Support Centre
US Privacy Laws
workspace-icon
Back

US Privacy Laws

                                                                             Comply with US Privacy Laws

The enactment of the California Consumer Privacy Act of 2018 (CCPA) on January 1, 2020 with an enforceability date of July 1, 2020, marked the first comprehensive US state privacy law. Following this, a flurry of privacy-related legislation at both the federal and state level followed. Although many of these bills failed to become law, several other states, including Colorado, Virginia, Utah, Connecticut, Iowa, Indiana, Tennessee and Montana have since passed privacy legislation. Moreover, a federal bill known as the American Data Privacy and Protection Act (ADPPA) is making its way through Congress. The bill is significant as it marks the first federal privacy bill to gain both bipartisan and bicameral support. If enacted, the ADPPA would preempt the majority of state and local laws, rendering any similar provisions therein invalid.

With numerous states now enacting privacy legislation, and with a federal bill in the works, privacy compliance in the US has become a complex issue for companies to navigate.

At OneTrust DataGuidance, our team of in-house Privacy Analysts works with an external network of contributors to provide you with daily updates and in-depth insight articles, so you can stay on top of all relevant developments in the US.

Our State Law Tracker enables you to easily track privacy-related bills in different US states to determine which laws might affect your operations. Additionally, our Sectoral Privacy Overview Comparison provides you with detailed information on the existing privacy frameworks in multiple states.

Entry into Effect Dates

State          Law      Effective Date
   
California          California Consumer Privacy Act of 2018 (CCPA)      In effect
Virginia          Consumer Data Protection Act (CDPA)      In effect
California          California Privacy Rights Act of 2020 (CPRA)      In effect 
Colorado          Colorado Privacy Act (CPA)      July 1, 2023
Connecticut          Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA)      July 1, 2023
Utah          Consumer Privacy Act (UCPA)      December 31, 2023
Montana          Consumer Data Privacy Act (MCDPA)      October 1, 2024
Iowa          Iowa Consumer Data Protection Act (ICDPA)      January 1, 2025
Tennessee          Tennessee Information Protection Act (TIPA)       July 1, 2025
Indiana          Consumer Data Protection Act (ICDPA)      January 1, 2026
See All USA News
25 May 2023

California: Bill on exemptions for abortion services under CCPA passes first reading in Senate

Assembly Bill 1194 California Privacy Rights Act of 2020: exemptions: abortion services passed its first reading in the California Senate, on May 23, 2023, and thereafter on the same date was referred to the Committee on Rules.

Privacy Law Reform, Health and Pharmaceutical
24 May 2023

USA: FTC files proposed order against Edmodo for COPPA Rule violations

The Federal Trade Commission (FTC) announced, on May 22, 2023, that the Department of Justice had filed on its behalf a proposed order against Edmodo, Inc. for violations of the Children's Online Privacy Protection Act Rule (COPPA Rule) and unfair practices in violation of the Federal Trade Commission Act (FTC Act).

Laws, Regulations and Enforcement, Children's Data, Consent, Enforcement Actions, Fines, Education
23 May 2023

California: Bill relating to in-vehicle cameras passes second reading

On May 22, 2023, Senate Bill 296 on in-vehicle cameras passed its second reading and has been ordered for a third reading.

Privacy Law Reform, Artificial Intelligence
23 May 2023

California: Bill on exemptions for abortion services under CCPA passes third reading

Assembly Bill 1194 California Privacy Rights Act of 2020: exemptions: abortion services passed its third reading, on May 22, 2023, and has been ordered to the California Senate.

Privacy Law Reform, Health and Pharmaceutical
23 May 2023

California: Bill on CCPA sensitive personal information passes third reading

Assembly Bill 947 California Consumer Privacy Act of 2018: Sensitive Personal Information passed its third reading, on May 22, 2023, and has been ordered to the California Senate.

Privacy Law Concepts, Privacy Law Reform
19 May 2023

USA: Bill establishing a new federal body to oversee and regulate digital platforms introduced to Congress

On May 18, 2023, U.S. Senator for Colorado, Michael Bennet, announced the introduction of bill S.1671 to the U.S. Senate, which was thereafter read twice and referred to the Committee on Commerce, Science, and Transportation.

Privacy Law Reform, Supervisory Authority, Internet
18 May 2023

USA: FTC's proposed order prohibits Premom from sharing health data for advertising purposes

The Federal Trade Commission (FTC) announced, on May 17, 2023, that the Department of Justice had filed on its behalf a draft order against Easy Healthcare Corporation for deceptive and unfair acts or practices in violation of the Federal Trade Commission Act (FTC Act) and violations of the Health Breach Notification Rule under the Code of Feder

Privacy Notices, Consent, Enforcement Actions, Transparency, Health and Pharmaceutical, Incident and Breach, Direct Marketing
17 May 2023

USA: OCR announces $350,000 settlement with MedEvolve following breach notification

On May 16, 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had reached a settlement with MedEvolve, Inc. The settlement requires MedEvolve to pay the OCR $350,000 and to undertake a Corrective Action Plan (CAP).

