Support Centre
US Privacy Laws
workspace-icon
Back

US Privacy Laws

                                                                             Comply with US Privacy Laws

The enactment of the California Consumer Privacy Act of 2018 (CCPA) on January 1, 2020 with an enforceability date of July 1, 2020, marked the first comprehensive US state privacy law. Following this, a flurry of privacy-related legislation at both the federal and state level followed. Although many of these bills failed to become law, several states have now managed to pass comprehensive privacy legislation. Moreover, a federal bill known as the American Data Privacy and Protection Act (ADPPA) is making its way through Congress. The bill is significant as it marks the first federal privacy bill to gain both bipartisan and bicameral support. If enacted, the ADPPA would preempt the majority of state and local laws, rendering any similar provisions therein invalid.

With numerous states now enacting privacy legislation, and with a federal bill in the works, privacy compliance in the US has become a complex issue for companies to navigate.

At OneTrust DataGuidance, our team of in-house Privacy Analysts works with an external network of contributors to provide you with daily updates and in-depth insight articles, so you can stay on top of all relevant developments in the US.

Our State Law Tracker enables you to easily track privacy-related bills in different US states to determine which laws might affect your operations. Additionally, our Sectoral Privacy Overview Comparison provides you with detailed information on the existing privacy frameworks in multiple states.

Entry into Effect Dates

State          Law      Effective Date
   
California          California Consumer Privacy Act of 2018 (CCPA)      In effect
Virginia          Consumer Data Protection Act (CDPA)      In effect
California          California Privacy Rights Act of 2020 (CPRA)      In effect 
Colorado          Colorado Privacy Act (CPA)      July 1, 2023
Connecticut          Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA)      July 1, 2023
Utah          Consumer Privacy Act (UCPA)      December 31, 2023
Florida          Florida Digital Bill of Rights (FDBR)      July 1, 2024
Oregon          Oregon Consumer Privacy Act (OCPA)      July 1, 2024 (Sections 1-9 for non-charitable organizations)
Montana          Consumer Data Privacy Act (MCDPA)      October 1, 2024
Iowa          Iowa Consumer Data Protection Act (ICDPA)      January 1, 2025
Texas          Texas Data Privacy and Security Act (TDPSA)      January 1, 2025
Delaware          Delaware Personal Data Privacy Act (DPDPA)      January 1, 2025
Tennessee          Tennessee Information Protection Act (TIPA)       July 1, 2025
Indiana          Consumer Data Protection Act (ICDPA)      January 1, 2026
See All USA News
27 September 2023

California: Bill relating to healthcare sent to Governor

On September 21, 2023, Senate Bill No. 582 relating to healthcare was enrolled and presented to the California Governor for action.

Privacy Law Reform, Health and Pharmaceutical
27 September 2023

California: Bill on exemptions for abortion services under CCPA sent to Governor for action

On September 21, 2023, Assembly Bill 1194 for An act to amend Sections 1798.99.31, 1798.145, and 1798.185 of the Civil Code, relating to privacy was enrolled and sent to the California Governor for action.

Privacy Law Reform, Health and Pharmaceutical
27 September 2023

California: Bill relating to health information sent to Governor for action

On September 21, 2023, Assembly Bill 352 on Health information was enrolled and sent to the California Governor for action. The bill outlines requirements for relevant entities which include providers of healthcare or pharmaceutical

Privacy Law Reform, Health and Pharmaceutical
26 September 2023

USA: SEC approves revised Privacy Act rule

On September 20, 2023, the Securities and Exchange Commission (SEC) announced the approval of the finalized rule providing for amendments to the Privacy Act of 1974.

Data Subject Rights, Privacy Law Reform
21 September 2023

International: DSIT announces UK-US Data Bridge effective October 12, 2023

On September 21, 2023, the Department of Science, Innovation and Technology (DSIT) published the Data Protection (Adequacy) (United States of America) Regulations 2023 for the UK Extension to the EU-US Data Privacy Framework (the Regulations). In particular, the Regulations provide that for the purposes of Part 2 of the Data Protection Act 2018

Privacy Law Reform, Adequate Protection, Data Transfers, Third Countries
21 September 2023

USA: Representatives introduce companion bill on targeted advertising

On September 18, 2023, U.S. Representative Anna G. Eshoo announced that, along with fellow U.S. Representative Jan Schakowsky, the introduction of bill HR5534 to prohibit targeted advertising by advertisers and advertising facilitators, and for other purposes, also known as the Banning Surveillance Advertising Act of 2023.

Privacy Law Reform, Direct Marketing, Profiling
20 September 2023

USA: Senators introduce bill on targeted advertising

On September 19, 2023, U.S. Senator Ron Wyden announced that he, along with Senator Cory Booker, had introduced Senate Bill 2833 to prohibit targeted advertising by advertisers and advertising facilitators, also known as the Banning Surveillance Advertising Act of 2023.

