The US data privacy landscape has often been characterized by its constant state of evolution. In the absence of a comprehensive federal law, state legislators all across the map are working to enact data privacy laws in the hope of better protecting American consumers' data privacy rights and giving them more control over how companies collect and use their personal data.
At present, nine states have implemented comprehensive data privacy laws. In 2023 alone, eight additional states introduced privacy bills that cover various aspects, such as safeguarding biometric identifiers and health data. Get up to speed on all the latest state privacy legislation in this guide.
Currently enacted state laws
California took the lead by becoming the first state to enact comprehensive data privacy legislation through the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The CCPA was signed into law on June 8, 2018, and came into effect on January 1, 2020. It establishes privacy rights for Californians and imposes business requirements on the collection and sale of their personal information. On November 3, 2020, California voters approved the CPRA, which amended and expanded the CCPA. While the CPRA took effect on December 16, 2020, most of its revisions to the CCPA did not become effective until January 1, 2023.
On March 21, 2021, Virginia became the second state to pass comprehensive data privacy legislation, with the enactment of the Virginia Consumer Data Protection Act (VCDPA). The law went into effect on January 1, 2023, giving Virginians the right to access their data and request that their personal information be deleted by businesses. It also requires companies to conduct data protection assessments before processing personal data for targeted advertising and sales purposes.
Colorado entered as the third state, passing the Colorado Privacy Act (CPA) on June 8, 2021, with an effective date of July 1, 2023. The CPA outlines five fundamental rights for Colorado consumers: the right to access, the right to correction, the right to delete, the right to data portability, and the right to opt out. This legislation safeguards personal information that can be linked to a specific individual while excluding de-identified data and publicly available information.
On March 24, Governor Spencer Cox of Utah signed the Utah Consumer Privacy Act (UCPA) into law, making Utah the fourth state to implement comprehensive consumer privacy legislation. The UCPA will become effective on December 31, 2023.
While the UCPA draws inspiration and incorporates elements from its privacy law predecessors, it takes a more business-friendly approach to consumer privacy. It applies to controllers or processors conducting business in Utah or targeting Utah residents that meet specific revenue and consumer data thresholds.
Connecticut joined the ranks on May 10, 2022, becoming the fifth state to introduce an extensive data privacy law. The Connecticut Personal Data Privacy and Online Monitoring Act, scheduled to take effect on July 1, 2023, empowers Connecticut consumers with options regarding the personal data collected by companies operating within the state. The law also places additional responsibilities on businesses that handle the data of Connecticut consumers.
On March 29, 2023, Iowa joined the ranks as the sixth state to pass a comprehensive privacy law. The Iowa Consumer Data Protection Act goes into effect January 1, 2025. The Iowa privacy law applies to businesses that either control or process the personal data of at least 100,000 Iowa consumers, or derive over 50% of gross revenue from the sale of personal data and control or process the personal data of at least 25,000 Iowa consumers. In other words, the threshold is based on both the number of consumers and the revenue generated from the sale of personal data.
Indiana became the seventh state to pass a comprehensive privacy law, following closely behind Iowa on May 1 of this year. The Indiana Consumer Data Protection Act shares similarities with the privacy laws in Colorado, Connecticut, and Virginia regarding rights and requirements. However, Indiana sets itself apart by giving organizations more than two and a half years to achieve compliance, as the law will take effect on January 1, 2026. The law applies to businesses operating in Indiana or serving Indiana residents, with specific thresholds for controlling or processing personal data. It covers personal data linked to an identifiable individual, excluding de-identified, aggregate, or publicly available data.
Governor Bill Lee signed the Tennessee Information Protection Act (TIPA) into law on May 11, making Tennessee the eighth state to implement a comprehensive privacy law. The TIPA will become effective on July 1, 2024, earlier than the implementation dates for Indiana and Iowa. It applies to individuals conducting business in Tennessee or targeting Tennessee residents, with thresholds similar to privacy laws in Virginia, Iowa, and Indiana. The TIPA includes exemptions for governmental entities, financial institutions under the Gramm-Leach-Bliley Act, HIPAA-compliant businesses, nonprofits, and higher education institutions. It also exempts specific data types, including protected health information and employment-related data.
Montana has recently become the ninth state to enact a comprehensive consumer privacy law, with the signing of the Montana Consumer Data Privacy Act on May 19, 2023, with an effective date of October 1, 2024. It applies to individuals or businesses conducting business in Montana and requires consumers between the ages of 13 and 16 to opt in to the sale of personal data and targeted advertising. The "sale" of personal data is defined as the exchange of personal information by the business to a third party for monetary or other valuable consideration. Montana consumers have the rights to confirm, access, delete, obtain a copy of, and opt out of certain processing activities.
Texas on the horizon
The Texas Senate has approved HB 4, also known as the Texas Data Privacy and Security Act, which is expected to make Texas the tenth state to enact comprehensive privacy legislation. The bill is modeled after the Virginia Consumer Data Protection Act but also incorporates elements from the Colorado and Connecticut laws. The Act will soon be presented to Texas Governor Abbott and, if signed, will go into effect on March 1, 2024.
