rights. Businesses are required to provide clear notices about data collection practices and offer an easy way for consumers to opt out of data sales. The CCPA applies to businesses that meet specific criteria, such as annual gross revenues exceeding $25 million, handling data of 50,000 or more consumers, or deriving 50% or more of their revenue from data sales.

Overview

As the first state-level data privacy law in the U.S., the CCPA set a precedent that influenced subsequent legislation both in the U.S. and internationally. The law focuses on transparency, consumer control, and accountability, requiring businesses to rethink their data practices. The CCPA also introduced the concept of “Do Not Sell My Personal Information” links, which have become a standard feature for companies doing business in California. The law’s impact extends beyond state lines, as many businesses have opted to extend CCPA protections to all U.S. consumers to simplify compliance.

California Privacy Rights Act (CPRA)

  • Effective Date: January 1, 2023
  • State Data Privacy Law: CPRA Link

Key Provisions

The CPRA, often referred to as “CCPA 2.0,” builds upon and strengthens the original CCPA. It introduces new rights for California residents, such as the right to correct inaccurate personal information and the right to limit the use of sensitive personal information. The CPRA also establishes the California Privacy Protection Agency (CPPA), an independent body tasked with enforcing the law and providing guidance to businesses. The CPRA expands the definition of personal information to include “sensitive personal information,” such as race, religion, sexual orientation, and health data, and imposes stricter obligations on businesses, including the requirement to conduct regular data protection assessments.

Overview

The CPRA significantly enhances consumer privacy protections in California, making the state one of the most stringent jurisdictions for data privacy in the world. By establishing the CPPA, California has created a dedicated regulatory body that can adapt to emerging privacy issues and provide clearer guidance to businesses. The CPRA’s expanded rights and obligations reflect a growing recognition of the need to protect sensitive information and ensure that consumers have greater control over how their data is used. The law also introduces more severe penalties for violations, particularly concerning the mishandling of sensitive personal information.

Virginia Consumer Data Protection Act (VCDPA)

  • Effective Date: January 1, 2023
  • State Data Privacy Law: VCDPA Link

Key Provisions

The VCDPA provides Virginia residents with several privacy rights, including the right to access their data, the right to correct inaccuracies, the right to delete personal data, and the right to opt out of the processing of personal data for targeted advertising, sale, or profiling. The law applies to businesses that control or process the personal data of at least 100,000 consumers or derive over 50% of their gross revenue from the sale of personal data. The VCDPA also requires businesses to conduct data protection assessments for processing activities that present a heightened risk to consumers, such as targeted advertising and profiling. The law is enforced by the Virginia Attorney General, with penalties including fines of up to $7,500 per violation.

Overview

The VCDPA positions Virginia as a leader in data privacy regulation on the East Coast, offering a model that balances consumer protections with business flexibility. Unlike the CCPA, the VCDPA includes exemptions for certain types of data and entities, such as data covered by HIPAA and financial institutions subject to the Gramm-Leach-Bliley Act. This makes the VCDPA more business-friendly, particularly for companies that already adhere to other regulatory frameworks. The law’s emphasis on data protection assessments and risk-based approaches reflects a growing trend in privacy regulation, where businesses are expected to proactively manage and mitigate privacy risks. The VCDPA also allows businesses to cure violations within 30 days of being notified by the Attorney General, which provides an opportunity for companies to address issues before facing penalties.

Colorado Privacy Act (CPA)

  • Effective Date: July 1, 2023
  • State Data Privacy Law: CPA Link

Key Provisions

The CPA grants Colorado residents several key rights, including the right to access their data, correct inaccuracies, delete personal data, opt out of data sales, and opt out of the processing of personal data for targeted advertising and profiling. The law applies to entities that conduct business in Colorado or produce products or services targeted at Colorado residents, provided they either control or process the personal data of 100,000 or more consumers or derive revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers. The CPA also requires businesses to provide transparent information about their data practices and to implement reasonable security measures to protect personal data.

Overview

The CPA is closely modeled after the CCPA and VCDPA but includes some unique provisions that set it apart. For example, the CPA mandates that businesses obtain consumer consent before processing sensitive personal data, which includes information about racial or ethnic origin, religious beliefs, sexual orientation, and health conditions. The CPA also requires businesses to provide consumers with a universal opt-out mechanism for targeted advertising, making it easier for individuals to exercise their privacy rights. The law’s focus on consent and transparency aligns with global privacy trends, particularly those seen in the European Union’s General Data Protection Regulation (GDPR). The CPA also includes a strong enforcement mechanism, with the Colorado Attorney General and district attorneys authorized to enforce the law and impose fines for non-compliance.

