US State Law Tracker

By Anas Baig | Reviewed By Adeel Hasan
Published November 4, 2022 / Updated September 22, 2023

Regulatory bodies across the globe are tightening privacy laws in the midst of consumers’ growing concerns related to the privacy and security of their personal information. Several states in the US already have consumer privacy laws, but with the emergence of a more stringent and extensive European Union’s General Data Protection Regulation (GDPR), authorities across the US have either amended existing consumer privacy laws or enacted new laws.

As an organization that collects, stores, shares, discloses, or sells the personal information of consumers residing in any of the US states that have enacted privacy laws, it is critical for your organization to have a thorough understanding of the applicable laws, implement applicable data privacy and security measures, and meet compliance.

Here’s a map of the consumer privacy laws across different states in the US.

US State Law Tracker:

Arkansas

Status:

House Bill 1943 was proposed as an act to amend the Arkansas Personal Information Protection Act 2005, which was later passed into law in 2019.

Applicability:

The law applies to any individual or entity that acquires, owns, or licenses the personal information of Arkansas citizens.

Consumer Rights:

The law doesn’t define any regulations for this section.

Data Security:

The law obligates organizations that own and maintain consumers' personal information (PI) to ensure reasonable security measures.

Consent:

The law doesn’t define any regulations for this section.

Privacy Notice:

The law doesn’t define any regulations for this section.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-Border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

Entities must inform the affected Arkansas residents of the security breach, and must also inform the attorney general if the breach affects the PI of more than 1000 applicable businesses.

Enforcement:

The state of Arkansas has vested the attorney general with the authority to enforce the law.

California

Status:

The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, and came into force on January 1, 2020. Later, the CCPA was significantly amended by the California Privacy Rights Act (CPRA), which was passed in November 2020. The amendments to CCPA brought about by the CPRA took effect on January 1, 2023, and are enforceable from July 1, 2023.

Applicability:

The law applies to all for-profit businesses that operate in California, collect California consumers' personal information, and either (a) make annual gross revenue of $25 million or more, (b) buy, sell, or share the personal information of more than 100,000 California households or consumers, or (c) derive 50% or more of their annual revenues from selling or sharing California consumers' personal information.

Consumer Rights:

Consumers have the right to correct, right to opt-out of automated decision-making, right to know about automated decision-making, right to limit the use of sensitive personal information, right to delete, right to access, right to opt-out, right to data portability, and right of minors.

Data Security:

The law obligates businesses to place reasonable security measures to prevent unauthorized access to data, misuse, disclosure, and modification. The law further requires businesses to monitor the privacy and security risks to PI by conducting annual audits and risk assessments.

Consent:

The law requires opt-out consent for selling and sharing a consumer’s PI or disclosing their SPI, whereas opt-in consent is required only for selling a minor’s (below 16 years of age) PI.

Privacy Notice:

Businesses are required to notify consumers at or before the point of collection about the categories of PI collected, the purpose of collection and intended use, whether it is sold or shared, and the retention period or the criteria which are used to determine the retention period as well as provide a privacy notice with additional information including rights of consumers and the mechanisms to enforce them.

Storage Limitation:

The law doesn’t define any time period for storage limitation except that the storage period of PI should be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.

Cross-Border Data:

Businesses are required to sign a written agreement with service providers, vendors, or third parties that ensures the transferred PI receives the same level of privacy protection as regulated under the law.

Breach Notification:

The law doesn’t define any breach notification regulation, but under the California Civil Code, businesses are required to notify the affected consumers as soon as the breach is discovered.

Enforcement:

The California Privacy Protection Agency (CPPA) has the authority to enforce the law.

Colorado

Status:

Modeled closely after the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA) was signed into law on July 8, 2021. The CPA and its implementing regulations, CPA Rules, went into effect on July 1, 2023.

Applicability:

CPA applies to data controllers (businesses) that are operating in Colorado or that produce or deliver goods or services that intentionally target Colorado residents. Additionally, to be subject to CPA, a business must either (a) control or process the personal data (PD) of 100,000 consumers or more during a calendar year or (b) derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 consumers or more.

Consumer Rights:

CPA gives consumers the right to access, rectify, confirm, delete, portability, and opt-out of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Businesses must respond to consumers’ data requests within 45 days.

Data Security:

CPA requires businesses to establish, implement, and ensure reasonable physical and technical security measures for the protection of data integrity and confidentiality during data storage and processing.

Consent:

Businesses cannot process sensitive PD of consumers or PD of minors unless they have collected consent (consent of the minor’s parents or guardians in case of children’s PD).

Privacy Notice:

The notice must, among other requirements, outline the details regarding the categories of PD that the business shares or sells (including targeted advertising), and how consumers can exercise their rights provided under the act and appeal against the denial of their requests.

Storage Limitation:

The law does not provide for any specific data storage limitations; however, any personal data no longer necessary, adequate, or relevant to the express processing purpose(s) must be deleted by the businesses.

