USA State Law Tracker
Comply with U.S. Federal and State laws
The enactment of the California Consumer Privacy Act of 2018 ('CCPA') created an abundance of privacy-related legislation in the US, at both the federal and state level. However, this plethora of laws and guidelines has made compliance a complicated issue for privacy professionals. OneTrust DataGuidance's analysts work with our external network of contributors to provide you with daily updates in order to stay on top of all relevant developments in the US. With our State Law Tracker, you are able to easily compare requirements introduced by comprehensive privacy bills in different US states and understand how potential laws might affect your operations. In addition, our State Overview Comparison gives you detailed information on the existing privacy frameworks in more than 30 states, all provided by our external network of experts.
OneTrust's solutions are backed by AI, robotic automation, and regulatory research, ensuring quick time to value, efficiency and unparalleled guidance as you build, adapt, and mature your privacy program.
Find out more about OneTrust's full suite of solutions here.
Federal developments
OneTrust DataGuidance, in collaboration with its network of US privacy experts, are producing a series of articles examining the developments in federal law for organisations to consider.
- USA: What the SAFE DATA Act could mean for companies
- USA: AI bill advances in the Senate
- USA: Ensuring operator privacy in the era of commercial drones
- USA: Public health emergency privacy bill introduced to House and Senate
- USA: COPRA, USCDPA and the chances for a federal privacy law in 2020
- USA: SB 3300 and omnibus federal data protection efforts
A full list of US federal related insights can be accessed here.
You can track the latest federal developments using our News Tracker here.
Reports
The Consumer Online Privacy Rights Act: What You Need To Know, which provides an in-depth look at COPRA including the data privacy rights it seeks to establish.
Videos and webinars
- US Privacy Update: Recent Developments in Privacy Legislation (webinar)
- Threat and Breach Response (webinar)
- NIST Privacy Framework (webinar)
- HIPAA Compliance and Cybersecurity Challenges (webinar)
USA Federal Overview
Watch our USA Federal Overview video to understand the state of privacy in USA in today.
A full list of webinars can be accessed here.
Assembly Bill A687 for an Act to regulate the collection of emergency health data and personal information and the use of technology to aid during the COVID-19 pandemic was reintroduced, on 6 January 2021, to the New York State Assembly and referred to the Assembly Committee on Health.
Assembly Bill A400 for the Right to Know Act of 2021 was reintroduced, on 6 January 2021, to the New York State Assembly and referred to the Assembly Committee on Consumer Affairs and Protection.
Assembly Bill A405 for the Online Consumer Protection Act was reintroduced, on 6 January 2021, to the New York State Assembly and referred to the Assembly Committee on Consumer Affairs and Protection.
Assembly Bill A680 for the New York Privacy Act was reintroduced, on 6 January 2021, to the New York State Assembly and referred to the Assembly Committee on Consumer Affairs and Protection.
Senate Bill ('SB') 567 for an act to allow consumers the right to request from businesses the categories of personal information the business has sold or disclosed to third parties was reintroduced, on 6 January 2021, to the New York State Senate and referred to the Senate Consumer Protection Committee.
Senate Bill ('SB') 8450C for An Act to Amend the Public Health Law in relation to the Confidentiality of Contact Tracing Information was signed, on 23 December 2020, into law by the Governo
Senate Bill ('SB') 5140B for An Act to Amend the Education Law, in relation to the Use of Biometric Identifying Technology was signed, on 22 December 2020, by the Governor of New York.
Assembly Bill 27 for the Act to Amend the General Business Law, in Relation to Biometric Privacy ('the Bill') was introduced, on 6 January 2021, in the New York State Legislature.
The U.S. Department of Health and Human Services' Office for Civil Rights ('OCR') issued, on 10 December 2020, a Notice of Proposed Rulemaking ('NPRM') proposed changes to the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') Privacy Rule as part of the HHS's Regulatory Sprint to Coordinated Care.
