US State Privacy Legislation Tracker
Updated as of 10/15/2024
*scroll horizontally to view more cells
| State | Consumer Rights | Business Obligations | Introduced | Signed | Bill & Link | Name | Effective Date |
|---|---|---|---|---|---|---|---|
| California |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (sensitive data) • Right to portability • Right to opt out of sales • Right against automated decision-making • Private right of action (limited to certain violations only) |
• Required age of opt-in default (16) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | x | CCPA | California Consumer Privacy Act | January 1, 2020 |
| Colorado |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
x | x | SB 190 | Colorado Privacy Act | July 1, 2023 |
| Connecticut |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
x | x | SB 6 | Connecticut Data Privacy Act | July 1, 2023 |
| Delaware |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against automated decision-making |
• Required age of opt-in default (17) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | X | HB 154 | Delaware Personal Data Privacy Act | January 1, 2025 |
| Indiana |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
x | x | SB 5 | Indiana Consumer Data Protection Act | January 1, 2026 |
| Iowa |
• Right to access • Right to delete • Right to portability • Right to opt out of sales |
• Required age of opt-in default (13) • Notice/transparency requirement • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
x | x | SF 262 | Iowa Consumer Data Protection Act | January 1, 2025 |
| Kentucky |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | X | HB 15 | Kentucky Consumer Data Protection Act | January 1, 2026 |
| Maryland |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | X | SB 541 | Maryland Online Data Privacy Act | October 1, 2025 |
| Minnesota |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | X | HF 2309 | Minnesota Consumer Data Privacy Act | July 31, 2025 |
| Montana |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | X | SB 384 | Montana Consumer Data Privacy Act | October 1, 2024 |
| Nebraska |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | X | LB 1074 | Nebraska Data Privacy Act | January 1, 2025 |
| New Hampshire |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | X | SB 255 | January 1, 2025 | |
| New Jersey |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | X | SB 332 | January 15, 2025 | |
| Oregon |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | X | SB 619 | Oregon Consumer Privacy Act | July 1, 2024 |
| Rhode Island |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | X | H 7787 | Rhode Island Data Transparency and Privacy Protection Act | January 1, 2026 |
| Tennessee |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
x | x | HB 1181 | Tennessee Information Protection Act | July 1, 2025 |
| Texas |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | X | HB 4 | Texas Data Privacy and Security Act | July 1, 2024 |
| Utah |
• Right to access • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
x | x | SB 227 | Utah Consumer Privacy Act | December 31, 2023 |
| Virginia |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
x | x | SB 1392 | Virginia Consumer Data Protection Act | January 1, 2023 |
| Alabama |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making |
• Required age of opt-in default (16) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | HB283 | |||
| Arkansas |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making |
• Opt-in default (sensitive data) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | SB258 | Arkansas Digital Responsibility, Safety, and Trust Act | ||
| Illinois |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (sensitive data) • Right to portability • Right to opt out of sales |
• Required age of opt-in default (16) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | SB0052 / HB3041 | Illinois Privacy Rights Act, Illinois Data Privacy and Protection Act | ||
| Maine |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | LD1088 / LD1224 | Maine Consumer Data Privacy Act, Maine Consumer Privacy Act | ||
| Massachusetts |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against automated decision-making • Private right of action |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | H78 / S29 / S45 / H104 / S301 / S33 / H80 | Massachusetts Consumer Data Privacy Act, Massachusetts Data Privacy Protection Act, Massachusetts Information Privacy and Security Act, Internet Bill of Rights, Massachusetts Data Privacy Act, Comprehensive Massachusetts Consumer Data Privacy Act | ||
| Michigan |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (opt-in consent required) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making • Private right of action |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | SB 659 | Michigan Personal Data Privacy Act | ||
| New York |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against automated decision-making • Private right of action |
• Required age of opt-in default (16) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | A974 / S3044 / A4947 / A5827 | New York Data Protection Act, New York Privacy Act, American Data Privacy and Protection Act | ||
| North Carolina |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | H462 / SB757 | North Carolina Personal Data Privacy Act, North Carolina Consumer Privacy Act | ||
| Ohio |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right against (certain) automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | HB 345 | Ohio Personal Privacy Act | ||
| Oklahoma |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against automated decision-making |