Cross-Border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

There are no regulations regarding breach notification, but the Colo. Rev. Stat. § 6-1-716 mandates businesses to notify the affected residents of Colorado in case of any security breach.

Enforcement:

The attorney general and the district attorneys have the exclusive authority to enforce the provisions of the CPA.

Connecticut

Status:

Senate Bill 6: 'An Act Concerning Personal Data Privacy and Online Monitoring' (CTDPA) was signed into law by Gov. Ned Lamont, D-Conn. on 10th May 2022 and took effect on 1 July 2023.

Applicability:

The law applies to all businesses operating from Connecticut or offering goods and services to Connecticut residents and that, during the preceding year, (a) controlled or processed the personal data of no less than 100,000 consumers, excluding the personal data controlled or processed solely for the purpose of completing a payment transaction or, (b) controlled or processed the personal data of 25,000 consumers, deriving 25% or more of their gross revenue from selling that data.

Consumer Rights:

Under the CTDPA, consumers have the right to confirm processing and access their personal data, the right to correct, the right to delete, the right to obtain a copy, and the right to opt-out from the processing of their personal data.

Data Security:

The law doesn't define any regulations for this section.

Consent:

Under the law, the consent of a consumer must be free, affirmative, clear, informed and unambiguous. Further, the organizations must provide an effective mechanism for the users to revoke their prior given consent easily.

Privacy Notice:

All organizations must maintain an updated privacy policy on their website that contains detailed resources on the categories of personal data collected on them, the purpose of data processing, potential sharing/selling of personal data, how users can exercise their data rights, and updated contact details.

Storage Limitation:

The law doesn't define any regulations for this section.

Cross-Border Data:

The law doesn't define any regulations for this section.

Breach Notification:

If an organization suffers a data breach that affects information related to users' social security numbers, driver's license numbers, financial information, taxpayer identification number, passport number, medical information, health insurance policy number, biometric information, IP address, full name, or their online username along with a password or security question and answer, they will be required to inform both the affected users as well as the primary regulatory authority.

Enforcement:

The Connecticut State Attorney General (AG) is the primary regulatory authority enforcing the law within the state.

Delaware

Status:

On June 30, 2023, the Delaware General Assembly approved the Delaware Personal Data Privacy Act (DPDPA) – HB 154. Signed into law by Governor John Carney on 11 September 2023, the DPDPA shall become effective on January 1, 2025.

Applicability:

DPDPA applies to those who do business in Delaware or who produce goods or services that are targeted to Delaware citizens and who, during the preceding calendar year, (a) controlled or processed the personal data of at least 35,000 customers, except those whose data was controlled or processed only to facilitate a payment transaction; and (b) controlled or processed the personal data of at least 10,000 customers and derived more than 20% of their gross revenue from the sale of personal data.

Consumer Rights:

Consumers have the right to confirm, the right to correct, the right to delete, the right to obtain a copy, the right to know and the right to opt-out of the processing of their personal data.

Data Security:

Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.

Consent:

Controllers and processors must not process consumers’ sensitive data without obtaining their consent or, when processing sensitive data concerning a known child, without obtaining the child's parent or legal guardian's consent.

Privacy Notice:

Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that details the categories of personal data that the controller processes, reasons why personal data is processed, how consumers can exercise their rights, how consumers can appeal a controller's decision about a consumer's request, types of personal information that the controller exchanges with third parties, if any, types of third parties with whom the controller shares personal data, if any, and a working email address or other online contact methods that the consumer may use to contact the controller.

Storage Limitation:

The law doesn't define any regulations for this section.

Cross-Border Data:

The law doesn't define any regulations for this section.

Breach Notification:

The law doesn't define any regulations for this section.

Enforcement:

The Department of Justice (DOJ) has enforcement authority over DPDPA and may investigate and prosecute violations.

Florida

Status:

On June 6, 2023, Florida’s Governor Ron DeSantis signed Senate Bill 262 into law, enacting the state’s data privacy law, Florida’s Digital Bill of Rights (FDBR). The law is set to take effect from July 1, 2024.

Applicability:

FDBR applies only to a person who conducts business in Florida or produces a product or service used by the residents of Florida and processes or engages in the sale of personal data. Most of the obligations under the law apply to businesses that (a) collect and determine the purposes and means of the processing of personal data, (b) make more than $1 billion in global gross annual revenues, and (c) fulfill any of the following conditions: (i) derive 50 percent or more of their global gross annual revenues from the sale of advertisements online; (ii) operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or (iii) operate an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.

Consumer Rights:

Consumers have the right to access, the right to confirm, the right to delete, the right to correct inaccuracies, the right to obtain a copy, the right to opt-out of processing, the right to opt-out of the collection of sensitive data and the right to opt-out of the collection of personal data.

Data Security:

To protect the confidentiality, integrity, and accessibility of personal data, businesses must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue.

Consent:

The businesses are restricted from using a consumer's personal information without consent for any processing that is neither reasonably necessary nor consistent with the original reason the information was collected. Additionally, a business cannot process a consumer's sensitive data without the consumer's consent. When handling the private information of a known child, the federal Children's Online Privacy Protection Act (COPPA) must be followed.