The Office of the California Attorney General ('OAG') issued, on 10 December 2020, a fourth set of proposed modifications to the Regulations under the California Consumer Privacy Act of 2018 ('CCPA'), and launched a public consultation on the same.
House Representative (HR) Bill 1668 for the Internet of Things ('IoT') Cybersecurity Improvement Act of 2020, was signed into law, on 4 December 2020, by the U.S. President.
The U.S. Department of Health and Human Services' Office for Civil Rights ('OCR') issued, on 10 December 2020, a Notice of Proposed Rulemaking ('NPRM') proposed changes to the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') Privacy Rule as part of the HHS's Regulatory Sprint to Coordinated Care.
It took five days for Americans to know who their new president would be, but by the morning after Election Day 2020, it was clear that Californians had voted to move the state – and practically, by extension, the nation – toward a European approach to consumer privacy.
The California Privacy Rights Act of 2020 ('CPRA') or Proposition 24 passed, on 4 November 2020 with a 56% majority in the 2020 California General Elections.
Public Citizen and a coalition of privacy, consumer rights, and consumer organisations released, on 10 November 2020, a data protection policy framework and fact sheet for the next Administration. In particular, the groups note that privacy legislation in the US lags behind and state that that a new approach to privacy is needed.
On 3 November 2020, the California electorate will have the opportunity to vote on 13 ballot propositions.
In September 2020, members of the Senate Committee on Commerce, Science, and Transportation ('the Committee') introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act ('the SAFE DATA Act').
The Michigan House of Representatives voted, on 9 September 2020, to advance House Bill ('HB') 4186 and 4187 ('the Bills') to the Committee on Regulatory Reform. In particular, the Bills seek to create a Data Breach Notification Act, which would expand the requirements that currently exists.
Whilst the US has traditionally taken a sectoral approach to privacy legislation, a number of high-profile privacy-related incidents paired with a dramatic surge in state-level privacy and data security legislation have brought privacy sharply into the focus of the public eye, in turn bringing about calls for omnibus federal privacy legislation.
In California, among other recently passed bills that would amend the California Consumer Privacy Act of 2018 ('CCPA'), one bill stands out; Assembly Bill ('AB') 713 which would bring state requirements for de-identified health information in line with federal ones and create new obligations regarding contractual safeguards.
In this two-part Insight series, James Snell, Marina Gatto, Zachary Watterson, Nathan Duletzke and Kayla Lindgren, of Perkins Cole LLP, provide an overview of the evolution of consumer privacy legislation in 2020, including a recap of the bills that failed, and an overview of the privacy-related bills that remain pending.
In this two-part Insight series, James Snell, Marina Gatto, Zachary Watterson, Nathan Duletzke and Kayla Lindgren, of Perkins Coie LLP, provide an overview of the evolution of consumer privacy legislation in in the US in 2020, including a recap of the bills that failed, and an overview of the privacy-related bills that remain pending.
The targeting of advertisements to users based on their browsing activity is a controversial practice that has recently attracted the attention of regulators. Sonia S.
State Law Tracker
State Law Tracker
The State Law Tracker provides an overview of key features of recently introduced comprehensive consumer privacy bills in US States. In addition to outlining the status of the bill, the Tracker highlights how each State bill accommodates various consumer rights and imposes certain business obligations. The Tracker excludes bills that deal specifically with issues such as biometric information, facial recognition and data breaches.
- There is a law/restriction/exemption in place.
- Click to view information for additional detail.
- There is no law/requirement/exemption in place.
- Bill details
- Proposed
- Passed
- Consumer Rights
- Access
- Deletion
- Portability
- Opt-out
- Automated Decision-Making
- Requirements
- Data security
- Processors / service providers
- Privacy notices
- title
- Enforcement
- Alabama
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Alabama.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Alaska
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Alaska. Please note, however, that the Alaska Personal Information Protection Act applies.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Arizona
Senate Bill 1614 for an Act Amending Title 18, Arizona Revised Statutes, By Adding Chapter 7: Relating to Personal Data was introduced, on 5 February 2020, to the Arizona State Senate.
