TCAI Guide to State Data Privacy Laws


The United States has no national data privacy law similar to the European Union’s General Data Protection Regulation (GDPR), which has been in effect since 2018. The GDPR governs how personal data of individuals in the EU may be processed and transferred.

In the absence of a national regulatory mechanism, many individual states have adopted their own digital privacy laws to protect their citizens from the misuse of personal data.

We’ve gathered information on potential federal laws, and individual state laws, in the TCAI guide below.

Federal data privacy laws

There is no comprehensive federal data privacy law in the United States.

The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), which governs how medical professionals handle personal health care data, established a strong foundation and legal precedent for federal data privacy protection. But HIPAA covers only personal health care data handled by medical professionals. Since 1996, Congress has not passed any data privacy law of similar scope or strength.

A national data privacy law, the American Privacy Rights Act (APRA), authored by Sen. Maria Cantwell (D-WA) and Rep. Cathy McMorris Rodgers (R-WA), is before the current U.S. Congress through the end of 2024. If APRA were to be enacted, it would establish a national data privacy and security standard and preempt most state data privacy laws. It addresses some of the issues created by new state privacy laws, although other serious concerns would remain.

State data privacy laws

State data privacy laws fall into two broad categories: comprehensive and targeted.  

Comprehensive privacy laws cover all varieties of private data and apply broadly to nearly all companies, although exemptions for some small businesses are common.  

Targeted (narrow) privacy laws address specific types of data privacy concerns. Some targeted data privacy laws limit the collection and retention of biometric data, such as fingerprints or retinal measurements. Others create protections specifically for children or apply only to certain industries. 

Currently 19 states have comprehensive data privacy laws in place. Such laws generally apply across industries, with exceptions for certain data categories and entity types, and grant rights to individuals pertaining to the collection, use, and disclosure of their personal data by businesses. Six states have targeted (narrow) privacy laws in place.

Source: Bloomberg Law, updated Sept. 2024 

Comprehensive state data privacy laws

California

California led the charge in being the first state to enact comprehensive data privacy legislation via the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). CCPA, signed into law on June 8, 2018, went into effect on Jan. 1, 2020. It establishes privacy rights and business requirements for collecting and selling Californians’ personal information. On Nov. 3, 2020, California voters approved the CPRA, which amended and expanded the CCPA. The CPRA took effect on Dec. 16, 2020 – although most of its CCPA revisions didn’t take effect until Jan. 1, 2023.

Colorado

The Colorado Privacy Act (CPA) became effective as of July 1, 2023. The CPA lays out five key rights for Colorado consumers:

  1. Right to access.

  2. Right to correction.

  3. Right to delete.

  4. Right to data portability.

  5. Right to opt out.

The CPA protects information that can be linked to an identifiable individual and excludes de-identified data and publicly available data.

Connecticut

Connecticut became the fifth state to approve comprehensive consumer privacy legislation on May 10, 2022. The Connecticut Data Privacy Act (CTDPA), effective as of July 1, 2023, gives Connecticut residents certain rights over their personal data and establishes responsibilities and privacy protection standards for data controllers that process personal data. It protects a Connecticut resident acting in an individual or household context, such as browsing the Internet or making a purchase at a store. It does not protect an individual acting in an employment context, such as applying for a job.

Delaware

Effective Jan. 1, 2025, the Delaware Personal Data Privacy Act has strong privacy rights for consumers, such as heightening protections for children’s data, broadening definitions of sensitive data, and the right to opt out of the processing of personal data for targeted advertising purposes.

Florida

Florida legislators passed the Florida Digital Bill of Rights (FLDBOR) in June 2023. The FLDBOR came into effect on July 1, 2024.

While Florida adopted many of the same provisions as other states’ comprehensive privacy laws, there is reasonable debate as to whether it is truly comprehensive in scope. The FLDBOR tackles issues related to tech platforms, like addressing alleged censorship of conservative viewpoints. The law requires search engines to disclose if they prioritize results based on political ideology and prohibits government-mandated content moderation on social media. Florida’s law only regulates companies that make more than $1 billion in gross annual revenues and derive more than half their revenue from online ads.

Indiana

The Indiana Consumer Data Protection Act will regulate businesses that process the personal data of at least 100,000 Indiana residents, or ones that handle the information of at least 25,000 state consumers but derive more than 50% of their revenue from selling data. Approved in 2023, the Act will take effect on Jan. 1, 2026.

Iowa

Approved in March 2023, the Iowa Consumer Data Protection Act (ICDPA) is considered one of the nation’s most business-friendly data privacy laws, which privacy advocates say results in weaker data protections. Slated to go into effect Jan. 1, 2025, Iowa’s law does not grant consumers the right to delete or correct data collected by third parties.

Kentucky

The Kentucky Consumer Data Protection Act (KCDPA) applies to entities that conduct business in the state or target residents and manage the personal data of at least 100,000 consumers per year. That threshold drops to 25,000 consumers if a business derives more than half its gross revenue from selling personal data. Businesses will have the opportunity to remedy violations within 30 days without penalty. Exemptions under the law include government entities, federally regulated financial institutions, and nonprofits. Approved in April 2024, the law will go into effect Jan. 1, 2026.

