California passed the first US state data privacy law in 2018 with the California Consumer Privacy Act (CCPA), the same year the General Data Protection Regulation (GDPR) came into force. Progress beyond that state was slow for the next several years, with the Virginia Consumer Data Protection Act (VCDPA) being the main state-level regulation passed.
New momentum started in 2023, with six states passing laws. The European Union and United States also replaced the struck-down Privacy Shield with their new data privacy framework: the EU-U.S. Data Privacy Framework.
The momentum continued into 2024, with more US state data privacy laws being passed and federal legislation being made public for review. As of mid-2024, several state-level laws are scheduled to come into effect in 2026. More laws are close to being passed as well, although it is unlikely that the American Privacy Rights Act (APRA) — the proposed federal law — will be passed in 2024.
We are also seeing more topically specific laws being proposed or passed in the US, like the Washington My Health My Data Act, and the AI Act in Colorado, which already has the Colorado Privacy Act (CPA).
What states have data privacy laws?
There is a long way to go before US states with data privacy laws are the majority, or a federal law is passed that supplants them. However, momentum is growing, and states drafting legislation now have a substantial number of implemented regulations to draw from, as well as a wealth of evolving thought regarding data privacy, technology, and consumers’ rights.
To date, all the state-level data privacy laws in the US have implemented an opt-out consent model, so in most cases personal data can be collected and processed without consent, though individuals have the right to opt out of sale, sharing, targeted advertising, and/or profiling, depending on the specific regulation. California remains the only state to enable a private right of action, allowing consumers to directly sue companies for damages if they are involved in a data breach or other violation.
Which modern US state privacy laws are considered comprehensive?
Due to its somewhat narrower focus and broader exclusions, the Florida Digital Bill of Rights (FDBR) is not considered among the comprehensive modern data privacy laws in the US. The same goes for the Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) and Amendment SB-260, though that law is older and predates even California’s CCPA.
What are the compliance requirements for US state privacy laws?
Compliance threshold standards vary across states, with thresholds like company revenue not being included in more recently passed laws. We are also seeing advancements in technology and social issues being reflected in the laws, e.g. with more explicit considerations for “automated decision-making” (e.g. AI tools) and inclusion of information like gender identity under the category of sensitive data.
While some of the US data privacy laws tout themselves as being more “business-friendly” or more strict, they all remain fairly similar. It is important, however, to consult with qualified legal counsel or a data privacy expert to ensure that your business meets the requirements for all states where it’s required to comply with regulations.
Let’s look at a comparison of the US data privacy laws at the state level and what they mean for businesses and consumers.
What are the effective dates of the US state privacy laws?
US data privacy laws tend to draw on existing privacy regulations when they’re drafted. When the CCPA was drafted, there were fewer models than when other US state data privacy legislation was in progress. However, the GDPR was already in effect in 2018 when the CCPA was passed.
Typically, there is a lead time of a couple of years between when legislation is passed and the law comes into effect, giving businesses and other organizations time to familiarize themselves with the law’s contents and requirements. However, with recently passed laws, that period of time is getting shorter, with the Nebraska Data Privacy Act (NDPA) coming into effect less than nine months after being signed into law by the governor, for example.
*The California Privacy Rights Act (CPRA) amends and expands the California Consumer Privacy Act (CCPA). In this article, they will be displayed as one regulation, and we will include the most up-to-date requirements, i.e. those introduced with the CPRA.
Who is protected in US states with data privacy laws?
Data privacy laws passed by these states are designed primarily to protect consumers, the data subjects from whom businesses and other organizations collect personal data. These days that data comes from an increasing number of sources as we live and work more and more online. Web browsers, mobile devices, connected appliances, and more all result in consumers generating vast amounts of data about their identities, preferences, and activities every day.
The US data privacy laws apply to residents of the state in question. This means that a company does not need to be headquartered in a state, or even have an office there, to be subject to the state’s privacy law, if their users or customers include residents of that state. Many of the state-level laws explicitly protect people and their data in a personal or household context, excluding those acting in a commercial or employment context (which is covered by other laws).
State | Protected Parties |
--- | --- |
California (CCPA/CPRA) | Residents of California, acting in an individual or household context, with specific rights for people acting in an employment context |
Colorado | Residents of Colorado, acting in an individual or household context |
Connecticut | Residents of Connecticut, acting in an individual or household context |
Delaware | Residents of Delaware, acting in an individual or household context |
Florida | Residents of Florida, acting in an individual or household context |
Indiana | Residents of Indiana, acting in an individual or household context |
Iowa | Residents of Iowa, acting in an individual or household context |
Kentucky | Residents of Kentucky, acting in an individual or household context |
Maryland | Residents of Maryland, acting in an individual or household context |
Minnesota | Residents of Minnesota, acting in an individual or household context |
Montana | Residents of Montana, acting in an individual or household context |
Nebraska | Residents of Nebraska, acting in an individual or household context |
Nevada | Residents of Nevada in their online activities |
New Hampshire | Residents of New Hampshire, acting in an individual or household context |
New Jersey | Residents of New Jersey, acting in an individual or household context |
Oregon | Residents of Oregon, acting in an individual or household context |
Rhode Island | Residents of Rhode Island, acting in an individual or household context |
Tennessee | Residents of Tennessee, acting in an individual or household context |
Texas | Residents of Texas, acting in an individual or household context |
Virginia | Residents of Virginia, acting in an individual or household context |
Utah | Residents of Utah, acting in an individual or household context |
Who has to comply with state-level US data privacy laws?
State privacy laws are primarily aimed at businesses, i.e. commercial enterprises intended to earn revenue. Those that obtain revenue from selling personal data are particularly expected to comply. While the number of people whose data is sold is a common criterion, a company revenue threshold is only used in some laws and is increasingly being left out of states’ legislation.
Who is exempt from complying with state-level US data privacy laws?
Some of the laws also explicitly exempt small businesses. All of the laws have other exemptions, mainly for personal data covered under other laws, like that collected and processed by healthcare and financial institutions. Nonprofits and institutions of higher education are also often exempt (though not in all states), so as always, requirements of specific laws should be checked with input from qualified legal counsel.
All the thresholds listed below, except where noted, are for a calendar year or the preceding calendar year.
State | Compliance Thresholds |
--- | --- |
California (CCPA/CPRA) | – have gross annual revenue greater than US $25 million in the preceding calendar year or – alone or in combination, annually buy, sell or share the personal data of 100,000 or more consumers or households or – derive 50% or more of annual revenue from selling or sharing consumers’ personal data |
Colorado | – process personal data of at least 100,000 consumers or – process personal data of at least 25,000 consumers and – derive at least 50% of gross revenue from selling personal data |
Connecticut | – process personal data of at least 100,000 consumers or – process personal data of at least 25,000 consumers and – receive a discount on goods or services from selling personal data |
Delaware | – control or process personal data of at least 35,000 Delaware residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction or – control or process personal data of at least 10,000 Delaware residents and – derived more than 20 percent of gross revenue from the sale of personal data |
Florida | – are organized or operated for the profit or financial benefit of its shareholders or owners – conduct business in the state of Florida – collect personal data about consumers, or is the entity on behalf of which such information is collected – determines the purposes and means of processing personal data about consumers alone or jointly with others – makes in excess of USD 1 billion on global gross annual revenues and satisfies at least one of the following: – derive 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online – operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to cloud computing service that uses hands-free verbal activation – operate an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install |
Indiana | – control or process personal data of at least 100,000 Indiana residents – control or process personal data of at least 25,000 Indiana residents and – derive over 50 percent of gross revenue from the sale of personal data |
Iowa | – control or process personal data of at least 100,000 consumers or – control or process personal data of more than 25,000 consumers and – derive over 50 percent of gross revenue from the sale of personal data |
Kentucky | – control or process personal data of at least 100,000 consumers or – control or process personal data of at least 25,000 consumers and – derive over 50 percent of gross revenue from the sale of personal data |
Maryland | – control or process the personal data of at least 35,000 consumers, excluding personal data controlled or processed only for completing a payment transaction or – control or process the personal data of at least 10,000 consumers and – derive more than 20 percent of their gross revenue from the sale of personal data |
Minnesota | – control or process personal data of at least 100,000 consumers or – control or process personal data of at least 25,000 consumers and – derive over 50 percent of gross revenue from the sale of personal data – not a small business as defined under the U.S. Small Business Act, unless they are engaged in the sale of sensitive data without consumer consent |
Montana | – control or process the personal data of at least 35,000 consumers, excluding personal data controlled or processed only for completing a payment transaction or – control or process the personal data of at least 10,000 consumers and – derive more than 20 percent of their gross revenue from the sale of personal data |
Nebraska | – process or engage in the sale of personal data – not a small business as defined under the U.S. Small Business Act, unless they are engaged in the sale of sensitive data without consumer consent |
Nevada | – own or operate a website or an online service for business purposes and – collect and maintain the personal information of consumers who reside in Nevada and use or visit the website or the online service; and – engage in activities catered towards Nevada and conduct transactions with the State of Nevada, or its consumers or residents; and – have more than 20,000 visitors per year |
New Hampshire | – control or process personal data of 100,000 or more consumers, excluding data for the purpose of completing payment transactions or – control or process personal data of 25,000 or more consumers and – derive 25 percent or more of the gross revenue from selling personal data *The first state that does not limit the amount of data to a specific time period, e.g. “preceding calendar year” |
New Jersey | – control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction or – control or process the personal data of at least 25,000 consumers and – derive revenue or receive a discount on the price of any goods or services from the sale of personal data |
Oregon | – controls or processes personal data of at least 100,000 consumers or – controls or processes personal data of at least 25,000 or more consumers and – derive 25 percent or more of the annual gross revenue from selling personal data |
Rhode Island | – control or process the personal information of at least 10,000 Rhode Island consumers and – derive more than 20 percent of their gross revenue from the sale of personal information |
Tennessee | – exceed USD 25 million in revenue and – control or process the personal information of at least 25,000 Tennessee consumers and – derive more than 50 percent of their gross revenue from the sale of personal information or – control or process the personal information of at least 175,000 Tennessee residents during a calendar year |
Texas | – conducting business in Texas or generating products or services consumed by Texas residents and – processing or engaging in the sale of personal data and – not identifying as a small business as defined by the U.S. Small Business Administration (independent for-profit entity with fewer than 500 employees) |
Virginia | – process personal data of at least 100,000 consumers or – process personal data of at least 25,000 consumers and – derive at least 50 percent of gross annual revenue from selling personal data |
Utah | – gross annual revenue of at least USD 25 million and – process personal data of at least 100,000 consumers or – process personal data of at least 25,000 consumers and – derive at least 50 percent of gross revenue from selling personal data |
Who is the enforcement authority in US states with data privacy laws?
Each state manages enforcement of the data privacy law, including investigations and penalties. The creation of the California Privacy Protection Agency was included in the CPRA, but to date it is the only state with a separate agency to enforce privacy law. All the other states have these functions under the Attorney General’s office.
What are the penalties for violation or noncompliance with the US state privacy laws?
Most penalties are monetary, though some can include cessation of data processing. Some of the privacy laws specify fine amounts, and others defer to laws governing deceptive trade practices, or to the Attorney General’s discretion. Outside of official channels, companies can also suffer loss of brand reputation, customer trust, and, ultimately, revenue as the result of a publicized violation or data breach.
Do the US state privacy laws provide a cure period for violations?
Most of the state-level US data privacy laws provide companies with a “right to cure”, which is a specific number of days during which they have the opportunity to fix any violation they’ve been notified about without being penalized for it. If they don’t cure the violation, proceedings to levy fines and/or other penalties can then commence.
Some laws have put a time limit of one to two years on the cure period, specifying a sunset date. After that time, companies will not have a right to cure, but can be granted a cure period at the Attorney General’s discretion. In some cases, like with repeat or willful (known) violations, there is no cure period.
State | Fines, Penalties, and Cure Periods |
--- | --- |
California (CCPA/CPRA) | – up to USD 2,500 for each violation (e.g. negligence) or USD 7,500 for willful violations – fines for violations involving minors increased to USD 7,500 from USD 2,500 – provides consumers with private right of action only when their unencrypted or unredacted personal information is breached – no cure period |
Colorado | – fines not specified under the CPA, penalties governed by the Colorado Consumer Protection Act – from USD 2,000 to USD 20,000 per violation, or between USD 10,000 to USD 50,000 per violation against an elderly person – 60-day cure period (sunsets January 1, 2025) – violations can lead to criminal charges |
Connecticut | – fines not specified under the CTDPA, penalties governed by the Connecticut Unfair Trade Practices Act (CUTPA) – USD 5,000 for willful violations – restraining orders, which can lead to cessation of data collection (violation of a restraining order could result in an additional USD 25,000 penalty) – 60-day cure period (sunsets December 1, 2024) |
Delaware | – fines not specified under the DPDPA, but the regulation references Subchapter II of Chapter 25 of Title 29, which provides the Attorney General standing to investigate, initiate administrative proceedings, sanction unlawful conduct, and/or seek remedies on behalf of the state for violations – willful violations can result in fines up to USD 10,000 per violation |
Florida | – fines not specified under the FDBR, as violations are considered deceptive trade practices – fines up to USD 50,000 per violation – penalties can be tripled if: – the violation is against a known child – controller fails to delete personal data after receiving an authenticated consumer request (or a processor receives instructions to do so from a controller) – controller continues to sell or share a consumer’s personal data after the consumer has opted out – 45-day cure period at the discretion of the Attorney General (no sunset date), unless the violation involves a known child, in which case there is no cure period – includes prohibition that no government entity can request that a social media platform remove content or user accounts unless the content or account is used to commit a crime or otherwise violates Florida public records law |
Indiana | – fines up to USD 7,500 per violation – 30-day cure period (no sunset date) |
Iowa | – fines up to USD 7,500 per violation (paid into the fund for consumer education and litigation) – 90-day cure period (no sunset date) |
Kentucky | – fines up to USD 7,500 per violation – 30-day cure period (no sunset date) |
Maryland | – fines up to USD 10,000 per violation, fines for repeat violations up to USD 25,000 for each subsequent violation – 60-day cure period (sunsets April 1, 2027) – individuals do not have private right of action, but MODPA specifically notes that they are not prohibited from pursuing any other remedy provided by law |
Minnesota | – fines up to USD 7,500 per violation – 30-day cure period (sunsets July 31, 2026) |
Montana | – fines not specified under the MTCDPA, but notes that the Attorney General can “bring an action” – 60-day cure period (sunsets April 1, 2026) |
Nebraska | – fines up to USD 7,500 per violation – 30-day cure period (no sunset date) |
Nevada | – violations are considered deceptive trade practices, so NRS 598A applies – fines up to USD 5,000 per violation (which can mean per website visitor) – a data collector can pursue damages against a person or entity that has unlawfully obtained or benefitted from personal data obtained from the data collector’s records, which may include: – reasonable costs of notification – reasonable attorneys’ fees – costs and punitive damages where appropriate – 30-day cure period (no sunset date) – the Attorney General or any county’s district attorney can bring action against a suspected violator, enabling them to obtain a temporary or permanent injunction against the violating activity, including cessation of data collection |
New Hampshire | – fines not specified under the NHPA, as violations are considered deceptive trade practices, but the regulation references Section 358-A:2 – Attorney General can seek civil penalties up to USD 10,000 per violation – 60-day cure period (sunsets January 1, 2026) |
New Jersey | – fines up to USD 10,000 for an initial violation and up to USD 20,000 for subsequent violations – 30-day cure period (sunsets July 16, 2026) |
Oregon | – fines up to USD 7,500 per violation – 30-day cure period (sunsets January 1, 2026) |
Rhode Island | – fines up to USD 10,000 per violation – 30-day cure period (sunsets January 31, 2026) |
Tennessee | – fines up to USD 15,000 per violation – fines can be up to three times higher for willful violations – 60-day cure period (no sunset date) |
Texas | – fines up to USD 7,500 per violation – 30-day cure period (no sunset date) |
Virginia | – fines up to USD 7,500 per violation – 30-day cure period (no sunset date) |
Utah | – fines up to USD 7,500 per violation – 30-day cure period (no sunset date) |
How are consent and Global Privacy Control managed under the US data privacy laws?
Opt-in consent means that in most cases a business or other organization must obtain informed, valid consent from users and customers (data subjects) before collecting or processing their personal data. Opt-out consent means that in most cases a business can collect and use data subjects’ personal data without first obtaining consent.
Under state privacy laws, data subjects must have the option to opt out of sale, sharing, targeted advertising, profiling, automated decision-making, or other use of their personal data, depending on the specific data privacy law. Under most of the US privacy laws, prior consent is required if the data to be processed is categorized as sensitive or belongs to a known child. Most of the laws defer to the Children’s Online Privacy Protection Act (COPPA) regarding access to and use of children’s personal data.
What are the notification requirements under US data privacy laws?
All of the American privacy laws require that data subjects be notified under all circumstances about what data is collected, for what purposes, who it’s shared with, etc. The United States is the main country utilizing an opt-out consent model. In much of the rest of the world, the opt-in model is the standard.
Are companies required to recognize the Global Privacy Control under US state privacy laws?
The Global Privacy Control (GPC), or universal opt-out mechanism, enables individuals to set their consent preferences once in their web browser and have those preferences respected automatically by every website they subsequently visit. Some of the state-level data privacy laws stipulate that this signal must be respected, and others do not reference it at all. Some states have provided a grace period of a year or so before GPC signals must be respected.
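GPC is the one mechanism in this section that a site has to implement in code, so here is an added example (not from the article or any state's guidance) of reading the signal and folding it into an opt-out decision. The `Sec-GPC` request header and the `navigator.globalPrivacyControl` property come from the GPC specification; the consent-record shape, the function names and the default list of activities the signal is mapped to are assumptions made for this example.

```javascript
// Added example (not from the article): honouring the Global Privacy Control
// (GPC) signal on the server side. A browser with GPC enabled sends the
// request header "Sec-GPC: 1" and exposes navigator.globalPrivacyControl === true
// to page scripts; both come from the GPC specification. The consent-record
// shape, the function names and the default set of activities the signal is
// mapped to are assumptions made for this example.

// Opt-outs the article lists: sale, sharing, targeted advertising, profiling.
const ALL_ACTIVITIES = ["sale", "sharing", "targetedAdvertising", "profiling"];

// Activities a GPC signal is mapped to by default. Which activities a
// universal opt-out must cover differs by state, so callers supply their own
// list where it differs; this default is an assumption, not a reading of law.
const DEFAULT_GPC_ACTIVITIES = ["sale", "sharing", "targetedAdvertising"];

// The specification gives meaning only to the exact value "1". A missing
// header, an empty value, "0" or anything else carries no opt-out signal.
// Header names are case-insensitive; some frameworks hand over arrays of
// values, so the first value is used.
function gpcOptOutFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      const first = Array.isArray(value) ? value[0] : value;
      return String(first).trim() === "1";
    }
  }
  return false;
}

// Client-side counterpart. Guarded so it is safe in Node, where a navigator
// global may exist without a globalPrivacyControl property.
function gpcOptOutFromNavigator() {
  return typeof navigator !== "undefined" && navigator.globalPrivacyControl === true;
}

// Merge the consumer's stored choices with the GPC signal. A stored opt-out
// is never undone by the absence of a signal (the explicit request stands),
// and a present signal adds opt-outs for the mapped activities. Each result
// records its source so the decision can be audited later.
function resolveOptOut(storedPrefs, headers, gpcActivities = DEFAULT_GPC_ACTIVITIES) {
  const stored = storedPrefs || {};
  const signal = gpcOptOutFromHeaders(headers);
  const decision = { gpcSignalPresent: signal, optOut: {}, sources: {} };
  for (const activity of ALL_ACTIVITIES) {
    const byChoice = stored[activity] === true;
    const bySignal = signal && gpcActivities.includes(activity);
    decision.optOut[activity] = byChoice || bySignal;
    decision.sources[activity] =
      byChoice && bySignal ? "stored+gpc" : byChoice ? "stored" : bySignal ? "gpc" : "none";
  }
  return decision;
}

// Gate for the tag/analytics layer: a third-party script that performs any
// opted-out activity must not load.
function mayRunTag(decision, tagActivities) {
  return tagActivities.every((activity) => decision.optOut[activity] !== true);
}

// Constructed sample request: GPC enabled, and the consumer earlier opted out
// of profiling through the site's own preference page.
const sampleHeaders = { "Sec-GPC": "1", "User-Agent": "constructed-sample" };
const samplePrefs = { profiling: true };
const sampleDecision = resolveOptOut(samplePrefs, sampleHeaders);

console.log(JSON.stringify(sampleDecision));
console.log("ad tag allowed:", mayRunTag(sampleDecision, ["targetedAdvertising"]));
```

The source map is what an auditor asks for when a consumer disputes how their preference was handled, so keep it alongside the decision rather than only the final booleans.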
State | Consent Model |
--- | --- |
California (CCPA/CPRA) | – opt out in most cases – “Do Not Sell Or Share My Personal Information” link required on websites – If sensitive personal information is processed, “Limit the Use of My Sensitive Personal Information” link required on websites – prior consent required for sensitive or children’s personal data |
Colorado | – opt out in most cases – prior consent required for sensitive or children’s personal data |
Connecticut | – opt out in most cases – if a controller sells personal data to third parties or processes it for targeted advertising, the controller must provide a “clear and conspicuous link” on their website that enables consumers to opt out of either of those activities (explicit wording for the link is not specified) – prior consent required for sensitive or children’s personal data |
Delaware | – opt out in most cases – controllers must provide “a clear and conspicuous link on the controller’s Internet web site to an Internet web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or the sale of the consumer’s personal data” – prior consent required for sensitive or children’s personal data |
Florida | – opt out in most cases – prior consent required for sensitive or children’s personal data – definition of a child is anyone under the age of 18 (under 13 is the standard under most of the state-level privacy laws) |
Indiana | – opt out in most cases – prior consent required for sensitive or children’s personal data |
Iowa | – opt out in most cases – prior consent required for sensitive or children’s personal data |
Kentucky | – opt out in most cases – prior consent required for sensitive or children’s personal data |
Maryland | – opt out in most cases – prior consent required for sensitive or children’s personal data – sale of sensitive data or children’s data is banned without exception |
Minnesota | – opt out in most cases – prior consent required for sensitive or children’s personal data |
Montana | – opt out in most cases – prior consent required for sensitive or children’s personal data |
Nebraska | – opt out in most cases – prior consent required for sensitive or children’s personal data |
Nevada | – opt out |
New Hampshire | – opt out in most cases – prior consent required for sensitive or children’s personal data |
New Jersey | – opt out in most cases – prior consent required for sensitive or children’s personal data |
Oregon | – opt out in most cases – prior consent required for sensitive or children’s personal data |
Rhode Island | – opt out in most cases – prior consent required for sensitive or children’s personal data |
Tennessee | – opt out in most cases – prior consent required for sensitive or children’s personal data |
Texas | – opt out in most cases – prior consent required for sensitive or children’s personal data |
Virginia | – opt out in most cases – prior consent required for sensitive or children’s personal data |
Utah | – opt out in most cases – prior consent required for sensitive or children’s personal data |
What are the privacy notice/policy requirements of the US state privacy laws?
While in many cases the data privacy laws in the US do not require consent before data collection or use, all of them require users to be notified with information about what data is collected, for what purposes, what parties it gets shared with, what consumers’ rights are and how to exercise them, etc. This is most commonly presented in a privacy notice or privacy policy.
State | Privacy Notice/Policy Requirements |
--- | --- |
California (CCPA/CPRA) | |
Colorado | – controllers must include an accessible, clear, and meaningful privacy notice, which must include the following information: |
Connecticut | – controllers must include an accessible, clear, and meaningful privacy notice, which must include the following information: |
Delaware | – a controller must include an accessible, clear, and meaningful privacy notice, which must include all of the following information: – categories of personal data processed – purpose(s) for processing personal data – how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request – categories of personal data that the controller shares with third parties, if any – categories of third parties with which the controller shares personal data, if any – an active electronic mail address or other online mechanism that the consumer may use to contact the controller, including to submit a request – if the controller sells personal data to third parties or processes personal data for targeted advertising, they must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing |
Florida | – data controller must include an accessible and simple to read privacy notice on their website, which must contain at least the following information: |
Indiana | – a controller must include an accessible, clear, and meaningful privacy notice, which must contain at least the following information: |
Iowa | – data processors must include an accessible and simple to read privacy notice on their website, which must contain at least the following information: |
Kentucky | – controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: |
Maryland | – controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: |
Minnesota | – controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: |
Montana | – controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: |
Nebraska | – a controller shall provide each consumer with a reasonably accessible and clear privacy notice that includes: |
Nevada | – data processors need to provide an accessible and simple to read privacy notice on their website, which must contain at least the following information: |
New Hampshire | – a controller shall provide each consumer with a reasonably accessible, clear, and meaningful privacy notice that includes: |
New Jersey | – an operator that collects the personally identifiable information of a consumer through a commercial Internet website or an online service shall provide on its commercial Internet website or online service, notification to a consumer that shall include, but not be limited to: |
Oregon | – a controller must provide an accessible, clear, and meaningful privacy notice on their website, which must contain at least the following information: |
Rhode Island | – controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: |
Tennessee | – upon receipt of an authenticated consumer request, a controller must provide the consumer with a reasonably accessible, clear, and meaningful privacy notice that includes: – toll-free telephone number – email address – web form – a clear and conspicuous link on the controller’s main internet homepage to an internet webpage that enables a consumer to exercise their rights |
Texas | – a controller must provide consumers with a reasonably accessible and clear privacy notice that includes: |
Virginia | – controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: – categories of personal data processed – purpose(s) for processing personal data – how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request – categories of personal data that the controller shares with third parties, if any – categories of third parties, with whom the controller shares personal data, if any – if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing – one or more secure and reliable means for consumers to submit a request to exercise their consumer rights |
Utah | – a controller must provide an accessible and clear privacy notice, which must contain at least the following information: – categories of personal data processed – purpose(s) for processing personal data – how consumers can exercise their consumer rights – categories of personal data that the controller shares with third parties, if any – categories of third parties with whom the controller shares personal data, if any – if a controller sells a consumer’s personal data to one or more third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out of the sale of the consumer’s personal data or processing for targeted advertising |
How is personal data defined under US state privacy laws?
Information is generally considered personal data or personal information if it can identify a person, either by itself or in combination with other data points (e.g. name, address, credit card number, IP address). There are differences between what is categorized as personal data and what is categorized as personally identifiable information.
How is sensitive personal information defined and handled under US data privacy laws?
Many US data privacy laws also give explicit consideration to “sensitive personal data”, which can include information belonging to children, or information about racial or ethnic origin, medical or genetic data, sexual orientation, etc. Generally, this category covers information that is especially likely to be used to cause discrimination or harm if misused.
Typically, sensitive personal information (and children’s information) requires consent before it can be collected or processed, as well as additional security measures. Specific US data privacy laws should be checked for their definitions of and requirements for sensitive personal data. Data that is publicly available, like government records, is not typically considered personal data.
State | Definition of Personal Data/Information |
California (CCPA/CPRA) | “…information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (Examples in Section 1798.140 CCPA) |
Colorado | “…information that is linked or reasonably linkable to an identified or identifiable individual… does not include de-identified data or publicly available information.” |
Connecticut | “…any information that is linked or reasonably linkable to an identified or identifiable individual… does not include de-identified data or publicly available information.” |
Delaware | “…any information that is linked or reasonably linkable to an identified or identifiable individual… does not include de-identified data or publicly available information.” |
Florida | Personal data: “…information that is linked or reasonably linkable to an identified or identifiable child, including biometric information and unique identifiers to the child.” Personal information: “…any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information.” |
Indiana | “…information that is linked or reasonably linkable to an identified or identifiable individual… does not include: (1) de-identified data (2) aggregate data (3) publicly available information” |
Iowa | “…any information that is linked or reasonably linkable to an identified or identifiable natural person… does not include de-identified or aggregate data or publicly available information.” |
Kentucky | “…any information that is linked or reasonably linkable to an identified or identifiable natural person… does not include de-identified data or publicly available information.” |
Maryland | “…any information that is linked or can be reasonably linked to an identified or identifiable consumer… does not include de-identified data or publicly available information.” |
Minnesota | “… any information that is linked or reasonably linkable to an identified or identifiable natural person… does not include deidentified data or publicly available information.” |
Montana | “…any information that is linked or reasonably linkable to an identified or identifiable individual… does not include deidentified data or publicly available information.” |
Nebraska | “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, and includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual… does not include deidentified data or publicly available information” |
Nevada | Covered information: “…any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator or a data broker in an accessible form: 1. A first and last name. 2. A home or other physical address which includes the name of a street and the name of a city or town. 3. An electronic mail address. 4. A telephone number. 5. A social security number. 6. An identifier that allows a specific person to be contacted either physically or online. 7. Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable.” |
New Hampshire | “…any information that is linked or reasonably linkable to an identified or identifiable individual… does not include deidentified data or publicly available information.” |
New Jersey | “…any information that is linked or reasonably linkable to an identified or identifiable individual… does not include deidentified data or publicly available information.” |
Oregon | “…data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household… does not include deidentified data or data that is lawfully available through federal, state or local government records or through widely distributed media; or a controller reasonably has understood to have been lawfully made available to the public by a consumer.” |
Rhode Island | “… any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.” |
Tennessee | “…information that identifies, relates to, or describes a particular consumer or is reasonably capable of being directly or indirectly associated or linked with a particular consumer… does not include information that is: publicly available information; or de-identified or aggregate consumer information” (Examples in Section 2, 47-18-3201, 16B) |
Texas | “…any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information.” |
Virginia | “…any information that is linked or reasonably linkable to an identified or identifiable natural person… does not include de-identified data or publicly available information.” |
Utah | “…information that is linked or reasonably linkable to an identified individual or an identifiable individual… does not include deidentified data, aggregated data, or publicly available information.” |
What are consumers’ rights under the states’ data privacy laws?
Some rights are consistent across all of the state-level US data privacy laws to date, though some laws get more granular than others. California is currently the only state that enables consumers to sue for a data breach in specific circumstances (private right of action). Not all data privacy laws enable portability of one’s data, either.
How do companies have to handle consumer requests under the US state privacy laws?
It is common for businesses to have 45 days from receiving a consumer’s request to exercise their rights to fulfill it, with an option to extend that period under certain circumstances. Specific US data privacy laws should be reviewed to confirm the exact time frame for responding to requests, the available extensions, and any grounds for refusing requests. Businesses should also be familiar with each law’s specific consumer rights so that consumers can exercise them or appeal a decision.
State | Consumers’ Rights |
California (CCPA/CPRA) | |
Colorado | |
Connecticut | |
Delaware | |
Florida | |
Indiana | |
Iowa | |
Kentucky | |
Maryland | |
Minnesota | |
Montana | |
Nebraska | |
Nevada | |
New Hampshire | |
New Jersey | |
Oregon | |
Rhode Island | |
Tennessee | |
Texas | |
Virginia | |
Utah | |
What are the requirements for consent management to comply with US data privacy laws?
The US data privacy laws to date all use an opt-out model of consent that, in most cases, does not require businesses to obtain consent before collecting personal data, with the typical exceptions being sensitive data and data belonging to known children. However, the laws do consistently require that consumers be notified about data collection and use and be given an option to opt out (of collection, of the sale or sharing of their personal data, or of targeted advertising or profiling, depending on the law), along with instructions and at least one mechanism to contact the company with requests or complaints.
That said, a number of the states’ regulations don’t specify how consent or opting out must be handled, what form that needs to take, etc. A high-performance Consent Management Platform, like Usercentrics CMP, can help companies flexibly and scalably provide the required notifications and consent options for the states where they need to comply with privacy regulations.
State | Consent Management Requirements |
California (CCPA/CPRA) | – clearly and conspicuously display a link reading “Do Not Sell Or Share My Personal Information” to enable consumers to submit an opt out request – must honor the Global Privacy Signal |
Colorado | – clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request – by January 1st, 2025, websites must be able to honor preference signals that communicate the consumer’s opt out choice (Global Privacy Control) |
Connecticut | – no specific requirements regarding how an opt out option needs to be presented – must honor a Universal Opt-Out Mechanism |
Delaware | – clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request – must honor a Universal Opt-Out Mechanism (as of January 2025) |
Florida | – no specific requirements regarding how an opt out option needs to be presented, except for “methods must be secure, reliable, and clearly and conspicuously accessible” – if a controller engages in the sale of sensitive personal data, the controller must provide the following notice: “NOTICE: This website may sell your sensitive personal data.” – if a controller engages in the sale of personal data that is biometric data, the controller must provide the following notice: “NOTICE: This website may sell your biometric personal data.” |
Indiana | – no specific requirements regarding how an opt out option needs to be presented |
Iowa | – no specific requirements regarding how an opt out option needs to be presented |
Kentucky | – no specific requirements regarding how an opt out option needs to be presented |
Maryland | – clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request – must honor a Universal Opt-Out Mechanism |
Minnesota | – a clear and conspicuous method outside the privacy notice for a consumer to opt out: “This method may include but is not limited to an Internet hyperlink clearly labeled “Your Opt-Out Rights” or “Your Privacy Rights” that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request” – must honor a Universal Opt-Out Mechanism |
Montana | – clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request – must honor a Universal Opt-Out Mechanism |
Nebraska | – no specific requirements regarding how an opt out option needs to be presented – must honor a Universal Opt-Out Mechanism |
Nevada | – no specific requirements regarding how an opt out option needs to be presented – privacy policy is required |
New Hampshire | – clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request – must honor a Universal Opt-Out Mechanism |
New Jersey | – clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request – must honor a Universal Opt-Out Mechanism (with specific reference for user profiling) |
Oregon | – clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request – must honor a Universal Opt-Out Mechanism (as of January 2026) |
Rhode Island | – no specific requirements regarding how an opt out option needs to be presented |
Tennessee | – clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request |
Texas | – clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request – must honor a Universal Opt-Out Mechanism |
Virginia | – no specific requirements regarding how an opt out option needs to be presented |
Utah | – no specific requirements regarding how an opt out option needs to be presented, aside from that the controller must clearly and conspicuously provide an option on the website that enables the consumer to submit an opt out request |
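The table above says which states require controllers to honor a universal opt-out mechanism such as Global Privacy Control (GPC). The following is an added example, not code from the article or from Usercentrics, of a server-side helper that reads the GPC signal (sent by the browser as the `Sec-GPC: 1` request header, and exposed in-page as `navigator.globalPrivacyControl`) and decides whether sale/sharing and targeted advertising must be switched off. The per-state table and its effective dates are taken from the article as written and are assumed current only as of that date; the function names and the sample requests are constructed for this example.

```javascript
// States whose laws require honoring a universal opt-out signal, per the
// article's consent-management table (assumed current as of the article).
// A date string means the requirement applies from that date onward.
const UOOM_REQUIRED = {
  CA: true, CO: '2025-01-01', CT: true, DE: '2025-01-01', MD: true, MN: true,
  MT: true, NE: true, NH: true, NJ: true, OR: '2026-01-01', TX: true,
};

// Parse the Sec-GPC header. Only the exact value "1" is an opt-out signal;
// an absent, "0" or malformed header is "no signal", never "consent".
function gpcSignalPresent(headers) {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return typeof raw === 'string' && raw.trim() === '1';
}

// Is honoring the signal legally required for this state on this date?
function uoomRequiredFor(state, now) {
  const rule = UOOM_REQUIRED[state];
  if (rule === true) return true;
  if (typeof rule === 'string') return now >= new Date(rule);
  return false;
}

// Decide what a request handler may still do. Because a controller rarely
// knows a visitor's state with certainty, the default (honorEverywhere) is to
// respect the signal for every visitor, not only where the law compels it.
function resolveOptOut(headers, { state, now = new Date(), honorEverywhere = true } = {}) {
  const signal = gpcSignalPresent(headers);
  const required = uoomRequiredFor(state, now);
  const optOut = signal && (required || honorEverywhere);
  return { signal, required, allowSaleOrShare: !optOut, allowTargetedAds: !optOut };
}

// Constructed sample requests (not real traffic) to show the decisions.
const SAMPLE_REQUESTS = [
  { label: 'Texas visitor with GPC', headers: { 'sec-gpc': '1' }, state: 'TX' },
  { label: 'Oregon visitor with GPC, mid-2025', headers: { 'sec-gpc': '1' }, state: 'OR', now: new Date('2025-06-01') },
  { label: 'Virginia visitor with GPC, strict-minimum mode', headers: { 'sec-gpc': '1' }, state: 'VA', honorEverywhere: false },
  { label: 'California visitor, no signal', headers: {}, state: 'CA' },
];
for (const r of SAMPLE_REQUESTS) {
  console.log(r.label, resolveOptOut(r.headers, r));
}
```

Note that the Oregon sample is honored even though that state's requirement only starts in 2026: the default mode treats the signal as the consumer's choice regardless of where the law currently compels it.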
FAQ