Securiti Named a 2022 Cool Vendor in Data Security by Gartner

Download Now
Free Trial Schedule a Demo

The Consumer Privacy State Laws Across the US

background-image

Leaders across the globe are tightening privacy laws in the midst of consumers’ growing concerns related to the privacy and security of their personal information. Most states in the US already have consumer privacy laws but with the emergence of a more stringent and extensive EU’s General Data Protection Regulation (GDPR), authorities across the US either amended existing consumer privacy laws or enacted new laws.

As an organization that collects, stores, shares, discloses or sells the personal information of consumers residing in any of the US states that have enacted privacy laws, it is critical for your organization to have a thorough understanding of the applicable laws, implement applicable data privacy and security measures, and meet compliance.

Here’s a map of the consumer privacy laws across different states in the US.

US State Law Tracker:

Loading data
Arkansas
California
Colorado
Illinois
Maine
Massachusetts
Nevada
Vermont
Virginia
Indiana
New Jersey
North Carolina
Ohio
Oklahoma
Pennsylvania
Utah

Arkansas

Status:

House Bill 1943 was proposed as an act to amend the Arkansas personal information protection act 2005 which was later passed into law in 2019.

Application Scope:

The law applies to any individual or entity that acquires, owns, or licenses the personal information of Arkansas citizens.

Consumer rights:

The law doesn’t define any regulations for this section.

Data Security:

The applicable personal information protection act obligates organizations that own and maintain the personal information (PI) of consumers to ensure reasonable security measures.

Consent:

The law doesn’t define any regulations for this section.

Privacy Notice:

The law doesn’t define any regulations for this section.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

The entity must inform the affected residents of Arkansas about the security breach, and the attorney general if the breach affects the PI of more than 1000 applicable businesses.

Enforcement:

The state of Arkansas has vested the attorney general with the authority to enforce the law.

California

Status:

The California Privacy Rights Act (CPRA), amended from California Consumer Privacy Act (CCPA), was approved by ballot in 2020. It will enter into force in 2023.

Application Scope:

The act applies to all for-profit businesses that do business in California and collect California consumers' personal information and either make annual gross revenue of $25 million or more or that buy, sell, or share the personal information of more than 100,000 California households or consumers or derive 50% or more of its annual revenues from selling or sharing California consumers' personal information.

Consumer rights:

Under CPRA, consumers have the right to access, rectify, delete, transfer (portability), and opt-out of selling or sharing their PI. Consumers also have the right to limit the use of or disclosure of their sensitive personal information (SPI), and also to opt-out of automated decision making.

Data Security:

The act obligates businesses to place reasonable security measures to prevent unauthorized access to data, misuse, disclosure, and modification. The act further requires businesses to monitor the privacy and security risk to PI by conducting annual audits and risk assessments.

Consent:

CPRA requires opt-out consent for the selling and sharing of a consumer’s PI or the disclosure of their SPI, whereas opt-in consent is required only for selling of a minor’s (below 16 years of age) PI.

Privacy Notice:

Businesses are required to notify consumers at or before the point of collection about the categories of PI collected, the purpose of collection and intended use, whether it is sold or shared, and retention period or the criteria which are used to determine the retention period as well as provide a privacy notice with additional information including rights of consumers and the mechanisms to enforce them..

Storage Limitation:

CPRA doesn’t define any time period for storage limitation except that the storage period of PI should be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.

Cross-border Data:

Businesses are required to sign a written agreement with service providers, vendors, or third parties that ensures the transferred PI receives the same level of privacy protection as regulated under the CPRA.

Breach Notification:

CPRA doesn’t define any breach notification regulation but under the California Civil Code, businesses are required to notify the affected consumers as soon as the breach is discovered.

Enforcement:

The California Privacy Protection Agency (CPPA) is vested with the authority to enforce CPRA.

Colorado

Status:

The Senate Bill ('SB') 21-190 was proposed and later signed into law in 2021 concerning the amendment of data protection under the Colorado Privacy Act (CPA). The CPA will go into effect in 2023.

Application Scope:

CPA applies to data controllers (businesses) that are operating in Colorado or selling products and services that intentionally target residents in Colorado. Additionally, the data controller must control or process the personal data (PD) of more than 100,000 consumers or derive revenue or discount from the PD of 25,000 consumers. There are significant entities which are exempt from CPA requirements.

Consumer rights:

CPA gives consumers the right to access, rectify, confirm, delete, portability and opt-out of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Businesses are further required to fulfill or deny consumers’ requests within 45 days.

