Which States Have Consumer Data Privacy Laws?
The race is on to enact consumer data privacy laws across state lines, which, in the absence of a comprehensive federal law, would provide American consumers with more choice over how companies acquire and utilize their personal data.
Currently, there are 20 states – including California, Virginia, and Colorado, among others – that have comprehensive data privacy laws in place. Such laws generally apply across industries, with exceptions for certain data categories and entity types, and grant rights to individuals pertaining to the collection, use, and disclosure of their personal data by businesses.
Concurrently, several states have introduced narrow consumer privacy bills that address a range of issues, including protecting biometric identifiers and health data or governing the activities of specific entities like data brokers or internet service providers.
However, this patchwork approach to privacy legislation could pose compliance and liability risks for companies that have multistate operations.
Proposed bills in Massachusetts, Pennsylvania, North Carolina, and other states would grant rights similar to those found in existing privacy legislation but differ in implementation and enforcement. The consumer data privacy map below shows the status of narrow and comprehensive legislation to stay abreast of changing regulatory landscapes.
U.S. states with consumer data privacy laws
Which states have enacted comprehensive privacy legislation?
In the coming years, more states will implement privacy laws to protect consumers from cyber risks and stay competitive with international data regulation, like the EU’s GDPR and China’s PIPL. At the time of publication, 20 U.S. states have enacted comprehensive consumer data privacy laws, which are detailed below.
California
California led the charge in being the first state to enact comprehensive data privacy legislation via the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). CCPA, signed into law on June 8, 2018, and which went into effect on Jan. 1, 2020, establishes privacy rights and business requirements for collecting and selling Californians’ personal information. On Nov. 3, 2020, California voters approved the CPRA, which amended and expanded the CCPA. The CPRA took effect on Dec. 16, 2020 – although most of its CCPA revisions didn’t take effect until Jan. 1, 2023.
Colorado
Joining California and Virginia in the privacy race, Colorado signed the Colorado Privacy Act (CPA) into law on June 8, 2021, and it became effective as of July 1, 2023. The CPA lays out five key rights for Colorado consumers:
- Right to access.
- Right to correction.
- Right to delete.
- Right to data portability.
- Right to opt out.
The CPA protects information that can be linked to an identifiable individual and excludes de-identifiable data and publicly available data.
Connecticut
Connecticut became the fifth state to implement comprehensive consumer privacy legislation on May 10, 2022. The Connecticut Data Privacy Act (CTDPA), effective as of July 1, 2023, includes stronger data protections for children but a similar framework as its predecessors.
Delaware
Delaware became the 12th state to join the comprehensive privacy law race, giving consumers more control over how their data is processed and stored. Effective Jan. 1, 2025, the Delaware Personal Data Privacy Act has stronger privacy rights for consumers, such as heightening protections for children’s data, broadening definitions of sensitive data, and being able to opt out of the processing of personal data for targeted advertising purposes.
Florida
While Florida adopted many of the same provisions as other states’ comprehensive privacy laws, there is reasonable debate as to whether it is truly “comprehensive” in scope. The Sunshine State tackles issues related to tech platforms, like addressing alleged censorship of conservative viewpoints. The law requires search engines, such as Google, to disclose if they prioritize results based on political ideology and prohibits government-mandated content moderation on social media.
Florida’s law only regulates companies that make more than $1 billion in gross annual revenues and derive more than half their revenue from online ads. Most provisions will go into effect July 1, 2024.
Indiana
Indiana is the seventh state to pass comprehensive legislation that regulates how consumer data is collected and secured. The Indiana Consumer Data Protection Act will regulate businesses that process the personal data of at least 100,000 Indiana residents, or ones that handle the information of at least 25,000 state consumers but derive more than 50% of their revenue from selling data. It will take effect on Jan. 1, 2026.
Iowa
The sixth state to sign comprehensive data protections into law, the Iowa Consumer Data Protection Act (ICDPA), is considered one of the most business-friendly so far, which privacy advocates say results in weaker data protections. Slated to go in effect Jan. 1, 2025, Iowa’s law does not grant consumers the right to delete or correct data collected by third parties.
Kentucky
The Kentucky Consumer Data Act (KCDPA) applies to entities that conduct business in the state or target residents and manage the personal data of at least 100,000 consumers per year. That threshold drops to 25,000 consumers if a business derives more than half its gross revenue from selling personal data. Businesses will have the opportunity to remedy violations within 30 days without penalty. Exemptions under the law include government entities, federally regulated financial institutions, and nonprofits. The law will go into effect Jan. 1, 2026.
Maryland
The Maryland Online Data Privacy Act (MODPA) imposes more stringent privacy standards on businesses than similar laws in other states. Consumer advocates say language requiring a company to minimize the data it holds from the outset marks a departure from industry-supported measures elsewhere.
Maryland’s law applies to companies that handle the personal data of at least 35,000 residents per year, or 10,000 residents if more than 20% of the company’s revenue comes from selling personal data. Children will receive heightened data privacy protections, as will sensitive data related to a person’s religious beliefs, sexual orientation, immigration status, and other similar information. The law takes effect on Oct. 1, 2025.
