Which States Have Consumer Data Privacy Laws?

Updated on November 27, 2023

RELATED ARTICLES

Checklist: How to Manage Privacy and Cybersecurity Law Risks in Vendor Contracts

Is Biometric Information Protected by Privacy Laws?

China’s Personal Information Protection Law (PIPL)

Browse all privacy articles

The race is on to enact consumer data privacy laws across state lines, which, in the absence of a comprehensive federal law, would provide American consumers with more choice over how companies acquire and utilize their personal data.

Currently, there are 12 states – California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, and Delaware – that have comprehensive data privacy laws in place. During the 2022-23 legislative cycle, at least 16 states have introduced privacy bills that address a range of issues, including protecting biometric identifiers and health data. However, this patchwork approach to privacy legislation could pose compliance and liability risks for companies that have multistate operations.

Proposed bills in Massachusetts, New Jersey, Pennsylvania, North Carolina, and several other states have similar rights in preexisting privacy legislation but differ in implementation and enforcement. The data privacy map below shows the status of narrow and comprehensive legislation to stay abreast of changing regulatory landscapes.

U.S. states with consumer data privacy laws

Which states have enacted comprehensive privacy legislation?

In the coming years, more states will implement privacy laws to protect consumers from cyber risks and stay competitive with international data regulation, like the EU’s GDPR and China’s PIPL. At the time of publication, 12 U.S. states have enacted comprehensive consumer data privacy laws, which are detailed below.

California

California led the charge in being the first state to enact comprehensive data privacy legislation via the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). CCPA, signed into law on June 8, 2018, and which went into effect on Jan. 1, 2020, establishes privacy rights and business requirements for collecting and selling Californians’ personal information. On Nov. 3, 2020, California voters approved the CPRA, which amended and expanded the CCPA. The CPRA took effect on Dec. 16, 2020 – although most of its CCPA revisions didn’t take effect until Jan. 1, 2023.

Colorado

Joining California and Virginia in the privacy race, Colorado signed the Colorado Privacy Act (CPA) into law on June 8, 2021, and it became effective as of July 1, 2023. The CPA lays out five key rights for Colorado consumers:

  1. Right to access.
  2. Right to correction.
  3. Right to delete.
  4. Right to data portability.
  5. Right to opt out.

The CPA protects information that can be linked to an identifiable individual and excludes de-identifiable data and publicly available data.

Connecticut

Connecticut became the fifth state to implement comprehensive consumer privacy legislation on May 10, 2022. The Connecticut Data Privacy Act (CTDPA), effective as of July 1, 2023, includes stronger data protections for children but a similar framework as its predecessors. 

Delaware

Delaware became the 12th state to join the data privacy race, giving consumers more control over how their data is processed and stored. Effective Jan. 1, 2025, the Delaware Personal Data Privacy Act has stronger privacy rights for consumers, such as heightening protections for children’s data, broadening definitions of sensitive data, and being able to opt out of the processing of personal data for targeted advertising purposes.

Indiana

Indiana is the seventh state to pass comprehensive legislation that regulates how consumer data is collected and secured. The Indiana Consumer Data Protection Act will regulate businesses that process the personal data of at least 100,000 Indiana residents, or ones that handle the information of at least 25,000 state consumers but derive more than 50% of their revenue from selling data. It will take effect on Jan. 1, 2026.

Iowa

The sixth state to sign comprehensive data protections into law, the Iowa Consumer Data Protection Act (ICDPA), is considered one of the most business-friendly so far, which privacy advocates say results in weaker data protections. Slated to go in effect Jan. 1, 2025, Iowa’s law does not grant consumers the right to delete or correct data collected by third parties.

Montana

Modeled after Connecticut’s privacy law, Montana’s Consumer Data Privacy Act limits the collection of personal data to only “adequate, relevant, and reasonably necessary” information. Residents have the right to opt-out or decline the sale of their personal data. This law is set to go into effect Oct. 1, 2024.

Oregon

One of the strongest data privacy laws passed to date, the Oregon Consumer Privacy Act (OCPA) includes provisions on biometric data, sensitive and personal data, and children’s data protections, and it doesn’t have the same exemptions found in other state privacy laws. OCPA has made Oregon the eleventh state to pass comprehensive privacy legislation – the sixth in 2023 – and the bill will take effect July 1, 2024.

Tennessee

Backed with bipartisan support, the Tennessee Information Protection Act enables consumers to confirm that a business has collected their personal data, obtain a copy of the information, and request that inaccuracies be corrected. This law makes Tennessee the eighth state to sign comprehensive data privacy into law, and it will be become effective July 1, 2025.

Texas

Texas is the second-largest state after California to enact comprehensive privacy laws, giving residents more control over their personal data. Scheduled to take effect July 1, 2024, the Texas Data Privacy and Security Act (TDPSA) will apply to large companies that do business in Texas or sell, collect, or process personal data. Small businesses will mostly be exempt.

Utah

On March 24, 2022, Utah became the fourth state to pass comprehensive data legislation. The Utah Consumer Privacy Act (UCPA) – which takes a business-friendly approach to consumer protection – will go into effect on Dec. 31, 2023.

Virginia

On March 21, 2021, Virginia became the second state to pass comprehensive data privacy legislation, with the enactment of Virginia Consumer Data Protection Act (VCDPA). The law went into effect on Jan. 1, 2023, and it gives Virginians the right to access their data and request that their personal information be deleted by businesses. It also requires companies to conduct data protection assessments to process personal data for targeted advertising and sales purposes.

Which states have enacted tailored privacy legislation?

  • Nevada
  • Maine
  • Michigan
  • Minnesota
  • Vermont

Which states have introduced privacy bills in 2023?

  • Illinois
  • Louisiana
  • Massachusetts
  • Minnesota
  • New Hampshire
  • New Jersey
  • New York
  • North Carolina
  • Oklahoma
  • Pennsylvania
  • Rhode Island
  • Vermont

Authoritative analysis on U.S. consumer data privacy laws from Bloomberg Law

With evolving technologies come new risks and responsibilities. Bloomberg Law’s essential news, expert analysis, and up-to-the-moment intelligence will help you stay ahead of consumer privacy and data security developments across the U.S. and the globe, so you can protect your business.

Register for our virtual In-House Forum: Unlocking the Power of Data: Aiming for Privacy and Cyber Stewardship regarding the biggest threats from cyber risk and the ever-growing landscape of privacy laws.

Request a demo to discover all the resources, innovations, and unmatched expertise that only Bloomberg Law provides.

Top