Data Security:

CPA requires businesses to establish, implement, and ensure reasonable physical and technical security measures for the protection of data integrity and confidentiality during data storage and processing.

Consent:

Businesses can’t process sensitive PD of consumers or PD of minors unless they have collected consent (consent of the minor’s parents or guardians in case of children’s PD).

Privacy Notice:

The notice must outline the details regarding the categories of PD that the business shares or sells (including targeted advertising), and how consumers can exercise their rights provided under the act and appeal against the denial of their requests.

Storage Limitation:

There are no specific regulations provided under this law, only that controllers shall not collect unnecessary personal data of consumers or process the personal data for purposes beyond what was disclosed to consumers without gaining their consent.

Cross-border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

There are no regulations regarding breach notification but the Colo. Rev. Stat. § 6-1-716 mandates businesses to notify the affected residents of Colorado.

Enforcement:

Under the CPA, only the District Attorney or the Attorney General can enforce the act or impose penalties in the event of any violations.

Illinois

Status:

The Illinois Personal Information Protection Act (PIPA) was signed in June 2005 by the Illinois State and took effect on January 1, 2006. However, in 2017, PIPA was updated to account for up-gradation in technology and data collection methods, such as biometrics.

Application Scope:

PIPA applies to government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and entities that handle, collect, disseminate, or otherwise deal with nonpublic personal information.

Consumer rights:

PIPA protects Illinois residents from the mishandling, misuse, or abuse of their personal information. The Act imposes various requirements on companies and other organizations that collect, handle or store non-public personal information.

Data Security:

PIPA requires data collector entities to implement and maintain reasonable security measures to protect records containing the personal information of customers from any unauthorized access, acquisition, destruction, use, modification, or disclosure.

Consent:

The revised version of PIPA, known as the Biometric Information Privacy Act, requires entities to obtain written consent from consumers before collecting any biometric information, such as fingerprints, voiceprints, or scans of hand or face geometry.

Privacy Notice:

The act doesn’t define any regulations for this section.

Storage Limitation:

Under PIPA, entities must safely dispose of information that's no longer needed for ongoing services or business operations. This includes either paper or electronic documents containing the personal information of Illinois persons. Paper records must be properly burned, shredded, or otherwise disposed of, and electronic records must be rendered unreadable and unrecoverable.

Cross-border Data:

The act doesn’t define any regulations for this section.

Breach Notification:

PIPA requires the data collector to immediately notify the Illinois resident(s) and the Attorney General of the data breach.

Enforcement:

Illinois has empowered the state Attorney General to enforce the law.

Maine

Status:

The legislative document 946 was signed into law in 2019 and later came into effect in 2020 as an act to Protect the Privacy of Online Customer Information.

Application Scope:

The law applies to providers providing broadband internet access services to customers physically located and billed in Maine.

Consumer rights:

The law doesn’t define any regulations for this section.

Data Security:

The law requires providers to take reasonable security measures for customers’ data protection against unauthorized access or disclosure.

Consent:

A customer’s affirmative and express consent is required by the provider for the use, access, permit, or selling of customer’s personal information. A provider may use, disclose, sell, or provide access to information that 'pertains to a customer' but that does not fall within the above definition of 'customer personal information' unless and until a customer affirmatively opts-out of the use, disclosure, sale, or provision of access of his non-personal information.

Privacy Notice:

Providers are required to provide customers with a clear, conspicuous and non deceptive notice at the point of sale or on the provider’s website, informing customers of the provider’s obligations and customers’ rights under the law.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

There are no regulations regarding breach notification but 10 Me. Rev. Stat. § 1346 mandates businesses to notify the affected residents and the appropriate state regulators within the Department of Professional and Financial Regulation, or if the Entity is not regulated by the department, the state AG of Maine.

Enforcement:

The law doesn’t define any regulations for this section.

Massachusetts

Status:

The Massachusetts Data Privacy Law became notable in 2009. However, Massachusetts comprehensive privacy law act was filed in March 2021 and contains strict rules for employers from recording or monitoring employee data.

Application Scope:

Massachusetts Data Privacy Law applies to any business that deals with the personal information of Massachusetts residents - thus it has an extraterritorial application.

Consumer rights:

The law protects Massachusetts residents from any misuse of their personal information and holds companies responsible in case of any misuse.

Data Security:

The law requires covered companies to implement a Written Information Security Program (WISP), under which they should consider "its scale, scope, amount of capital, nature, and quantity of data collected or stored, and the need for security" and all third-party service providers to covered companies need to maintain adequate security measures to protect the personal information.

Consent:

The act doesn’t define any regulations for this section.