Minnesota
The Minnesota Consumer Data Privacy Act (MCDPA) will give consumers similar protections to privacy laws in other states, however it diverges from other states by allowing consumers to question automated decisions made about them via profiling. Profiling occurs when a company uses personal data to evaluate or predict an individual’s health, interests, economic status, or other characteristics.
The law will take effect July 31, 2025, and cover companies that handle the personal data of at least 100,000 Minnesota consumers each year. That threshold will drop to 25,000 consumers if the company makes more than a quarter of its revenue from selling personal data. Companies that fall under the federal definition of a small business will be exempt.
Montana
Modeled after Connecticut’s privacy law, Montana’s Consumer Data Privacy Act limits the collection of personal data to only “adequate, relevant, and reasonably necessary” information. Residents have the right to opt-out or decline the sale of their personal data. This law is set to go into effect Oct. 1, 2024.
New Hampshire
The New Hampshire Privacy Act (NHPA) will apply to companies that handle the data of at least 35,000 state residents a year, or 10,000 if more than a quarter of their gross revenue comes from selling personal data. Consumers will have the right to know what data a company collects and opt out of certain uses, such as targeted advertising. The new law will take effect Jan. 1, 2025.
Nebraska
The Nebraska Data Privacy Act (NDPA) applies to companies that do business in the state or target its residents and also process or sell personal data. The law excludes federally defined small businesses and includes numerous exemptions, such as for federally regulated financial institutions. Residents have the right to request that companies correct or delete their data. They can opt out of having their personal data sold or used for targeted advertising or profiling. The law takes effect Jan. 1, 2025.
New Jersey
The New Jersey Data Privacy Act (NJDPA) provides New Jersey residents with comprehensive privacy protections against how companies collect and use their personal information. The law applies to entities that do business in the state and handle the personal data of at least 100,000 consumers per year, or at least 25,000 if the company also sells personal data. NJDPA will take effect on Jan. 15, 2025.
Oregon
One of the strongest data privacy laws passed to date, the Oregon Consumer Privacy Act (OCPA) includes provisions on biometric data, sensitive and personal data, and children’s data protections, and it doesn’t have the same exemptions found in other state privacy laws. OCPA has made Oregon the eleventh state to pass comprehensive privacy legislation – the sixth in 2023 – and the bill will take effect July 1, 2024.
Rhode Island
Rhode Island became the 20th state to enact data privacy protections for its residents. Rhode Island’s law drew criticism from consumer advocates who argued it doesn’t meaningfully limit how companies collect or use personal information. Consumers will have the right to confirm what data a company collects, correct it, receive a copy, and opt out of certain uses. Companies must also secure consent before processing sensitive data.
The attorney general will be the sole enforcer of the law, which doesn’t allow individuals to sue over violations. The law will take effect Jan. 1, 2026.
Tennessee
Backed with bipartisan support, the Tennessee Information Protection Act enables consumers to confirm that a business has collected their personal data, obtain a copy of the information, and request that inaccuracies be corrected. This law makes Tennessee the eighth state to sign comprehensive data privacy into law, and it will be become effective July 1, 2025.
Texas
Texas is the second-largest state after California to enact comprehensive privacy laws, giving residents more control over their personal data. Scheduled to take effect July 1, 2024, the Texas Data Privacy and Security Act (TDPSA) will apply to large companies that do business in Texas or sell, collect, or process personal data. Small businesses will mostly be exempt.
Utah
On March 24, 2022, Utah became the fourth state to pass comprehensive data legislation. The Utah Consumer Privacy Act (UCPA) – which takes a business-friendly approach to consumer protection – went into effect on Dec. 31, 2023.
Virginia
On March 21, 2021, Virginia became the second state to pass comprehensive data privacy legislation, with the enactment of Virginia Consumer Data Protection Act (VCDPA). The law went into effect on Jan. 1, 2023, and it gives Virginians the right to access their data and request that their personal information be deleted by businesses. It also requires companies to conduct data protection assessments to process personal data for targeted advertising and sales purposes.
Which states have enacted tailored consumer privacy legislation?
States that have not yet enacted comprehensive privacy laws but have narrower consumer privacy laws in effect include:
- Maine
- Michigan
- Nevada
- New York
- Vermont
- Washington
Which states have introduced consumer privacy bills in 2023-2024?
- Hawaii
- Maine
- Massachusetts
- Michigan
- Missouri
- New York
- Ohio
- Pennsylvania
- Wisconsin
- West Virginia
Authoritative analysis on U.S. consumer data privacy laws from Bloomberg Law
With evolving technologies come new risks and responsibilities. Bloomberg Law’s essential news, expert analysis, and up-to-the-moment intelligence will help you stay ahead of consumer privacy and data security developments across the U.S. and the globe, so you can protect your business.
Download our GC Guide to Navigating 2024: Data Privacy and Cybersecurity Risk for analysis of the most pressing data privacy and cybersecurity challenges facing in-house counsel, from child online privacy state law trends to California’s new data broker law.
Request a demo to discover all the resources, innovations, and unmatched expertise that only Bloomberg Law provides.