US Privacy Laws
Comply with US Privacy Laws
The enactment of the California Consumer Privacy Act of 2018 (CCPA) on January 1, 2020 with an enforceability date of July 1, 2020, marked the first comprehensive US state privacy law. Following this, a flurry of privacy-related legislation at both the federal and state level followed. Although many of these bills failed to become law, several other states, including Colorado, Virginia, Utah, Connecticut, Iowa, Indiana, Tennessee and Montana have since passed privacy legislation. Moreover, a federal bill known as the American Data Privacy and Protection Act (ADPPA) is making its way through Congress. The bill is significant as it marks the first federal privacy bill to gain both bipartisan and bicameral support. If enacted, the ADPPA would preempt the majority of state and local laws, rendering any similar provisions therein invalid.
With numerous states now enacting privacy legislation, and with a federal bill in the works, privacy compliance in the US has become a complex issue for companies to navigate.
At OneTrust DataGuidance, our team of in-house Privacy Analysts works with an external network of contributors to provide you with daily updates and in-depth insight articles, so you can stay on top of all relevant developments in the US.
Our State Law Tracker enables you to easily track privacy-related bills in different US states to determine which laws might affect your operations. Additionally, our Sectoral Privacy Overview Comparison provides you with detailed information on the existing privacy frameworks in multiple states.
Entry into Effect Dates
State | Law | Effective Date |
---|---|---|
California | California Consumer Privacy Act of 2018 (CCPA) | In effect |
Virginia | Consumer Data Protection Act (CDPA) | In effect |
California | California Privacy Rights Act of 2020 (CPRA) | In effect |
Colorado | Colorado Privacy Act (CPA) | July 1, 2023 |
Connecticut | Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) | July 1, 2023 |
Utah | Consumer Privacy Act (UCPA) | December 31, 2023 |
Montana | Consumer Data Privacy Act (MCDPA) | October 1, 2024 |
Iowa | Iowa Consumer Data Protection Act (ICDPA) | January 1, 2025 |
Tennessee | Tennessee Information Protection Act (TIPA) | July 1, 2025 |
Indiana | Consumer Data Protection Act (ICDPA) | January 1, 2026 |
Videos and Webinars
- California Privacy Rights Act: Reaction & Analysis
- A US Federal Privacy Bill is On the Horizon: Get to Know
- Understanding the New CPRA Draft Regulations & The ADPPA
- GDPR v CCPA & CPRA
- US Privacy Update: Recent Developments in Privacy Legislation
- Threat and Breach Response
- NIST Privacy Framework
- HIPAA Compliance and Cybersecurity Challenges
Assembly Bill 1194 California Privacy Rights Act of 2020: exemptions: abortion services passed its first reading in the California Senate, on May 23, 2023, and thereafter on the same date was referred to the Committee on Rules.
The Federal Trade Commission (FTC) announced, on May 22, 2023, that the Department of Justice had filed on its behalf a proposed order against Edmodo, Inc. for violations of the Children's Online Privacy Protection Act Rule (COPPA Rule) and unfair practices in violation of the Federal Trade Commission Act (FTC Act).
On May 22, 2023, Senate Bill 296 on in-vehicle cameras passed its second reading and has been ordered for a third reading.
Assembly Bill 1194 California Privacy Rights Act of 2020: exemptions: abortion services passed its third reading, on May 22, 2023, and has been ordered to the California Senate.
Assembly Bill 947 California Consumer Privacy Act of 2018: Sensitive Personal Information passed its third reading, on May 22, 2023, and has been ordered to the California Senate.
On May 18, 2023, U.S. Senator for Colorado, Michael Bennet, announced the introduction of bill S.1671 to the U.S. Senate, which was thereafter read twice and referred to the Committee on Commerce, Science, and Transportation.
The Federal Trade Commission (FTC) announced, on May 17, 2023, that the Department of Justice had filed on its behalf a draft order against Easy Healthcare Corporation for deceptive and unfair acts or practices in violation of the Federal Trade Commission Act (FTC Act) and violations of the Health Breach Notification Rule under the Code of Feder
On May 16, 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had reached a settlement with MedEvolve, Inc. The settlement requires MedEvolve to pay the OCR $350,000 and to undertake a Corrective Action Plan (CAP).
Senate Bill 1103 for an Act concerning Artificial intelligence, automated decision-making and personal data privacy was passed with amendments, on 11 May 2023, by the Connecticut State Senate and thereafter, on 12 May 2023, sent
The Colorado Attorney General ('AG'), Phil Weise,r announced, on 10 May 2023, that they had entered, on 8 May 2023, an Assurance of Discontinuance constituting a settlement of $21,250, with Ifficient Inc., for the alleged violation of §§6-1-105(1)(e) and 6-1-105(1)(u) of the Colorado Consumer Protection Act ('CCPA').