Privacy Notice:

The act doesn’t define any regulations for this section.

Storage Limitation:

The act doesn’t define any regulations for this section.

Cross-border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

There are no regulations regarding breach notification but under Mass. Gen. Laws 93H § 1 notification needs to be made by covered companies to affected state residents and the State Attorney General and the Director of Consumer Affairs and Business Regulation.

Enforcement:

Massachusetts has empowered the state Attorney General to enforce the law. Penalties of up to $5,000 per violation (plus fair costs of prosecution and litigation).

Nevada

Status:

A Senate Bill 260 was signed into law in June 2021 and later came into effect in October 2021 amending the Internet Privacy Act ( Nevada Revised Statutes Chapter 603A).

Application Scope:

The law applies to any operator who owns a website or an online service for any commercial purpose and collects certain personally identifiable information (PII) of consumers who live in the state of Nevada or to “data brokers” defined to include any person whose primary business is “purchasing covered information” about Nevada residents “with whom the person does not have a direct relationship”.

Consumer rights:

The law doesn’t define the extensive rights of consumers, except that the consumer can submit a verified request to the operator or data broker limiting them from making any sale of the covered PI of the customer.

Data Security:

The law doesn’t define any regulations for this section.

Consent:

The law doesn’t define any regulations for this section.

Privacy Notice:

Covered entities are required to make available notice for customers with information detailing the covered PI that is collected, any process for the customer to make a request for changes to the collected PI, and the effective date of the notice.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

There are no regulations regarding breach notification but under Nev. Rev. Stat. § 603A.010 there are requirements for Nevada based companies to notify residents in case of breach.

Enforcement:

The Nevada attorney general has the right to enforce penalties against the violation of any provisions and can impose penalties of up to $5,000 per violation.

Vermont

Status:

A Senate Bill 110 was signed into law in 2020 and later came into effect for an Act relating to Data Privacy and Consumer Protection.

Application Scope:

The law applies to “operators” of websites, online services, or applications that are knowingly used and marketed for PreK-12 school purposes.

Consumer rights:

Operators are prohibited from engaging in targeted advertising or to amass a profile about a student based on any information the operator has acquired because of the use of its site, service, or application for PreK-12 purposes; nor sell, barter or rent student’s information or Disclose covered information to a third party, unless a specific exception applies.

Data Security:

The operator must implement and maintain reasonable security procedures and practices.

Consent:

The law doesn’t define any regulations for this section.

Privacy Notice:

The law doesn’t define any regulations for this section.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

There are no breach notification obligations under this law but under 9 V.S.A. §§ 2430, 2435 notification must be made to affected residents of the state.

Enforcement:

The Attorney General and the State’s Attorney have the right to assess violations against any provisions under this act.

Virginia

Status:

The Senate Bill ('SB') 1392 and House Bill 2307 for the Virginia Consumer Data Protection Act (VCDPA) was signed into law in 2021. VDCPA will go into effect in 2023.

Application Scope:

VCDPA applies to persons or entities (businesses) that are operating in the Commonwealth or offering products or services to residents of Virginia and control and process the personal data of at least 100,000 Virginia residents; or for an entity that derives over half (50%) of its gross revenue from the sale of personal data, of at least 25,000 Virginia residents.

Consumer rights:

VCDPA gives consumers the right to confirm, access, rectify, delete, port, and opt-out, while persons or entities are required to either fulfill or deny the consumers’ request within 45 days.

Data Security:

Persons or entities must establish technical, administrative, and physical security measures for data protection.

Consent:

Consent is required for the processing of sensitive data of any consumer. In the case of minors, parental consent is required.

Privacy Notice:

Covered entities are required to publicly disclose and provide the school with information about the operator’s collection, use, and disclosure of covered information.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

There are no regulations regarding breach notification under VCDPA but as per Va. Code §18.2-186.6. businesses are mandated to notify the affected residents of Virginia.

Enforcement:

VCDPA empowers an Attorney General to enforce the provisions.

Indiana

Status:

On February 1st, 2022, Indiana became the first US state to pass a consumer privacy bill outside of a chamber.

Application Scope:

The bill covers entities processing the data of:

  • More than 100,000 consumers, or
  • Entities that collect data of 25,000 individuals while deriving more than 25% of their annual revenue from data sales.

New Jersey

Status:

There is no explicit data protection law in New Jersey. However, the state lawmakers have proposed a bill to strengthen data privacy guidelines and inflict stricter limits on the tech industry, The Wall Street Journal reported on Monday (March 2).

