Comparison guide to US state level data privacy laws

US data privacy laws by state: rights and requirements

The US has federal privacy legislation, but still no comprehensive federal privacy law. 2023 saw the most new US data privacy laws passed to date at a state level, and 2024 is on track to exceed it. We compare what US data privacy laws mean for consumers and businesses.
by Usercentrics
Feb 15, 2023

California passed the first US state data privacy law in 2018 with the California Consumer Privacy Act (CCPA), the same year the General Data Protection Regulation (GDPR) came into force. Progress beyond that state was slow for the next several years, with the Virginia Consumer Data Protection Act (VCDPA) being the main state-level regulation passed.

 

New momentum started in 2023, with six states passing laws. The European Union and United States also replaced the struck-down Privacy Shield with their new data privacy framework: the EU-U.S. Data Privacy Framework.

 

The momentum continued into 2024, with more US state data privacy laws being passed and federal legislation being made public for review. As of mid-2024, several state-level laws are scheduled to come into effect in 2026. More laws are close to being passed as well, although it is unlikely that the American Privacy Rights Act (APRA) — the proposed federal law — will be passed in 2024.

 

We are also seeing more topically specific laws being proposed or passed in the US, like the Washington My Health My Data Act, and the AI Act in Colorado, which already has the Colorado Privacy Act (CPA).


What states have data privacy laws?

There is a long way to go before US states with data privacy laws are the majority, or a federal law is passed that supplants them. However, momentum is growing, and states drafting legislation now have a substantial number of implemented regulations to draw from, as well as a wealth of evolving thought regarding data privacy, technology, and consumers’ rights.

 

 

To date, all the data privacy laws in the US at a state level have implemented an opt-out consent model, so in most cases personal data can be collected and processed without consent, though individuals have the right to opt out of sale, sharing, targeted advertising, and/or profiling, depending on the specific regulation. California remains the only state to enable a private right of action, allowing consumers to directly sue companies for damages if they are involved in a data breach or other violation.


Which modern US state privacy laws are considered comprehensive?

Due to its somewhat more narrow focus and broader exclusions, the Florida Digital Bill of Rights (FDBR) is not considered among the comprehensive modern data privacy laws in the US. The same goes for the Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) and Amendment SB-260, though that law is older and predates even California’s CCPA.

 

What are the compliance requirements for US state privacy laws?

Compliance threshold standards vary across states, with thresholds like company revenue not being included in more recently passed laws. We are also seeing advancements in technology and social issues being reflected in the laws, e.g. with more explicit considerations for “automated decision-making” (e.g. AI tools) and inclusion of information like gender identity under the category of sensitive data.

 

While some of the US data privacy laws tout themselves as being more “business-friendly” or more strict, they all remain fairly similar. It is important, however, to consult with qualified legal counsel or a data privacy expert to ensure that your business meets the requirements for all states where it’s required to comply with regulations.

 

Let’s look at a comparison of the US data privacy laws at the state level and what they mean for businesses and consumers.


What are the effective dates of the US state privacy laws?

US data privacy laws tend to draw on existing privacy regulations when they’re drafted. When the CCPA was drafted, there were fewer models than when other US state data privacy legislation was in progress. However, the GDPR was already in effect in 2018 when the CCPA was passed.

 

Typically, there is a lead time of a couple of years between when legislation is passed and the law comes into effect, giving businesses and other organizations time to familiarize themselves with the law’s contents and requirements. However, with recently passed laws, that period of time is getting shorter, with the Nebraska Data Privacy Act (NDPA) coming into effect less than nine months after being signed into law by the governor, for example.

 

| State | Name of Regulation | Effective Date |
| --- | --- | --- |
| California* | California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA) | January 1, 2020; updated January 1, 2023 |
| Colorado | Colorado Privacy Act (CPA) | July 1, 2023 |
| Connecticut | Connecticut Data Privacy Act (CTDPA) | July 1, 2023 |
| Delaware | Delaware Personal Data Privacy Act (DPDPA) | January 1, 2025 |
| Florida | Florida Digital Bill of Rights (FDBR) | July 1, 2024 |
| Indiana | Indiana Consumer Data Protection Act (INCDPA) | July 1, 2026 |
| Iowa | Iowa Consumer Data Protection Act (ICDPA) | January 1, 2025 |
| Kentucky | Kentucky Consumer Data Protection Act (KCDPA) | January 1, 2026 |
| Maryland | Maryland Online Data Privacy Act (MODPA) | October 1, 2025 |
| Minnesota | Minnesota Consumer Data Privacy Act (MCDPA) | July 31, 2025 |
| Montana | Montana Consumer Data Privacy Act (MTCDPA) | October 24, 2024 |
| Nebraska | Nebraska Data Privacy Act (NDPA) | January 1, 2025 |
| Nevada | Nevada Privacy of Information Collected on the Internet from Consumers Act and Amendment SB-260 (NPICICA & SB-260) | July 1, 2017; October 1, 2021 |
| New Hampshire | New Hampshire Privacy Act (NHPA) | January 1, 2025 |
| New Jersey | New Jersey Data Privacy Act (NJDPA) | January 16, 2024 |
| Oregon | Oregon Consumer Privacy Act (OCPA) | July 1, 2024 |
| Rhode Island | Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA) | January 1, 2026 |
| Tennessee | Tennessee Information Protection Act (TIPA) | July 1, 2025 |
| Texas | Texas Data Privacy and Security Act (TDPSA) | July 1, 2024 |
| Virginia | Virginia Consumer Data Protection Act (VCDPA) | January 1, 2023 |
| Utah | Utah Consumer Privacy Act (UCPA) | December 31, 2023 |

*The California Privacy Rights Act (CPRA) amends and expands the California Consumer Privacy Act (CCPA). In this article, they will be displayed as one regulation, and we will include the most up to date requirements, i.e. those introduced with the CPRA.

Who is protected in US states with data privacy laws?

Data privacy laws passed by these states are designed primarily to protect consumers, the data subjects from whom businesses and other organizations collect personal data. These days that data comes from an increasing number of sources as we live and work more and more online. Web browsers, mobile devices, connected appliances, and more all result in consumers generating vast amounts of data about their identities, preferences, and activities every day.

 

The US data privacy laws apply to residents of the state in question. This means that a company does not need to be headquartered in a state, or even have an office there, to be subject to the state’s privacy law, if their users or customers include residents of that state. Many of the state-level laws explicitly protect people and their data in a personal or household context, excluding those acting in a commercial or employment context (which is covered by other laws).