Assembly Bill 947 California Consumer Privacy Act of 2018: Sensitive Personal Information passed the second reading, on 11 May 2023, and has been ordered for a third reading.
Assembly Bill 1194 California Privacy Rights Act of 2020: exemptions: abortion services passed second reading, on 11 May 2023, and has been ordered for a third reading.
The Consumer Data Privacy Act was introduced, on February 16, 2023, to the Montana State Senate. Since then, the Act has passed both the State Senate, as well as the House of Representatives, and was signed by the Governor of Montana, Greg Gianforte, on May 18, 2023.
The Consumer Data Protection Act (CDPA) was introduced to the Indiana State Senate on January 9, 2023. After passing both Houses of the Indiana General Assembly, the CDPA was signed by the Governor on May 1, 2023.
The CDPA will now enter into effect on January 1, 2026.
On July 8, 2022, the California Privacy Protection Agency (CPPA) began the formal rulemaking process to update the California Consumer Privacy Act (CCPA) regulations to operationalize new rights and concepts the California Privacy Rights Act (CPRA) introduced.
The Consumer Data Protection Act (CDPA) was introduced, on January 9, 2023, to the Indiana State Senate. Since then, the Act has passed both the State Senate, as well as the House of Representatives, and was signed by the Governor of Indiana, Eric Holcomb, on May 1, 2023.
On 15 March 2023, the Colorado Attorney General's ('AG') Office announced it had filed the finalised Colorado Privacy Act Rules ('the CPA Rules') with the Colorado Secretary of State. The CPA Rules will go into effect on 1 July 2023 - the same date the Colorado Privacy Act ('CPA') goes into effect.
In November 2020, California voters passed the California Privacy Rights Act of 2020 ('CPRA'), which amended the existing California Consumer Privacy Act of 2018 ('CCPA') passed by the California legislature in 2018 and which became effective on 1 January 2020.
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Health Insurance Portabili
The California Consumer Privacy Act of 2018 ('CCPA'), signed into law in 2018, granted consumers new rights with respect to the collection and use of their personal information.
Assembly Bill 2273 for the California Age Appropriate Design Code Act ('CAADC') was signed into law on 15 September 2022 and will become effective on 1 July 2024.
The California Privacy Rights Act of 2020 ('CPRA') became fully operative on 1 January 2023. The CPRA was approved by California voters in a November 2020 ballot initiative and amends the requirements of the California Consumer Privacy Act of 2018 ('CCPA').
Whether it is facial recognition technology ('FRT') being used by law enforcement or in connection with various physical security and access management applications, the use of fingerprint-based time management systems or voiceprint technologies to validate identity, applications in the public and private sectors involving the use of biometric i
In the US, California has been leading the charge in developing privacy standards and regulating the processing and selling of personal information, most importantly with the California Consumer Privacy Act of 2018 (last amended in 2019) ('CCPA'), as amended by the California Privacy Rights Act of 2020 ('CPRA'), ('CCPA as amended').
Comparing State Privacy Laws
Comparing US State Privacy Laws
Our US State Privacy Law Comparison allows you to compare and contrast requirements across each of the comprehensive privacy laws passed by States, making it easier to streamline compliance efforts and keep pace with the evolving landscape in the US. The Chart can be used alongside our US State Tracker, which allows you to monitor privacy-related bills during the legislative sessions, and our Sectoral Overview which provides further information on sector-specific laws in each US State.
- There is a requirement in place.
- Click to view information for additional detail.
- There is no requirement in place.
(US) Definitions
(US) Legal Bases
(US) Controller and Processor Obligations
(US) Individuals' Rights
(US) Penalties and Enforcement
Sectoral Privacy Overview
USA Sectoral Privacy Overview
- There is a law/restriction/exemption in place.
- Click to view information for additional detail.
- There is no law/requirement/exemption in place.
This Comparison is part of an ongoing OneTrust DataGuidance project, which will be expanding over time. Current non-inclusion of certain US States does not preclude the applicability of specific privacy-related laws within those States.
- title
- Constitution
- Key Privacy Laws
- Health data
- Financial data
- Employment data
- Online privacy
- Unsolicited Commercial Communications
- Privacy Policies
- Data Security
- Other
- Alabama
- Alaska
- Arkansas
- California
- Colorado
- Connecticut
- Delaware
- District of Columbia
- Florida
- Georgia (US)
- Hawaii
- Indiana
- Kansas
- Louisiana
- Maine
- Maryland
- Massachusetts
- Michigan
- Minnesota
- Mississippi
- Nebraska
- New Hampshire
- New Jersey
- New Mexico
- New York
- Oklahoma
- Pennsylvania
- Rhode Island
- South Carolina
- Tennessee
- Texas
- Utah
- Vermont
- Washington
- West Virginia
- Wisconsin