US State Data Privacy Laws and Compliance
Navigate the Privacy Landscape to
Stay Informed and Compliant With US State Privacy Laws
Kiteworks understands the value of staying informed about the ever-evolving state privacy landscape in the United States. Our chart below and links to enacted state laws provide a comprehensive overview of the changing landscape. Please note that our resources focus on bills that offer comprehensive approaches to personal information governance, excluding industry-specific or narrowly scoped bills.
Kiteworks enables organizations to effectively comply with privacy laws through its robust incident notification and record-keeping system. By maintaining detailed logs of data access and transfers, it simplifies compliance with incident-related obligations. Real-time monitoring aids in promptly identifying and reporting data breaches. Kiteworks also provides secure web forms and data collection mechanisms to address consent requirements empowering organizations to establish reliable opt-in mechanisms and consent procedures. With comprehensive visibility and control over sensitive content across various communication channels, Kiteworks ensures stringent security measures for maintaining privacy law compliance while upholding robust cybersecurity practices.
*scroll horizontally to view more cells
State | Introduced | Passed | Signed | Bill & Link | Name | Effective Date |
---|---|---|---|---|---|---|
California | CCPA/Proposition 24 | California Consumer Privacy Act and California Privacy Rights Act | January 1, 2020, and January 1, 2023 | |||
Colorado | SB 21-190 | Colorado Privacy Act | July 1, 2023 | |||
Connecticut | SB 6 | Connecticut Data Privacy Act | July 1, 2023 | |||
Indiana | SB 0005 | Indiana Consumer Data Protection Act | January 1, 2026 | |||
Iowa | SF 262 | Iowa Consumer Data Protection Act | January 1, 2025 | |||
Tennessee | HB 1181 | Tennessee Information Protection Act | July 1, 2025 | |||
Utah | SB 227 | Utah Consumer Privacy Act | December 31, 2023 | |||
Virginia | SB 1394 | Virginia Consumer Data Protection Act | January 1, 2023 | |||
Montana | SB 384 | Montana Consumer Data Privacy Act | ||||
Texas | HB 4 | Texas Data Privacy and Security Act | ||||
Illinois | HB 3385 | Illinois Data Privacy and Protection Act | ||||
Louisiana | SB 199 | Louisiana Consumer Privacy Act | ||||
Massachusetts | HD 2281, SD 745, HD 3263, SD 1971, HD 3245 | Massachusetts Data Privacy Protection Act, Massachusetts Information Privacy and Security Act, Massachusetts Internet Bill of Rights | ||||
Minnesota | HB 2309, SB 2915, HB 1367, SF 950, HF 1892 | Minnesota Consumer Data Privacy Act | ||||
New Hampshire | SB 255 | |||||
New Jersey | SB 3714, A 505 | New Jersey Disclosure and Accountability Transparency Act | ||||
New York | A 6319, SB 3162, A 4374, A 3593, A 3308, SB 2277, SB 365, A 2587, SB 5555 | New York American Data Privacy and Protection Act, New York Digital Fairness Act, New York Privacy Act, New York Data Protection Act, New York It’s Your Data Act | ||||
North Carolina | SB 525 | North Carolina Consumer Privacy Act | ||||
Oklahoma | HB 1030 | Oklahoma Computer Data Privacy Act | ||||
Oregon | SB 619 | |||||
Pennsylvania | HB 708 | Pennsylvania Consumer Data Protection Act | ||||
Rhode Island | HB 6236, SB 754, HB 5745 | Rhode Island Data Transparency and Privacy Protection Act, Rhode Island Personal Data and Online Privacy Protection Act | ||||
Vermont | HB 121 |
Frequently Asked Questions
Individual states in the U.S. have their own privacy laws to address their residents’ specific privacy and data protection needs and concerns. With the absence of a comprehensive federal privacy law, states have taken it upon themselves to protect their citizens’ privacy rights, regulate data handling practices, and set standards for businesses operating within their jurisdiction. These laws help ensure that companies are transparent about their data practices and allow consumers to control how their personal information is used.
The United States currently does not have a comprehensive national data privacy law similar to the EU’s General Data Protection Regulation (GDPR). Instead, the U.S. has a sectoral approach with different rules applying to specific sectors or types of data, such as the Health Insurance Portability and Accountability Act (HIPAA) for health information and the Gramm-Leach-Bliley Act (GLBA) for financial information. In the absence of a national data privacy law, individual states, including California, Texas, Colorado, Florida, and several others, are passing their own data privacy laws to protect their citizens’ privacy.
While compliance specifics vary from state to state and law to law, generally any business that collects, stores, processes, or shares a citizen’s personal information may be required to comply with that state’s privacy laws, even if the business is incorporated elsewhere. In some states, some rules may only apply to larger firms or those dealing with a specific volume of data or several consumers.
The rights provided to citizens can vary significantly by state and law. Some common rights include the right to know what personal information a business collects about them, the right to request deletion of their data, the right to opt out of the sale of their personal information, and the right to non-discrimination for exercising their privacy rights. The specifics depend on the relevant state law.
The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) both aim to protect personal data, but they differ in various ways:
- Scope: The CCPA applies to businesses operating in California and collecting personal information of California residents, while the GDPR applies to all organizations working within the EU, or dealing with data of EU citizens, irrespective of their country location.
- Rights: Both give individuals the right to access and delete their data, but the GDPR also includes rights like rectification (correcting inaccurate data) and objection (objecting to processing personal data), which the CCPA does not explicitly provide.
- Enforcement: The GDPR has more vigorous enforcement and steeper penalties, with maximum fines of up to €20 million or 4% of annual global turnover, whichever is higher. CCPA’s penalties can reach up to $7,500 per intentional violation.
- Consent: The GDPR requires citizens’ explicit and informed consent before collecting personal data, while the CCPA does not require upfront approval but does provide citizens the right to opt out of data sales, preventing organizations from selling a citizen’s personal data.