It’s been five years since the first state-level data privacy law, California’s CCPA, was passed in the United States. Now, other states have followed suit.
Whether you live in Alaska, Oklahoma, or New York, there’s a pressing need for data privacy. With organizations collecting vast amounts of data and a simultaneous rise in cyberattacks and data breaches, it’s become crucial to establish clear rules and regulations around individual data privacy.
At the state level, there’s also been a growing awareness of the importance of safeguarding data. Many governing bodies around the world have already passed data privacy laws, from the EU’s General Data Protection Regulation (GDPR) to Brazil’s General Data Protection Law (LGPD) — but the United States has yet to pass its own regulations.
Thanks to this lack of comprehensive federal data privacy legislation, individual states have become the primary laboratories for experimenting with various data privacy approaches. Now, a total of 14 US states — comprising at least 40% of the country’s population — have successfully created their own data privacy legislation.
In this blog post, we’ll review the data protection laws that are already on the books. We’ll also take a look at the states that have proposed but not yet passed legislation, and we’ll offer some suggestions for meeting compliance under state-level privacy laws.
First, why do state-level data privacy laws exist?
In short, to fill a void. State-level data privacy laws exist in the United States primarily because of the absence of an overarching federal data privacy law. Unlike many other countries, the US lacks a unified, overarching data protection regulation that governs the handling and protection of personal data. This absence can be attributed to various factors, including differing political ideologies, industry interests, and legislative gridlock in Congress.
Some members of Congress have tried to pass legislation like the proposed American Data Privacy and Protection Act, but none of their bills have been successful yet. As a result, individual states have taken it upon themselves to address the growing concerns around data privacy.
A guide to the 14 existing state data privacy laws
We’ve written individual articles about several of the leading state-level data protection laws, which can be found in our collection of blog posts on compliance. Below, we’ll briefly summarize the existing state laws and their key points, including requirements, timelines, and penalties.
California. Passed in 2018 and amended in 2020 by the California Privacy Rights Act (CPRA), the California Consumer Privacy Act (CCPA) was the first ever US state data privacy law and remains one of the strongest. It applies to all companies that 1) make more than $25 million in gross annual revenue annually, 2) process the personal information of 100,000 or more consumers or households, or 3) derive more than 50% of their annual revenues from selling or sharing consumers’ personal information. The California Consumer Privacy Act is also one of the few state laws that offers a private right of action, i.e. the ability for individual California residents to sue businesses over the violation of their CCPA rights.
Colorado. The Colorado Privacy Act (CPA) was signed into law in July 2021 and includes civil penalties of up to $20,000 per violation. Unlike California’s law, the CPA does not have a gross revenue threshold. Instead, it applies to data controllers that 1) process the personal data of 100,000+ Colorado consumers each year or 2) process the personal data of 25,000+ Colorado consumers each year while earning revenue from selling personal data. It also specifies that businesses’ data protection assessments (DPAs) must thoughtfully consider the risk posed to individual consumers and to the general public by their data processing activities.
Connecticut. The Connecticut Personal Data Privacy Act (CTDPA) was signed into law in 2022 and went into effect in 2023. It applies to businesses that control or process the personal data of 1) at least 100,000 consumers or 2) 25,000 or more consumers while deriving over 25% of their gross revenue from the sale of personal data. Like the other state data privacy laws, Connecticut’s gives consumers the right to access, correct, and delete their personal data as well as obtain a copy of their data in a readily usable format. It also gives consumers the right to opt-out of the sale of their personal data and the processing of their personal data for the purposes of targeted advertising.
Delaware. Signed into law in September 2023, the Delaware Personal Data Privacy Act (DPDPA) is one of the most recent data privacy laws in the United States. Its thresholds are somewhat lower than most other states, likely to accommodate its smaller population. The DPDPA applies to organizations that control or process the personal data of 1) at least 35,000 consumers or 2) at least 10,000 consumers while deriving more than 20% of their gross revenue from the sale of personal data. Notably, the DPDPA does not offer exemptions for nonprofits or for HIPAA-covered entities (although it does exempt PHI, personal health information).