House Bill for an Act Amending Title 18, Chapter 5, Arizona Revised Statutes, By Adding Article 5: Relating to Personal Data was introduced, on 10 February 2020, to the Arizona House of Representatives.
Not applicable.
A consumer has the right of access to their personal data (Section 1 of HB 2729).
A consumer has the right to request for their personal data to be deleted (Section 1 of HB 2729 and SB 1614).
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
The Attorney General of Arizona may bring an action against violators (Section 1 of HB 2729).
- Arkansas
Not applicable.
House Bill 1943 for an Act to Amend the Personal Data Protection Act was signed into law, on 15 April 2019, by the Arkansas Governor, Asa Hutchinson. In addition, please note that the Personal Information Protection Act 2005 applies.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- California
The California Consumer Privacy Act of 2018 (as amended) ('CCPA') was signed into law, on 28 June 2018, and entered into force on 1 January 2020.
The California Office of the Administrative Law approved, on 14 August 2020, the final version of the Regulations under the CCPA.
Finally, the California Privacy Rights Act ('CPRA') was approved, on 3 November 2020, at the California General Election.
A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following (§1798.110(a) of the CPRA): (1) the categories of personal information it has collected about that consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting, selling, or sharing personal information; (4) the categories of third parties to whom the business discloses personal information; and (5) the specific pieces of personal information it has collected about that consumer.
A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer (§1798.105 of the CPRA)
Not applicable.
A consumer shall have the right, at any time, to direct a business that sells or shares personal Information about the consumer to third parties not to sell or share the consumer's personal information. (§1798.120 of the CPRA).
The CPRA provides that the California Attorney General must issue regulations governing access and opt-out rights with respect to businesses' use of automated decision-making technology, including profiling and requiring businesses' response to access requests to Include meaningful information about the logic Involved In such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.
A business that collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure (§1798.100(e) of the CPRA)
A business that collects a consumer's personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with such third party, service provider, or contractor (§1798.100(d) of the CPRA)
A business that controls the collection of a consumer's personal information shall, at or before the point of collection, inform consumers as to: (1) the categories of personal information to be collected and the purposes for which the categories of personal Information are collected or used shall and whether such information is sold or shared (2) if the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal Information are collected or used and whether such Information is sold or shared (3) the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period (§1798.100(a) of the CPRA)
The CPRA establishes the California Privacy Protection Agency which is vested with full administrative power, authority, and jurisdiction to implement and enforce the CPRA (§1798.199.100 of the CPRA)
- Colorado
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Colorado.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Connecticut
Not applicable.
Substitute Senate Bill 1108 for an Act Establishing a Task Force Concerning Consumer Privacy was signed, on 9 June 2019, into law by the Governor of Connecticut, Ned Lamont.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
The Task Force Concerning Consumer Privacy is tasked with examining what information businesses in Connecticut should be required to provide to consumers concerning personal information that is retained or sold by such businesses (Section 1 of the Act).
- Delaware
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Delaware. Please note, however, that the Delaware Online Privacy and Protection Act of 2015 applies.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- District of Columbia
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the District of Columbia.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Florida
Senate Bill 1670 for an act relating to consumer data privacy was indefinitely postponed, on 14 March 2020, and withdrawn from consideration in the Florida State Senate.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
A consumer may submit a verified request to an operator, directing the operator not sell any covered information that the operator has collected or will collect about the consumer (Section 2 of the Bill).
Not applicable.
Not applicable.
Not applicable.
Operators must make available, in a manner that is accessible to consumers whose covered information they collect, a notice that provides certain information regarding their data practices (Section 3 of the Bill).