Privacy Notice:

The businesses must provide consumers with a reasonably accessible and clear privacy notice, updated at least annually. The privacy notice should contain clear notices regarding the sale of sensitive data and biometric data.

Storage Limitation:

The law doesn't define any regulations for this section.

Cross-Border Data:

The law doesn't define any regulations for this section.

Breach Notification:

The law doesn't define any regulations for this section.

Enforcement:

The Florida Department of Legal Affairs (DLA) is the regulatory authority responsible for enforcing the law.

Iowa

Status:

On March 28, 2023, Iowa Governor Kim Reynolds signed into law Senate File 262 ("Iowa Data Privacy Law"), which will go into effect on January 1, 2025.

Applicability:

The law applies to entities conducting business in Iowa or producing products or services targeted to Iowa residents that during a calendar year, (a) control or process the personal data of at least 100,000 Iowa residents; or (b) control or process the personal data of at least 25,000 Iowa residents and derive more than 50% of their gross revenue from selling personal data.

Consumer Rights:

Consumers have the right to access, the right to delete, the right to data portability, and the right to opt-out of the sale of their personal data.

Data Security:

The controllers are obligated to adopt and implement reasonable administrative, technological, and physical data security practices to safeguard the privacy, accuracy, and accessibility of personal data based on the volume and nature of the data.

Consent:

The law doesn’t define any regulations for this section.

Privacy Notice:

The controllers are required to provide the consumers with a reasonably accessible, clear, and meaningful privacy notice that includes (a) the categories of personal data processed by the controller; (b) the purposes of the personal data processing; (c) the mechanism for exercising the rights under the law including the right to appeal the denial of a consumer data request; (d) the categories of personal data the controller shares with third parties; and (e) the categories of third parties with whom the controller shares the personal data. In addition, if a controller sells a consumer’s personal data to a third party or engages in targeted advertising, the controller must clearly disclose the activity to the consumer along with the mechanism through which the consumer may opt-out of any such activity.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-Border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

The law doesn’t define any regulations for this section.

Enforcement:

Iowa’s Attorney General has the exclusive authority to enforce the law, issue civil investigative demands to the controllers and processors, and initiate civil action if the violations are not cured.

Indiana

Status:

Modeled closely on the Virginia Consumer Data Protection Act (VCDPA), Indiana's Senate Bill 5 (SB 5), better known as the Indiana Consumer Data Protection Act (ICDPA), was passed by the Senate & House on April 11, 2023, and signed into law by the governor on May 01, 2023. The law shall come into effect on January 1, 2026.

Applicability:

The law applies to persons conducting business in Indiana or producing products and services targeted to Indiana residents who, in a calendar year, (a) control or process the personal data of at least one hundred thousand (100,000) Indiana residents; or (b) control or process the personal data of at least twenty-five thousand (25,000) Indiana residents and derive more than fifty percent (50%) of their gross revenue from the sale of these residents' personal data.

Consumer Rights:

The law gives all Indiana residents the right to know, the right to correction, the right to deletion, the right to access, the right to data portability, and the right to opt-out of the processing of their personal data.

Data Security:

All subject organizations must ensure that they establish, implement, and maintain reasonable administrative, technical, and physical data security practices and measures that ensure the appropriate degree of protection for the confidentiality, integrity, and accessibility of all collected personal data.

Consent:

A data controller may only process a consumer's sensitive personal data after acquiring that consumer's express consent. If the consumer is a known minor, any data processing must align with the relevant consent requirements in the federal Children's Online Privacy Protection Act (COPPA).

Privacy Notice:

Per the ICDPA, all organizations must have an easily accessible, clear, and meaningful privacy notice that contains the (a) categories of personal data processed by the controller; (b) purposes of a controller's data processing activities; (c) how consumers may exercise their data subject rights; (d) how consumers may appeal a controller's decision related to a consumer's request; and (e) categories of personal data shared by a controller with third parties.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-Border Data:

The law doesn’t define any regulations for this section.

Data Breach Notification:

The law doesn’t define any regulations for this section.

Enforcement:

The Attorney General of Indiana's Office will have the exclusive regulatory authority to enforce the provisions of the Indiana Consumer Data Protection Act.

Illinois

Status:

The Illinois Personal Information Protection Act (PIPA) was signed into law in June 2005 and took effect on January 1, 2006. In 2017, PIPA was updated to account for advances in technology and data collection methods, such as biometrics.

Applicability:

PIPA applies to government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and entities that handle, collect, disseminate, or otherwise deal with nonpublic personal information.

Consumer Rights:

PIPA protects Illinois residents from the mishandling, misuse, or abuse of their personal information. The Act imposes various requirements on companies and other organizations that collect, handle, or store non-public personal information.

Data Security:

PIPA requires data collector entities to implement and maintain reasonable security measures to protect records containing the personal information of customers from any unauthorized access, acquisition, destruction, use, modification, or disclosure.

