US Privacy Laws
Comply with US Privacy Laws
The enactment of the California Consumer Privacy Act of 2018 (CCPA) on January 1, 2020 with an enforceability date of July 1, 2020, marked the first comprehensive US state privacy law. Following this, a flurry of privacy-related legislation at both the federal and state level followed. Although many of these bills failed to become law, several states have now managed to pass comprehensive privacy legislation. Moreover, a federal bill known as the American Data Privacy and Protection Act (ADPPA) is making its way through Congress. The bill is significant as it marks the first federal privacy bill to gain both bipartisan and bicameral support. If enacted, the ADPPA would preempt the majority of state and local laws, rendering any similar provisions therein invalid.
With numerous states now enacting privacy legislation, and with a federal bill in the works, privacy compliance in the US has become a complex issue for companies to navigate.
At OneTrust DataGuidance, our team of in-house Privacy Analysts works with an external network of contributors to provide you with daily updates and in-depth insight articles, so you can stay on top of all relevant developments in the US.
Our State Law Tracker enables you to easily track privacy-related bills in different US states to determine which laws might affect your operations. Additionally, our Sectoral Privacy Overview Comparison provides you with detailed information on the existing privacy frameworks in multiple states.
Entry into Effect Dates
Videos and Webinars
Federal US privacy bill on the horizon? Exploring the draft APRA & new state privacy legislation
The road to 50 states: New Jersey and New Hampshire join the US privacy landscape
The road to 50 states: Delaware and Oregon join the US privacy landscape
- California Privacy Rights Act: Reaction & Analysis
- GDPR v CCPA & CPRA
- Threat and Breach Response
- NIST Privacy Framework
- HIPAA Compliance and Cybersecurity Challenges
On July 25, 2024, the U.S. Senate voted in favor of Senate Bill 2073 for the Eliminate Useless Reports Act of 2024, which contained Senate Amendment 3021, the Kids Online Safety and Privacy Act (KOSPA).
The Federal Communications Commission (FCC) published on July 22, 2024, its consent order as adopted on July 19, 2024, in which it imposed a civil penalty of $16 million to TracFone Wireless, Inc. for violations of the Communications Act of 1934, following three data breaches that occurred between January 2021 and January 2023.
On May 23, 2024, US Senators Maria Cantwell, Chair of the Senate Committee on Commerce, Science, and Transportation, and Jerry Moran, senior member of the Commerce Committee, introduced the National Science Foundation (NSF) AI Education Act of 2024.
On July 15, 2024, Assembly Bill 3286 for California Consumer Privacy Act of 2018: monetary thresholds: grants was signed by the Governor of California following its passage by the California State Senate on June 27, 2024, and the Cal
On July 3, 2024, the California Privacy Protection Agency (CPPA) published additional materials ahead of its board meeting scheduled for July 16, 2024.
On July 11, 2024, U.S. Senator Maria Cantwell, Chair of the Senate Commerce Committee, alongside Senators Marsha Blackburn and Martin Heinrich, introduced a bill for the Content Origin Protection and Integrity from Edited and Deepfaked Media Act (COPIED Act).
On July 11, 2024, the U.S. Chamber of Commerce (the Chamber) published a statement for the Senate Committee on Commerce, Science, and Transportation hearing titled 'The Need to Protect Americans' Privacy and the AI Accelerant.'
On July 9, 2024, the Federal Communications Commission (FCC) announced a settlement with CaptionCall and its parent company Sorenson Communications, LLC to resolve an investigation regarding the unlawful retention of call data and the submission of inaccurate information to the Telecommunications Relay Service (TRS) Fund Administrator.
On July 9, 2024, the Federal Trade Commission (FTC) announced that it had issued a proposed order against NGL Labs, LLC and its co-founders, for the active marketing of their social media app, NGL App, to children and minors, and deceptive claims surrounding the use of artificial intelligence (AI) to prevent cyberbullying, in violation of Sectio
On July 5, 2024, the California Privacy Protection Agency (CPPA) requested public comments on a Notice of Proposed Rulemaking regarding Data Broker Registration pursuant to Senate Bill 362 (the Delete Act).
On July 1, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $950,000 settlement with Heritage Valley Health System for potential violations of the Health Insurance Portability and Accountability Act Security Rule (the HIPAA Security Rule), following a ransomware attack.