The Department of Legal Affairs of the Office of the Attorney General would adopt rules to enforce this Bill and may initiate legal proceedings against violators (Section 6(a) of the Bill).
- Georgia (US)
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Georgia.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Hawaii
Senate Bill 2451 for an Act Relating to Personal Information was referred, on 23 January 2020, to the Hawaii Senate Committee on Commerce, Consumer Protection, and Health and the Senate Committee on Technology, following its introduction to the Hawaii Senate on 17 January 2020.
House Bill 2572 HD2 for an Act Relating to Privacy was transmitted, on 3 March 2020, to the Hawaiian Senate, following its introduction to the Hawaii House of Representatives on 23 January 2020.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
A consumer can request to opt-out from havung thier personal data sold to third parties (Section 1 of SB2451).
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Idaho
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Idaho.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Illinois
Senate Bill 2330 for the Data Transparency and Privacy Act was introduced, on 14 January 2020 to the Illinois State Senate and was assigned, on 27 February 2020, to the Judiciary Committee.
Not applicable.
Consumers have the right to know and request from businesses certain information (Section 20 of the Bill).
Consumers have the right to request that a business delete personal information about the consumer (Section 25(3) of the Bill).
Not applicable.
Consumers have the right to request to opt out of the disclosure, sale and processing of personal information by the business, third parties and affiliates (Section 25(1) of the Bill).
Not applicable.
Businesses, affiliates, and third parties must take reasonable measures to protect consumers personal information from unauthorised, use, disclosure, or access (Section 35(k) of the Bill).
A service provider is the natural or legal person that processes personal information on behalf of the business (Section 10 of the Bill).
Businesses that process personal or deidentified information must provide a notice to the consumer (Section 15 of the Bill).
The Illinois Attorney General has the authority to enforce the Bill as a violation of the Consumer Fraud and Deceptive Business Practices Act (Section 40 (3) of the Bill). In addition, consumers, whose personal information was subject to a breach have a private right of action against businesses (Section 40(a)(1) of the Bill).
- Indiana
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Indiana.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Iowa
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Iowa.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Kansas
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Kansas in this legislative session.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Kentucky
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Kentucky.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Louisiana
House Bill 617 Which Provides Relative to the Protection of Personally Identifiable Information was introduced, 28 February 2020, to the Louisiana House of Representatives and was referred, on 9 March 2020, to the Committee on Commerce.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
A consumer may submit a verified request through a designated request address to an operator directing it not to make any sale of any covered information the operator has collected or will collect about the consumer (Section 844.91(B)(2) of the Bill)
Not applicable.
Not applicable.
Not applicable.
Operators must make available, in a manner that is accessible to consumers whose covered information they collect, a notice that provides certain information regarding their data practices (Section 844.91(C) of the Bill)
The Office of the Louisiana Attorney General may institute appropriate legal proceeding against operators that violate sections of the Bill (Section 844.91(F) of the Bill).
- Maine
Not applicable.
Legislative Document 946 for An Act To Protect the Privacy of Online Customer Information was signed into law, on 6 June 2019, and will enter into force on 1 July 2020.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
A provider is required to take reasonable measures to protect customer personal information from unauthorised use, disclosure or access (§9301(5) of the Law).
The Law applies only to service providers.
A provider is required to provide to their customers a clear, conspicious, and nondeceptive notice outlining the customer's rights and the provider's obligations during the sale and on the provider's website (§9301(6) of the Law).
Not applicable.
- Maryland
House Bill 784 for an Act concerning the Maryland Online Consumer Protection – Online Privacy - Study passed, on 15 March 2020, the Maryland House of Delegates and was sent to the Maryland State Senate on 16 March 2020.
The Finance Committee of the Maryland State Senate gave the Bill an unfavourable report on 17 March 2020
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Massachusetts
Bill SD 341 for An Act Relative to Consumer Data Privacy ('the Bill') was referred, on 22 January 2019, to the Massachusetts Senate Committee on Consumer Protection and Professional Licensure, following its introduction to the General Court of the Commonwealth of Massachusetts on 11 January 2019.