The proposed law applies to businesses operating in Texas or providing products or services to Texas residents, without a minimum revenue or data processing requirement. The bill grants consumers several rights, including the right to confirm whether their data is being processed, correct inaccuracies, delete personal data, obtain a copy of their data, and opt out of certain processing activities. Data controllers are required to respond to consumer requests within 45 days and must conduct data protection assessments for specific types of processing activities that pose risks to consumers.
Other key provisions include data minimization, consent for processing sensitive data, nondiscrimination, privacy notice requirements, targeted advertising, privacy by design principles, and data protection assessments, with violations enforceable up to $7,500 each.
It sets a stronger tone compared to more business-friendly privacy laws in other states like Utah and Iowa.
States with active bills in contention
The regulatory landscape is in constant flux, with a handful of states considering introduced bills, including:
On May 12, 2023, Delaware introduced the Delaware Personal Data Privacy Act (HB154) to establish consumer rights regarding personal data. It grants Delaware residents the rights to access, correct, and request deletion of their personal information held by in-state businesses. The Delaware Department of Justice will conduct public outreach to educate consumers and businesses about the Act starting at least six months before its effective date.
Introduced April 4, 2023, the Louisiana Consumer Privacy Act applies to businesses in the state or targeting its residents with an annual revenue of $25 million or more. It requires compliance from entities that control or process the personal data of at least 100,000 Louisiana residents, or that derive over 50% of revenue from selling personal data and process the data of at least 25,000 residents. It grants consumers rights such as accessing, correcting, and deleting their personal data, and opting out of targeted advertising and data sales.
The Maine Consumer Privacy Act (LD 1973) applies to businesses in Maine or targeting Maine residents, with specific thresholds for data processing and revenue from personal data sales. It includes exemptions for certain entities and data types regulated by other privacy laws. The act grants consumer rights for accessing, correcting, deleting, and obtaining personal data. It prohibits certain processing activities without consumer opt-in and emphasizes privacy by design principles such as purpose limitation and data security practices.
Massachusetts is considering a comprehensive data privacy bill called the Massachusetts Information Privacy and Security Act (MIPSA), introduced in February 2022. If enacted, MIPSA would apply to businesses earning $25 million or more in annual revenue or processing the personal information of at least 100,000 individuals. It expands residents' rights and introduces regulations on biometric and sensitive data.
Introduced January 19, 2023, New Hampshire bill SB 255 is designed to align the state's privacy and cybersecurity laws with those of other states and countries. New Hampshire residents would gain rights such as being informed about the handling of their personal information, accessing and correcting their data, opting out of data collection and use, requesting data deletion, and protection against discrimination for exercising privacy rights.
Assembly Bill A505, known as the New Jersey Disclosure and Accountability Transparency Act, was introduced in the New Jersey State General Assembly. The bill aims to establish requirements for the processing and disclosure of personally identifiable information and create the Office of Data Protection and Responsible Use. It includes provisions for obtaining consent, ensuring transparency, granting data subject rights, regulating automated decision-making, securing consumer personal data, and fines up to $20,000.
Senate Bill SB 365, known as the New York Privacy Act, was reintroduced in the New York State Senate on January 6, 2022. The bill grants consumers new rights, such as access, correction, and challenging automated decision-making. It also imposes obligations on businesses to provide clear notice, maintain data security, obtain consent, conduct regular assessments, and notify consumers of foreseeable harms.
The proposed Consumer Privacy Act of North Carolina (CPA) was introduced in 2021. If enacted, the CPA would apply to businesses operating in or targeting North Carolina that process the personal data of a certain number of consumers. There are exemptions for certain entities and types of data, primarily those already protected under federal laws like HIPAA.
In early January 2023, Oregon introduced SB 619, which, if enacted, would apply to residents engaging in non-commercial activities and to businesses operating in Oregon or providing services to Oregon residents that process the personal data of consumers. Key provisions include the right to request information from controllers, correct inaccuracies, and delete data, and a requirement for opt-in consent for sensitive personal data.
The Pennsylvania Consumer Data Protection Act, introduced as HB 708 on January 20, 2022, aims to grant consumers rights such as access, deletion, correction, opt-out, and portability of their personal data. It also establishes data processing principles, mandates security practices, enforces contracts between controllers and processors, requires data protection assessments, and designates the Pennsylvania Attorney General for enforcement.
On March 23, 2023, SB754 was introduced as the Rhode Island Data Transparency and Privacy Protection Act. The bill would give Rhode Island consumers important new protections, including the right to know what information companies have collected about them, the right to access, correct, and delete that information, and the ability to require businesses to honor authorized agents' opt-out requests.
To see how BigID can help you stay ahead of evolving privacy legislation, schedule a 1:1 demo today.