Application Scope:

The bill mandates that tech firms get authorization from New Jersey consumers before collecting and selling information to third parties.

Consumer rights:

The New Jersey bill mandates that any firms collecting personal data tell people how the information will be used in plain language. The measure also empowers consumers to ask companies to copy their personal data and request that the information be deleted.

Data Security:

The bill would establish specific security standards.

Consent:

The bill would require businesses to explicitly obtain consent from consumers before their data can be collected and sold to third parties.

Privacy Notice:

The law doesn’t define any regulations for this section.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

Under the bill, entities must notify the breach to a customer who is a resident of New Jersey and whose personal information is believed to have been accessed by an unauthorized person. Additionally, entities must also disclose any breach of security of their computerized records.

Enforcement:

New Jersey has empowered the Attorney General to enforce the law.

North Carolina

Status:

The North Carolina General Assembly introduced the Senate bill known as the Consumer Privacy Act (CPA) on April 6, 2021.

Application Scope:

The proposed Act would apply to companies that provide products and services to North Carolina residents. As such, companies that gather, control, or process the personal data of the following would need to comply: have at least 100,000 consumers annually, or have at least 25,000 consumers, and Acquire over 50% of their gross revenue from the sale of personal data.

Consumer rights:

The proposed Act empowers consumers with the right to knowledge and access, right to correction, right to deletion, right to opt-out, and the privacy right to the action.

Data Security:

The proposed Act demands data controllers to employ data protection, such as cybersecurity measures for consumer data security.

Consent:

The proposed Act demands data controllers to obtain the consumer’s consent before processing their data.

Privacy Notice:

Under the proposed Act, data controllers are required to provide consumers with a clear and accessible privacy notice. The privacy notice must include the classification of personal data being processed, the purposes of such processing, how consumers may exercise their rights, and information regarding the sharing of personal consumer data with third parties.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

The law doesn’t define any regulations for this section.

Enforcement:

North Carolina has empowered the Attorney General to enforce the law.

Ohio

Status:

The Ohio Personal Privacy Act (OPPA) or HB 376 was introduced in June 2021 by Ohio State.

Application Scope:

The OPPA would apply to companies conducting business in Ohio or target Ohioans, and either: have gross revenue exceeding $25 million annually; controls or processes the personal data of 100,000 or more Ohio consumers yearly; or derives over 50% of its gross revenue from selling the personal data of Ohio consumers, and processes or controls the personal data of 25,000 or more Ohio consumers during a calendar year.

Consumer rights:

The OPPA would create various consumer rights, such as the right to: know what type of personal data is being collected about the consumer; gain unrestricted access to the consumer's personal data collected so far; request to the immediate deletion of their personal data; and decline or opt-out of the sale of the consumer's personal data.

Data Security:

The law doesn’t define any regulations for this section.

Consent:

The law doesn’t define any regulations for this section.

Privacy Notice:

The OPPA requires businesses to provide consumers with a notice about the personal data they process regarding a consumer. Additionally, businesses need to provide consumers with an easily accessible and clear privacy policy.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

The law doesn’t define any regulations for this section.

Enforcement:

Ohio State has empowered the Attorney General to enforce the law.

Oklahoma

Status:

The recently introduced Oklahoma Computer Data Privacy Act (OCDPA) will be the State’s first opt-in proposed data privacy law.

Application Scope:

The OCDPA would apply to businesses in Oklahoma that: conduct business in Oklahoma; collect the personal information of consumers or have that information collected by a third party on their behalf; alone or in conjunction with others determine the purpose for and means of processing consumers' personal information and satisfy specified financial and business thresholds.

Consumer rights:

The OCDPA empowers consumers the right to opt-in to the sale of their personal information. Additionally, consumers have the right to request deletion of their personal information, request a report containing the categories of personal information collected, sold, or disclosed about them for business purposes; and the categories of third parties to whom that information was sold or disclosed.

Data Security:

Under the OCDPA, businesses would be required to implement and maintain reasonable security procedures and practices to protect the personal information of consumers.

Consent:

The OCDPA would also require businesses to obtain the explicit consent of the consumer before it begins collecting and selling the consumer’s personal information.

Privacy Notice:

The law doesn’t define any regulations for this section.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

Although the breach notification hasn’t been mentioned, violations of the act could seek monetary fines of $2,500 for each violation and $7,500 for each intentional violation.

Enforcement:

The Oklahoma State has empowered the Attorney General to enforce the law.

Pennsylvania

Status:

On April 7, 2021, Pennsylvania legislators introduced a comprehensive consumer data protection bill (HB 1126). The bill takes inspiration from the California Consumer Privacy Act (CCPA).

