
US Privacy Laws

Comply with US Privacy Laws

The enactment of the California Consumer Privacy Act of 2018 (CCPA) on January 1, 2020, with an enforceability date of July 1, 2020, marked the first comprehensive US state privacy law. A flurry of privacy-related legislation at both the federal and state level followed. Although many of these bills failed to become law, several states have now managed to pass comprehensive privacy legislation. Moreover, a federal bill known as the American Data Privacy and Protection Act (ADPPA) is making its way through Congress. The bill is significant as it marks the first federal privacy bill to gain both bipartisan and bicameral support. If enacted, the ADPPA would preempt the majority of state and local laws, rendering any similar provisions therein invalid.

With numerous states now enacting privacy legislation, and with a federal bill in the works, privacy compliance in the US has become a complex issue for companies to navigate.

At OneTrust DataGuidance, our team of in-house Privacy Analysts works with an external network of contributors to provide you with daily updates and in-depth insight articles, so you can stay on top of all relevant developments in the US.

Our State Law Tracker enables you to easily track privacy-related bills in different US states to determine which laws might affect your operations. Additionally, our Sectoral Privacy Overview Comparison provides you with detailed information on the existing privacy frameworks in multiple states.

Entry into Effect Dates

| State | Law | Effective Date |
|---|---|---|
| California | California Consumer Privacy Act of 2018 as amended (CCPA as amended) | In effect |
| Virginia | Consumer Data Protection Act (CDPA) | In effect |
| Colorado | Colorado Privacy Act (CPA) | In effect |
| Connecticut | Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) | In effect |
| Utah | Consumer Privacy Act (UCPA) | In effect |
| Texas | Texas Data Privacy and Security Act (TDPSA) | July 1, 2024 |
| Florida | Florida Digital Bill of Rights (FDBR) | July 1, 2024 |
| Oregon | Oregon Consumer Privacy Act (OCPA) | July 1, 2024 |
| Montana | Consumer Data Privacy Act (MCDPA) | October 1, 2024 |
| Iowa | Iowa Consumer Data Protection Act (ICDPA) | January 1, 2025 |
| Delaware | Delaware Personal Data Privacy Act (DPDPA) | January 1, 2025 |
| Nebraska | Data Privacy Act (NEDPA) | January 1, 2025 |
| New Hampshire | An Act relative to the expectation of privacy (NHCDPA) | January 1, 2025 |
| New Jersey | An Act concerning commercial Internet websites, online services, consumers, and personally identifiable information (NJDPA) | January 15, 2025 |
| Tennessee | Tennessee Information Protection Act (TIPA) | July 1, 2025 |
| Maryland | Maryland Online Data Privacy Act (MODPA) | October 1, 2025 |
| Indiana | Consumer Data Protection Act (ICDPA) | January 1, 2026 |
| Kentucky | Kentucky Consumer Data Protection Act (KCDPA) | January 1, 2026 |

Comparing State Privacy Laws

Comparing US State Privacy Laws

Our US State Privacy Law Comparison allows you to compare and contrast requirements across each of the comprehensive privacy laws passed by states, making it easier to streamline compliance efforts and keep pace with the evolving landscape in the US. The chart can be used alongside our US State Tracker, which allows you to monitor privacy-related bills during the legislative sessions, and our Sectoral Overview, which provides further information on sector-specific laws in each US state.

  • There is a requirement in place.
  • Click to view information for additional detail.
  • There is no requirement in place.

(US) Law and Authority

  • Law
  • Bill
    Scope
  • Personal
  • Territorial
  • Material
  • Authority
  • California
  • Colorado
  • Connecticut
  • Delaware
  • Florida
  • Indiana
  • Iowa
  • Kentucky
  • Montana
  • Nebraska
  • New Hampshire
  • New Jersey
  • Oregon
  • Tennessee
  • Texas
  • Utah
  • Virginia

(US) Definitions

  • Data Controller
  • Data Processor
  • Personal Data
  • Sensitive Data
  • Health Data
  • Biometric Data
  • Pseudonymisation
  • California
  • Colorado
  • Connecticut
  • Delaware
  • Florida
  • Indiana
  • Iowa
  • Kentucky
  • Montana
  • Nebraska
  • New Hampshire
  • New Jersey
  • Tennessee
  • Texas
  • Utah
  • Virginia

(US) Controller and Processor Obligations

  • Data Processing Registration
  • Data Transfers
  • Data Processing Records
  • DPIAs
  • DPOs
  • Breach Notification
  • Data Retention
  • Children's Data
  • Special Categories
  • Vendor Contracts
  • California
  • Colorado
  • Connecticut
  • Delaware
  • Florida
  • Indiana
  • Iowa
  • Kentucky
  • Montana
  • Nebraska
  • New Hampshire
  • New Jersey
  • Oregon
  • Tennessee
  • Texas
  • Utah
  • Virginia

(US) Individuals' Rights

  • Informed
  • Access
  • Rectification
  • Erasure
  • Object
  • Portability
  • Automated Decision-Making
  • Other
  • California
  • Colorado
  • Connecticut
  • Delaware
  • Florida
  • Indiana
  • Iowa
  • Kentucky
  • Montana
  • Nebraska
  • New Hampshire
  • New Jersey
  • Oregon
  • Tennessee
  • Texas
  • Utah
  • Virginia

(US) Penalties and Enforcement

  • Penalties
  • Enforcement
  • California
  • Colorado
  • Connecticut
  • Delaware
  • Florida
  • Indiana
  • Iowa
  • Kentucky
  • Montana
  • Nebraska
  • New Hampshire
  • New Jersey
  • Oregon
  • Tennessee
  • Texas
  • Utah
  • Virginia

Sectoral Privacy Overview

USA Sectoral Privacy Overview

  • There is a law/restriction/exemption in place.
  • Click to view information for additional detail.
  • There is no law/requirement/exemption in place.

This Comparison is part of an ongoing OneTrust DataGuidance project, which will be expanding over time. Current non-inclusion of certain US States does not preclude the applicability of specific privacy-related laws within those States.

  • Constitution
  • Key Privacy Laws
  • Health data
  • Financial data
  • Employment data
  • Online privacy
  • Unsolicited Commercial Communications
  • Privacy Policies
  • Data Security
  • Other
  • Alabama
  • Arkansas
  • California
  • Colorado
  • Connecticut
  • Delaware
  • District of Columbia
  • Florida
  • Georgia (US)
  • Hawaii
  • Indiana
  • Iowa
  • Kansas
  • Louisiana
  • Maine
  • Maryland
  • Michigan
  • Minnesota
  • Mississippi
  • Nebraska
  • New Hampshire
  • New Jersey
  • New Mexico
  • New York
  • Oklahoma
  • Oregon
  • Pennsylvania
  • Rhode Island
  • South Carolina
  • Tennessee
  • Texas
  • Utah
  • Vermont
  • Washington
  • West Virginia
  • Wisconsin