Florida. Passed in 2023, the Florida Digital Bill of Rights (FDBR) is unique among the state data privacy laws. Its threshold for applicability is higher than any other state’s to date; companies must generate more than $1 billion in gross annual revenue and meet several other specific requirements exclusive to tech giants. Florida’s law is also unique in prohibiting state government entities from contacting social media platforms to remove or moderate content, and in requiring major search engines to disclose how their algorithms operate.
Indiana. The Indiana Data Privacy Law (IDPL) was signed into law in 2023 and, like most of its counterparts, requires businesses to receive clear and informed consent from consumers before processing their sensitive data. Organizations are also required to provide clear privacy notices, conduct data protection impact assessments, and establish processes for consumers to exercise their rights. Like many other state-level data privacy laws, the Indiana Data Privacy Law provides a cure period for companies to address violations without penalty — in this case, 30 days.
Iowa. The sixth US state to pass a data privacy law, Iowa signed its legislation in 2023 after several failed attempts. The Iowa Consumer Data Protection Act (ICDPA) does not depart significantly from other state privacy laws, investing consumers with the right to access, delete, and request copies of their personal data (i.e. data portability). Like the five laws that preceded it, the ICDPA also bars data controllers from processing personal data in violation of state and federal laws that prohibit unlawful discrimination.
Montana. The Montana Consumer Data Privacy Act (MCDPA) was signed into law in 2023 after unanimous passage in the Montana state legislature. Although the law resembles the Connecticut Personal Data Privacy Act in several ways, it has a much lower threshold, requiring compliance from companies that 1) control or process the personal data of at least 50,000 state residents or 2) control or process the personal data of at least 25,000 state residents while deriving more than 25% of gross revenue from the sale of personal data. Montana’s law is also distinct in that it is the first state data protection regulation to ban TikTok. The social media platform has appealed this decision, but it will be liable for a $10,000 fine for each use of the app in Montana if the appeal does not succeed.
Nevada. A stripped-down privacy law, the Nevada Privacy Law technically amends an earlier online privacy law passed in 2019. The updated legislation adopts a narrow definition of personal data, covering only very basic information like Social Security numbers and email addresses, but still allows consumers to opt-out of the sale of that data. It does not establish a consumer right to access, delete, or request a portable copy of their data, nor does it require businesses to offer an opt-out mechanism on their websites.
Oregon. The Oregon Consumer Privacy Act (OCPA), which will take effect in 2024, establishes similar consumer rights and data controller obligations as other state data privacy laws. However, its definitions of personal and sensitive data are somewhat different. Under the OCPA, 1) “personal data” includes “derived data,” i.e., data that can reasonably be linked to a certain device or household, 2) “sensitive data” includes a person’s gender identity and status as the victim of a crime, and 3) “biometric data” includes potentially identifiable information as well as data explicitly collected for the purpose of identification. This expansion of the categories of personal data will require some adjustments from organizations already complying with other state privacy laws.
Tennessee. The Tennessee Information Protection Act (TIPA) was signed into law in 2023. It joins a growing group of business-friendly state data privacy laws, such as the Virginia Consumer Data Protection Act (VCDPA), the Utah Consumer Privacy Act (UCPA), and the Iowa Consumer Data Protection Act (ICDPA). It includes several favorable provisions for businesses, such as a unique exemption for insurance companies, an especially long 60-day cure period, and more than two years to prepare for its effective date of July 1, 2025. It also allows data controllers and processors to defend themselves against violations if they maintain a written privacy program that “reasonably conforms” to the current privacy framework set by the National Institute of Standards and Practices (NIST).
Texas. With a population of 30 million, Texas is the second largest state (after California) to pass a data privacy law. The Texas Data Privacy and Security Act (TDPSA) offers similar consumer rights as other state-level privacy legislation. It also affords special protections to sensitive data, which it defines as information including genetic and biometric data, geolocation data, and personal information regarding racial or ethnic origins, religious beliefs, mental or physical health diagnoses, sexuality, and citizenship or immigration status. Most notably, the TDPSA applies to almost any organization that is not a “small business” as defined by the United States Small Business Administration (SBA). This means that the TDPSA will likely extend to businesses that fall well below the applicability thresholds in other states, complicating compliance efforts.