Connecticut Data Privacy Act (CTDPA)

  • Effective Date: July 1, 2023
  • State Data Privacy Law: CTDPA Link

Key Provisions

The CTDPA provides Connecticut residents with rights similar to those found in the CCPA, CPRA, and VCDPA, including the right to access, correct, delete, and port personal data, as well as the right to opt out of data sales and targeted advertising. The law applies to businesses that control or process the personal data of 100,000 or more consumers, or derive over 25% of their revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers. The CTDPA requires businesses to conduct data protection assessments for high-risk processing activities, such as targeted advertising, and mandates that businesses obtain consumer consent before processing sensitive data.

Overview

The CTDPA represents a significant step forward for data privacy in Connecticut, aligning the state with other leading privacy regimes in the U.S. The law is designed to be interoperable with other state privacy laws, making it easier for businesses to comply across multiple jurisdictions. The CTDPA also includes strong protections for children’s data, requiring businesses to obtain parental consent before processing the personal data of children under the age of 13. The law’s emphasis on consumer rights and transparency reflects a broader trend toward empowering individuals to take control of their personal information. The CTDPA is enforced by the Connecticut Attorney General, who has the authority to seek penalties for non-compliance, including fines of up to $7,500 per violation.

Delaware Personal Data Privacy Act (DPDPA)

  • Effective Date: January 1, 2025
  • State Data Privacy Law: DPDPA Link

Key Provisions

The DPDPA provides Delaware residents with rights to access, correct, delete, and port their personal data, as well as the right to opt out of the sale of personal data, targeted advertising, and profiling. The law applies to businesses that process the personal data of 100,000 or more consumers or derive more than 50% of their revenue from the sale of personal data. The DPDPA also includes provisions for the protection of sensitive personal data, requiring businesses to obtain consumer consent before processing such data. The law mandates that businesses implement reasonable data security practices and conduct data protection assessments for high-risk processing activities.

Overview

The DPDPA marks a significant development in Delaware’s approach to data privacy, bringing the state’s laws in line with leading privacy regimes across the U.S. The law emphasizes the protection of sensitive personal data, which includes information related to race, religion, health, sexual orientation, and other sensitive categories. The DPDPA also provides robust protections for children’s data, requiring businesses to obtain parental consent before processing the personal data of children under 13. The law’s focus on consumer rights and data security reflects Delaware’s commitment to safeguarding personal information in an increasingly digital world. The DPDPA is enforced by the Delaware Department of Justice, which has the authority to impose fines and penalties for non-compliance.

Florida Digital Bill of Rights (FDBR)

  • Effective Date: July 1, 2024
  • State Data Privacy Law: FDBR Link

Key Provisions

The FDBR is a comprehensive data privacy law that focuses on the rights of Florida residents to control their personal data. It provides consumers with rights to access, correct, delete, and port their data, as well as the right to opt out of the sale of personal data and targeted advertising. The law applies to businesses that meet specific thresholds, such as controlling or processing the personal data of 100,000 or more consumers or deriving 50% or more of their revenue from the sale of personal data. The FDBR also includes provisions that require businesses to be transparent about their data practices and implement reasonable security measures to protect personal data.

Overview

The FDBR positions Florida as a key player in the national data privacy landscape. The law’s focus on consumer rights and business obligations mirrors trends seen in other states, but it also includes unique provisions aimed at protecting digital privacy in the context of emerging technologies. For example, the FDBR requires businesses to disclose whether they use automated decision-making technologies, such as artificial intelligence, and provides consumers with the right to opt out of such processes. The law’s strong focus on transparency and accountability reflects Florida’s commitment to ensuring that residents have control over their personal data in the digital age. The FDBR is enforced by the Florida Attorney General, who has the authority to impose penalties for violations, including fines of up to $7,500 per violation.

Indiana Consumer Data Protection Act (INCDPA)

  • Effective Date: January 1, 2026
  • State Data Privacy Law: INCDPA Link

Key Provisions

The INCDPA grants Indiana residents rights to access, correct, delete, and port their personal data, as well as the right to opt out of the sale of personal data and targeted advertising. The law applies to businesses that control or process the personal data of 100,000 or more consumers or derive more than 50% of their revenue from the sale of personal data. The INCDPA requires businesses to obtain consumer consent before processing sensitive personal data and mandates that businesses conduct data protection assessments for high-risk processing activities.

