Which states have consumer data privacy laws?
There are over a dozen states that have enacted comprehensive consumer data privacy laws – and that list is growing, with several privacy bills currently on statehouse dockets.
California led the charge in being the first state to enact comprehensive data privacy legislation via the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). CCPA, signed into law on June 8, 2018, and which went into effect on Jan. 1, 2020, establishes privacy rights and business requirements for collecting and selling Californians’ personal information. On Nov. 3, 2020, California voters approved the CPRA, which amended and expanded the CCPA. The CPRA took effect on Dec. 16, 2020 – although most of its CCPA revisions didn’t take effect until Jan. 1, 2023.
Joining California and Virginia in the privacy race, Colorado signed the Colorado Privacy Act (CPA) into law on June 8, 2021, and it became effective as of July 1, 2023. The CPA lays out five key rights for Colorado consumers:
- Right to access
- Right to correction
- Right to delete
- Right to data portability
- Right to opt out
The CPA protects information that can be linked to an identifiable individual and excludes de-identifiable data and publicly available data.
Connecticut became the fifth state to implement comprehensive consumer privacy legislation on May 10, 2022. The Connecticut Data Privacy Act (CTDPA), effective as of July 1, 2023, includes stronger data protections for children but a similar framework as its predecessors.
Delaware became the 12th state to join the data privacy race, giving consumers more control over how their data is processed and stored. Effective Jan. 1, 2025, the Delaware Personal Data Privacy Act has stronger privacy rights for consumers, such as heightening protections for children’s data, broadening definitions of sensitive data, and being able to opt out of the processing of personal data for targeted advertising purposes.
While Florida adopted many of the same provisions as other states’ comprehensive privacy laws, the Sunshine State tackles issues related to tech platforms, like addressing alleged censorship of conservative viewpoints. The law requires search engines, such as Google, to disclose if they prioritize results based on political ideology and prohibits government-mandated content moderation on social media. Florida’s law only regulates companies that make more than $1 billion in gross annual revenues and derive more than half their revenue from online ads. Most provisions will go into effect July 1, 2024.
Indiana is the seventh state to pass comprehensive legislation that regulates how consumer data is collected and secured. The Indiana Consumer Data Protection Act will regulate businesses that process the personal data of at least 100,000 Indiana residents, or those that handle the information of at least 25,000 state consumers but derive more than 50% of their revenue from selling data. It will take effect on Jan. 1, 2026.
The sixth state to sign comprehensive data protections into law, Iowa’s Consumer Data Protection Act (ICDPA) is considered one of the most business-friendly so far, which privacy advocates say results in weaker data protections. Slated to go in effect Jan. 1, 2025, Iowa’s law does not grant consumers the right to delete or correct data collected by third parties.
Modeled after Connecticut’s privacy law, Montana’s Consumer Data Privacy Act limits the collection of personal data to only “adequate, relevant, and reasonably necessary” information. Residents have the right to opt-out or decline the sale of their personal data. This law is set to go into effect Oct. 1, 2024.
The New Jersey Data Privacy Act (NJDPA) provides New Jersey residents with comprehensive privacy protections over how companies collect and use their personal information. The law applies to entities that do business in the state and handle the personal data of at least 100,000 consumers per year, or at least 25,000 if the company also sells personal data. NJDPA will take effect on Jan. 15, 2025.
One of the strongest data privacy laws passed to date, the Oregon Consumer Privacy Act (OCPA) includes provisions on biometric data, sensitive and personal data, and children’s data protections, and it doesn’t have the same exemptions found in other state privacy laws. OCPA has made Oregon the eleventh state to pass comprehensive privacy legislation – the sixth in 2023 – and the bill is effective July 1, 2024.
Passed with bipartisan support, the Tennessee Information Protection Act enables consumers to confirm that a business has collected their personal data, obtain a copy of the information, and request that inaccuracies be corrected. This law makes Tennessee the eighth state to sign comprehensive data privacy into law, and it is effective July 1, 2025.
Texas is the second-largest state after California to enact comprehensive privacy laws, giving residents more control over their personal data. Effective July 1, 2024, the Texas Data Privacy and Security Act (TDPSA) will apply to large companies that do business in Texas or sell, collect, or process personal data. Small businesses will mostly be exempt.
On March 24, 2022, Utah became the fourth state to pass comprehensive data legislation. The Utah Consumer Privacy Act (UCPA) – which takes a business-friendly approach to consumer protection – took effect on Dec. 31, 2023.
On March 21, 2021, Virginia became the second state to pass comprehensive data privacy legislation with the enactment of Virginia Consumer Data Protection Act (VCDPA). The law went into effect on Jan. 1, 2023, and it gives Virginians the right to access their data and request that their personal information be deleted by businesses. It also requires companies to conduct data protection assessments to process personal data for targeted advertising and sales purposes.