Support Centre

USA State Law Tracker

State Law Tracker

State Law Tracker

The State Law Tracker provides an overview of key features of recently introduced comprehensive consumer privacy bills in US States. In addition to outlining the status of the bill, the Tracker highlights how each State bill accommodates various consumer rights and imposes certain business obligations. The Tracker excludes bills that deal specifically with issues such as biometric information, facial recognition and data breaches.

  • There is a law/restriction/exemption in place.
  • Click to view information for additional detail.
  • There is no law/requirement/exemption in place.

Compare Reset
    Bill details
  • Proposed
  • Passed
    Consumer Rights
  • Access
  • Deletion
  • Portability
  • Opt-out
  • Automated Decision-Making
    Requirements
  • Data security
  • Processors / service providers
  • Privacy notices
    title
  • Enforcement
  • Alabama
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Alabama.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Alaska
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Alaska. Please note, however, that the Alaska Personal Information Protection Act applies.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Arizona
  • Arkansas
  • California
    • Not applicable. 

    • The California Consumer Privacy Act of 2018 (as amended) ('CCPA') was signed into law, on 28 June 2018, and entered into force on 1 January 2020. 

      The California Attorney General, published, on 11 March 2020, the second set of modifications made to the proposed regulations ('the Proposed Regulations') under the CCPA.

       

    • A consumer has the right to request that a business that collects personal information, disclose to the consumer the categories and different pieces of personal information collected by the business (§1798.100(a) of the CCPA).

    • A consumer has the right to request that a business that collects personal information delete the personal information about the consumer (§1798.105(a) of the CCPA).

    • Personal information collected by a business, and accessible to a consumer must be portable and, to the extent that is technically feasible, in a format allowing the consumer to, without hindrance, transmit the personal information to another entity (§1798.100(b) of the CCPA).

    • A consumer has a right to opt out, to direct a business to not sell the consumer's personal information (§1798.120 of the CCPA).

    • Not applicable.

    • A business is required to use reasonable security measures when transmitting personal information to the consumer and for record-keeping purposes (§§ 999.313(c)(6) and 999.317(b) of the Proposed Regulations).

    • A service provider is a for-profit legal entity that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract (§1798.140(v) of the CCPA).

    • A business that collects personal information must, at or before the time of collection, inform consumers of categories of personal information to be collected and the purposes for which said personal information will be used (§1798.100(b) of the CCPA). A business shall also provide notice to the consumer informing them of their "right to opt-out" (§1798.120(b) of the CCPA)

    • The Attorney General is tasked with enforcing the CCPA, and imposing penalties for violations (§ 1798.155 of the CCPA). In addition, consumers whose information was breached may institute a civil action (§ 1798.150 of the CCPA).

  • Colorado
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Colorado.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Connecticut
    • Not applicable.

    • Substitute Senate Bill 1108 for an Act Establishing a Task Force Concerning Consumer Privacy was signed, on 9 June 2019, into law by the Governor of Connecticut, Ned Lamont.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • The Task Force Concerning Consumer Privacy is tasked with examining what information businesses in Connecticut should be required to provide to consumers concerning personal information that is retained or sold by such businesses (Section 1 of the Act).

  • Delaware
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Delaware. Please note, however, that the Delaware Online Privacy and Protection Act of 2015 applies.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • District of Columbia
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the District of Columbia.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Florida
    • Senate Bill 1670 for an act relating to consumer data privacy was indefinitely postponed, on 14 March 2020, and withdrawn from consideration in the Florida State Senate.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • A consumer may submit a verified request to an operator, directing the operator not sell any covered information that the operator has collected or will collect about the consumer (Section 2 of the Bill).

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Operators must make available, in a manner that is accessible to consumers whose covered information they collect, a notice that provides certain information regarding their data practices (Section 3 of the Bill).

    • The Department of Legal Affairs of the Office of the Attorney General would adopt rules to enforce this Bill and may initiate legal proceedings against violators (Section 6(a) of the Bill).