On July 1, 2024, the Florida Digital Bill of Rights (FDBR), Oregon Consumer Privacy Act (OCPA), and Texas Data Security and Privacy Act (TDPSA) entered into effect.
The FDBR, OCPA, and TDPSA join state privacy legislation already in force in California, Connecticut, Colorado, Virginia, and Utah.
On April 7, 2024, a bipartisan, bicameral Act was introduced. It aims to establish a federal-level comprehensive privacy law and eliminate the growing patchwork of US state-level comprehensive privacy laws. The initial draft of the Act has evolved since its introduction and was recently introduced as House Bill 8818 (House Bill).
On May 24, 2024, Minnesota adopted the Minnesota Consumer Data Privacy Act (MCDPA), becoming the 19th state to adopt a comprehensive state privacy law.
On June 25, 2024, the Governor of Rhode Island transmitted House Bill 7787 and Senate Bill 2500 for the Rhode Island Data Transparency and Privacy Protection Act (collectively referred as RIDTPPA) without signature to become law. The RIDTPPA will enter into effect on January 1, 2026.
Kentucky has joined the growing count of states to enact a comprehensive data privacy law. The law, passed as House Bill 15 and titled the Kentucky Consumer Data Protection Act (KCDPA), was passed by the Kentucky legislature on March 27, 2024, and signed by Governor Andy Beshear on April 4, 2024.
The American Privacy Rights Act 2024 (APRA) was released on April 7, 2024, by U.S. Representative Cathy Rodgers and U.S. Senator Maria Cantwell. Thereafter, on May 23, 2024, the U.S.
Amid little clarity from courts, wiretap claims targeting the use of data analytics tools on websites are becoming increasingly common. Timothy J. Toohey and Alexis S.
The US privacy landscape has seen significant change in the past year, through the introduction of various state privacy legislation and federal initiatives.
On May 10, 2024, the Vermont Legislature passed House Bill 121 for an act relating to enhancing consumer privacy and the age-appropriate design code (the Bill), which was subsequently vetoed by the Governor of Vermont.
In the US, privacy laws are quickly evolving - especially for financial services companies. A significant number of states are passing or contemplating laws to protect personal information, including consumer financial information. At the same time, U.S.
On May 24, 2024, Omnibus Senate Bill 4757, containing the Minnesota Consumer Data Privacy Act (MCDPA), was approved by the Governor of Minnesota after its passage in the Legislature on May 19, 2024, and will enter into effect on July 31, 2025.
Colorado became the first state to adopt a comprehensive AI framework when Governor Polis signed Senate Bill 205. The law, unlike the EU Artificial Intelligence Act (AI Act), does not ban certain uses of artificial intelligence (AI).
Comparing State Privacy Laws
Comparing US State Privacy Laws
Our US State Privacy Law Comparison allows you to compare and contrast requirements across each of the comprehensive privacy laws passed by States, making it easier to streamline compliance efforts and keep pace with the evolving landscape in the US. The Chart can be used alongside our US State Tracker, which allows you to monitor privacy-related bills during the legislative sessions, and our Sectoral Overview which provides further information on sector-specific laws in each US State.
- There is a requirement in place.
- Click to view information for additional detail.
- There is no requirement in place.
(US) Definitions
(US) Legal Bases
(US) Individuals' Rights
(US) Penalties and Enforcement
Sectoral Privacy Overview
USA Sectoral Privacy Overview
- There is a law/restriction/exemption in place.
- Click to view information for additional detail.
- There is no law/requirement/exemption in place.
This Comparison is part of an ongoing OneTrust DataGuidance project, which will be expanding over time. Current non-inclusion of certain US States does not preclude the applicability of specific privacy-related laws within those States.
- title
- Constitution
- Key Privacy Laws
- Health data
- Financial data
- Employment data
- Online privacy
- Unsolicited Commercial Communications
- Privacy Policies
- Data Security
- Other
- Alabama
- Arkansas
- California
- Colorado
- Connecticut
- Delaware
- District of Columbia
- Florida
- Georgia (US)
- Hawaii
- Indiana
- Iowa
- Kansas
- Louisiana
- Maine
- Maryland
- Michigan
- Minnesota
- Mississippi
- Nebraska
- New Hampshire
- New Jersey
- New Mexico
- New York
- Oklahoma
- Oregon
- Pennsylvania
- Rhode Island
- South Carolina
- Tennessee
- Texas
- Utah
- Vermont
- Washington
- West Virginia
- Wisconsin