Not applicable.
A consumer shall have the right to request from a business the specific pieces and source of personal information collected and the third parties to whom the personal information has been disclosed (Section 3 of the Bill).
Consumers have a right to deletion (Section 5 of the Bill).
Not applicable.
Consumers can opt-out of having their data shared with third parties (Section 1(u)(2) of the Bill).
Not applicable.
Not applicable.
Service providers process information on behalf of a business, who disclose a consumer's personal information pursuant to a written contract (Section 1(s) of the Bill).
A business shall provide notification to the consumer at or before collection (Section 2 of the Bill).
The Massachusetts Attorney General has been granted powers to enforce the Bill (Section 10 of the Bill).
- Michigan
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Michigan in this legislative session.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Minnesota
House File 3936 for the Minnesota Consumer Data Privacy Act, was introduced, on 2 March 2020, to the Minnesota House of Representatives, and its companion bill, Senate File 4247, was introduced, on 11 March 2020, to the Minnesota State Senate.
Not applicable.
A consumer has the right to request access to their personal data (Section 5(1) of the Bill).
A consumer has the right to delete personal data concerning the consumer (Section 5(3) of the Bill).
A consumer has the right to obtain their personal information in a form that can be transferred to another data controller (Section 5(4) of the Bill).
A consumer has the right to opt-out of the processing of their personal information when it is being used for specifc purposes (Section 5(5) of the Bill).
Not applicable.
A controller must have reasonable administrative, technical, and physical data security practices to protect personal data (Section 2(d) of the Bill).
Processors have various reponsibilities such as working under the instructions of the data controller and assisting data controllers with their compliance with the Bill (Section 4 of the Bill).
Data controllers are required to provide a privacy notice (Section 7 of the Bill).
The Attorney General of Minnesota may bring an action to enforce the Bill (Section 11(2) of the Bill).
- Mississippi
Senate Bill 2548 for the Mississippi Consumer Data Privacy Act was introduced, on 17 February 2020, to the Mississippi State Senate, however, it died, on 3 March 2020, in the Judiciary Committee.
Not applicable.
A consumer has the right to access personal information that has been collected about them (Section 4 of the Bill).
Upon receipt of a verifiable request, a business must delete the consumer's personal informationand instruct any service providers to do the same.
Not applicable.
A consumer has the right to decline or opt-out of the sale of their personal information (Section 7 of the Bill).
Not applicable.
Not applicable.
Not applicable.
A business that sells consumers' personal information to third parties shall provide notice to consumers that this information may be sold and that consumers have the right to opt
out (Section 7(2) of the Bill).Consumers and the Mississippi Attorney General may initiate actions against businesses that violate provisions of the Bill (Section 12 of the Bill).
- Missouri
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Missouri.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Montana
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Montana.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Nebraska
Legislative Bill 746 for the Nebraska Consumer Data Privacy Act ('the Bill') was indefinitely postponed, on 13 August 2020, and withdrawn from consideration in the Nebraska Legislature.
Not applicable.
A consumer has the right to request from a business their personal information (Section 6 of the Bill).
A consumer shall have the right to request a business to delete any personal information about the consumer (Section 9 of the Bill).
Not applicable.
Consumers have the right to opt-out of the sale of their personal information (Section 5(3) of the Bill).
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Violators of the Bill will be liable for a civil penalty in a civil action brought by the Attorney General of up to $7500 for each violation (Section 13 of the Bill).
- Nevada
Not applicable.
Senate Bill 220 for an Act Relating to Internet Privacy entered into force on 1 October 2019.
Not applicable.
Not applicable.
Not applicable.
A consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer (Section 2.2. of the Bill)
Not applicable.
Not applicable.