Overview

The INCDPA is designed to provide robust privacy protections for Indiana residents while allowing businesses to operate with flexibility. The law’s emphasis on consumer rights and data security reflects a broader trend in U.S. privacy regulation, where states are increasingly adopting comprehensive privacy frameworks. The INCDPA also includes provisions that allow businesses to cure violations within 30 days of being notified by the Attorney General, providing a pathway for companies to address compliance issues without facing immediate penalties. The law’s focus on transparency, consent, and accountability aligns with national and international privacy trends, positioning Indiana as a leader in data protection.

Iowa Consumer Data Protection Act (ICDPA)

  • Effective Date: January 1, 2025
  • State Data Privacy Law: ICDPA Link

Key Provisions

The Iowa ICDPA grants residents basic privacy rights, including the right to access their data, opt out of data sales, and request the deletion of personal information. However, the law does not provide rights to correct inaccurate data or delete data held by third parties, which makes it one of the more business-friendly privacy laws. The ICDPA applies to businesses that control or process the personal data of 100,000 or more consumers or derive more than 50% of their revenue from the sale of personal data.

Overview

The Iowa ICDPA is notable for its balance between protecting consumer rights and minimizing the regulatory burden on businesses. While it offers fundamental privacy protections, it stops short of some of the more stringent requirements seen in other state privacy laws, such as the right to correct data or the need for explicit consent before processing sensitive personal information. This approach makes the ICDPA more attractive to businesses operating in Iowa but has drawn criticism from privacy advocates who argue that it does not go far enough to protect consumers. The law is enforced by the Iowa Attorney General, who has the authority to seek penalties for non-compliance.

Kentucky Consumer Data Protection Act (KCDPA)

  • Effective Date: January 1, 2026
  • State Data Privacy Law: KCDPA Link

Key Provisions

The KCDPA provides Kentucky residents with rights to access, correct, delete, and port their personal data, as well as the right to opt out of data sales, targeted advertising, and profiling. The law applies to businesses that control or process the personal data of 100,000 or more consumers or derive more than 50% of their revenue from the sale of personal data. The KCDPA also requires businesses to implement reasonable data security measures and to conduct data protection assessments for high-risk processing activities.

Overview

The KCDPA reflects a growing trend in U.S. state privacy laws toward comprehensive consumer protections and accountability for businesses. The law’s focus on consumer rights, data security, and transparency aligns with other leading privacy regimes, while also providing businesses with the flexibility to cure violations within 30 days of being notified by the Attorney General. The KCDPA’s provisions for data protection assessments and high-risk processing activities reflect a recognition of the increasing importance of privacy in the digital age. The law is enforced by the Kentucky Attorney General, who has the authority to impose penalties for non-compliance, including fines of up to $7,500 per violation.

Maryland Online Data Privacy Act (MODPA)

  • Effective Date: October 1, 2025
  • State Data Privacy Law: MODPA Link

Key Provisions

The MODPA introduces stringent data privacy requirements, including the need for businesses to minimize data collection and obtain consumer consent before processing sensitive personal information. The law provides Maryland residents with rights to access, correct, delete, and port their personal data, as well as the right to opt out of data sales and targeted advertising. The MODPA also mandates that businesses conduct data protection assessments for high-risk processing activities and implement reasonable security measures to protect personal data.

Overview

The MODPA positions Maryland as one of the most progressive states in terms of data privacy. The law’s emphasis on data minimization, consent, and transparency aligns with international privacy standards, such as the GDPR. The MODPA’s provisions for high-risk processing activities reflect a growing concern about the impact of emerging technologies, such as artificial intelligence and big data, on privacy. The law is enforced by the Maryland Attorney General, who has the authority to impose significant penalties for non-compliance, including fines of up to $10,000 per violation.

Montana Consumer Data Privacy Act (MTCDPA)

  • Effective Date: October 1, 2024
  • State Data Privacy Law: MTCDPA Link

Key Provisions

The MTCDPA limits data collection to what is “adequate, relevant, and reasonably necessary” and grants Montana residents rights to access, correct, delete, and port their personal data. The law also includes provisions for opting out of the sale of personal data, targeted advertising, and profiling. The MTCDPA applies to businesses that control or process the personal data of 100,000 or more consumers or derive more than 50% of their revenue from the sale of personal data.