Consent:

The revised version of PIPA, known as the Biometric Information Privacy Act, requires entities to obtain written consent from consumers before collecting any biometric information, such as fingerprints, voiceprints, or scans of hand or face geometry.

Privacy Notice:

The act doesn’t define any regulations for this section.

Storage Limitation:

Under PIPA, entities must safely dispose of information that's no longer needed for ongoing services or business operations. This includes either paper or electronic documents containing the personal information of Illinois persons. Paper records must be properly burned, shredded, or otherwise disposed of, and electronic records must be rendered unreadable and unrecoverable.

Cross-Border Data:

The act doesn’t define any regulations for this section.

Breach Notification:

PIPA requires the data collector to immediately notify the Illinois resident(s) and the Attorney General of the data breach.

Enforcement:

Illinois has empowered the state Attorney General to enforce the law.

Maine

Status:

Legislative Document 946 was signed into law in 2019 and came into effect in 2020 as An Act to Protect the Privacy of Online Customer Information.

Applicability:

The law applies to providers providing broadband internet access services to customers physically located and billed in Maine.

Consumer Rights:

The law doesn’t define any regulations for this section.

Data Security:

The law requires providers to take reasonable security measures for customers’ data protection against unauthorized access or disclosure.

Consent:

A provider must obtain a customer’s affirmative and express consent before using, disclosing, selling, or permitting access to the customer’s personal information. A provider may use, disclose, sell, or provide access to information that 'pertains to a customer' but that does not fall within the above definition of 'customer personal information' unless and until the customer affirmatively opts out of the use, disclosure, sale, or provision of access to their non-personal information.

Privacy Notice:

Providers are required to provide customers with a clear, conspicuous and non-deceptive notice at the point of sale or on the provider’s website, informing customers of the provider’s obligations and customers’ rights under the law.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

There are no regulations regarding breach notification, but 10 Me. Rev. Stat. § 1346 mandates businesses to notify the affected residents and the appropriate state regulators within the Department of Professional and Financial Regulation or, if the entity is not regulated by the department, the state AG of Maine.

Enforcement:

The law doesn’t define any regulations for this section.

Massachusetts

Status:

The Massachusetts Data Privacy Law became notable in 2009. However, the Massachusetts comprehensive privacy law act was filed in March 2021 and contains strict rules restricting employers from recording or monitoring employee data.

Applicability:

Massachusetts Data Privacy Law applies to any business that deals with the personal information of Massachusetts residents - thus, it has an extraterritorial application.

Consumer Rights:

The law protects Massachusetts residents from any misuse of their personal information and holds companies responsible in case of any misuse.

Data Security:

The law requires covered companies to implement a Written Information Security Program (WISP), under which they should consider "its scale, scope, amount of capital, nature, and quantity of data collected or stored, and the need for security" and all third-party service providers to covered companies need to maintain adequate security measures to protect the personal information.

Consent:

The act doesn’t define any regulations for this section.

Privacy Notice:

The act doesn’t define any regulations for this section.

Storage Limitation:

The act doesn’t define any regulations for this section.

Cross-Border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

There are no regulations regarding breach notification, but under Mass. Gen. Laws 93H § 1 notification needs to be made by covered companies to affected state residents and the State Attorney General and the Director of Consumer Affairs and Business Regulation.

Enforcement:

Massachusetts has empowered the state Attorney General to enforce the law. Penalties can reach $5,000 per violation (plus fair costs of prosecution and litigation).

Montana

Status:

Montana Consumer Data Privacy Act (MCDPA) – Senate Bill 384 was approved on April 21, 2023, by the legislature and signed into law by the governor on May 19, 2023. The law shall take effect from October 1, 2024.

Applicability:

MCDPA applies to persons that conduct business in Montana or persons that produce products or services that are targeted to residents of Montana and (a) control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction or (b) control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

Consumer Rights:

Consumers have the right to access, the right to correction, the right to deletion, the right to data portability, the right to opt-out, and the right to appeal.

Data Security:

The MCDPA requires organizations to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.

Consent:

A controller must obtain the consumer’s express consent for processing their personal data for a purpose other than for which the data was originally collected. Additionally, controllers must provide an effective mechanism for consumers to revoke their consent to process personal data. On the revocation of the consent, the controller must cease to process the personal data as soon as practicable but not later than 45 days after receiving the request to revoke consent.

Privacy Notice:

The controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (a) the categories of personal data processed by the controller; (b) the purpose for processing personal data; (c) the categories of personal data that the controller shares with third parties, if any; (d) the categories of third parties, if any, with which the controller shares personal data; (e) an active e-mail address or other mechanisms that the consumer may use to contact the controller; and (f) how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision regarding the consumer's request. Additionally, the controller must establish, and describe in the privacy notice, one or more safe and reliable means for consumers to exercise their data subject rights (DSRs).

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-Border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

The law doesn’t define any regulations for this section.

Enforcement:

The Office of the Attorney General of Montana is the exclusive regulatory authority for the enforcement of provisions of the MCDPA.