Utah. The fourth state data privacy law in the country, the Utah Consumer Privacy Act (UCPA) draws from both the Virginia Consumer Data Protection Act and the California Consumer Privacy Act. The UCPA applies to companies with annual revenues over $25 million that either 1) process or control the personal data of at least 100,000 consumers in a year or 2) process or control the personal data of at least 25,000 consumers in a year while deriving over 50% of their gross revenue from the sale of personal data.
Virginia. The Virginia Consumer Data Protection Act (VCDPA) is the second state data privacy law, after California’s. It establishes six key consumer protections: the right to confirm whether a controller is processing the consumer’s personal data; the right to access, correct, delete, or obtain a copy of that personal data; and the right to opt out of having their personal data processed for purposes of targeted advertising, profiling, or sale. It also offers some common exemptions, including for healthcare organizations already governed by the Health Insurance Portability and Accountability Act (HIPAA) and for financial institutions already governed by the Gramm-Leach-Bliley Act (GLBA).
The 7 states with bills currently undergoing the legislative process
So far, the creation of state data privacy legislation shows no sign of slowing down. There are now seven states with bills that have either been introduced or are in committee or cross chamber. It’s unclear when the fate of these bills will be decided, as some can carry over into future legislative sessions if they do not make it to a vote in the current session.
Maine. Maine’s proposed privacy law (LD 1977), An Act to Create the Data Privacy and Protection Act, was introduced in May 2023 and carried over to the Maine House of Representatives in August 2023. If passed, it will establish consumer rights to access, correct, erase, and transfer personal data. It will also impose new obligations on data controllers to establish and maintain reasonable policies and procedures for mitigating privacy risks.
Massachusetts. In Massachusetts, an act to establish the Massachusetts Data Privacy Protection Act was put forward in February 2023. The proposed law largely hews to other US state data privacy laws, establishing typical consumer rights and creating new data controller obligations. It also requires a privacy by design framework from businesses that meet its threshold.
New Hampshire. In January 2023, a bipartisan group of New Hampshire legislators introduced Senate Bill 255-FN, an “act relative to the expectation of privacy.” The bill is largely modeled on the privacy acts in California, Colorado, and Virginia, and it is currently undergoing hearings in the New Hampshire House Judiciary Committee.
New Jersey. The proposed New Jersey Disclosure and Accountability Transparency Act was introduced in the state Senate in March 2023. The bill is largely similar to the other state data privacy laws, including in its exemptions and penalties, although it does not yet specify exact thresholds for applicability.
North Carolina. The proposed Consumer Privacy Act of North Carolina was introduced in April 2023 to the state Senate. With similar HIPAA, GLBA, and nonprofit exemptions to other privacy laws, it would apply to data controllers and processors that have an annual revenue of at least $25 million and either 1) handle the personal data of at least 100,000 consumers or 2) handle the personal data of at least 25,000 consumers while deriving over 50% of their gross revenue from the sale of personal data.
Pennsylvania. The proposed Consumer Data Privacy Act, or House Bill 1201, was introduced in the Pennsylvania state legislature in May 2023. It would require businesses to allow consumers to opt out of certain kinds of personal data processing. Like Virginia’s and Tennessee’s privacy laws, the Pennsylvania act would not include a private right of action and would instead leave enforcement up to the state attorney general.
Wisconsin. One of the most recent pieces of legislation, Wisconsin’s Assembly Bill 466 was introduced in October 2023. It would enshrine similar consumer rights and protections as its counterparts, and it would apply to data controllers that either 1) process the personal data of at least 100,000 consumers or 2) process the personal data of at least 25,000 consumers while deriving over 50% of their gross revenue from the sale of personal data.