Maryland

Approved in May 2024, the Maryland Online Data Privacy Act (MODPA) imposes more stringent privacy standards on businesses than similar laws in other states. Consumer advocates say language requiring a company to minimize the data it holds from the outset marks a departure from industry-supported measures elsewhere. Maryland’s law applies to companies that handle the personal data of at least 35,000 residents per year, or 10,000 residents if more than 20% of the company’s revenue comes from selling personal data. Children will receive heightened data privacy protections, as will sensitive data related to a person’s religious beliefs, sexual orientation, immigration status, and other similar information. The law takes effect on Oct. 1, 2025.

Minnesota

On May 24, 2024, Minnesota Governor Tim Walz signed into law the nation's 19th comprehensive data privacy law, the Minnesota Consumer Data Privacy Act (the "Minnesota Act"), which will take effect on July 31, 2025. This law is similar to other US state data privacy laws, and efforts to comply with those laws will largely fulfill the requirements of the Minnesota Act. However, the Minnesota Act has several unique features, including an exemption for small businesses and a right for consumers to question profiling decisions.

Montana

Modeled after Connecticut’s privacy law, Montana’s Consumer Data Privacy Act limits the collection of personal data to only “adequate, relevant, and reasonably necessary” information. Residents have the right to opt out of, or decline, the sale of their personal data. This law went into effect Oct. 1, 2024.

New Hampshire

New Hampshire Governor Chris Sununu signed SB 255 into law on March 7, making New Hampshire the fourteenth state to enact a state consumer data privacy law. The New Hampshire Privacy Act (NHPA) will apply to companies that handle the data of at least 35,000 state residents a year, or 10,000 if more than a quarter of their gross revenue comes from selling personal data. Consumers will have the right to know what data a company collects and opt out of certain uses, such as targeted advertising. The new law will take effect Jan. 1, 2025. Worth noting: In Aug. 2024, the New Hampshire Attorney General announced the creation of a new Data Privacy Unit to be housed within his office’s Consumer Protection and Antitrust Bureau. The Unit will be primarily responsible for enforcing compliance with the New Hampshire Data Privacy Act.

Nebraska

The Nebraska Data Privacy Act (NDPA), approved in April 2024, applies to companies that do business in the state or target its residents and also process or sell personal data. The law excludes federally defined small businesses and includes numerous exemptions, such as for federally regulated financial institutions. Residents have the right to request that companies correct or delete their data. They can opt out of having their personal data sold or used for targeted advertising or profiling. The law takes effect Jan. 1, 2025.

New Jersey

The New Jersey Data Privacy Act (NJDPA) provides New Jersey residents with comprehensive privacy protections against how companies collect and use their personal information. The law applies to entities that do business in the state and handle the personal data of at least 100,000 consumers per year, or at least 25,000 if the company also sells personal data. NJDPA will take effect on Jan. 15, 2025.

Oregon

One of the strongest data privacy laws passed to date, the Oregon Consumer Privacy Act (OCPA) includes provisions on biometric data, sensitive and personal data, and children’s data protections, and it doesn’t have the same exemptions found in other state privacy laws. The OCPA was approved in June 2023 and took effect on July 1, 2024.

Tennessee

Backed with bipartisan support, the Tennessee Information Protection Act enables consumers to confirm that a business has collected their personal data, obtain a copy of the information, and request that inaccuracies be corrected. Approved in May 2023, Tennessee’s privacy law will become effective July 1, 2025.

Texas

Texas is the second-largest state after California to enact comprehensive privacy laws, giving residents more control over their personal data. The Texas Data Privacy and Security Act (TDPSA), which took effect July 1, 2024, applies to large companies that do business in Texas or sell, collect, or process personal data. Small businesses are mostly exempt.

Utah

On March 24, 2022, Utah became the fourth state to pass comprehensive data legislation. The Utah Consumer Privacy Act (UCPA) – which takes a business-friendly approach to consumer protection – went into effect on Dec. 31, 2023. If a business sells personal data or uses it for targeted advertising, it must inform consumers and provide them with a way to opt out. If a consumer submits a request to exercise any of the rights mentioned in the UCPA, the business must respond to the request within 45 days.

Virginia

On March 21, 2021, Virginia became the second state to pass comprehensive data privacy legislation, with the enactment of the Virginia Consumer Data Protection Act (VCDPA). The law went into effect on Jan. 1, 2023, and it gives Virginians the right to access their data and request that their personal information be deleted by businesses. It also requires companies to conduct data protection assessments to process personal data for targeted advertising and sales purposes.

Targeted (narrow) state privacy laws

Maine

Privacy in Maine is not constitutionally recognized, but is protected under common law, which recognizes the four invasion-of-privacy claims. In particular, Maine common law recognizes the claims of unreasonable intrusion upon the seclusion of an individual, appropriation of name or likeness, unreasonable publicity given to an individual's private life, and publicity that unreasonably places the individual in a false public light.