Nevada

Status:

Senate Bill 260 was signed into law in June 2021 and later came into effect in October 2021, amending the Internet Privacy Act (Nevada Revised Statutes Chapter 603A).

Applicability:

The law applies to any operator who owns a website or an online service for any commercial purpose and collects certain personally identifiable information (PII) of consumers who live in the state of Nevada or to “data brokers,” defined to include any person whose primary business is “purchasing covered information” about Nevada residents “with whom the person does not have a direct relationship.”

Consumer Rights:

The law doesn’t define extensive consumer rights, except that a consumer can submit a verified request to the operator or data broker directing them not to make any sale of the consumer's covered PI.

Data Security:

The law doesn’t define any regulations for this section.

Consent:

The law doesn’t define any regulations for this section.

Privacy Notice:

Covered entities are required to make available a privacy notice for customers with information detailing the covered PI that is collected, any process for the customer to make a request for changes to the collected PI, and the effective date of the notice.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

There are no regulations regarding breach notification, but under Nev. Rev. Stat. § 603A.010 Nevada-based companies are required to notify residents in case of a breach.

Enforcement:

The Nevada attorney general has the authority to enforce the law against violations of any of its provisions and can impose penalties of up to $5,000 per violation.

New Jersey

Status:

New Jersey has no explicit data protection law. However, the state lawmakers have proposed a bill to strengthen data privacy guidelines and inflict stricter limits on the tech industry, The Wall Street Journal reported on Monday (March 2).

Applicability:

The bill mandates that tech firms get authorization from New Jersey consumers before collecting and selling information to third parties.

Consumer Rights:

The New Jersey bill mandates that any firms collecting personal data tell people how the information will be used in plain language. The measure also empowers consumers to ask companies to copy their personal data and request that the information be deleted.

Data Security:

The bill would establish specific security standards.

Consent:

The bill would require businesses to explicitly obtain consent from consumers before their data can be collected and sold to third parties.

Privacy Notice:

The law doesn’t define any regulations for this section.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-Border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

Under the bill, entities must notify any customer who is a resident of New Jersey and whose personal information is believed to have been accessed by an unauthorized person of the breach. Additionally, entities must also disclose any breach of the security of their computerized records.

Enforcement:

New Jersey has empowered the Attorney General to enforce the law.

North Carolina

Status:

The North Carolina General Assembly introduced the Senate bill known as the Consumer Privacy Act (CPA) on April 6, 2021.

Applicability:

The proposed Act would apply to companies that provide products and services to North Carolina residents. As such, companies that collect, control, or process personal data and that either have at least 100,000 consumers annually, or have at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data, would need to comply.

Consumer Rights:

The proposed Act grants consumers the right to knowledge and access, the right to correction, the right to deletion, the right to opt out, and a private right of action.

Data Security:

The proposed Act requires data controllers to employ data protection measures, such as cybersecurity safeguards, to secure consumer data.

Consent:

The proposed Act requires data controllers to obtain the consumer’s consent before processing their data.

Privacy Notice:

Under the proposed Act, data controllers are required to provide consumers with a clear and accessible privacy notice. The privacy notice must include the classification of personal data being processed, the purposes of such processing, how consumers may exercise their rights, and information regarding the sharing of personal consumer data with third parties.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-Border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

The law doesn’t define any regulations for this section.

Enforcement:

North Carolina has empowered the Attorney General to enforce the law.

Ohio

Status:

The Ohio Personal Privacy Act (OPPA), or HB 376, was introduced in the Ohio legislature in June 2021.

Applicability:

The OPPA would apply to companies that conduct business in Ohio or target Ohioans and that either: have gross revenue exceeding $25 million annually; control or process the personal data of 100,000 or more Ohio consumers yearly; or derive over 50% of their gross revenue from selling the personal data of Ohio consumers and process or control the personal data of 25,000 or more Ohio consumers during a calendar year.

Consumer Rights:

The OPPA would create various consumer rights, such as the right to know what type of personal data is being collected about the consumer; to gain unrestricted access to the consumer's personal data collected so far; to request the immediate deletion of their personal data; and to decline or opt out of the sale of the consumer's personal data.

Data Security:

The law doesn’t define any regulations for this section.

Consent:

The law doesn’t define any regulations for this section.

Privacy Notice:

The OPPA requires businesses to provide consumers with a notice about the personal data they process regarding a consumer. Additionally, businesses must provide consumers with an easily accessible and clear privacy policy.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-Border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

The law doesn’t define any regulations for this section.

Enforcement:

Ohio has empowered the Attorney General to enforce the law.

Oklahoma

Status:

The recently introduced Oklahoma Computer Data Privacy Act (OCDPA) would be the state’s first proposed opt-in data privacy law.

Applicability:

The OCDPA would apply to businesses that: conduct business in Oklahoma; collect the personal information of consumers, or have that information collected by a third party on their behalf; alone or in conjunction with others determine the purpose for and means of processing consumers' personal information; and satisfy specified financial and business thresholds.