  • Georgia (US)
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Georgia.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Hawaii
    • Senate Bill 2451 for an Act Relating to Personal Information was referred, on 23 January 2020, to the Hawaii Senate Committee on Commerce, Consumer Protection, and Health and the Senate Committee on Technology, following its introduction to the Hawaii Senate on 17 January 2020.

      House Bill 2572 HD2 for an Act Relating to Privacy was transmitted, on 3 March 2020, to the Hawaiian Senate, following its introduction to the Hawaii House of Representatives on 23 January 2020.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • A consumer can request to opt-out from havung thier personal data sold to third parties (Section 1 of SB2451).

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Idaho
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Idaho.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Illinois
    • Senate Bill 2330 for the Data Transparency and Privacy Act was introduced, on 14 January 2020 to the Illinois State Senate and was assigned, on 27 February 2020, to the Judiciary Committee. 

    • Not applicable.

    • Consumers have the right to know and request from businesses certain information (Section 20 of the Bill).

    • Consumers have the right to request that a business delete personal information about the consumer (Section 25(3) of the Bill).

    • Not applicable.

    • Consumers have the right to request to opt out of the disclosure, sale and processing of personal information by the business, third parties and affiliates (Section 25(1) of the Bill). 

    • Not applicable.

    • Businesses, affiliates, and third parties must take reasonable measures to protect consumers personal information from unauthorised, use, disclosure, or access (Section 35(k) of the Bill). 

    • A service provider is the natural or legal person that processes personal information on behalf of the business (Section 10 of the Bill).

    • Businesses that process personal or deidentified information must provide a notice to the consumer (Section 15 of the Bill).

    • The Illinois Attorney General has the authority to enforce the Bill as a violation of the Consumer Fraud and Deceptive Business Practices Act (Section 40 (3) of the Bill). In addition, consumers, whose personal information was subject to a breach have a private right of action against businesses (Section 40(a)(1) of the Bill). 

  • Indiana
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Indiana.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Iowa
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Iowa. 

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Kansas
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Kansas in this legislative session.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Kentucky
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Kentucky.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Louisiana
    • House Bill 617 Which Provides Relative to the Protection of Personally Identifiable Information was introduced, 28 February 2020, to the Louisiana House of Representatives and was referred, on 9 March 2020, to the Committee on Commerce.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • A consumer may submit a verified request through a designated request address to an operator directing it not to make any sale of any covered information the operator has collected or will collect about the consumer (Section 844.91(B)(2) of the Bill)

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Operators must make available, in a manner that is accessible to consumers whose covered information they collect, a notice that provides certain information regarding their data practices (Section 844.91(C) of the Bill)

    • The Office of the Louisiana Attorney General may institute appropriate legal proceeding against operators that violate sections of the Bill (Section 844.91(F) of the Bill).

  • Maine
    • Not applicable.

    • Legislative Document 946 for An Act To Protect the Privacy of Online Customer Information was signed into law, on 6 June 2019, and will enter into force on 1 July 2020. 

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • A provider is required to take reasonable measures to protect customer personal information from unauthorised use, disclosure or access (§9301(5) of the Law).

    • The Law applies only to service providers.

    • A provider is required to provide to their customers a clear, conspicious, and nondeceptive notice outlining the customer's rights and the provider's obligations during the sale and on the provider's website (§9301(6) of the Law).

    • Not applicable.

  • Maryland
  • Massachusetts
    • Bill SD 341 for An Act Relative to Consumer Data Privacy ('the Bill') was referred, on 22 January 2019, to the Massachusetts Senate Committee on Consumer Protection and Professional Licensure, following its introduction to the General Court of the Commonwealth of Massachusetts on 11 January 2019. 

    • Not applicable.

    • A consumer shall have the right to request from a business the specific pieces and source of personal information collected and the third parties to whom the personal information has been disclosed (Section 3 of the Bill). 

    • Consumers have a right to deletion (Section 5 of the Bill).

    • Not applicable.

    • Consumers can opt-out of having their data shared with third parties (Section 1(u)(2) of the Bill).

    • Not applicable.

    • Not applicable.

    • Service providers process information on behalf of a business, who disclose a consumer's personal information pursuant to a written contract (Section 1(s) of the Bill).

    • A business shall provide notification to the consumer at or before collection (Section 2 of the Bill).

