Upgrade to a premium account to save this to your customizable Workspace
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
US Privacy Laws
Comply with US Privacy Laws
The enactment of the California Consumer Privacy Act of 2018 ('CCPA') on 1 January 2020 with an enforceability date of 1 July 2020 marked the first comprehensive US State privacy law, after which, an abundance of privacy-related legislation in the US, at both the federal and state level followed. While many bills fail to become law, four other States (Colorado, Virginia, Utah, and Connecticut) have now passed privacy legislation, and there is currently a federal bill, known as the American Data Privacy and Protection Act ('ADPPA') making its way through Congress. Significantly, the ADPPA marks the first federal privacy bill to gain both bipartisan and bicameral support. If enacted, it would preempt the majority of state and local laws, invalidating any similar provisions therein.
With the US now having five comprehensive State privacy laws and a federal bill in the works compliance has become a complex issue for privacy professionals.
OneTrust DataGuidance's team of in-house Privacy Analysts work with our external network of contributors to provide you with daily updates and in-depth insight articles so you can stay on top of all relevant developments in the US.
Our State Law Tracker, allows you to easily compare requirements introduced by comprehensive privacy bills in different US states and understand how potential laws might affect your operations.
In addition, our Sectoral Privacy Overview Comparison gives you detailed information on the existing privacy frameworks in multiple states, all provided by our external network of experts.
Entry into Effect Dates
California
- California Consumer Privacy Act of 2018 ('CCPA') - Effective
- California Privacy Rights Act of 2020 ('CPRA') - 1 January 2023 (however many provisions became applicable to personal information collected from 1 January 2022)
Colorado
- Colorado Privacy Act ('CPA') - 1 July 2023
Connecticut
- Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA') - 1 July 2023
Utah
- Consumer Privacy Act ('UCPA') - 31 December 2023
Virginia
- Consumer Data Protection Act ('CDPA') - 1 January 2023
US Privacy Law Comparison Report
Videos and Webinars
- California Privacy Rights Act: Reaction & Analysis
- A US Federal Privacy Bill is On the Horizon: Get to Know
- Understanding the New CPRA Draft Regulations & The ADPPA
- GDPR v CCPA & CPRA
- US Privacy Update: Recent Developments in Privacy Legislation
- Threat and Breach Response
- NIST Privacy Framework
- HIPAA Compliance and Cybersecurity Challenges
The U.S Department of Health and Human Services ('HHS') Office for Civil Rights ('OCR') announced, on 2 February 2023, that it had reached a settlement, with the transaction number 16-245464, with Banner Health Affiliated Covered Entities to pay the OCR $1,250,000 as well as undertake a Corrective Action Plan ('CAP') to settle a potential violat
Senate Bill 1432 to amend the Code of Virginia in relation to health records privacy was passed, with an amendment, on 2 February 2023, by the Committee on Education and Health with a unanimous vote.
Senate Bill 152 for the Social Media Regulation Amendments was introduced, on 30 January 2023, to the Utah State Senate, and thereafter referred, on 31 January 2023, to the Senate Business and Labor Committee, before being read, on 1 February 2023, for a second time in the State Senate.
Senate Bill 1087 to amend the Code of Virginia in relation to genetic data privacy, was passed with amendments, on 2 February 2023, by the Committee on General Laws and Technology of the Senate with a unanimous vote.
House Bill 1688 to amend the Virginia Consumer Data Protection Act ('CDPA') in relation to protections for children was read for the first time, on 2 February 2023, following its passage with amendments, on 30 January 2023, by the Committee on Communications, Technology, and Innovation in a majority vote.
The Federal Trade Commission ('FTC') announced, on 1 February 2023, a proposed order to fine GoodRx Holdings Inc.
The California Privacy Protection Agency ('CPPA') published, on 1 February 2023, additional materials ahead of its board meeting scheduled for 3 February 2023.
House Bill ('HB') 158 for an Electronic Information or Data Privacy Act Modifications was referred, on 30 January 2023, to the House Law Enforcement and Criminal Justice Committee.