 

| State | Protected Parties |
| --- | --- |
| California (CCPA/CPRA) | Residents of California, acting in an individual or household context, with specific rights for people acting in an employment context |
| Colorado | Residents of Colorado, acting in an individual or household context |
| Connecticut | Residents of Connecticut, acting in an individual or household context |
| Delaware | Residents of Delaware, acting in an individual or household context |
| Florida | Residents of Florida, acting in an individual or household context |
| Indiana | Residents of Indiana, acting in an individual or household context |
| Iowa | Residents of Iowa, acting in an individual or household context |
| Kentucky | Residents of Kentucky, acting in an individual or household context |
| Maryland | Residents of Maryland, acting in an individual or household context |
| Minnesota | Residents of Minnesota, acting in an individual or household context |
| Montana | Residents of Montana, acting in an individual or household context |
| Nebraska | Residents of Nebraska, acting in an individual or household context |
| Nevada | Residents of Nevada in their online activities |
| New Hampshire | Residents of New Hampshire, acting in an individual or household context |
| New Jersey | Residents of New Jersey, acting in an individual or household context |
| Oregon | Residents of Oregon, acting in an individual or household context |
| Rhode Island | Residents of Rhode Island, acting in an individual or household context |
| Tennessee | Residents of Tennessee, acting in an individual or household context |
| Texas | Residents of Texas, acting in an individual or household context |
| Virginia | Residents of Virginia, acting in an individual or household context |
| Utah | Residents of Utah, acting in an individual or household context |

Who has to comply with state-level US data privacy laws?

State privacy laws are primarily aimed at businesses, i.e. commercial enterprises intended to earn revenue. Those that obtain revenue from selling personal data have a particular obligation to comply. While the number of people whose data is sold is a common criterion, a company revenue threshold is only in use for some laws, and is increasingly being left out of states’ legislation.

Who is exempt from complying with state-level US data privacy laws?

Some of the laws also explicitly exempt small businesses. All of the laws have other exemptions, mainly for personal data covered under other laws, like that collected and processed by healthcare and financial institutions. Nonprofits and institutions of higher education are also often exempt (though not in all states), so as always, requirements of specific laws should be checked with input from qualified legal counsel.

 

All the thresholds listed below, except where noted, are for a calendar year or the preceding calendar year.

 

State Compliance Thresholds
California (CCPA/CPRA) – have gross annual revenue greater than US $25 million in the preceding calendar year

or

– alone or in combination, annually buy, sell or share the personal data of 100,000 or more consumers or households

or

– derive 50% or more of annual revenue from selling or sharing consumers’ personal data

Colorado – process personal data of at least 100,000 consumers

or

– process personal data of at least 25,000 consumers

and

– derive at least 50% of gross revenue from selling personal data

Connecticut – process personal data of at least 100,000 consumers

or

– process personal data of at least 25,000 consumers

and

– receive a discount on goods or services from selling personal data

Delaware – control or process personal data of at least 35,000 Delaware residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

or

– control or process personal data of at least 10,000 Delaware residents

and

– derived more than 20 percent of gross revenue from the sale of personal data

Florida – are organized or operated for the profit or financial benefit of their shareholders or owners

– conduct business in the state of Florida

– collect personal data about consumers, or are the entity on behalf of which such information is collected

– determine the purposes and means of processing personal data about consumers, alone or jointly with others

– make in excess of USD 1 billion in global gross annual revenue

and satisfy at least one of the following:

– derive 50 percent or more of their global gross annual revenue from the sale of advertisements online, including providing targeted advertising or the sale of ads online

– operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to cloud computing service that uses hands-free verbal activation

– operate an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install

Indiana – control or process personal data of at least 100,000 Indiana residents

– control or process personal data of at least 25,000 Indiana residents

and

– derive over 50 percent of gross revenue from the sale of personal data

Iowa – control or process personal data of at least 100,000 consumers

or

– control or process personal data of more than 25,000 consumers

and

– derive over 50 percent of gross revenue from the sale of personal data

Kentucky – control or process personal data of at least 100,000 consumers

or

– control or process personal data of at least 25,000 consumers

and

– derive over 50 percent of gross revenue from the sale of personal data

Maryland – control or process the personal data of at least 35,000 consumers, excluding personal data controlled or processed only for completing a payment transaction

or

– control or process the personal data of at least 10,000 consumers

and

– derive more than 20 percent of their gross revenue from the sale of personal data

Minnesota – control or process personal data of at least 100,000 consumers

or

– control or process personal data of at least 25,000 consumers

and

– derive over 50 percent of gross revenue from the sale of personal data

– not a small business as defined under the U.S. Small Business Act, unless they are engaged in the sale of sensitive data without consumer consent

Montana – control or process the personal data of at least 35,000 consumers, excluding personal data controlled or processed only for completing a payment transaction

or

– control or process the personal data of at least 10,000 consumers

and

– derive more than 20 percent of their gross revenue from the sale of personal data

Nebraska – process or engage in the sale of personal data

– not a small business as defined under the U.S. Small Business Act, unless they are engaged in the sale of sensitive data without consumer consent

Nevada – own or operate a website or an online service for business purposes

and

– collect and maintain the personal information of consumers who reside in Nevada and use or visit the website or the online service;

and

– engage in activities catered towards Nevada and conduct transactions with the State of Nevada, or its consumers or residents;

and

– have more than 20,000 visitors per year

New Hampshire – control or process personal data of 100,000 or more consumers, excluding data for the purpose of completing payment transactions

or

– control or process personal data of 25,000 or more consumers

and

– derive 25 percent or more of the gross revenue from selling personal data

*The first state that does not limit the amount of data to a specific time period, e.g. “preceding calendar year”

New Jersey – control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction

or

– control or process the personal data of at least 25,000 consumers

and

– derive revenue or receive a discount on the price of any goods or services from the sale of personal data

Oregon – controls or processes personal data of at least 100,000 consumers

or

– controls or processes personal data of at least 25,000 consumers

and

– derive 25 percent or more of the annual gross revenue from selling personal data

Rhode Island – control or process the personal information of at least 10,000 Rhode Island consumers

and

– derive more than 20 percent of their gross revenue from the sale of personal information

Tennessee – exceed USD 25 million in revenue

and

– control or process the personal information of at least 25,000 Tennessee consumers

and

– derive more than 50 percent of their gross revenue from the sale of personal information

or

– control or process the personal information of at least 175,000 Tennessee residents during a calendar year

Texas – conducting business in Texas or generating products or services consumed by Texas residents

and

– processing or engaging in the sale of personal data

and

– not identifying as a small business as defined by the U.S. Small Business Administration (independent for-profit entity with fewer than 500 employees)

Virginia – process personal data of at least 100,000 consumers

or

– process personal data of at least 25,000 consumers

and

– derive at least 50 percent of gross annual revenue from selling personal data

Utah – gross annual revenue of at least USD 25 million

and

– process personal data of at least 100,000 consumers

or

– process personal data of at least 25,000 consumers

and

– derive at least 50 percent of gross revenue from selling personal data


Who is the enforcement authority in US states with data privacy laws?