    • The Massachusetts Attorney General has been granted powers to enforce the Bill (Section 10 of the Bill).

  • Michigan
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Michigan in this legislative session.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Minnesota
    • House File 3936 for the Minnesota Consumer Data Privacy Act, was introduced, on 2 March 2020, to the Minnesota House of Representatives, and its companion bill, Senate File 4247, was introduced, on 11 March 2020, to the Minnesota State Senate.

    • Not applicable.

    • A consumer has the right to request access to their personal data (Section 5(1) of the Bill).

    • A consumer has the right to delete personal data concerning the consumer (Section 5(3) of the Bill).

    • A consumer has the right to obtain their personal information in a form that can be transferred to another data controller (Section 5(4) of the Bill).

    • A consumer has the right to opt-out of the processing of their personal information when it is being used for specifc purposes (Section 5(5) of the Bill).

    • Not applicable.

    • A controller must have reasonable administrative, technical, and physical data security practices to protect personal data (Section 2(d) of the Bill).

    • Processors have various reponsibilities such as working under the instructions of the data controller and assisting data controllers with their compliance with the Bill (Section 4 of the Bill).

    • Data controllers are required to provide a privacy notice (Section 7 of the Bill).

    • The Attorney General of Minnesota may bring an action to enforce the Bill (Section 11(2) of the Bill).

  • Mississippi
    • Senate Bill 2548 for the Mississippi Consumer Data Privacy Act was introduced, on 17 February 2020, to the Mississippi State Senate, however, it died, on 3 March 2020, in the Judiciary Committee.

    • Not applicable.

    • A consumer has the right to access personal information that has been collected about them (Section 4 of the Bill).

    • Upon receipt of a verifiable request, a business must delete the consumer's personal informationand instruct any service providers to do the same. 

    • Not applicable.

    • A consumer has the right to decline or opt-out of the sale of their personal information (Section 7 of the Bill).

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • A business that sells consumers' personal information to third parties shall provide notice to consumers that this information may be sold and that consumers have the right to opt
      out (Section 7(2) of the Bill).

    • Consumers and the Mississippi Attorney General may initiate actions against businesses that violate provisions of the Bill (Section 12 of the Bill).

  • Missouri
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Missouri.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Montana
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Montana.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Nebraska
    • Legislative Bill 746 for the Nebraska Consumer Data Privacy Act ('the Bill') was introduced, on 8 January 2020, to the Nebraska Transportation and Telecommunications Committee.

    • Not applicable.

    • A consumer has the right to request from a business their personal information (Section 6 of the Bill).

    • A consumer shall have the right to request a business to delete any personal information about the consumer (Section 9 of the Bill).

    • Not applicable.

    • Consumers have the right to opt-out of the sale of their personal information (Section 5(3) of the Bill).

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Violators of the Bill will be liable for a civil penalty in a civil action brought by the Attorney General of up to $7500 for each violation (Section 13 of the Bill).

  • Nevada
    • Not applicable.

    • Senate Bill 220 for an Act Relating to Internet Privacy entered into force on 1 October 2019.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • A consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer (Section 2.2. of the Bill)

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • The Nevada Attorney General may bring enforcement actions for violations of the Bill's provisions (Section 7 of the Bill)

  • New Hampshire
    • House Bill 1680 for the Act Relative to the Collection of Personal Information by Businesses was reintroduced, on 8 January 2020, to the New Hampshire House of Representatives and referred, on 8 January 2020, to the Committee on Commerce and Consumer Affairs.

    • Not applicable.

    • A consumer has the right of access to their personal data (Section 1 of the Bill).

    • A consumer can request for their personal data to be deleted (Section 1 of the Bill).

    • Not applicable.

    • A consumer can opt-out from the sale of their personal data (Section 1 of the Bill).

    • Not applicable.

    • Not applicable.

    • A service provider is the natural or legal person that processes personal information on behalf of the business (Section 1 of the Bill).

    • Business are required to provide a privacy notice (Section1 of the Bill).

    • The New Hampshire Attorney General has the right to bring an action against violators and a private right of action does exsist (Section 1 of the Bill).

