State Privacy Laws Compliance
Individual states are passing their own data privacy laws to protect citizens’ privacy rights, regulate data handling practices, and set standards for businesses operating within their jurisdiction. Noncompliance can be costly.
The Kiteworks Private Content Network enables organizations to comply with state data privacy laws. Detailed audit logs of data access and transfers and real-time monitoring simplify compliance and enable prompt identification of unauthorized access. And secure web forms and data collection mechanisms establish reliable opt-in mechanisms and consent procedures.
US State Privacy Legislation Tracker
*scroll horizontally to view more cells
State | Introduced | Signed | Bill & Link | Name | Effective Date |
---|---|---|---|---|---|
California | CCPA/California Privacy Rights Act | California Consumer Privacy Act and California Privacy Rights Act | January 1, 2020, and January 1, 2023 | ||
Colorado | SB 190 | Colorado Privacy Act | July 1, 2023 | ||
Connecticut | SB 6 | Connecticut Data Privacy Act | July 1, 2023 | ||
Delaware | HB 154 | Delaware Personal Data Privacy Act | January 1, 2025 | ||
Indiana | SB 5 | Indiana Consumer Data Protection Act | January 1, 2026 | ||
Iowa | SF 262 | Iowa Consumer Data Protection Act | January 1, 2025 | ||
Kentucky | HB 15 | Kentucky Consumer Data Protection Act | January 1, 2026 | ||
Montana | SB 384 | Montana Consumer Data Privacy Act | October 1, 2024 | ||
New Hampshire | SB 255 | January 1, 2025 | |||
New Jersey | SB 332 | New Jersey Data Privacy Act | January 15, 2025 | ||
Oregon | SB 619 | Oregon Consumer Privacy Act | July 1, 2024 | ||
Tennessee | HB 1181 | Tennessee Information Protection Act | July 1, 2025 | ||
Texas | HB 4 | Texas Data Privacy and Security Act | July 1, 2024 | ||
Utah | SB 227 | Utah Consumer Privacy Act | December 31, 2023 | ||
Virginia | SB 1392 | Virginia Consumer Data Protection Act | January 1, 2023 | ||
Georgia | SB 473 | Georgia Consumer Privacy Protection Act | |||
Hawaii | SB 3018 | Consumer Data Protection Act | |||
Illinois | SB 3517 / HB 5581 | Privacy Rights Act / Illinois Privacy Rights Act | |||
Louisiana | SB 199 | Louisiana Consumer Privacy Act | |||
Maine | LD 1973 / LD 1977 | Maine Consumer Privacy Act / Data Privacy and Protection Act | |||
Maryland | HB 567 / SB 541 | Maryland Online Data Privacy Act | |||
Massachusetts | H 83 / S 25 / H 60 / S 227 / HD 3245 | Massachusetts Data Privacy Protection Act, Massachusetts Information Privacy and Security Act, Internet Bill of Rights | |||
Michigan | SB 659 | Michigan Personal Data Privacy Act | |||
Minnesota | HB 2309 / SB 2915 / HB 1367 / SB 950 / HF 1892 | Minnesota Consumer Data Privacy Act | |||
Missouri | SB 731 / SB 1501 | ||||
Nebraska | LB 1294 | Nebraska Data Privacy Act | |||
New York | A 6319 / SB 3162 / A 4374 / A 3593 / A 3308 / SB 2277 / SB 365 / A 2587 / S 5555 | New York Privacy Act, New York Data Protection Act, It’s Your Data Act, Digital Fairness Act, American Data Privacy and Protection Act | |||
North Carolina | SB 525 | North Carolina Consumer Privacy Act | |||
Ohio | HB 345 | Ohio Personal Privacy Act | |||
Pennsylvania | HB 1947 / HB 1201 | Pennsylvania Consumer Data Protection Act | |||
Rhode Island | H 7787 / S 2500 | Rhode Island Data Transparency and Privacy Protection Act | |||
Vermont | S 269 / H 121 | Vermont Data Privacy Act | |||
Wisconsin | AB 466 / SB 642 |
Frequently Asked Questions
Individual states in the U.S. have their own privacy laws to address their residents’ specific privacy and data protection needs and concerns. With the absence of a comprehensive federal privacy law, states have taken it upon themselves to protect their citizens’ privacy rights, regulate data handling practices, and set standards for businesses operating within their jurisdiction. These laws help ensure that companies are transparent about their data practices and allow consumers to control how their personal information is used.
The United States currently does not have a comprehensive national data privacy law similar to the EU’s General Data Protection Regulation (GDPR). Instead, the U.S. has a sectoral approach with different rules applying to specific sectors or types of data, such as the Health Insurance Portability and Accountability Act (HIPAA) for health information and the Gramm-Leach-Bliley Act (GLBA) for financial information. In the absence of a national data privacy law, individual states, including California, Texas, Colorado, Florida, and several others, are passing their own data privacy laws to protect their citizens’ privacy.
While compliance specifics vary from state to state and law to law, generally any business that collects, stores, processes, or shares a citizen’s personal information may be required to comply with that state’s privacy laws, even if the business is incorporated elsewhere. In some states, some rules may only apply to larger firms or those dealing with a specific volume of data or several consumers.
The rights provided to citizens can vary significantly by state and law. Some common rights include the right to know what personal information a business collects about them, the right to request deletion of their data, the right to opt out of the sale of their personal information, and the right to non-discrimination for exercising their privacy rights. The specifics depend on the relevant state law.
The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) both aim to protect personal data, but they differ in various ways:
- Scope: The CCPA applies to businesses operating in California and collecting personal information of California residents, while the GDPR applies to all organizations working within the EU, or dealing with data of EU citizens, irrespective of their country location.
- Rights: Both give individuals the right to access and delete their data, but the GDPR also includes rights like rectification (correcting inaccurate data) and objection (objecting to processing personal data), which the CCPA does not explicitly provide.
- Enforcement: The GDPR has more vigorous enforcement and steeper penalties, with maximum fines of up to €20 million or 4% of annual global turnover, whichever is higher. CCPA’s penalties can reach up to $7,500 per intentional violation.
- Consent: The GDPR requires citizens’ explicit and informed consent before collecting personal data, while the CCPA does not require upfront approval but does provide citizens the right to opt out of data sales, preventing organizations from selling a citizen’s personal data.