Which States Have Consumer Data Privacy Laws?

The race is on to enact consumer data privacy laws across state lines, which, in the absence of a comprehensive federal law, would provide American consumers with more choice over how companies acquire and utilize their personal data.

Currently, there are 15 states – California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, Delaware, Florida, New Jersey, and New Hampshire – that have comprehensive data privacy laws in place. Such laws generally apply across industries, with exceptions for certain data categories and entity types, and grant rights to individuals pertaining to the collection, use, and disclosure of their personal data by businesses.

Concurrently, several states have introduced narrow consumer privacy bills that address a range of issues, including protecting biometric identifiers and health data or governing the activities of specific entities like data brokers or internet service providers.

However, this patchwork approach to privacy legislation could pose compliance and liability risks for companies that have multistate operations.

Proposed bills in Massachusetts, Pennsylvania, North Carolina, and other states would grant rights similar to those found in existing privacy legislation but differ in implementation and enforcement. The consumer data privacy map below shows the status of narrow and comprehensive legislation, to help readers stay abreast of changing regulatory landscapes.

U.S. states with consumer data privacy laws

Which states have enacted comprehensive privacy legislation?

In the coming years, more states will implement privacy laws to protect consumers from cyber risks and stay competitive with international data regulation, like the EU’s GDPR and China’s PIPL. At the time of publication, 15 U.S. states have enacted comprehensive consumer data privacy laws, which are detailed below.

California

California led the charge as the first state to enact comprehensive data privacy legislation, via the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The CCPA, which was signed into law on June 8, 2018, and went into effect on Jan. 1, 2020, establishes privacy rights and business requirements for collecting and selling Californians’ personal information. On Nov. 3, 2020, California voters approved the CPRA, which amended and expanded the CCPA. The CPRA took effect on Dec. 16, 2020 – although most of its CCPA revisions didn’t take effect until Jan. 1, 2023.

Colorado

Joining California and Virginia in the privacy race, Colorado signed the Colorado Privacy Act (CPA) into law on June 8, 2021, and it became effective as of July 1, 2023. The CPA lays out five key rights for Colorado consumers:

  1. Right to access.
  2. Right to correction.
  3. Right to delete.
  4. Right to data portability.
  5. Right to opt out.

The CPA protects information that can be linked to an identifiable individual and excludes de-identified data and publicly available data.

Connecticut

Connecticut became the fifth state to implement comprehensive consumer privacy legislation on May 10, 2022. The Connecticut Data Privacy Act (CTDPA), effective as of July 1, 2023, includes stronger data protections for children but otherwise follows a framework similar to that of its predecessors.

Delaware

Delaware became the 12th state to join the comprehensive privacy law race, giving consumers more control over how their data is processed and stored. Effective Jan. 1, 2025, the Delaware Personal Data Privacy Act provides stronger privacy rights for consumers, such as heightened protections for children’s data, broader definitions of sensitive data, and the ability to opt out of the processing of personal data for targeted advertising purposes.

Florida

While Florida adopted many of the same provisions as other states’ comprehensive privacy laws, there is reasonable debate as to whether it is truly “comprehensive” in scope. The Sunshine State tackles issues related to tech platforms, like addressing alleged censorship of conservative viewpoints. The law requires search engines, such as Google, to disclose if they prioritize results based on political ideology and prohibits government-mandated content moderation on social media. Florida’s law only regulates companies that make more than $1 billion in gross annual revenues and derive more than half their revenue from online ads. Most provisions will go into effect July 1, 2024.

Indiana

Indiana is the seventh state to pass comprehensive legislation that regulates how consumer data is collected and secured. The Indiana Consumer Data Protection Act will regulate businesses that process the personal data of at least 100,000 Indiana residents, or ones that handle the information of at least 25,000 state consumers but derive more than 50% of their revenue from selling data. It will take effect on Jan. 1, 2026.

Iowa

Iowa was the sixth state to sign comprehensive data protections into law. The Iowa Consumer Data Protection Act (ICDPA) is considered one of the most business-friendly so far, which privacy advocates say results in weaker data protections. Slated to go into effect Jan. 1, 2025, Iowa’s law does not grant consumers the right to delete or correct data collected by third parties.

Montana

Modeled after Connecticut’s privacy law, Montana’s Consumer Data Privacy Act limits the collection of personal data to only “adequate, relevant, and reasonably necessary” information. Residents have the right to opt out of or decline the sale of their personal data. This law is set to go into effect Oct. 1, 2024.

New Hampshire

The New Hampshire Privacy Act (NHPA) will apply to companies that handle the data of at least 35,000 state residents a year, or 10,000 if more than a quarter of their gross revenue comes from selling personal data. Consumers will have the right to know what data a company collects and opt out of certain uses, such as targeted advertising. The new law will take effect Jan. 1, 2025.

New Jersey

The New Jersey Data Privacy Act (NJDPA) provides New Jersey residents with comprehensive privacy protections against how companies collect and use their personal information. The law applies to entities that do business in the state and handle the personal data of at least 100,000 consumers per year, or at least 25,000 if the company also sells personal data. NJDPA will take effect on Jan. 15, 2025.

Oregon

One of the strongest data privacy laws passed to date, the Oregon Consumer Privacy Act (OCPA) includes provisions on biometric data, sensitive and personal data, and children’s data protections, and it doesn’t have the same exemptions found in other state privacy laws. OCPA has made Oregon the eleventh state to pass comprehensive privacy legislation – the sixth in 2023 – and the bill will take effect July 1, 2024.

Tennessee

Backed by bipartisan support, the Tennessee Information Protection Act enables consumers to confirm that a business has collected their personal data, obtain a copy of the information, and request that inaccuracies be corrected. This law makes Tennessee the eighth state to sign comprehensive data privacy into law, and it will become effective July 1, 2025.

Texas

Texas is the second-largest state after California to enact comprehensive privacy laws, giving residents more control over their personal data. Scheduled to take effect July 1, 2024, the Texas Data Privacy and Security Act (TDPSA) will apply to large companies that do business in Texas or sell, collect, or process personal data. Small businesses will mostly be exempt.

Utah

On March 24, 2022, Utah became the fourth state to pass comprehensive data legislation. The Utah Consumer Privacy Act (UCPA) – which takes a business-friendly approach to consumer protection – went into effect on Dec. 31, 2023.

Virginia

On March 21, 2021, Virginia became the second state to pass comprehensive data privacy legislation, with the enactment of the Virginia Consumer Data Protection Act (VCDPA). The law went into effect on Jan. 1, 2023, and it gives Virginians the right to access their data and request that their personal information be deleted by businesses. It also requires companies to conduct data protection assessments to process personal data for targeted advertising and sales purposes.

Which states have enacted tailored consumer privacy legislation?

States that have not yet enacted comprehensive privacy laws but have narrower consumer privacy laws in effect include:

  • Maine
  • Michigan
  • Minnesota
  • Nevada
  • New York
  • Vermont
  • Washington

Which states have introduced consumer privacy bills in 2023-2024?

  • Hawaii
  • Kentucky
  • Maine
  • Maryland
  • Massachusetts
  • Michigan
  • Minnesota
  • Missouri
  • Nebraska
  • New Hampshire
  • New York
  • Ohio
  • Pennsylvania
  • Wisconsin
  • West Virginia

Authoritative analysis on U.S. consumer data privacy laws from Bloomberg Law

With evolving technologies come new risks and responsibilities. Bloomberg Law’s essential news, expert analysis, and up-to-the-moment intelligence will help you stay ahead of consumer privacy and data security developments across the U.S. and the globe, so you can protect your business.