  • New Jersey
    • A2188 for an Act Concerning Commercial Internet Websites, Online Services, and Personally Identifiable Information and Supplementing 3 P.L.1960, c.39 ('Bill A2188') was introduced, on 14 January 2020, to the New Jersey General Assembly. 

      A3255 for an Act Concerning Certain Businesses and Personally Identifiable Information and Supplementing Title 56 of the Revised Statutes ('Bill A3255') was introduced, on 25 February 2020, to the New Jersey General Assembly.

    • Not applicable.

    • A consumer can access their personal identifiable information (Section 2(e) of Bill A3255).

    • A consumer can access their personal identifiable information (Section 2(e) of Bill A3255).

    • Not applicable.

    • A consumer can opt-out from the sale of their personally identifiable information (Section 1 of Bill A3255).

    • Not applicable.

    • Not applicable.

    • Service Providers can process personal information on behalf of a business under a written contract (Section 1 of Bill A3255).

    • Not applicable.

    • A business which violates Bill A3255 will be subject to a monetary penalty of not more than $10,000 for a first offence and not more than $20,000 for a subsequent offence (Statement Section of Bill A3255).

  • New Mexico
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of New Mexico.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • New York
    • Senate Bill 5642 for the New York Privacy Act ('the Bill') was reintroduced, on 8 January 2020, to the New York State Assembly Committee on Consumer Affairs & Protection.

    • Not applicable.

    • On request from a consumer, the controller shall provide the 25 consumer any personal data concerning such consumer that such consumer 26 has provided to the controller (Section 1103(5)(a) of the Bill).

    • On request from a consumer, a controller shall delete the consumer's personal data without undue delay where one of the following grounds under the Section applies (Section 1103(3)(a) of the Bill).

    • Not applicable.

    • The Bill provides consumers the opportunity to opt in or opt out of the processing of their personal data in such a manner that the consumer must select and clearly indicate their consent or denial of consent (Section 1103 of the Bill).

    • A consumer shall not be subject to a decision based solely on profiling which produces legal effects concerning such consumer or similarly significantly affects the consumer (Section 1103(6) of the Bill).

    • Not applicable.

    • Processing by a processor shall be governed by a contract between the controller and the processor that is binding on the processor and that sets out the processing instructions to which the processor is bound (Section 1105(3) of the Bill).

    • Controllers shall be transparent and accountable for their processing of personal data, by making available in a form that is reasonably accessible to consumers a clear, meaningful privacy notice that is easily understood and which includes (Section 1104(1) of the Bill): the categories of personal data collected by the controller;  the purposes for which the categories of personal data is used and disclosed to third parties, if any; the rights that consumers may exercise pursuant to section 1103 of this article, if any; the categories of personal data that the controller shares with third parties, if any; and (e) the names and categories of third parties, if any, with whom the controller shares personal data.

    • The attorney general may bring an action in the name of the state, or as parens patriae on behalf of persons residing in the state, to enforce the Bill. In addition, any person who has been injured by reason of a violation of this Bill may bring an action in his or her own name to enjoin such unlawful act, or to recover his or her actual damages, or both such actions.

  • North Carolina
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of North Carolina.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • North Dakota
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of North Dakota.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Ohio
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Ohio.

    • Not applicable. 

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Oklahoma
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Oklahoma in this legislative session.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Oregon
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Oregon.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Pennsylvania
    • House Bill 1049 for the Consumer Data Privacy Act ('the Bill') was introduced, on 5 April 2019, to the Pennsylvania House of Representatives and was referred to the House Consumer Affairs Committee on the same day.

    • Not applicable.

    • A consumer has the right to access personal information collected by a business (Section 4(4)(a) of the Bill).

    • A consumer has the right to request the deletion of their personal data (Section 4(e)(1) of the Bill).

    • Not applicable.

    • The consumer has the right to opt out of the sale of their personal information (Section 4(a)(3) of the Bill).

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Violators of the Bill shall be liable for a civil penalty in a civil action brought by the Attorney General of up to $7,500 for each violation (Section 4(o) of the Bill).