Not applicable.
Not applicable.
The Nevada Attorney General may bring enforcement actions for violations of the Bill's provisions (Section 7 of the Bill)
- New Hampshire
House Bill 1680 for the Act Relative to the Collection of Personal Information by Businesses was reintroduced, on 8 January 2020, to the New Hampshire House of Representatives and referred, on 8 January 2020, to the Committee on Commerce and Consumer Affairs.
Not applicable.
A consumer has the right of access to their personal data (Section 1 of the Bill).
A consumer can request for their personal data to be deleted (Section 1 of the Bill).
Not applicable.
A consumer can opt-out from the sale of their personal data (Section 1 of the Bill).
Not applicable.
Not applicable.
A service provider is the natural or legal person that processes personal information on behalf of the business (Section 1 of the Bill).
Business are required to provide a privacy notice (Section1 of the Bill).
The New Hampshire Attorney General has the right to bring an action against violators and a private right of action does exsist (Section 1 of the Bill).
- New Jersey
A2188 for an Act Concerning Commercial Internet Websites, Online Services, and Personally Identifiable Information and Supplementing 3 P.L.1960, c.39 ('Bill A2188') was introduced, on 14 January 2020, to the New Jersey General Assembly.
A3255 for an Act Concerning Certain Businesses and Personally Identifiable Information and Supplementing Title 56 of the Revised Statutes ('Bill A3255') was introduced, on 25 February 2020, to the New Jersey General Assembly.
Not applicable.
A consumer can access their personal identifiable information (Section 2(e) of Bill A3255).
A consumer can access their personal identifiable information (Section 2(e) of Bill A3255).
Not applicable.
A consumer can opt-out from the sale of their personally identifiable information (Section 1 of Bill A3255).
Not applicable.
Not applicable.
Service Providers can process personal information on behalf of a business under a written contract (Section 1 of Bill A3255).
Not applicable.
A business which violates Bill A3255 will be subject to a monetary penalty of not more than $10,000 for a first offence and not more than $20,000 for a subsequent offence (Statement Section of Bill A3255).
- New Mexico
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of New Mexico.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- New York
Assembly Bill A680 for the New York Privacy Act ('the Bill') was reintroduced, on 6 January 2021, to the New York State Assembly Committee on Consumer Affairs & Protection.
Not applicable.
On request from a consumer, the controller shall provide the 25 consumer any personal data concerning such consumer that such consumer 26 has provided to the controller (Section 1103(5)(a) of the Bill).
On request from a consumer, a controller shall delete the consumer's personal data without undue delay where one of the following grounds under the Section applies (Section 1103(3)(a) of the Bill).
Not applicable.
The Bill provides consumers the opportunity to opt in or opt out of the processing of their personal data in such a manner that the consumer must select and clearly indicate their consent or denial of consent (Section 1103 of the Bill).
A consumer shall not be subject to a decision based solely on profiling which produces legal effects concerning such consumer or similarly significantly affects the consumer (Section 1103(6) of the Bill).
Not applicable.
Processing by a processor shall be governed by a contract between the controller and the processor that is binding on the processor and that sets out the processing instructions to which the processor is bound (Section 1105(3) of the Bill).
Controllers shall be transparent and accountable for their processing of personal data, by making available in a form that is reasonably accessible to consumers a clear, meaningful privacy notice that is easily understood and which includes (Section 1104(1) of the Bill): the categories of personal data collected by the controller; the purposes for which the categories of personal data is used and disclosed to third parties, if any; the rights that consumers may exercise pursuant to section 1103 of this article, if any; the categories of personal data that the controller shares with third parties, if any; and (e) the names and categories of third parties, if any, with whom the controller shares personal data.
The attorney general may bring an action in the name of the state, or as parens patriae on behalf of persons residing in the state, to enforce the Bill. In addition, any person who has been injured by reason of a violation of this Bill may bring an action in his or her own name to enjoin such unlawful act, or to recover his or her actual damages, or both such actions.