In addition, Maine’s Online Customer Information Act, which regulates the privacy of online consumer information, entered into effect on July 1, 2020. Among other things, the Act places various restrictions on broadband providers, such as prohibiting them from using, selling, distributing, or permitting access to customer personal information for purposes other than providing the services offered without first obtaining the customer's express consent. Moreover, Maine's data breach law provides further protection of consumer data. Although individuals do not have a private right of action, the AG may bring enforcement actions against organizations, though companies often opt to settle rather than face investigation procedures.

Michigan

In 2012, Michigan passed the Internet Privacy Protection Act, which prohibits employees or job applicants from having to give employers access to their personal social media, email, or other internet accounts. The law also applies to educational institutions. Michigan also has the Identity Theft Protection Act, passed in 2004, which requires companies to notify their customers of data breaches without unreasonable delay. Several Michigan lawmakers introduced the Personal Data Privacy Act in November 2023. It died in committee.

Nevada

In 2019, Nevada adopted Senate Bill 220, which prohibits the operator of a website or online service from selling certain collected consumer information in Nevada if directed by the consumer. Separating itself from the California Consumer Privacy Act, SB 220 is one step of a multi-step approach to Nevada’s privacy legislation.

The law was developed to work with Nevada’s existing privacy and security laws, following concerns over the transparency of third-party data sales in the state. The law provides consumers who reside in Nevada with the ability to opt out of data sales. Unlike the CCPA, SB 220 is not comprehensive, does not provide proportional service for data collected, and does not contain an explicit anti-discrimination clause for individuals who choose to opt out.

New York

New York’s limited privacy law, the Personal Privacy Protection Law (Public Officers Law, Article 6-A, sections 91-99) was adopted in 1984 to recognize public concern about privacy and the relationship between government and the people. The law is intended to protect your privacy by regulating the manner in which the state collects, maintains and disseminates personal information about you. It is limited to state collection of data.

Vermont

Vermont’s Data Privacy and Consumer Protection Act took effect July 1, 2020. The Act covers the data breach notification requirements of the State of Vermont and amends the Security Breach Notice Act under § 2435 of Subchapter 2 of Chapter 62 of Title 9 of the Vermont Statutes. The Act requires that notice of security breaches to consumers must include the type of personal information that was subject to the security breach, the acts of the data collector to protect the personal information from further security breaches, contact details that the consumer may call for further information and assistance, and the approximate date of the security breach. The Act also outlines, among other things, provisions for the protection of student data and privacy.

Vermont legislators passed a comprehensive Data Privacy Act in May 2024, but it was vetoed by Gov. Phil Scott.

Washington

Washington’s My Health, My Data Act (MHMDA) went into effect July 1, 2024. MHMDA safeguards the privacy of Consumer Health Data not previously covered by federal HIPAA requirements.

Notably, the MHMDA is much more comprehensive than its title indicates. The Act covers nearly all businesses that operate or conduct business in the state. Consumer Health Data is broadly defined to include “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.” That includes biometric data, genetic data, precise location data, and generalized health data.

State privacy bills introduced, 2023-2024 legislative session

These bills were introduced and received serious consideration, but did not pass during the 2023-2024 legislative session.

Hawaii

The Hawaii legislative session closed on May 3 without passage of the Hawaii Consumer Data Protection Act (SB 3018). 

Maine

The Maine legislature killed two competing data privacy proposals on the final day of the 2024 session (April 18, 2024). Lawmakers had spent 12 public meetings and countless hours behind the scenes throughout the past year trying to get the bills over the finish line.

Massachusetts

The Massachusetts Data Privacy Act (H. 4632) and the Massachusetts Data Privacy Protection Act (S. 2770) both died in committee prior to the legislature’s adjournment on June 20, 2024.

Michigan

Several Michigan lawmakers introduced the Personal Data Privacy Act in November 2023. It died in committee.

Missouri

The Missouri legislature adjourned on May 17, 2024; no data privacy bills were approved. Senate Bill 731, an act establishing new consumer rights concerning protection of certain data, passed its second reading in the General Assembly. SB 1501 was read for a second time and referred to the Senate Commerce, Consumer Protection, Energy and the Environment Committee. Neither bill made it to a floor vote.

New York

In early 2024, lawmakers introduced the New York Privacy Act (S365B). The New York Privacy Act was approved by the Senate in June 2024 but died in committee in the Assembly.

Ohio

The Ohio legislature introduced HB 345, the Ohio Personal Privacy Act, in early 2024. The bill would establish requirements related to the collection, processing, and sale of digital personal data. The bill died in committee.

Vermont

On May 11, 2024, the Vermont Legislature passed H.121, the Vermont Data Privacy Act (VDPA). If signed into law, the VDPA would have become the most rigorous state comprehensive privacy law in the country. The Act was ultimately vetoed a few weeks later by Gov. Phil Scott.

Wisconsin

The Wisconsin Data Privacy Act (AB 466) passed the State Assembly in Nov. 2023, but failed in the Senate in April 2024.

West Virginia

The Consumer Data Protection Act (HB 5698) passed the West Virginia House in Feb. 2024 but was never given a hearing in the Senate Judiciary Committee.