Each state manages enforcement of its data privacy law, including investigations and penalties. The creation of the California Privacy Protection Agency was included in the CPRA, but to date California is the only state with a separate agency to enforce privacy law. All the other states have these functions under the Attorney General’s office.

 


What are the penalties for violation or noncompliance with the US state privacy laws?

Most penalties are monetary, though some can include cessation of data processing. Some of the privacy laws specify fine amounts, and others defer to laws governing deceptive trade practices, or to the Attorney General’s discretion. Outside of official channels, companies can also suffer loss of brand reputation, customer trust, and, ultimately, revenue as the result of a publicized violation or data breach.

Do the US state privacy laws provide a cure period for violations?

Most of the state-level US data privacy laws provide companies with a “right to cure”, which is a specific number of days during which they have the opportunity to fix any violation they’ve been notified about without being penalized for it. If they don’t cure the violation, proceedings to levy fines and/or other penalties can then commence.

 

Some laws have put a time limit of one to two years on the cure period, specifying a sunset date. After that time, companies will not have a right to cure, but can be granted a cure period at the Attorney General’s discretion. In some cases, like with repeat or willful (known) violations, there is no cure period.

 

State Fines, Penalties, and Cure Periods
California (CCPA/CPRA) – up to USD 2,500 for each violation (e.g. negligence) or USD 7,500 for willful violations

– fines for violations involving minors increased to USD 7,500 from USD 2,500

– provides consumers with private right of action only when their unencrypted or unredacted personal information is breached

– no cure period

Colorado – fines not specified under the CPA, penalties governed by the Colorado Consumer Protection Act

– from USD 2,000 to USD 20,000 per violation, or from USD 10,000 to USD 50,000 per violation against an elderly person

– 60-day cure period (sunsets January 1, 2025)

– violations can lead to criminal charges

Connecticut – fines not specified under the CTDPA, penalties governed by the Connecticut Unfair Trade Practices Act (CUTPA)

– USD 5,000 for willful violations

– restraining orders, which can lead to cessation of data collection (violation of a restraining order could result in an additional USD 25,000 penalty)

– 60-day cure period (sunsets December 1, 2024)

Delaware – fines not specified under the DPDPA, but the regulation references Subchapter II of Chapter 25 of Title 29, which provides the Attorney General standing to investigate, initiate administrative proceedings, sanction unlawful conduct, and/or seek remedies on behalf of the state for violations

– willful violations can result in fines up to USD 10,000 per violation

Florida – fines not specified under the FDBR, as violations are considered deceptive trade practices

– fines up to USD 50,000 per violation

– penalties can be tripled if:

– the violation is against a known child

– controller fails to delete personal data after receiving an authenticated consumer request (or a processor receives instructions to do so from a controller)

– controller continues to sell or share a consumer’s personal data after the consumer has opted out

– 45-day cure period at the discretion of the Attorney General (no sunset date), unless the violation involves a known child, in which case there is no cure period

– includes prohibition that no government entity can request that a social media platform remove content or user accounts unless the content or account is used to commit a crime or otherwise violates Florida public records law

Indiana – fines up to USD 7,500 per violation

– 30-day cure period (no sunset date)

Iowa – fines up to USD 7,500 per violation (paid into the fund for consumer education and litigation)

– 90-day cure period (no sunset date)

Kentucky – fines up to USD 7,500 per violation

– 30-day cure period (no sunset date)

Maryland – fines up to USD 10,000 per violation, fines for repeat violations up to USD 25,000 for each subsequent violation

– 60-day cure period (sunsets April 1, 2027)

– individuals do not have private right of action, but MODPA specifically notes that they are not prohibited from pursuing any other remedy provided by law

Minnesota – fines up to USD 7,500 per violation

– 30-day cure period (sunsets July 31, 2026)

Montana – fines not specified under the MTCDPA, but notes that the Attorney General can “bring an action”

– 60-day cure period (sunsets April 1, 2026)

Nebraska – fines up to USD 7,500 per violation

– 30-day cure period (no sunset date)

Nevada – violations are considered deceptive trade practices, so NRS 598A applies

– fines up to USD 5,000 per violation (which can mean per website visitor)

– a data collector can pursue damages against a person or entity that has unlawfully obtained or benefitted from personal data obtained from the data collector’s records, which may include:

– reasonable costs of notification

– reasonable attorneys’ fees

– costs and punitive damages where appropriate

– 30-day cure period (no sunset date)

– the Attorney General or any county’s district attorney can bring action against a suspected violator, enabling them to obtain a temporary or permanent injunction against the violating activity, including cessation of data collection

New Hampshire – fines not specified under the NHPA, as violations are considered deceptive trade practices, but the regulation references Section 358-A:2

– Attorney General can seek civil penalties up to USD 10,000 per violation

– 60-day cure period (sunsets January 1, 2026)

New Jersey – fines up to USD 10,000 for an initial violation and up to USD 20,000 for subsequent violations

– 30-day cure period (sunsets July 16, 2026)

Oregon – fines up to USD 7,500 per violation

– 30-day cure period (sunsets January 1, 2026)

Rhode Island – fines up to USD 10,000 per violation

– 30-day cure period (sunsets January 31, 2026)

Tennessee – fines up to USD 15,000 per violation

– fines can be up to three times higher for willful violations

– 60-day cure period (no sunset date)

Texas – fines up to USD 7,500 per violation

– 30-day cure period (no sunset date)

Virginia – fines up to USD 7,500 per violation

– 30-day cure period (no sunset date)

Utah – fines up to USD 7,500 per violation

– 30-day cure period (no sunset date)

Opt-in consent means that in most cases a business or other organization must obtain informed, valid consent from users and customers (data subjects) before collecting or processing their personal data. Opt-out consent means that in most cases a business can collect and use data subjects’ personal data without requiring consent.