- North Carolina
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of North Carolina.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- North Dakota
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of North Dakota.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Ohio
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Ohio.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Oklahoma
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Oklahoma in this legislative session.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Oregon
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Oregon.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Pennsylvania
House Bill 1049 for the Consumer Data Privacy Act ('the Bill') was introduced, on 5 April 2019, to the Pennsylvania House of Representatives and was referred to the House Consumer Affairs Committee on the same day.
Not applicable.
A consumer has the right to access personal information collected by a business (Section 4(4)(a) of the Bill).
A consumer has the right to request the deletion of their personal data (Section 4(e)(1) of the Bill).
Not applicable.
The consumer has the right to opt out of the sale of their personal information (Section 4(a)(3) of the Bill).
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Violators of the Bill shall be liable for a civil penalty in a civil action brought by the Attorney General of up to $7,500 for each violation (Section 4(o) of the Bill).
- Rhode Island
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Rhode Island.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- South Carolina
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of South Carolina in this legislative session.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- South Dakota
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of South Dakota.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Tennessee
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Tennessee.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Texas
House Bill 4518 for the Texas Consumer Privacy Act was introduced, on 8 March 2019, to the House, however, it was left pending, on 2 April 2019, in the House Business & Industry Committee.
Not applicable.
A consumer has the right of access to their personal data (Section 1 of the Bill).
A consumer has the right to request for their personal data to be deleted (Section 1 of the Bill).
Not applicable.
A consumer can opt-out from the sale of their personal data (Section 1 of the Bill).
Not applicable.
Not applicable.
Service Providers can process personal information on behalf of a business under to written contract (Section 1 of the Bill).
A business that collects personal information is requried to disclose specific information in their online privacy notice or other notice of the business's policies (Section 1 of the Bill).
Violators may be liable to receive a civil penalty of an amount not exceeding, $2,500 for each violation or $7,500 for each violation, if the violation is intentional (Section 1 of the Bill).
- Utah
Not applicable.
House Bill 57 for the Electronic Information or Data Privacy Act was signed into law, on 27 March 2019, and entered into force, on 14 May 2019.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Vermont
Not applicable.
Senate Bill 110 for An Act Relating to Data Privacy and Consumer Protection ('the Act') was signed, on 5 March 2020, by the Governor of Vermont, and will come into effect on 1 July 2020.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
The operator of an Internet website, online service, online application, or mobile application must implement and maintain reasonable security procedures and practices (Section 4 of the Act).
Not applicable.
Not applicable.
A person who violates a provision of the Act commits an unfair and deceptive act in commerce in violation of section 2453 of Sec. 4. 9 V.S.A. chapter 62, subchapter 3A.
- Virginia
House Bill 473 for the Virginia Privacy Act was introduced, on 3 January 2020, to the Virginia House of Delegates. Please note the bill has been continued to the 2021 Session.
Not applicable.
The controller must provide to the consumer any personal data that the controller maintains in an identifiable form concerning the consumer that such consumer has provided to the controller in a structured, commonly used, and machine-readable format (Section 59.1-574(5) of the Bill).
Upon a verified request from a consumer, a controller shall delete, without undue delay, the consumer's personal data that the controller maintains in identifiable form (Section 59.1-574(3) of the Bill).
Not applicable.
The controller shall restrict processing of personal data that the controller maintains in identifiable form if certain conditions apply (Section 59.1-574(6) of the Bill).
Not applicable.
The obligations imposed by the Bill's provisions do not restrict a controller's or processor's ability to prevent, detect, or respond to security incidents, or to preserve the integrity or security of systems (Section 59.1-578. of the Bill).
A processor is a natural or legal person that processes personal data on behalf of a controller (Section 59.1-571. of the Bill).