The Future of Privacy Forum ('FPF') published, on 26 January 2023, its written comments filed in response to the proposed Consumer Financial Protection Bureau's ('CFPB') rulemaking aiming to establish data portability and access righ
The California Attorney General ('AG'), Rob Bonta, announced, on 27 January 2023, that it had initiated an investigative sweep, and had sent letters to businesses with mobile apps that fail to comply with the California Consumer Privacy Act of 2018 (last amended) ('CCPA').
The Colorado Attorney General ('AG') published, on 27 January 2023, an updated version of its draft rules implementing the Colorado Privacy Act ('CPA') with redline changes based on feedback received through public input between 10 October 2022 and 18 January 2023. In particular, the latest revision affects several elements of the draft rules im
Senate Bill ('SB') 1026 to amend the Virginia Consumer Data Protection Act ('CDPA') in relation to protections for children was passed, on 25 January 2023, by the Committee on General Laws and Technology. In particular, SB 1026 was introduced to the State Senate, on 7 January 2023, and referred to the Committee on the same date.
On 1 January 2023, the California Consumer Privacy Act of 2018 ('CCPA') became applicable to the personal information of employees, job applicants, subcontractors, contractors, and others in work roles who are California residents ('Employee Personal Information').
The New Year marks the entry into effect of various privacy legislation in the US along with amendments to existing privacy legislation.
Two years into compliance with the California Consumer Privacy Act of 2018 ('CCPA'), the expiration of Assembly Bill 25 An act to amend Sections 1798.130 and 1798.145 of the Civil Code, relating to consumer privacy ('AB 25') ushers in new challenges.
In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.
The COVID-19 pandemic has made 'work-from-home' a common term and has changed how Americans think about the balance between work and life. Not only are employees regularly working productively for their employers without stepping into the office, many are doing so from entirely different cities and states.
In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.
In the US, location tracking data constitutes personal data. According to the multi-state settlement reached by 40 US State Attorney Generals ('AGs') on 14 November 2022, on the use of location tracking data, companies should be aware of how location tracking technology should be used in accordance of data protection and privacy standards.
The Utah Senate passed, on 3 March 2022, Senate Bill ('SB') 227 for a Consumer Privacy Act ('UCPA') which was later signed by the Governor on 24 March 2022, making Utah the fourth State to enact comprehensive privacy legislation. The UCPA will enter into effect on 31 December 2023.
Just as the Gramm-Leach-Bliley Act of 1999 ('GLBA') permits US states to extend greater protections than afforded by the same, states can also choose to exempt GLBA-regulated entities from compliance with state privacy statutes.
The Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTPDA') was signed on 10 May 2022, entering into effect on 1 July 2023. OneTrust DataGuidance Research answers frequently asked questions ('FAQs') surrounding the CTPDA.
The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ('CAN-SPAM Act') is a US federal law that establishes certain requirements for covered businesses that send emails and some text messages for 'commercial advertisement or promotion of a commercial product of service'.
On 7 October 2022, the U.S. Department of Justice's ('DOJ') Office of the Attorney General ('AG') published regulations ('the Regulations') establishing a Data Protection Review Court ('DPRC') within the DOJ1.
Sectoral Privacy Overview
USA Sectoral Privacy Overview
- There is a law/restriction/exemption in place.
- Click to view information for additional detail.
- There is no law/requirement/exemption in place.
This Comparison is part of an ongoing OneTrust DataGuidance project, which will be expanding over time. Current non-inclusion of certain US States does not preclude the applicability of specific privacy-related laws within those States.
- title
- Constitution
- Key Privacy Laws
- Health data
- Financial data
- Employment data
- Online privacy
- Unsolicited Commercial Communications
- Privacy Policies
- Data Security
- Other
- Alabama
- Alaska
- Arkansas
- California
- Colorado
- Connecticut
- Delaware
- District of Columbia
- Florida
- Georgia (US)
- Hawaii
- Indiana
- Kansas
- Louisiana
- Maine
- Maryland
- Massachusetts
- Michigan
- Minnesota
- Mississippi
- Nebraska
- New Hampshire
- New Jersey
- New Mexico
- New York
- Oklahoma
- Oregon
- Pennsylvania
- Rhode Island
- South Carolina
- Tennessee
- Texas
- Vermont
- Washington
- West Virginia
- Wisconsin