• Required age of opt-in default (13) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | HB1012 / SB546 | Oklahoma Computer Data Privacy Act | ||
| Pennsylvania |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against (certain) automated decision-making |
• Required age of opt-in default (16) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | HB78 / SB112 | Consumer Data Protection Act | ||
| South Carolina |
• Right to access • Right to correct • Right to delete • Right to opt-out of processing for profiling/targeted advertising purposes • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against automated decision-making • Private right of action (limited to certain violations only) |
• Required age of opt-in default (16) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | H3401 | |||
| Vermont |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against automated decision-making • Private right of action limited to certain violations only |
• Required age of opt-in default (16) • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | SB112 / S0071 / S0093 | Vermont Data Privacy and Online Surveillance Act | ||
| Wisconsin |
• Right to access • Right to correct • Right to delete • Right to opt out of certain processing (for profiling/targeting purposes) • Right to portability • Right to opt out of sales • Right to opt in for sensitive data processing • Right against automated decision-making |
• Opt-in default • Notice/transparency requirement • Risk assessments • Prohibition on discrimination (exercising rights) • Purpose/processing limitation |
X | SB166 |
Additional Resources
- Web page State Privacy Laws
- Web page Secure Government Solutions: Encrypted File Transfer & Email Service
- Web page State, Provincial, and Local Government Solutions
- Case Studies Private Content Network Case Studies
- Web page GDPR Compliance: GDPR Data Protection and Compliance, GDPR File Sharing
- Report Executive Summary – 2022 Sensitive Content Communications Privacy and Compliance Report
Frequently Asked Questions
Individual states in the U.S. have their own privacy laws to address their residents’ specific privacy and data protection needs and concerns. With the absence of a comprehensive federal privacy law, states have taken it upon themselves to protect their citizens’ privacy rights, regulate data handling practices, and set standards for businesses operating within their jurisdiction. These laws help ensure that companies are transparent about their data practices and allow consumers to control how their personal information is used.
The United States currently does not have a comprehensive national data privacy law similar to the EU’s General Data Protection Regulation (GDPR). Instead, the U.S. has a sectoral approach with different rules applying to specific sectors or types of data, such as the Health Insurance Portability and Accountability Act (HIPAA) for health information and the Gramm-Leach-Bliley Act (GLBA) for financial information. In the absence of a national data privacy law, individual states, including California, Texas, Colorado, Florida, and several others, are passing their own data privacy laws to protect their citizens’ privacy.
While compliance specifics vary from state to state and law to law, generally any business that collects, stores, processes, or shares a citizen’s personal information may be required to comply with that state’s privacy laws, even if the business is incorporated elsewhere. In some states, some rules may only apply to larger firms or those dealing with a specific volume of data or several consumers.
The rights provided to citizens can vary significantly by state and law. Some common rights include the right to know what personal information a business collects about them, the right to request deletion of their data, the right to opt out of the sale of their personal information, and the right to non-discrimination for exercising their privacy rights. The specifics depend on the relevant state law.
The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) both aim to protect personal data, but they differ in various ways:
- Scope: The CCPA applies to businesses operating in California and collecting personal information of California residents, while the GDPR applies to all organizations working within the EU, or dealing with data of EU citizens, irrespective of their country location.
- Rights: Both give individuals the right to access and delete their data, but the GDPR also includes rights like rectification (correcting inaccurate data) and objection (objecting to processing personal data), which the CCPA does not explicitly provide.
- Enforcement: The GDPR has more vigorous enforcement and steeper penalties, with maximum fines of up to €20 million or 4% of annual global turnover, whichever is higher. CCPA’s penalties can reach up to $7,500 per intentional violation.
- Consent: The GDPR requires citizens’ explicit and informed consent before collecting personal data, while the CCPA does not require upfront approval but does provide citizens the right to opt out of data sales, preventing organizations from selling a citizen’s personal data.
FEATURED RESOURCES
Customer Use Cases: Kiteworks Private Content Network Innovations
Customer Use Cases: Kiteworks Private Content Network Innovations
Kiteworks’ 2023 Sensitive Content Communications Privacy and Compliance Report (Executive summary)
Kiteworks’ 2023 Sensitive Content Communications Privacy and Compliance Report (Executive summary)
Kiteworks Private Content Network in the Compliance Era
Kiteworks Private Content Network in the Compliance Era
Kiteworks Supports Compliance With the American Privacy Rights Act
