Navigate the Privacy Landscape to
Stay Informed and Compliant With US State Privacy Laws

Kiteworks understands the value of staying informed about the ever-evolving state privacy landscape in the United States. Our chart below and links to enacted state laws provide a comprehensive overview of the changing landscape. Please note that our resources focus on bills that offer comprehensive approaches to personal information governance, excluding industry-specific or narrowly scoped bills.

Kiteworks enables organizations to effectively comply with privacy laws through its robust incident notification and record-keeping system. By maintaining detailed logs of data access and transfers, it simplifies compliance with incident-related obligations. Real-time monitoring aids in promptly identifying and reporting data breaches. Kiteworks also provides secure web forms and data collection mechanisms to address consent requirements empowering organizations to establish reliable opt-in mechanisms and consent procedures. With comprehensive visibility and control over sensitive content across various communication channels, Kiteworks ensures stringent security measures for maintaining privacy law compliance while upholding robust cybersecurity practices.

US State Privacy Legislation Tracker
*scroll horizontally to view more cells

State Introduced Passed Signed Bill & Link Name Effective Date
California CCPA/Proposition 24 California Consumer Privacy Act and California Privacy Rights Act January 1, 2020, and January 1, 2023
Colorado SB 21-190 Colorado Privacy Act July 1, 2023
Connecticut SB 6 Connecticut Data Privacy Act July 1, 2023
Indiana SB 0005 Indiana Consumer Data Protection Act January 1, 2026
Iowa SF 262 Iowa Consumer Data Protection Act January 1, 2025
Tennessee HB 1181 Tennessee Information Protection Act July 1, 2025
Utah SB 227 Utah Consumer Privacy Act December 31, 2023
Virginia SB 1394 Virginia Consumer Data Protection Act January 1, 2023
Montana SB 384 Montana Consumer Data Privacy Act
Texas HB 4 Texas Data Privacy and Security Act
Illinois HB 3385 Illinois Data Privacy and Protection Act
Louisiana SB 199 Louisiana Consumer Privacy Act
Massachusetts HD 2281, SD 745, HD 3263, SD 1971, HD 3245 Massachusetts Data Privacy Protection Act, Massachusetts Information Privacy and Security Act, Massachusetts Internet Bill of Rights
Minnesota HB 2309, SB 2915, HB 1367, SF 950, HF 1892 Minnesota Consumer Data Privacy Act
New Hampshire SB 255
New Jersey SB 3714, A 505 New Jersey Disclosure and Accountability Transparency Act
New York A 6319, SB 3162, A 4374, A 3593, A 3308, SB 2277, SB 365, A 2587, SB 5555 New York American Data Privacy and Protection Act, New York Digital Fairness Act, New York Privacy Act, New York Data Protection Act, New York It’s Your Data Act
North Carolina SB 525 North Carolina Consumer Privacy Act
Oklahoma HB 1030 Oklahoma Computer Data Privacy Act
Oregon SB 619
Pennsylvania HB 708 Pennsylvania Consumer Data Protection Act
Rhode Island HB 6236, SB 754, HB 5745 Rhode Island Data Transparency and Privacy Protection Act, Rhode Island Personal Data and Online Privacy Protection Act
Vermont HB 121

Frequently Asked Questions

Individual states in the U.S. have their own privacy laws to address their residents’ specific privacy and data protection needs and concerns. With the absence of a comprehensive federal privacy law, states have taken it upon themselves to protect their citizens’ privacy rights, regulate data handling practices, and set standards for businesses operating within their jurisdiction. These laws help ensure that companies are transparent about their data practices and allow consumers to control how their personal information is used.

The United States currently does not have a comprehensive national data privacy law similar to the EU’s General Data Protection Regulation (GDPR). Instead, the U.S. has a sectoral approach with different rules applying to specific sectors or types of data, such as the Health Insurance Portability and Accountability Act (HIPAA) for health information and the Gramm-Leach-Bliley Act (GLBA) for financial information. In the absence of a national data privacy law, individual states, including California, Texas, Colorado, Florida, and several others, are passing their own data privacy laws to protect their citizens’ privacy.

While compliance specifics vary from state to state and law to law, generally any business that collects, stores, processes, or shares a citizen’s personal information may be required to comply with that state’s privacy laws, even if the business is incorporated elsewhere. In some states, some rules may only apply to larger firms or those dealing with a specific volume of data or several consumers.

The rights provided to citizens can vary significantly by state and law. Some common rights include the right to know what personal information a business collects about them, the right to request deletion of their data, the right to opt out of the sale of their personal information, and the right to non-discrimination for exercising their privacy rights. The specifics depend on the relevant state law.

The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) both aim to protect personal data, but they differ in various ways:

    • Scope: The CCPA applies to businesses operating in California and collecting personal information of California residents, while the GDPR applies to all organizations working within the EU, or dealing with data of EU citizens, irrespective of their country location.
    • Rights: Both give individuals the right to access and delete their data, but the GDPR also includes rights like rectification (correcting inaccurate data) and objection (objecting to processing personal data), which the CCPA does not explicitly provide.
    • Enforcement: The GDPR has more vigorous enforcement and steeper penalties, with maximum fines of up to €20 million or 4% of annual global turnover, whichever is higher. CCPA’s penalties can reach up to $7,500 per intentional violation.
    • Consent: The GDPR requires citizens’ explicit and informed consent before collecting personal data, while the CCPA does not require upfront approval but does provide citizens the right to opt out of data sales, preventing organizations from selling a citizen’s personal data.

Take control of your sensitive information

console.log ('hstc cookie not exist') "; } else { //echo ""; echo ""; } ?>