Overview

The MTCDPA is designed to protect Montana residents’ personal data while allowing businesses to operate within a clear regulatory framework. The law’s focus on data minimization and relevance reflects a broader trend in privacy regulation toward limiting the amount of data that businesses collect and process. The MTCDPA also includes strong protections for sensitive personal data, requiring businesses to obtain consumer consent before processing such information. The law is enforced by the Montana Attorney General, who has the authority to seek penalties for non-compliance, including fines of up to $10,000 per violation.

This comprehensive overview of U.S. state data privacy laws provides a detailed analysis of the legal landscape, highlighting key provisions, effective dates, and the overall impact of each law. As more states enact their own privacy laws, businesses must stay informed and adapt their practices to ensure compliance across multiple jurisdictions.

Narrow Privacy Legislation

In addition to comprehensive laws, several states have introduced narrower privacy bills targeting specific data types or industry practices.

Biometric Information Privacy Laws

  1. Illinois Biometric Information Privacy Act (BIPA)
    • Effective Date: October 2008
    • Key Provisions: Regulates the collection, use, and storage of biometric data. Requires informed consent and imposes strict penalties for violations.
  2. Texas Capture or Use of Biometric Identifier Act (CUBI)
    • Effective Date: 2009
    • Key Provisions: Similar to BIPA but with fewer requirements. Mandates consent and provides guidelines for the use and protection of biometric identifiers.
  3. Washington Biometric Privacy Protection Act (HB 1493)
    • Effective Date: May 2017
    • Key Provisions: Requires notice and consent for biometric data collection and restricts the use of biometric identifiers for commercial purposes.

Proposed & Upcoming Bills

Several states are considering or have introduced bills that address privacy concerns but are not yet enacted into law. These include proposals in Massachusetts, Pennsylvania, North Carolina, and other states that aim to enhance consumer privacy protections or address specific data issues.

Compliance Challenges & Strategies

Navigating the complex landscape of state privacy laws can be challenging for businesses. To ensure compliance, companies should consider the following strategies:

  1. Stay Informed: Regularly update policies and practices in response to new laws and amendments.
  2. Conduct Data Protection Assessments: Evaluate data processing activities and implement necessary changes to meet legal requirements.
  3. Develop Comprehensive Privacy Policies: Clearly disclose data collection, use, and protection practices to consumers.
  4. Implement Robust Security Measures: Ensure that data protection practices are in line with legal standards and industry best practices.
  5. Prepare for Enforcement: Be aware of potential penalties and enforcement mechanisms associated with each state law.

Frequently Asked Questions (FAQs)

  1. What is the main purpose of state data privacy laws?
    State data privacy laws aim to protect consumer privacy by regulating how businesses collect, use, and manage personal data. They grant consumers rights over their data and impose obligations on businesses to ensure data protection.
  2. How do state privacy laws differ from each other?
    While state privacy laws share many similarities, they can differ in their scope, enforcement mechanisms, and specific requirements. Some laws focus on comprehensive data protection, while others address specific data types or industry practices.
  3. What should businesses do to comply with these laws?
    Businesses should stay informed about relevant privacy laws, conduct regular data protection assessments, develop clear privacy policies, implement robust security measures, and be prepared for potential enforcement actions.
  4. Are there any federal privacy laws in the U.S.?
    As of now, there is no comprehensive federal privacy law in the U.S. However, the American Data Privacy and Protection Act (ADPPA) is being considered in Congress and could preempt state laws if enacted.
  5. What are the penalties for non-compliance?
    Penalties for non-compliance vary by state and can include fines, enforcement actions, and legal claims. Businesses should be aware of the specific penalties associated with each state law.

Wrapping Up

The landscape of data privacy in the U.S. is rapidly evolving, with states taking the lead in enacting comprehensive and targeted privacy laws. Businesses operating in multiple states must navigate a complex web of regulations to ensure compliance and protect consumer data. By staying informed and proactive, companies can effectively manage their privacy obligations and build trust with their customers.

As privacy legislation continues to develop, both businesses and consumers must remain vigilant and adaptable to the changing regulatory environment. Keeping abreast of new laws, amendments, and enforcement actions will be crucial in maintaining compliance and safeguarding personal data.