 

Under state privacy laws, data subjects must have the option to opt out of sale, sharing, targeted advertising, profiling, automated decision-making, or other use of their personal data, depending on the specific data privacy law. Under most of the US privacy laws, prior consent is required if the data to be processed is categorized as sensitive or belongs to a known child. Most of the laws defer to the Children’s Online Privacy Protection Act (COPPA) regarding access to and use of children’s personal data.

What are the notification requirements under US data privacy laws?

All of the American privacy laws require that data subjects be notified under all circumstances about what data is collected, for what purposes, who it’s shared with, etc. The United States is the main country utilizing an opt-out consent model. In much of the rest of the world, the opt-in model is the standard.

Are companies required to recognize the Global Privacy Control under US state privacy laws?

The Global Privacy Control (GPC), or universal opt-out mechanism, enables individuals to set their consent preferences once in their web browser and have those preferences respected automatically by all websites they subsequently visit. Some of the state-level data privacy laws stipulate this signal must be respected, and others do not reference it at all. Some states have provided a grace period of a year or so before GPC signals must be respected.

 

State Consent Model
California (CCPA/CPRA) – opt out in most cases

– “Do Not Sell Or Share My Personal Information” link required on websites

– If sensitive personal information is processed, “Limit the Use of My Sensitive Personal Information” link required on websites

– prior consent required for sensitive or children’s personal data

Colorado – opt out in most cases

– prior consent required for sensitive or children’s personal data

Connecticut – opt out in most cases

– if a controller sells personal data to third parties or processes it for targeted advertising, the controller must provide a “clear and conspicuous link” on their website that enables consumers to opt out of either of those activities (explicit wording for the link is not specified)

– prior consent required for sensitive or children’s personal data

Delaware – opt out in most cases

– controllers must provide “a clear and conspicuous link on the controller’s Internet web site to an Internet web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or the sale of the consumer’s personal data”

– prior consent required for sensitive or children’s personal data

Florida – opt out in most cases

– prior consent required for sensitive or children’s personal data

– definition of a child is anyone under the age of 18 (under 13 is the standard under most of the state-level privacy laws)

Indiana – opt out in most cases

– prior consent required for sensitive or children’s personal data

Iowa – opt out in most cases

– prior consent required for sensitive or children’s personal data

Kentucky – opt out in most cases

– prior consent required for sensitive or children’s personal data

Maryland – opt out in most cases

– prior consent required for sensitive or children’s personal data

– sale of sensitive data or children’s data is banned without exception

Minnesota – opt out in most cases

– prior consent required for sensitive or children’s personal data

Montana – opt out in most cases

– prior consent required for sensitive or children’s personal data

Nebraska – opt out in most cases

– prior consent required for sensitive or children’s personal data

Nevada – opt out
New Hampshire – opt out in most cases

– prior consent required for sensitive or children’s personal data

New Jersey – opt out in most cases

– prior consent required for sensitive or children’s personal data

Oregon – opt out in most cases

– prior consent required for sensitive or children’s personal data

Rhode Island – opt out in most cases

– prior consent required for sensitive or children’s personal data

Tennessee – opt out in most cases

– prior consent required for sensitive or children’s personal data

Texas – opt out in most cases

– prior consent required for sensitive or children’s personal data

Virginia – opt out in most cases

– prior consent required for sensitive or children’s personal data

Utah – opt out in most cases

– prior consent required for sensitive or children’s personal data

What are the privacy notice/policy requirements of the US state privacy laws?

While in many cases the data privacy laws in the US do not require consent before data collection or use, all of them require users to be notified with information about what data is collected, for what purposes, what parties it gets shared with, what consumers’ rights are and how to exercise them, etc. This is most commonly presented in a privacy notice or privacy policy.

 

State Privacy Notice/Policy Requirements
California (CCPA/CPRA) – a business that controls the collection of a consumer’s personal information must, before or at the point of collection, inform consumers about:

  • categories of personal information to be collected
  • purposes for which the categories of personal information are collected or used and whether that information is sold or shared
  • categories of sensitive personal information to be collected, if any
  • purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared, if any
  • the length of time the business intends to retain each category of personal information, including sensitive personal information, if possible
  • if providing the data retention period is not possible, the criteria used to determine that period, provided that a business does not retain a consumer’s personal information for each disclosed purpose for longer than is reasonably necessary
Colorado – controllers must include an accessible, clear, and meaningful privacy notice, which must include the following information:

  • categories of personal data processed
  • purposes for processing personal data
  • how consumers can exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request
  • categories of personal data that the controller shares with third parties, if any
  • categories of third parties, if any, with whom the controller shares personal data
  • if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing
Connecticut – controllers must include an accessible, clear, and meaningful privacy notice, which must include the following information:

  • categories of personal data processed
  • purposes for processing personal data
  • how consumers can exercise their consumer rights, including contact information and how a consumer may appeal a controller’s decision with regard to the consumer’s request
  • categories of personal data that the controller shares with third parties, if any
  • categories of third parties with whom the controller shares personal data, if any
  • an active electronic mail address or other online mechanism that the consumer may use to contact the controller
Delaware – a controller must include an accessible, clear, and meaningful privacy notice, which must include all of the following information:

  • categories of personal data processed
  • purpose(s) for processing personal data
  • how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request
  • categories of personal data that the controller shares with third parties, if any
  • categories of third parties with which the controller shares personal data, if any
  • an active electronic mail address or other online mechanism that the consumer may use to contact the controller, including to submit a request
  • if the controller sells personal data to third parties or processes personal data for targeted advertising, they must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing
Florida – data controllers must include an accessible and simple to read privacy notice on their website, which must contain at least the following information:

  • categories of personal data processed by the controller
  • purpose(s) of processing personal data
  • how customers may exercise their rights
  • categories of third parties with whom the controller shares personal data, if any
  • description of the methods by which consumers can submit requests to exercise their consumer rights
  • if the controller engages in the sale of personal data that is biometric data, the controller must provide the following notice: “NOTICE: This website may sell your biometric personal data”
  • a secure and reliable means for consumers to submit a request to exercise their rights
Indiana – a controller must include an accessible, clear, and meaningful privacy notice, which must contain at least the following information:

  • categories of personal data processed
  • purpose(s) for processing personal data
  • how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request
  • categories of personal data that the controller shares with third parties, if any
  • categories of third parties with whom the controller shares personal data, if any
  • if a controller sells personal data to third parties or uses it for targeted advertising, the controller shall clearly disclose such activity in the privacy notice, as well as how a consumer may exercise the right to opt out of such sales or use
  • a secure and reliable means for consumers to submit a request to exercise their rights
Iowa – data processors must include an accessible and simple to read privacy notice on their website, which must contain at least the following information:

  • categories of personal data processed by the controller
  • purpose for processing personal data
  • how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request
  • categories of personal data that the controller shares with third parties, if any
  • categories of third parties, if any, with whom the controller shares personal data
  • description of secure and reliable means for consumers to submit requests to exercise their consumer rights
  • if a controller sells consumer’s personal data or engages in targeted advertising, then the controller needs to clearly and conspicuously disclose such activity and the manner in which a consumer may exercise the right to opt out
  • a secure and reliable means for consumers to submit a request to exercise their rights
Kentucky – controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

  • categories of personal data processed
  • purpose(s) for processing personal data
  • how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision regarding the consumer’s request
  • categories of personal data that the controller shares with third parties, if any
  • categories of third parties with which the controller shares personal data, if any
  • an active email address or other mechanism that the consumer may use to contact the controller
Maryland – controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

  • categories of personal data processed, including sensitive data
  • purpose(s) for processing personal data
  • how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision regarding the consumer’s request
  • categories of third parties with which the controller shares personal data, if any
  • categories of personal data that the controller shares with third parties, including sensitive data, if any
  • an active email address or other mechanism that the consumer may use to contact the controller
  • if a controller sells consumer’s personal data or engages in targeted advertising or profiling, then the controller needs to clearly and conspicuously disclose such activity and the manner in which a consumer may exercise the right to opt out
Minnesota – controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

  • categories of personal data processed
  • purpose(s) for processing personal data
  • how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision regarding the consumer’s request
  • categories of personal data that the controller shares with third parties, if any
  • categories of third parties with which the controller shares personal data, if any
  • an active email address or other mechanism that the consumer may use to contact the controller
  • description of the controller’s retention policies for personal data
  • the date the privacy notice was last updated
Montana – controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

  • categories of personal data processed
  • purpose(s) for processing personal data
  • categories of personal data that the controller shares with third parties, if any
  • categories of third parties with which the controller shares personal data, if any
  • an active email address or other mechanism that the consumer may use to contact the controller
  • how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision regarding the consumer’s request
Nebraska – a controller shall provide each consumer with a reasonably accessible and clear privacy notice that includes:

  • categories of personal data processed by the controller, including sensitive data
  • purpose(s) for processing personal data
  • how a consumer may exercise a consumer right, including the process by which a consumer may appeal a controller’s decision with regard to the consumer’s request
  • categories of personal data that the controller shares with third parties, if any
  • categories of third parties with whom the controller shares personal data, if any
  • methods through which a consumer may submit a request to exercise a consumer right
  • if a controller sells personal data to any third party or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process
Nevada – data processors need to provide an accessible and simple to read privacy notice on their website, which must contain at least the following information:

  • categories of personal data processed by the controller or processor
  • categories of third parties, if any, with whom the controller shares personal data
  • if the controller sells personal data
  • third parties that collect information about consumers throughout different websites (via use of third-party cookies)
  • how consumers may exercise their consumer rights, including contact information for how consumers may request their personal data not be sold
  • effective date of the privacy policy and a description of the process by which controllers will let consumers know of any changes to their privacy policy
New Hampshire – a controller shall provide each consumer with a reasonably accessible, clear, and meaningful privacy notice that includes:

  • categories of personal data processed
  • purpose(s) for processing personal data
  • how a consumer may exercise a consumer right, including the process by which a consumer may appeal a controller’s decision with regard to the consumer’s request
  • categories of personal data that the controller shares with third parties, if any
  • categories of third parties with whom the controller shares personal data, if any
  • an active electronic mail address or other online mechanism that the consumer may use to contact the controller
  • if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt-out of such processing
New Jersey – an operator that collects the personally identifiable information of a consumer through a commercial Internet website or an online service shall provide on its commercial Internet website or online service, notification to a consumer that shall include, but not be limited to:

  • categories of personal data processed
  • categories of third parties with whom the controller shares personal data, if any
  • whether a third party may collect personally identifiable information about a consumer’s online activities over time and across different commercial Internet websites or online services when the consumer uses the Internet website or online service of the operator (use of third-party cookies, or tracking cookies)
  • a description of the process for an individual consumer who uses or visits the commercial Internet website or online service to review and request changes to any of the consumer’s personally identifiable information that is collected
  • the process by which the operator notifies consumers who use or visit the commercial Internet website or online service of material changes to the notification required to be made available, along with the effective date of the notice
  • information concerning one or more designated request addresses of the operator
Oregon – a controller must provide an accessible, clear, and meaningful privacy notice on their website, which must contain at least the following information:

  • categories of personal data processed by the controller, including sensitive data
  • purpose(s) for processing personal data
  • how a consumer may exercise their rights, including the process by which a consumer may appeal a controller’s decision with regard to the consumer’s request
  • categories of personal data that the controller shares with third parties, including sensitive data, if any
  • categories of third parties with whom the controller shares personal data, if any
  • an electronic mail address or other online method by which a consumer can contact the controller that the controller actively monitors
  • identifies the controller, including any business name under which the controller registered with the Secretary of State and any assumed business name that the controller uses in the state
  • a clear and conspicuous description of any processing of personal data in which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer and a procedure by which the consumer may opt out
Rhode Island – controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

  • categories of personal data processed
  • third parties to whom the controller has sold or may sell customers’ personally identifiable information
  • when the controller may disclose personal information
  • an active email address or other mechanism that the consumer may use to contact the controller
Tennessee – upon receipt of an authenticated consumer request, a controller must provide the consumer with a reasonably accessible, clear, and meaningful privacy notice that includes:

  • categories of personal information processed
  • purpose(s) for processing personal information
  • how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request
  • categories of personal information that the controller sells to third parties, if any
  • categories of third parties, to whom the controller sells personal information, if any
  • if a controller sells personal information to third parties or processes personal information for targeted advertising, then the controller shall clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing
  • at least one of the following methods for consumers to submit a request to exercise consumer rights:
    • toll-free telephone number
    • email address
    • web form
    • a clear and conspicuous link on the controller’s main internet homepage to an internet webpage that enables a consumer to exercise their rights
Texas – a controller must provide consumers with a reasonably accessible and clear privacy notice that includes:

  • categories of personal data processed, including any sensitive data
  • purpose(s) for processing personal data
  • how consumers may exercise their consumer rights, including the process by which a consumer may appeal a controller’s decision with regard to the consumer’s request
  • categories of personal data that the controller shares with third parties, if any
  • categories of third parties with whom the controller shares personal data, if any
  • a description of the methods through which consumers can submit requests to exercise their consumer rights
  • if a controller engages in the sale of sensitive personal data, they must include the following notice: “NOTICE: We may sell your sensitive personal data” posted in the same location and in the same manner as the privacy notice
  • if a controller engages in the sale of biometric personal data, they must include the following notice: “NOTICE: We may sell your biometric personal data”, posted in the same location and in the same manner as the privacy notice
  • if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process
Virginia – controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

  • categories of personal data processed
  • purpose(s) for processing personal data
  • how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request
  • categories of personal data that the controller shares with third parties, if any
  • categories of third parties with whom the controller shares personal data, if any
  • if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing
  • one or more secure and reliable means for consumers to submit a request to exercise their consumer rights
Utah – a controller must provide an accessible and clear privacy notice, which must contain at least the following information:

  • categories of personal data processed
  • purpose(s) for processing personal data
  • how consumers can exercise their consumer rights
  • categories of personal data that the controller shares with third parties, if any
  • categories of third parties with whom the controller shares personal data, if any
  • if a controller sells a consumer’s personal data to one or more third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out of the sale of the consumer’s personal data or processing for targeted advertising

How is personal data defined under US state privacy laws?

Information is generally considered personal data or personal information if it can identify a person, by itself or in combination with other data points (e.g. name, address, credit card number, IP address). There are differences between what is categorized as personal data and personally identifiable information.

How is sensitive personal information defined and handled under US data privacy laws?

Many US data privacy laws also have explicit consideration for “sensitive personal data”, which can include information belonging to children, about racial or ethnic origin, medical or genetic data, sexual orientation, etc. Generally, this category includes information that could particularly be used to cause discrimination or harm if misused.

 

Typically, sensitive personal information (and children’s information) requires consent before it can be collected or processed, as well as additional security measures. Specific US data privacy laws should be checked for their definitions and requirements for sensitive personal data. Data that is publicly available, like government records, is not typically considered personal data.

 

State Definition of Personal Data/Information
California (CCPA/CPRA) “…information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (Examples in Section 1798.140 CCPA)
Colorado “…information that is linked or reasonably linkable to an identified or identifiable individual… does not include de-identified data or publicly available information.”
Connecticut “…any information that is linked or reasonably linkable to an identified or identifiable individual… does not include de-identified data or publicly available information.”
Delaware “…any information that is linked or reasonably linkable to an identified or identifiable individual… does not include de-identified data or publicly available information.”
Florida Personal data: “…information that is linked or reasonably linkable to an identified or identifiable child, including biometric information and unique identifiers to the child.”

Personal information: “…any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information.”

Indiana “…information that is linked or reasonably linkable to an identified or identifiable individual… does not include:

(1) de-identified data

(2) aggregate data

(3) publicly available information”

Iowa “…any information that is linked or reasonably linkable to an identified or identifiable natural person… does not include de-identified or aggregate data or publicly available information.”
Kentucky “…any information that is linked or reasonably linkable to an identified or identifiable natural person… does not include de-identified data or publicly available information,”
Maryland “…any information that is linked or can be reasonably linked to an identified or identifiable consumer… does not include de-identified data or publicly available information.”
Minnesota “… any information that is linked or reasonably linkable to an identified or identifiable natural person… does not include deidentified data or publicly available information.”
Montana “…any information that is linked or reasonably linkable to an identified or identifiable individual… does not include deidentified data or publicly available information.”
Nebraska “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, and includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual… does not include deidentified data or publicly available information”

Nevada Covered information: “…any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator or a data broker in an accessible form:

1. A first and last name.

2. A home or other physical address which includes the name of a street and the name of a city or town.

3. An electronic mail address.

4. A telephone number.

5. A social security number.

6. An identifier that allows a specific person to be contacted either physically or online.

7. Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable.”

New Hampshire “…any information that is linked or reasonably linkable to an identified or identifiable individual… does not include deidentified data or publicly available information.”
New Jersey “…any information that is linked or reasonably linkable to an identified or identifiable individual… does not include deidentified data or publicly available information.”
Oregon “…data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household… does not include deidentified data or data that is lawfully available through federal, state or local government records or through widely distributed media; or a controller reasonably has understood to have been lawfully made available to the public by a consumer.”
Rhode Island “… any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.”
Tennessee “…information that identifies, relates to, or describes a particular consumer or is reasonably capable of being directly or indirectly associated or linked with a particular consumer… does not include information that is: publicly available information; or de-identified or aggregate consumer information” (Examples in Section 2, 47-18-3201, 16B)
Texas “…any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information.”
Virginia “…any information that is linked or reasonably linkable to an identified or identifiable natural person… does not include de-identified data or publicly available information.”
Utah “…information that is linked or reasonably linkable to an identified individual or an identifiable individual… does not include deidentified data, aggregated data, or publicly available information.”

What are consumers’ rights under the states’ data privacy laws?

Some rights are consistent across all of the state-level US data privacy laws to date, though some laws get more granular than others. California is currently the only state that enables consumers to sue for a data breach in specific circumstances (private right of action). Not all data privacy laws enable portability of one’s data, either.

 

How do companies have to handle consumer requests under the US state privacy laws?

It is common for businesses to have 45 days from receiving a consumer’s request to exercise their rights to fulfill it, with an option to extend that under certain circumstances. Specific US data privacy laws should be reviewed to confirm the exact time frame for responding to requests, extensions, and/or the ability to refuse requests. Businesses should also be familiar with each data privacy law’s specific consumer rights to ensure consumers can exercise them or appeal a decision.