Controllers shall be transparent and accountable for their processing of personal data by making available in a form that is reasonably accessible to consumers a clear, meaningful privacy notice (Section 59.1-575 of the Bill).
Violations of the Bill would constitute a prohibited practice pursuant and be subject to any and all of the enforcement provisions of the Virginia Consumer Protection Act (Section 59.1-579 of the Bill)
- Washington
Washington State Senator Reuven Carlyle announced, on 9 September 2020, on Twitter, that the draft bill for the Washington Privacy Act 2021 ('the Draft Bill') is now avaliable for public comment and feedback.
Not applicable.
A consumer has the right to access their personal information from a controller (Page 12 of the Draft Bill).
A consumer has the right to delete their personal data (Page 12 of the Draft Bill).
A consumer has the right to request for their data to be transferred to another controller without hindrance (Page 12 of the Draft Bill).
A consumer has the right to opt-out of the processing of their personal data, when processed for specific circumstances (Page 13 of the Draft Bill).
Not applicable.
Controllers are required to establish, implement, and maintain reasonable security practices to protect personal data (Page 19 of the Draft Bill).
Processors are required to adhere to the instructions of the controller and assisting the controller to meet its obligations under the Draft Bill (Page 16 of the Draft Bill).
Controllers must provide privacy notices (Page 18 of the Draft Bill).
The Washington Attorney General may bring an action for an injunction and violators may be liable for a civil penalty of not more than $7500 for each violation (Page 27 of the Draft Bill).
- West Virginia
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of West Virginia.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
- Wisconsin
Assembly Bill ('AB') 870 on consumer access to personal data, AB 871 on deletion of consumer personal data and AB 872 on restricting controllers from using consumer personal data, were introduced, on 10 February 2020, to the Wisconsin State Assembly, however, they failed to pass at the end of the last general-business floorperiod, which was adjourned on March 26, 2020.
Not applicable.
Consumers have the right to request from a controller to be informed as to whether or not the controller processes the consumer's personal data and to obtain a copy of the personal data and certain information (Section 1(3) of AB 870).
Controllers must delete, without undue delay, the personal data relating to a consumer if certain conditions apply (Section 1(2) of AB 871).
Not applicable.
A consumer may request restriction of the processing of their personal data when certain conditions apply (Section 1(4) of AB 872).
Not applicable.
Not applicable.
A controller may not process personal data unless the processing is conducted to detect security incidents, to protect against malicious, deceptive, fraudulent, or illegal activity, or to prosecute a person responsible for that activity (Section 1(2)(f) of AB 872).
A processor is a person who processes personal data on behalf of a controller, but does not include a law enforcement agency or a unit or instrumentality of the federal government, the state, or a local government(Section 1(1)(h) of AB 872).
When a controller collects personal data from a consumer, certain information must be provided to such consumer (Section 1(2) of AB 870).
- Wyoming
We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Wyoming.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
Not applicable.
State Overview Chart
USA State Overview
- There is a law/restriction/exemption in place.
- Click to view information for additional detail.
- There is no law/requirement/exemption in place.
This Comparison is part of an ongoing OneTrust DataGuidance project, which will be expanding over time. Current non-inclusion of certain US States does not preclude the applicability of specific privacy-related laws within those States.
- title
- Constitution
- Key Privacy Laws
- Health data
- Financial data
- Employment data
- Online privacy
- Unsolicited Commercial Communications
- Privacy Policies
- Data Security
- Other
- Alabama
- Alaska
- Arkansas
- California
- Colorado
- Connecticut
- Delaware
- District of Columbia
- Florida
- Georgia (US)
- Hawaii
- Illinois
- Indiana
- Kentucky
- Maryland
- Massachusetts
- Minnesota
- Mississippi
- Missouri
- Nebraska
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- Ohio
- Oklahoma
- Pennsylvania
- South Carolina
- Texas
- Utah
- Vermont
- Virginia
- Washington
- West Virginia
- Wisconsin