Enforcement Actions, Privacy Law Principles, Health and Pharmaceutical
16 May 2023

Connecticut: Bill relating to AI, automated decision-making, and personal data privacy passes Senate

Senate Bill 1103 for an Act concerning Artificial intelligence, automated decision-making and personal data privacy was passed with amendments, on 11 May 2023, by the Connecticut State Senate and thereafter, on 12 May 2023, sent

Children's Data, Privacy Law Reform, Artificial Intelligence
16 May 2023

Colorado: AG announces $21,250 settlement with Ifficient due to consent shortcomings in advocacy campaign

The Colorado Attorney General ('AG'), Phil Weise,r announced, on 10 May 2023, that they had entered, on 8 May 2023, an Assurance of Discontinuance constituting a settlement of $21,250, with Ifficient Inc., for the alleged violation of §§6-1-105(1)(e) and 6-1-105(1)(u) of the Colorado Consumer Protection Act ('CCPA').

Consent, Fines, Direct Marketing
14 May 2023

California: Bill on CCPA sensitive personal information passes second reading

Assembly Bill 947 California Consumer Privacy Act of 2018: Sensitive Personal Information passed the second reading, on 11 May 2023, and has been ordered for a third reading.

Privacy Law Concepts, Privacy Law Reform
14 May 2023

California: Bill on exemptions for abortion services under CCPA passes second reading

Assembly Bill 1194 California Privacy Rights Act of 2020: exemptions: abortion services passed second reading, on 11 May 2023, and has been ordered for a third reading.

Privacy Law Reform, Health and Pharmaceutical
See All USA Insights
May 2023

Montana: Consumer Data Privacy Act - a comprehensive state privacy law

The Consumer Data Privacy Act was introduced, on February 16, 2023, to the Montana State Senate. Since then, the Act has passed both the State Senate, as well as the House of Representatives, and was signed by the Governor of Montana, Greg Gianforte, on May 18, 2023.

Privacy Impact Assessments, Data Subject Rights, Privacy Law Concepts, Privacy Law Principles, Privacy Law Reform
May 2023

Indiana: CDPA - FAQs

The Consumer Data Protection Act (CDPA) was introduced to the Indiana State Senate on January 9, 2023. After passing both Houses of the Indiana General Assembly, the CDPA was signed by the Governor on May 1, 2023.

The CDPA will now enter into effect on January 1, 2026.

Privacy Impact Assessments, Privacy Law Concepts, Privacy Law Reform
May 2023

California: Operationalizing CPRA - sensitive personal information

On July 8, 2022, the California Privacy Protection Agency (CPPA) began the formal rulemaking process to update the California Consumer Privacy Act (CCPA) regulations to operationalize new rights and concepts the California Privacy Rights Act (CPRA) introduced.

Privacy Law Concepts, Privacy Law Reform
May 2023

Indiana: Consumer data protection act - a comprehensive state privacy law

The Consumer Data Protection Act (CDPA) was introduced, on January 9, 2023, to the Indiana State Senate. Since then, the Act has passed both the State Senate, as well as the House of Representatives, and was signed by the Governor of Indiana, Eric Holcomb, on May 1, 2023.

Privacy Law Principles
May 2023

Colorado: Analysing the finalised CPA rules

On 15 March 2023, the Colorado Attorney General's ('AG') Office announced it had filed the finalised Colorado Privacy Act Rules ('the CPA Rules') with the Colorado Secretary of State. The CPA Rules will go into effect on 1 July 2023 - the same date the Colorado Privacy Act ('CPA') goes into effect.

Privacy Impact Assessments, Privacy Notices, Consent, Privacy Law Concepts, Privacy Law Principles, Privacy Law Reform, Profiling
May 2023

California: Operationalising CPRA - vendors and vendor management

In November 2020, California voters passed the California Privacy Rights Act of 2020 ('CPRA'), which amended the existing California Consumer Privacy Act of 2018 ('CCPA') passed by the California legislature in 2018 and which became effective on 1 January 2020.

Privacy Law Reform, Vendor Management
May 2023

International: GDPR v. HIPAA - Comparing and contrasting two important data protection regimes

The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Health Insurance Portabili

Data Protection Officer, Privacy Impact Assessments, Anonymization and Pseudonymization, Data Subject Rights, Privacy Law Principles, Health and Pharmaceutical, Breach Notification, Incident and Breach
May 2023

California: Operationalising CPRA - scope and application

The California Consumer Privacy Act of 2018 ('CCPA'), signed into law in 2018, granted consumers new rights with respect to the collection and use of their personal information.

Privacy Law Concepts, Privacy Law Reform
Apr 2023

California: COPPA v. CAADC - strength lies in knowing the differences

Assembly Bill 2273 for the California Age Appropriate Design Code Act ('CAADC') was signed into law on 15 September 2022 and will become effective on 1 July 2024.