 

State Consumers’ Rights
California (CCPA/CPRA)
  • Right to access: personal information collected before the CPRA’s look-back period (the 12 months prior to January 1, 2023) as long as it’s possible or not unreasonably difficult to provide
  • Right to opt out: of the sharing and sale of personal information to third parties
  • Right to delete: any personal data the controller and third parties have about or from the consumer, with some exceptions
  • Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
  • Right for minors’ personal information not to be shared or sold without explicit consent, and for them not to be asked for consent within 12 months of declining a company’s consent request
  • Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
  • Right to restrict sensitive personal information: to limit access to and use of data categorized as sensitive
  • Right to access information about automated decision-making: to request information about automated decision-making and the likely outcomes of using such processes, specifically with regards to profiling
  • Right to opt-out of automated decision-making technology: for the use of automated decision-making technology with regards to personal information
  • Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
Colorado
  • Right to opt-out: of data processing for targeted advertising, sale or profiling using their personal data
  • Right to access: any data that a company has collected about them
  • Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
  • Right to delete: any personal data the controller has about or from the consumer, with some exceptions
  • Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
Connecticut
  • Right to access: any data that a company has collected about them
  • Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
  • Right to delete: any personal data the controller has about or from the consumer, with some exceptions
  • Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
  • Right to opt-out: of data processing for targeted advertising, sale or profiling using their personal data
Delaware
  • Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data and information about third parties it’s shared with, with exceptions
  • Right to disclosure: a list of the categories of third parties to which the controller has disclosed the consumer’s personal data
  • Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
  • Right to delete: any personal data the controller has about or from the consumer, with some exceptions
  • Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
  • Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
  • Right to opt out: of sale of personal data, targeted advertising, or profiling “in furtherance of solely automated decisions that produce legal or similarly significant effects” concerning the consumer
Florida
  • Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data, with some exceptions
  • Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
  • Right to delete: any personal data the controller has about or from the consumer, with some exceptions
  • Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
  • Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
  • Right to opt out:
    • sale of personal data
    • targeted advertising
    • certain profiling “in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer”
    • collection or processing of sensitive data
    • collection of personal data through the operation of a voice recognition or facial recognition feature
Indiana
  • Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data or a representative summary of it, with some exceptions
  • Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
  • Right to portability: obtain a copy of the consumer’s personal information that the consumer previously provided to the controller, in a readily usable format, with some exceptions
  • Right to delete: any personal information the controller has that was provided by the consumer (with some exceptions)
  • Right to disclosure: any categories of information about the consumer that have been sold
  • Right to opt out: of sale of personal information, targeted advertising, or profiling, and partial right not to be subject to fully automated decision-making
  • Right to not be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
Iowa
  • Right to access: confirmation if the controller is processing the consumer’s personal data and access to that data, with some exceptions
  • Right to delete: any personal data the controller has that was provided by the consumer
  • Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
  • Right to opt out: of sale of personal data
Kentucky
  • Right to access: confirmation if the controller is processing the consumer’s personal data and access to that data, with some exceptions
  • Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
  • Right to delete: any personal data the controller has that was provided by the consumer
  • Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
  • Right to opt out: consumers can opt out of the processing of their personal data for the purposes of its sale or use for targeted advertising or profiling
Maryland
  • Right to access: consumers can confirm whether or not the controller is processing their personal data and can access their data, with some exceptions
  • Right to correction: consumers have the right to correct any inaccuracies in their personal data, considering the nature of the personal data and purposes of processing
  • Right to deletion: consumers can request controllers to delete any personal data provided by, or obtained about, them, unless the law requires the personal data to be retained
  • Right to data portability: consumers can obtain a copy of their personal data in a readily usable format, with some exceptions
  • Right to information: consumers can obtain a list of categories of third parties to whom the controller has disclosed their, or any consumer’s, personal data
  • Right to opt out: consumers can opt out of the processing of their personal data for the purposes of its sale or use for targeted advertising or profiling
Minnesota
  • Right to access: confirmation if the controller is processing the consumer’s personal data and access to that data, with some exceptions
  • Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
  • Right to delete: any personal data the controller has that was provided by the consumer
  • Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
  • Right to opt out: consumers can opt out of the processing of their personal data for the purposes of its sale or use for targeted advertising or profiling
  • Right to obtain: a list of third parties to which the controller has disclosed the consumer’s personal data
  • Right to question the results of a controller’s profiling: to be informed of the reason that the profiling resulted in a specific decision, the actions the consumer may take to secure a different decision in the future, review their data used in the profiling, and correct inaccurate data for reevaluation
Montana
  • Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data, with some exceptions
  • Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
  • Right to delete: any personal data the controller has about or from the consumer (with some exceptions)
  • Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
  • Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
  • Right to opt out: of sale of personal data, targeted advertising, or profiling
Nebraska
  • Right to access: consumers can confirm whether or not the controller is processing their personal data and can access their data, with some exceptions
  • Right to correction: consumers have the right to have any inaccuracies in their personal data that the controller holds corrected, taking into account the nature of the personal data and purposes of processing
  • Right to deletion: consumers can request the deletion of any personal data provided by, or obtained about, them, with exceptions
  • Right to data portability: consumers can obtain a copy of their personal data that they previously provided to the controller, in a readily usable format, with some exceptions
  • Right to opt out: consumers can opt out of the processing of their personal data for the purposes of its sale or use for targeted advertising or profiling
Nevada
  • Right to access covered information that a controller has collected about them
  • Right to correction of covered information that the operator has collected about them
  • Right to opt out of the sale of covered information
New Hampshire
  • Right to access: confirm whether or not the controller is processing the consumer’s personal data and access such data, with exceptions
  • Right to correction: any inaccuracies in the information the controller has, taking into account the nature of the personal data and processing purposes
  • Right to delete: any personal data provided by, or obtained about, the consumer, with exceptions
  • Right to portability: obtain a copy of the consumer’s personal data processed by the controller, in a portable and reasonably readily usable format, where processing is carried out by automated means, with exceptions
  • Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
  • Right to opt out: of processing of personal data for the purposes of sale, targeted advertising, or profiling
New Jersey
  • Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data and information about third parties it’s shared with, with exceptions
  • Right to disclosure: a list of the categories of third parties to which the controller has disclosed the consumer’s personal data
  • Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
  • Right to delete: any personal data the controller has about or from the consumer (with some exceptions)
  • Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
  • Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
  • Right to opt out: of sale of personal data, targeted advertising, or profiling
Oregon
  • Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data and information about third parties it’s shared with, with exceptions
  • Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
  • Right to delete: any personal data the controller has about or from the consumer (with some exceptions)
  • Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
  • Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
  • Right to opt out: of sale of personal data, targeted advertising, or profiling
Rhode Island
  • Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data and information about third parties it’s shared with, with exceptions
  • Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
  • Right to delete: any personal data the controller has about or from the consumer (with some exceptions)
  • Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
  • Right to opt out: of sale of personal data, targeted advertising, or profiling
Tennessee
  • Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data, with some exceptions
  • Right to disclosure: any categories of information about the consumer that have been sold
  • Right to delete: any personal information the controller has that was provided by the consumer (with some exceptions)
  • Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
  • Right to portability: obtain a copy of the consumer’s personal information that the consumer previously provided to the controller, in a readily usable format, with some exceptions
  • Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
  • Right to opt out: of sale of personal information, targeted advertising, or profiling
Texas
  • Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data, with some exceptions
  • Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
  • Right to delete: any personal data the controller has about or from the consumer (with some exceptions)
  • Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
  • Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
  • Right to opt out: of sale of personal data, targeted advertising, or profiling
Virginia
  • Right to access: confirm whether or not the controller is processing the consumer’s personal data and access such data, with exceptions
  • Right to correction: any inaccuracies in the information the controller has, taking into account the nature of the personal data and processing purposes
  • Right to delete: any personal data provided by, or obtained about, the consumer, with exceptions
  • Right to portability: obtain a copy of the consumer’s personal data processed by the controller, in a portable and reasonably readily usable format, where processing is carried out by automated means, with exceptions
  • Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
  • Right to opt out: of processing of personal data for the purposes of sale, targeted advertising, or profiling
Utah
  • Right to access, including confirming whether a controller is processing their data, and the ability to request and receive that data
  • Right to deletion of personal data, if the data subject directly provided the data to the controller
  • Right to portability, obtaining a copy of their personal data that they provided to the controller, in a format that:
    • is portable to a technically reasonable extent
    • is readily usable to a practical extent
    • enables the consumer to transmit the data to another controller reasonably easily, where the processing is carried out by automated means
  • Right to opt out of certain processing, specifically for the sale of the personal data or the purposes of targeted advertising