Consumer Rights:

The OCDPA gives consumers the right to opt in to the sale of their personal information. Additionally, consumers have the right to request deletion of their personal information and to request a report containing the categories of personal information collected, sold, or disclosed about them for business purposes, along with the categories of third parties to whom that information was sold or disclosed.

Data Security:

Under the OCDPA, businesses would be required to implement and maintain reasonable security procedures and practices to protect consumers' personal information.

Consent:

The OCDPA would also require businesses to obtain the consumer's explicit consent before they begin collecting and selling the consumer’s personal information.

Privacy Notice:

The law doesn’t define any regulations for this section.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-Border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

Although breach notification is not addressed, violations of the act could attract monetary fines of $2,500 for each violation and $7,500 for each intentional violation.

Enforcement:

Oklahoma has empowered the Attorney General to enforce the law.

Oregon

Status:

On June 22, 2023, the Oregon House of Representatives passed Senate Bill 619, also known as the Oregon Consumer Privacy Act (OCPA). Modeled on the Connecticut and Virginia data privacy laws, the OCPA must be signed by Governor Tina Kotek before it becomes law. Should it be approved, the law shall come into force on July 1, 2024.

Applicability:

The law applies to any person that conducts business in Oregon, or that provides products or services to residents of Oregon, and during a calendar year, controls or processes (a) the personal data of 100,000 or more consumers, other than personal data controlled or processed solely to complete a payment transaction; or (b) the personal data of 25,000 or more consumers while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.

Consumer Rights:

Consumers have the right to know, the right to correction, the right to delete, the right to opt-out, and the right to data portability.

Data Security:

To protect the confidentiality, integrity, and accessibility of personal data, the controller must establish, implement, and maintain the same safeguards described in ORS 646A.622 that are required to protect personal information, as defined in ORS 646A.602, to the extent necessary for the volume and nature of the data.

Consent:

Controllers must provide consumers with an effective means to revoke their consent to the processing of their personal data by the controller. The method must be at least as simple as the method used to obtain the consumer's consent. The controller must stop processing personal data as soon as possible after the consumer withdraws consent, and no later than 15 days after receiving the revocation.

Privacy Notice:

A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that, among other things, outlines the categories of sensitive data, along with the types of personal data, that the controller processes, specifies the reasons why the controller is processing the personal data, and explains how a consumer can exercise their rights, including how to appeal a controller's denial of a request made by a consumer.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-Border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

The law doesn’t define any regulations for this section.

Enforcement:

The Oregon Attorney General has the exclusive authority to enforce the provisions of OCPA.

Pennsylvania

Status:

On April 7, 2021, Pennsylvania legislators introduced a comprehensive consumer data protection bill (HB 1126). The bill takes inspiration from the California Consumer Privacy Act (CCPA).

Applicability:

The proposed bill applies to businesses that need to comply with any consumer access requests. Businesses must comply with any consumer request within 45 days of receiving a verifiable request from a consumer.

Consumer Rights:

Under the proposed bill, Pennsylvania consumers would have the right to request disclosure of personal information collected by a business; to have their personal information deleted; to request information about any personal data sold or used for business purposes by a business; and to outright decline or opt out of the sale of personal information to third parties.

Data Security:

The law doesn’t define any regulations for this section.

Consent:

The proposed bill would require companies to obtain the consumer’s consent before collecting and processing data.

Privacy Notice:

The law doesn’t define any regulations for this section.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-Border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

The Pennsylvania bill provides for a private right of action but only in cases of breaches where personal data is unencrypted and non-redacted.

Enforcement:

Pennsylvania has empowered the Attorney General to enforce the law.

Puerto Rico

Status:

While a comprehensive data protection law is absent within Puerto Rico, the Department of Consumer Affairs (DACO) published its draft regulation, Protection of Digital Privacy, in March 2019. It aims to empower all users with privacy rights and give the DACO regulatory powers to enforce the proposed law and conduct relevant inspections, audits, and fines for non-compliance.

Applicability:

The proposed law will apply to all personal information registered in the databases of private sector companies. However, any protected information within the same databases that is covered by other regulations, such as the Gramm-Leach-Bliley Act, the Driver's Privacy Protection Act of 1994, the federal Fair Credit Reporting Act, the Health Insurance Portability and Accountability Act, etc., remains subject to those regulations.

Consumer Rights:

Per the proposed law, users will have the right to access the information collected on them, including whether this information has been shared, sold, or transferred and to whom; to deny permission for their information to be shared, sold, or transferred; to access their personal information in the custody of third parties; to request the deletion of all their collected personal information; and to have any collected information rectified or modified.

Data Security:

All organizations that collect consumers' personal information are required to ensure they implement appropriate security measures and practices to prevent alteration, destruction, loss, or unauthorized access to this data. These measures must include security mechanisms suitable for current technological developments.

Consent:

Organizations may only proceed with actions related to collecting, storing, treating, or transferring users' data after gaining their free, explicit, and informed consent.

Privacy Notice:

The organization must maintain a privacy policy page, regularly updated on its website, containing all necessary mandatory disclosures related to its data processing practices.