Accountability, Children's Data, Data Subject Rights, Privacy Law Concepts, Privacy Law Reform
Apr 2023

California: Operationalising CPRA - new and expanded consumer rights under CCPA

The California Privacy Rights Act of 2020 ('CPRA') became fully operative on 1 January 2023. The CPRA was approved by California voters in a November 2020 ballot initiative and amends the requirements of the California Consumer Privacy Act of 2018 ('CCPA').

Employment, Data Subject Rights, Privacy Law Reform
Apr 2023

USA: The rising use of biometrics and consequential legal and compliance risks

Whether it is facial recognition technology ('FRT') being used by law enforcement or in connection with various physical security and access management applications, the use of fingerprint-based time management systems or voiceprint technologies to validate identity, applications in the public and private sectors involving the use of biometric i

Anonymization and Pseudonymization, Biometric Data, Privacy Law Concepts, Artificial Intelligence
Apr 2023

Colorado: Comparing the CPA with the CPPA as amended

In the US, California has been leading the charge in developing privacy standards and regulating the processing and selling of personal information, most importantly with the California Consumer Privacy Act of 2018 (last amended in 2019) ('CCPA'), as amended by the California Privacy Rights Act of 2020 ('CPRA'), ('CCPA as amended').

Privacy Impact Assessments, Data Subject Rights, Fines, Privacy Law Concepts, Privacy Law Reform, Direct Marketing

Comparing State Privacy Laws

Request a jurisdiction

Comparing US State Privacy Laws

Our US State Privacy Law Comparison allows you to compare and contrast requirements across each of the comprehensive privacy laws passed by States, making it easier to streamline compliance efforts and keep pace with the evolving landscape in the US. The Chart can be used alongside our US State Tracker, which allows you to monitor privacy-related bills during the legislative sessions, and our Sectoral Overview which provides further information on sector-specific laws in each US State.

  • There is a requirement in place.
  • Click to view information for additional detail.
  • There is no requirement in place.
Request a jurisdiction

(US) Law and Authority

Export
Compare Reset
    title
  • Law
  • Bill
    Scope
  • Personal
  • Territorial
  • Material
    title
  • Authority
  • California
  • Colorado
  • Connecticut
  • Iowa
  • Utah
  • Virginia
Request a jurisdiction

(US) Definitions

Export
Compare Reset
    title
  • Data Controller
  • Data Processor
  • Personal Data
  • Sensitive Data
  • Health Data
  • Biometric Data
  • Pseudonymisation
  • California
  • Colorado
  • Connecticut
  • Iowa
  • Utah
  • Virginia
Request a jurisdiction

(US) Controller and Processor Obligations

Export
Compare Reset
    title
  • Data Processing Registration
  • Data Transfers
  • Data Processing Records
  • DPIAs
  • DPOs
  • Breach Notification
  • Data Retention
  • Children's Data
  • Special Categories
  • Vendor Contracts
  • California
  • Colorado
  • Connecticut
  • Iowa
  • Utah
  • Virginia
Request a jurisdiction

(US) Individuals' Rights

Export
Compare Reset
    title
  • Informed
  • Access
  • Rectification
  • Erasure
  • Object
  • Portability
  • Automated Decision-Making
  • Other
  • California
  • Colorado
  • Connecticut
  • Iowa
  • Utah
  • Virginia
Request a jurisdiction

(US) Penalties and Enforcement

Export
Compare Reset
    title
  • Penalties
  • Enforcement
  • California
  • Colorado
  • Connecticut
  • Iowa
  • Utah
  • Virginia

Sectoral Privacy Overview

Request a jurisdiction

USA Sectoral Privacy Overview

  • There is a law/restriction/exemption in place.
  • Click to view information for additional detail.
  • There is no law/requirement/exemption in place.

This Comparison is part of an ongoing OneTrust DataGuidance project, which will be expanding over time. Current non-inclusion of certain US States does not preclude the applicability of specific privacy-related laws within those States.

Export
Compare Reset
    title
  • Constitution
  • Key Privacy Laws
  • Health data
  • Financial data
  • Employment data
  • Online privacy
  • Unsolicited Commercial Communications
  • Privacy Policies
  • Data Security
  • Other
  • Alabama
  • Alaska
  • Arkansas
  • California
  • Colorado
  • Connecticut
  • Delaware
  • District of Columbia
  • Florida
  • Georgia (US)
  • Hawaii
  • Indiana
  • Kansas
  • Louisiana
  • Maine
  • Maryland
  • Massachusetts
  • Michigan
  • Minnesota
  • Mississippi
  • Nebraska
  • New Hampshire
  • New Jersey
  • New Mexico
  • New York
  • Oklahoma
  • Pennsylvania
  • Rhode Island
  • South Carolina
  • Tennessee
  • Texas
  • Utah
  • Vermont
  • Washington
  • West Virginia
  • Wisconsin

Company

Our Policies

Your Rights

© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.