The US data privacy laws to date all use an opt-out model of consent that does not require businesses to obtain consent before collecting personal data in most cases, with the typical exceptions being sensitive data and data belonging to known children. However, the laws do consistently require that consumers be notified about data collection and use and be given an option to opt out (of collection, sale, or sharing of their personal data, or of targeted advertising or profiling, depending on the law), as well as instructions and at least one mechanism to contact the company with requests or complaints.

That said, a number of the states’ regulations don’t specify how consent or opting out must be handled, what form that needs to take, etc. A high-performance Consent Management Platform, like Usercentrics CMP, can help companies flexibly and scalably provide the required notifications and consent options for states where they need to comply with privacy regulations.

 

Consent management requirements by state
California (CCPA/CPRA)
  • clearly and conspicuously display a link reading “Do Not Sell Or Share My Personal Information” to enable consumers to submit an opt out request
  • must honor the Global Privacy Signal
Colorado
  • clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request
  • by January 1st, 2025, websites must be able to honor preference signals that communicate the consumer’s opt out choice (Global Privacy Control)
Connecticut
  • no specific requirements regarding how an opt out option needs to be presented
  • must honor a Universal Opt-Out Mechanism
Delaware
  • clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request
  • must honor a Universal Opt-Out Mechanism (as of January 2025)
Florida
  • no specific requirements regarding how an opt out option needs to be presented, except for “methods must be secure, reliable, and clearly and conspicuously accessible”
  • if a controller engages in the sale of sensitive personal data, the controller must provide the following notice: “NOTICE: This website may sell your sensitive personal data.”
  • if a controller engages in the sale of personal data that is biometric data, the controller must provide the following notice: “NOTICE: This website may sell your biometric personal data.”
Indiana
  • no specific requirements regarding how an opt out option needs to be presented
Iowa
  • no specific requirements regarding how an opt out option needs to be presented
Kentucky
  • no specific requirements regarding how an opt out option needs to be presented
Maryland
  • clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request
  • must honor a Universal Opt-Out Mechanism
Minnesota
  • clear and conspicuous method outside the privacy notice for a consumer to opt out, “This method may include but is not limited to an Internet hyperlink clearly labeled “Your Opt-Out Rights” or “Your Privacy Rights” that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request”
  • must honor a Universal Opt-Out Mechanism
Montana
  • clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request
  • must honor a Universal Opt-Out Mechanism
Nebraska
  • no specific requirements regarding how an opt out option needs to be presented
  • must honor a Universal Opt-Out Mechanism
Nevada
  • no specific requirements regarding how an opt out option needs to be presented
  • privacy policy is required
New Hampshire
  • clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request
  • must honor a Universal Opt-Out Mechanism
New Jersey
  • clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request
  • must honor a Universal Opt-Out Mechanism (with specific reference for user profiling)
Oregon
  • clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request
  • must honor a Universal Opt-Out Mechanism (as of January 2026)
Rhode Island
  • no specific requirements regarding how an opt out option needs to be presented
Tennessee
  • clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request
Texas
  • clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request
  • must honor a Universal Opt-Out Mechanism
Virginia
  • no specific requirements regarding how an opt out option needs to be presented
Utah
  • no specific requirements regarding how an opt out option needs to be presented, aside from that the controller must clearly and conspicuously provide an option on the website that enables the consumer to submit an opt out request

FAQ

 

How many US states with privacy laws are there?
As of mid-2024, there are 21 states with data privacy laws. There is additional legislation that may pass before the end of the year.
What US states have data privacy laws?
As of mid-2024, these states have passed data privacy laws (though not all are in effect yet):

  • California
  • Colorado
  • Connecticut
  • Delaware
  • Florida
  • Indiana
  • Iowa
  • Kentucky
  • Minnesota
  • Maryland
  • Montana
  • Nebraska
  • Nevada
  • New Hampshire
  • New Jersey
  • Oregon
  • Rhode Island
  • Tennessee
  • Texas
  • Virginia
  • Utah
Does the US have a federal data privacy law?
No. Federal data privacy legislation has been tabled before, but never passed. A discussion draft of the American Privacy Rights Act (APRA) was released in April 2024. Two further revisions were made to the APRA through June 2024, but the proposed legislation has not progressed.
Which US state has the most strict data privacy law?
Most of the US state privacy laws are fairly similar, but Maryland has claimed to have passed the one that is the most strict.
Which US state has the most business-friendly data privacy law?
Iowa, Tennessee, and Utah’s data privacy laws are considered the most business-friendly.
Which US state has the most consumer-friendly data privacy law?
It depends on the criteria, but Connecticut claims to have a consumer-friendly data privacy law, though California’s laws could be considered for that designation as well.
Can companies face criminal charges for violating any of the US state privacy laws?
While a couple of states enable consumers to pursue legal recourse for violations, Colorado is the only state that enables criminal charges for data privacy violations.