The 14 states with inactive data privacy legislation
A total of fourteen states have proposed and attempted to pass data protection legislation. Most of these proposed laws only made it to committee, meaning that they were not voted on by a full legislature. However, in several states — Hawaii, Kentucky, Oklahoma, and New York — the bills made it further, to cross-committee status.
- Hawaii — The Consumer Data Protection Act
- Illinois — The Illinois Data Privacy and Protection Act
- Kentucky — The Kentucky Consumer Protection Data Act
- Louisiana — The Louisiana Consumer Privacy Act
- Maryland — The Online and Biometric Data Privacy Act
- Minnesota — The Minnesota Consumer Data Privacy Act
- Mississippi — The Mississippi Consumer Data Privacy Act
- New York — The Digital Fairness Act, The New York Privacy Act, The New York Data Protection Act, The It’s Your Data Act
- Oklahoma — The Oklahoma Computer Data Privacy Act
- Rhode Island — The Rhode Island Data Transparency and Privacy Protection Act, The Rhode Island Personal Data and Online Privacy Protection Act
- South Carolina — The South Carolina Biometric Data Privacy Act
- Vermont — Unnamed (H.121, “An act relating to enhancing consumer privacy”)
- Washington — The People’s Privacy Act
- West Virginia — The Consumer Data Protection Act
Since legislators in these states have expressed clear interest in passing data privacy regulations, it’s likely that we’ll see successful bills enacted over the next few years.
The 15 states with no data privacy bills on the books
The remaining states with no comprehensive data protection bills are generally located in the Midwest and South. Many of these states also have relatively small populations, like Wyoming with under 600,000 residents and Alaska with under 750,000. The states that have yet to introduce any data privacy legislation include:
- New Mexico
- North Dakota
- South Dakota
It remains to be seen whether these states will jump on the bandwagon and introduce their own laws, or whether they will wait indefinitely for the passage of a federal data protection law instead.
Strengthening data privacy, wherever your data resides
Currently, individual state data privacy laws offer a way to fill the gap left by the federal government. However, the patchwork of state laws highlights the need for a comprehensive federal data privacy law that can streamline data protection requirements in the United States. It also creates a complex regulatory landscape and presents compliance challenges for businesses — particularly those operating across state lines.
Whether or not your organization does business in one of the states with an official data privacy law, it’s likely that you will have to meet compliance with some kind of data protection regulation in the future. To help support your compliance efforts, we have a few suggestions and cybersecurity best practices.
Follow data minimization and privacy by design frameworks. The right mindset toward data can help greatly with compliance for both current and future data privacy laws. A data minimization framework will help organizations collect and store only the minimum amount of personal data necessary for business purposes. Meanwhile, a privacy by design approach will help organizations proactively integrate strong privacy practices into their systems, technologies, and everyday operations.
Conduct regular data audits. It’s critical to have a thorough understanding of the data flows within your organization, including how data is acquired, stored, and shared. Identifying and classifying the types of data your organization collects and processes — and knowing exactly where that data resides — is an essential part of data privacy.
Conduct ongoing employee training. It’s also important to invest in employee training on privacy best practices and cybersecurity awareness. Your workforce should be well-versed in identifying potential security risks and understanding the importance of protecting sensitive information. Regular training sessions and awareness programs can significantly reduce the likelihood of data breaches and ensure compliance with evolving data protection regulations.
Implement robust data encryption. To safeguard sensitive information and protect it from unauthorized access, consider implementing strong data encryption protocols. The right encryption solutions will ensure that data remains unintelligible to unauthorized parties, even in the event of a data breach or ransomware attack.
Consider ShardSecure. We provide advanced data security, privacy, and resilience with our innovative approach to file-level encryption, which secures data from access by unauthorized third parties. As part of a robust cybersecurity strategy, ShardSecure’s platform can help you safeguard consumer data as well as sensitive enterprise data and any other vital information you might want to protect. We were recently named a 2023 Gartner® Cool Vendor in Privacy.
Interested in learning more about ShardSecure? Visit our data privacy page to get started.
GARTNER is a registered trademark and service mark of Gartner and Cool Vendors is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.