Application Scope:

The proposed bill applies to businesses that need to comply with any consumer access requests. Businesses must comply with any consumer request within 45 days after receiving a verifiable request from a consumer.

Consumer rights:

Under the proposed bill, Pennsylvania consumers would have a right to request disclosure of personal information collected by a business; have their personal information deleted; request information about any personal data sold or used for business purposes by a business, and outright decline or opt-out of the sale of personal information to third parties.

Data Security:

The law doesn’t define any regulations for this section.

Consent:

The proposed bill would require companies to obtain the consumer’s consent before collecting and processing data.

Privacy Notice:

The law doesn’t define any regulations for this section.

Storage Limitation:

The law doesn’t define any regulations for this section.

Cross-border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

The Pennsylvania bill provides for a private right of action but only in cases of breaches where the personal data is nonencrypted and nonredacted.

Enforcement:

Pennsylvania has empowered the Attorney General to enforce the law.

Utah

Status:

Utah Governor Spencer J. Cox signed the Utah Consumer Privacy Act (UCPA) into law in March 2022. By doing so, Utah became only the fourth state in the US to have an active data protection act in place after Colorado, Virginia, and California. The Utah Consumer Privacy Act will go into effect on December 31, 2023

Application Scope:

All data processors and controllers that have annual gross revenue in excess of $25 million are subject to the UCPA if they have at least 100,000 customers during a calendar year or make 50% of their gross revenue from selling/sharing user data.

Consumer rights:

Like all other major data protection laws, the UCPA gives all consumers certain rights. These include the right to access, delete, or obtain a copy of their data, as well as the right to confirm processing of their data. Additionally, consumers can opt out of any targeted advertising and sale of personal information. Consumers also have a right to face no discrimination as a result of exercising their consumer rights under the Act. All such authenticated requests must be responded to within 45 days of their receipt, with the provision for 45 additional days if the request is of a complex nature and its completion would require more time.

Data Security:

The UCPA requires all organizations to establish, implement, and ensure reasonable physical and technical security measures to ensure appropriate security protocols are in place.

Consent:

No organization can proceed with its data processing activities unless it gains the users’ affirmative and explicit consent for doing so. In case of minors, they must collect the minor’s parents' consent per the Children's Online Privacy Protection Act.

Privacy Notice:

The organization must provide consumers with a reasonably accessible and transparent privacy notice that includes the following information:

  1. The categories of personal data processed by the controller;
  2. The purposes for which the categories of personal data are processed;
  3. How consumers may exercise a right;
  4. The categories of personal data that the controller shares with third parties, if any;
  5. The categories of third parties, if any, with whom the controller shares personal data.

Storage Limitation:

There are no specific regulations provided under this law.

Cross-border Data:

The law doesn’t define any regulations for this section.

Breach Notification:

The law does not outline breach notification requirements, however under, §13-61-301(1)(b) of the law, processors are required to assist the controller in meeting their obligations, including obligations related to the security of processing personal data and notification of a breach of security system under the Protection of Personal Information Act.

Enforcement:

The UCPA's enforcement responsibilities are "shared" between the Utah Department of Commerce Division of Consumer Protection (the Division) and the Utah Attorney General’s Office. The Division if has “reasonable cause” to believe that substantial evidence of a violation exists will refer the complaint to the Attorney General. If such violation is not cured within 30 days of notice by the Utah Attorney General, the Utah Attorney General may seek actual damages for the consumer and civil penalties of up to $7,500 per violation.

Compliance with applicable global data privacy laws is obligatory for businesses.
Failure to comply can result in huge loss such as consumer trust, class-action lawsuits, and hefty fines.
Is your organization ready to comply with the existing as well as upcoming data privacy laws?

Watch the demo to see how Securiti is helping organizations with global privacy regulatory compliance.

Watch the demo

Share this

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox

Take a
Product Tour

See how easy it is to manage privacy compliance with robotic automation.

Watch a demo

Products

Solutions

Systems

Newsletter

Users love Securiti on G2 G2 leader spring 2022 G2 leader summer 2022 G2 leader easiest business 2022 ISO certification RSAC Leader Forrester Badge IAPP Innovation award 2020 Sinet Innovator Award Gartner Cool Vendor Award

Company

Resources

Terms

Get in touch

[email protected]
PO Box 13039,
Coyote CA 95013

Copyright © 2022 Securiti

Sitemap - XML Sitemap

Securiti PrivacyOps Named a Leader in The Forrester WaveTM

View