Scope

Privacy Law Reform, Direct Marketing, Profiling
19 September 2023

California: Bill relating to in-vehicle cameras passes both houses

On September 18, 2023, the California State Assembly concurred with the amendments introduced by the California State Senate to Senate Bill 296 on in-vehicle cameras, which was thereafter enrolled and presented to the Governor.

Privacy Law Reform, Automotive
19 September 2023

California: Court rules that California Age-Appropriate Design Code likely violates First Amendment

On September 18, 2023, the U.S. State District Court for the Northern District of California San Jose Division granted a preliminary injunction to NetChoice LLC on the basis that provisions of the California Age-Appropriate Design Code Act likely violate the First Amendment of the United States Constitution.

Children's Data, Litigation, Privacy Law Reform
19 September 2023

USA: Background report providers to pay $5.8M for inaccurate personal information

On September 11, 2023, the Federal Trade Commission (FTC) announced that it had filed a proposed order against Instant Checkmate, LLC, TruthFinder, LLC, the Control Group Media Company LLC, Interlicare Direct LLC, and PubRec LLC, (collectively, the defendants) for violation of the Federal Trade Commission Act (FTC Act) and Fair Credit Reporting

Employment, Data Subject Rights, Fines
19 September 2023

California: District Court of Appeal agrees to review ruling to limit CPPA's enforcement capabilities

The California Privacy Protection Agency (CPPA) published on LinkedIn, on September 18, 2023, a statement from the CPPA's Executive Director, Ashkan Soltani, concerning the District Court of Appeal's decision in the case CPPA v CalCha

Litigation, Privacy Law Reform, Supervisory Authority
18 September 2023

California: Bill relating to health information passes both houses

On September 14, 2023, the California State Senate concurred with the amendments introduced by the California State Assembly to Assembly Bill 352 on Health information, which was thereafter ordered for engrossing and enrolling.

Privacy Law Reform, Health and Pharmaceutical
See All USA Insights
Sep 2023

Delaware: An overview of the Personal Data Privacy Act

The Delaware Personal Data Privacy Act was introduced, on May 12, 2023, to the Delaware House of Representatives. Since then, the Act has passed both the House of Representatives and the Senate and was signed by the Governor of Delaware, John Carney, on September 11, 2023.

Data Subject Rights, Privacy Law Principles, Privacy Law Reform
Aug 2023

California: CPPA publishes draft regulations on DPIAs - what do you need to understand and take action on?

The California Privacy Protection Agency (CPPA) has released suggested draft regulations for discussion by the CPPA board before its scheduled meeting on September 8, 2023.

Privacy Impact Assessments, Program Management, Privacy Law Reform
Aug 2023

USA: Employment practices in the emerging AI regulatory framework

Artificial intelligence (AI) has become a transformative force across every industry, revolutionizing the way businesses operate and impacting employment practices worldwide. In the US, the rapid advancement of AI has led to significant changes in the job market, with both positive and negative effects on employment.

Employment, Artificial Intelligence
Aug 2023

Florida: FDBR - FAQs

The Florida Digital Bill of Rights (FDBR) was introduced to the Florida State Senate on March 3, 2023. After passing both Houses of the Florida State Congress, the FDBR was signed by the Governor on June 6, 2023.

The FDBR will enter into effect on July 1, 2024.

Privacy Impact Assessments, Data Subject Rights, Privacy Law Concepts, Privacy Law Reform, Transparency
Aug 2023

Texas: A comprehensive look at the Data Privacy and Security Act

Texas enacted the Texas Data Privacy and Security Act (TDPSA) on June 18, 2023, and compliance is required starting from July 1, 2024. Businesses experienced with other comprehensive state consumer privacy laws will find most aspects of the TDPSA to be familiar.

Data Subject Rights, Privacy Law Principles
Aug 2023

New York: Paving the way for regulation of AI technology in the workforce

In this Insight article, Mark Francis and Sophie Kletzien, from Holland & Knight LLP, delve into New York City's pioneering regulations, making it the first US jurisdiction to govern artificial intelligence's (AI) role in employment decisions.

Employment, Fines, Artificial Intelligence
Aug 2023

California: Overview of Vendor Privacy Contracts

Vendor Management
Aug 2023

USA: What you need to know on vendor management to comply with US privacy laws - part one

Given the increasing number of data privacy laws in the US, entering into appropriate data processing agreements (DPAs) with vendors has now become a critical component of vendor management. It can also be one of the most time-consuming and complex aspects of data privacy compliance.

Privacy Law Reform, Vendor Management
Jul 2023

Florida: Digital Bill of Rights - privacy concerns and key differences for businesses to consider

On June 6, 2023, the Governor signed S.B. 262, the Florida Digital Bill of Rights (FDBR) into law, with an effective date of July 1, 2024. Kyle R.