Storage Limitation:

The proposed law is unclear on storage limitations.

Cross-Border Data:

The proposed law is unclear on cross-border data transfer requirements.

Breach Notification:

In case of a data breach, the organization must notify the affected users of the security breach within 72 hours. The notification must include information related to what information was compromised, the contact information of relevant personnel at the organization the consumers can contact for further information, likely consequences of the breach, and what corrective measures are being undertaken.

Enforcement:

The primary body responsible for enforcing this proposed law in its initial phases will be the Department of Consumer Affairs.

Tennessee

Status:

The Tennessee Information Protection Act (TIPA) received unanimous support in both houses of the State General Assembly, with Governor Bill Lee signing it into law on May 11, 2023. TIPA will come into effect on July 1, 2024.

Applicability:

TIPA applies to persons that conduct business in Tennessee or produce products or services that are targeted to residents of Tennessee and that (a) control or process the personal information of at least one hundred thousand (100,000) consumers during a calendar year; or (b) control or process the personal information of at least twenty-five thousand (25,000) consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information.

Consumer Rights:

Consumers have the right to access, the right to correction, the right to deletion, the right to data portability, the right to disclosure, and the right to opt out of the processing of their personal data.

Data Security:

TIPA requires the controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal information. The data security practices must be appropriate to the volume and nature of the personal information at issue.

Consent:

The controller must not process sensitive data concerning a consumer without obtaining the consumer's consent. In the case of the processing of sensitive data concerning a known child, the controller must process the data in accordance with the federal Children's Online Privacy Protection Act. Further, a controller must seek the consumer’s express consent for processing the personal data for a purpose that is not reasonably necessary or compatible with the purposes for which the data was originally collected.

Privacy Notice:

Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (a) categories of personal information processed by the controller; (b) the purpose for processing personal information; (c) how consumers may exercise their consumer rights under TIPA, including how a consumer may appeal a controller's decision with regard to the consumer's request; (d) the categories of personal information that the controller sells to third parties, if any; (e) the categories of third parties, if any, to whom the controller sells personal information; and (f) the right to opt out of the sale of personal information to third parties and the ability to request deletion or correction of certain personal information.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-Border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

The law doesn’t define any regulations for this section.

Enforcement:

The Tennessee Attorney General & Reporter (AGR) has the exclusive authority to enforce the provisions of TIPA.

Texas

Status:

On May 28, 2023, the Texas legislature passed the Texas Data Privacy and Security Act (TDPSA), also known as H.B. 4, making Texas the tenth US state to pass a comprehensive data privacy law. Once Governor Abbott signs TDPSA, it will take effect on July 1, 2024.

Applicability:

The TDPSA applies only to persons who: (a) conduct business in Texas or produce products or services consumed by Texas residents; (b) process or engage in the sale of personal data; and (c) are not small businesses as defined by the United States Small Business Administration (SBA), i.e., an independent business having fewer than 500 employees.

Consumer Rights:

Consumers have the right to confirm processing, the right to access, the right to correct inaccuracies, the right to delete, the right to obtain a personal copy, and the right to opt out.

Data Security:

Controllers must also establish, implement, and maintain acceptable administrative, technical, and physical data security procedures that are appropriate to the volume and nature of the personal data at stake to safeguard the privacy, accuracy, and accessibility of personal data.

Consent:

Controllers must not process a consumer's personal data for a purpose that is neither reasonably necessary nor compatible with the disclosed purpose for which the personal data is processed unless the controller obtains the consumer’s consent. Further, a controller must not process sensitive data concerning a consumer without obtaining the consumer's consent. In the case of the processing of sensitive data concerning a known child, the controller must process the data in accordance with the federal Children's Online Privacy Protection Act (COPPA).

Privacy Notice:

Controllers must provide consumers with a reasonably accessible and clear privacy notice that includes: (a) the categories of personal data that the controller processes, including, if relevant, any sensitive data that the controller processes; (b) the purpose of processing personal data; (c) how consumers can exercise their consumer rights, including the procedure for appealing a controller's decision about a consumer's request; (d) the categories of personal data, if any, that the controller shares with third parties; (e) the categories of third parties, if any, that the controller shares personal data with; and (f) a description of the procedures for submitting consumer rights requests.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-Border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

The law doesn’t define any regulations for this section.

Enforcement:

The Texas Attorney General has the exclusive authority to enforce the provisions of the TDPSA.

Utah

Status:

Utah Governor Spencer J. Cox signed the Utah Consumer Privacy Act (UCPA) into law on March 24, 2022. By doing so, Utah became only the fourth state in the US to have an active data protection act in place after Colorado, Virginia, and California. The Utah Consumer Privacy Act will go into effect on December 31, 2023.

Applicability:

All data processors and controllers that have annual gross revenue in excess of $25 million are subject to the UCPA if they have at least 100,000 customers during a calendar year or make 50% of their gross revenue from selling/sharing user data.