Privacy Impact Assessments, Privacy Notices, Biometric Data, Data Subject Rights, Privacy Law Reform
Jul 2023

Texas: TDPSA - FAQs

The Texas Data Privacy and Security Act (TDPSA) was signed into law by the Governor of Texas on July 1, 2023, having passed both the Texas State Senate and the Texas House of Representatives.

Privacy Impact Assessments, Data Subject Rights, Fines, Privacy Law Concepts, Privacy Law Reform
Jul 2023

Oregon: Consumer Privacy Act - a comprehensive consumer state privacy law

On July 18, 2023, Oregon become the latest US State to adopt a comprehensive consumer privacy law when the Governor of Oregon, Tina Kotek, signed into law Senate Bill 619 relating to the protections for the personal data of consumers.

Law Enforcement, Privacy Law Concepts, Privacy Law Principles
Jul 2023

Tennessee: TIPA - FAQs

The Tennessee Information Protection Act (TIPA) was signed into law by the Governor of Tennessee, Bill Lee, on May 11, 2023, having passed both Houses of the Tennessee General Assembly.

Fines, Privacy Law Concepts, Privacy Law Reform

Comparing State Privacy Laws

Request a jurisdiction

Comparing US State Privacy Laws

Our US State Privacy Law Comparison allows you to compare and contrast requirements across each of the comprehensive privacy laws passed by States, making it easier to streamline compliance efforts and keep pace with the evolving landscape in the US. The Chart can be used alongside our US State Tracker, which allows you to monitor privacy-related bills during the legislative sessions, and our Sectoral Overview which provides further information on sector-specific laws in each US State.

  • There is a requirement in place.
  • Click to view information for additional detail.
  • There is no requirement in place.
Request a jurisdiction

(US) Law and Authority

Export
Compare Reset
    title
  • Law
  • Bill
    Scope
  • Personal
  • Territorial
  • Material
    title
  • Authority
  • California
  • Colorado
  • Connecticut
  • Florida
  • Indiana
  • Iowa
  • Montana
  • Tennessee
  • Texas
  • Utah
  • Virginia
Request a jurisdiction

(US) Definitions

Export
Compare Reset
    title
  • Data Controller
  • Data Processor
  • Personal Data
  • Sensitive Data
  • Health Data
  • Biometric Data
  • Pseudonymisation
  • California
  • Colorado
  • Connecticut
  • Florida
  • Indiana
  • Iowa
  • Montana
  • Tennessee
  • Texas
  • Utah
  • Virginia
Request a jurisdiction

(US) Controller and Processor Obligations

Export
Compare Reset
    title
  • Data Processing Registration
  • Data Transfers
  • Data Processing Records
  • DPIAs
  • DPOs
  • Breach Notification
  • Data Retention
  • Children's Data
  • Special Categories
  • Vendor Contracts
  • California
  • Colorado
  • Connecticut
  • Florida
  • Indiana
  • Iowa
  • Montana
  • Tennessee
  • Texas
  • Utah
  • Virginia
Request a jurisdiction

(US) Individuals' Rights

Export
Compare Reset
    title
  • Informed
  • Access
  • Rectification
  • Erasure
  • Object
  • Portability
  • Automated Decision-Making
  • Other
  • California
  • Colorado
  • Connecticut
  • Florida
  • Indiana
  • Iowa
  • Montana
  • Tennessee
  • Texas
  • Utah
  • Virginia
Request a jurisdiction

(US) Penalties and Enforcement

Export
Compare Reset
    title
  • Penalties
  • Enforcement
  • California
  • Colorado
  • Connecticut
  • Florida
  • Indiana
  • Iowa
  • Montana
  • Tennessee
  • Texas
  • Utah
  • Virginia

Sectoral Privacy Overview

Request a jurisdiction

USA Sectoral Privacy Overview

  • There is a law/restriction/exemption in place.
  • Click to view information for additional detail.
  • There is no law/requirement/exemption in place.

This Comparison is part of an ongoing OneTrust DataGuidance project, which will be expanding over time. Current non-inclusion of certain US States does not preclude the applicability of specific privacy-related laws within those States.

Export
Compare Reset
    title
  • Constitution
  • Key Privacy Laws
  • Health data
  • Financial data
  • Employment data
  • Online privacy
  • Unsolicited Commercial Communications
  • Privacy Policies
  • Data Security
  • Other
  • Alabama
  • Arkansas
  • California
  • Colorado
  • Connecticut
  • Delaware
  • District of Columbia
  • Florida
  • Georgia (US)
  • Hawaii
  • Indiana
  • Kansas
  • Louisiana
  • Maine
  • Maryland
  • Michigan
  • Minnesota
  • Mississippi
  • Nebraska
  • New Hampshire
  • New Jersey
  • New Mexico
  • New York
  • Oklahoma
  • Pennsylvania
  • Rhode Island
  • South Carolina
  • Tennessee
  • Texas
  • Utah
  • Vermont
  • Washington
  • West Virginia
  • Wisconsin

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.
Feedback