Consumer Rights:

Like all other major data protection laws, the UCPA gives all consumers certain rights. These include the right to access, delete, or obtain a copy of their data, as well as the right to confirm the processing of their data. Additionally, consumers can opt out of any targeted advertising and sale of personal information. Consumers also have a right to face no discrimination as a result of exercising their consumer rights under the Act. All such authenticated requests must be responded to within 45 days of their receipt, with the provision for 45 additional days if the request is of a complex nature and its completion would require more time.

Data Security:

The UCPA requires all organizations to establish, implement, and maintain reasonable physical and technical security measures so that appropriate security controls are in place.

Consent:

No organization can proceed with its data processing activities unless it gains the users’ affirmative and explicit consent to do so. In the case of minors, organizations must obtain the consent of the minor’s parents in accordance with the Children's Online Privacy Protection Act.

Privacy Notice:

The organization must provide consumers with a reasonably accessible and transparent privacy notice that includes the categories of personal data processed by the controller; the purposes for which the categories of personal data are processed; how consumers may exercise a right; the categories of personal data that the controller shares with third parties, if any; and the categories of third parties, if any, with whom the controller shares personal data.

Storage Limitation:

There are no specific regulations provided under this law.

Cross-Border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

The law does not outline breach notification requirements; however, under §13-61-301(1)(b) of the law, processors are required to assist the controller in meeting its obligations, including obligations related to the security of processing personal data and notification of a breach of a security system under the Protection of Personal Information Act.

Enforcement:

The UCPA's enforcement responsibilities are "shared" between the Utah Department of Commerce Division of Consumer Protection (the Division) and the Utah Attorney General’s Office. If the Division has “reasonable cause” to believe that substantial evidence of a violation exists, it will refer the complaint to the Attorney General. If such a violation is not cured within 30 days of notice by the Utah Attorney General, the Utah Attorney General may seek actual damages for the consumer and civil penalties of up to $7,500 per violation.

Vermont

Status:

Senate Bill 110 was signed into law in 2020 and later came into effect as an Act relating to Data Privacy and Consumer Protection.

Applicability:

The law applies to “operators” of websites, online services, or applications that are knowingly used and marketed for PreK-12 school purposes.

Consumer Rights:

Operators are prohibited from engaging in targeted advertising or amassing a profile about a student based on any information the operator has acquired because of the use of its site, service, or application for PreK-12 purposes; nor may they sell, barter, or rent a student’s information or disclose covered information to a third party, unless a specific exception applies.

Data Security:

The operator must implement and maintain reasonable security procedures and practices.

Consent:

The law doesn’t define any regulations for this section.

Privacy Notice:

The law doesn’t define any regulations for this section.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-Border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

There are no breach notification obligations under this law, but under 9 V.S.A. §§ 2430, 2435, the notification must be made to affected residents of the state.

Enforcement:

The Attorney General and the State’s Attorney have the authority to enforce this act against violations of any of its provisions.

Virginia

Status:

Senate Bill (SB) 1392 and House Bill (HB) 2307, enacting the Virginia Consumer Data Protection Act (VCDPA), were signed into law in 2021. The VCDPA went into effect on January 1, 2023.

Applicability:

VCDPA applies to persons or entities (businesses) that operate in the Commonwealth or offer products or services to residents of Virginia and that control or process the personal data of at least 100,000 Virginia residents, or, for an entity that derives over half (50%) of its gross revenue from the sale of personal data, the personal data of at least 25,000 Virginia residents.

Consumer Rights:

VCDPA gives consumers the right to confirm processing, access, correct, delete, obtain a copy, and opt out, while persons or entities are required to either fulfill or deny the consumers’ request within 45 days.

Data Security:

Persons or entities must establish technical, administrative, and physical security measures for data protection.

Consent:

Consent is required for the processing of sensitive data of any consumer. In the case of minors, parental consent is required.

Privacy Notice:

Covered entities are required to publicly disclose and provide the school with information about the operator’s collection, use, and disclosure of covered information.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-Border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

There are no regulations regarding breach notification under VCDPA, but as per Va. Code § 18.2-186.6, businesses are mandated to notify the affected residents of Virginia.

Enforcement:

VCDPA empowers the Attorney General to enforce its provisions.


Frequently Asked Questions (FAQs)

Yes, many US states have privacy regulations, such as the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), the Delaware Personal Data Privacy Act, etc. Moreover, US states are also subject to sector-specific privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA), and more.

While there isn't a single federal privacy law, notable ones include HIPAA for healthcare, the Family Educational Rights and Privacy Act (FERPA) for education, and more.

The US does not have an equivalent to the GDPR at the federal level, but there are discussions about potential federal privacy legislation. The most notable equivalent to the GDPR is the California Consumer Privacy Act (CCPA).

GDPR is not coming to the US, but there are discussions about introducing federal privacy legislation that might draw inspiration from GDPR principles.

The US Privacy Act applies to federal agencies and covers federal government entities' collection, use, and disclosure of personal information.

Violation of privacy in the United States refers to actions that infringe upon an individual's right to privacy, including unauthorized surveillance, data breaches, and misuse of personal information.