  • Rhode Island
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Rhode Island.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • South Carolina
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of South Carolina in this legislative session.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • South Dakota
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of South Dakota. 

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Tennessee
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Tennessee.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Texas
    • House Bill 4518 for the Texas Consumer Privacy Act was introduced, on 8 March 2019, to the House, however, it was left pending, on 2 April 2019, in the House Business & Industry Committee.

    • Not applicable.

    • A consumer has the right of access to their personal data (Section 1 of the Bill).

    • A consumer has the right to request for their personal data to be deleted (Section 1 of the Bill).

    • Not applicable.

    • A consumer can opt-out from the sale of their personal data (Section 1 of the Bill).

    • Not applicable.

    • Not applicable.

    • Service Providers can process personal information on behalf of a business under to written contract (Section 1 of the Bill).

    • A business that collects personal information is requried to disclose specific information in their online privacy notice or other notice of the business's policies (Section 1 of the Bill).

    • Violators may be liable to receive a civil penalty of an amount not exceeding, $2,500 for each violation or $7,500 for each violation, if the violation is intentional (Section 1 of the Bill).

  • Utah
  • Vermont
    • Not applicable.

    • Senate Bill 110 for An Act Relating to Data Privacy and Consumer Protection ('the Act') was signed, on 5 March 2020, by the Governor of Vermont, and will come into effect on 1 July 2020.

    • Not applicable.

    •  Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • The operator of an Internet website, online service, online application, or mobile application must implement and maintain reasonable security procedures and practices (Section 4 of the Act).

    • Not applicable.

    • Not applicable.

    • A person who violates a provision of the Act commits an unfair and deceptive act in commerce in violation of section 2453 of Sec. 4. 9 V.S.A. chapter 62, subchapter 3A.

  • Virginia
    • House Bill 473 for the Virginia Privacy Act was introduced, on 3 January 2020, to the Virginia House of Delegates. Please note the bill has been continued to the 2021 Session.

    • Not applicable.

    • The controller must provide to the consumer any personal data that the controller maintains in an identifiable form concerning the consumer that such consumer has provided to the controller in a  structured, commonly used, and machine-readable format (Section 59.1-574(5) of the Bill).

    • Upon a verified request from a consumer, a controller shall delete, without undue delay, the consumer's personal data that the controller maintains in identifiable form (Section 59.1-574(3) of the Bill).

    • Not applicable. 

    • The controller shall restrict processing of personal data that the controller maintains in identifiable form if certain conditions apply (Section 59.1-574(6) of the Bill).

    • Not applicable.

    • The obligations imposed by the Bill's provisions do not restrict a controller's or processor's ability to prevent, detect, or respond to security incidents, or to preserve the integrity or security of systems (Section 59.1-578. of the Bill).

    • A processor is a natural or legal person that processes personal data on behalf of a controller (Section 59.1-571. of the Bill).

    • Controllers shall be transparent and accountable for their processing of personal data by making available in a form that is reasonably accessible to consumers a clear, meaningful privacy notice (Section 59.1-575 of the Bill).

    • Violations of the Bill would constitute a prohibited practice pursuant and be subject to any and all of the enforcement provisions of  the Virginia Consumer Protection Act (Section 59.1-579 of the Bill)

  • Washington
    • U.S. Senator, Reuven Carlyle, announced, on 12 March 2020 that Senate Bill 6281 for the Washington Privacy Act ('the Bill') had died in the Washington State Senate, after members of the Senate and the Washington House of Representatives failed to reach a consensus on its provisions.

    • Not applicable.

    • A consumer has the right to access their personal information from a controller (Section 6(1) of the Bill).

    • A consumer has the right to delete their personal data (Section 6(3) of the Bill).

    • A consumer has the right to request for their data to be transferred to another controller without hindrance (Section 6(4) of the Bill).

    • A consumer has the right to opt-out of the processing of their personal data, when processed for specific circumstances (Section 6(5) of the Bill).

    • Not applicable.

    • Controllers are required to establish, implement, and maintain reasonable security practices to protect personal data (Section 8(5) of the Bill).

    • Processors are required to adhere to the instructions of the controller and assisting the controller to meet its obligations under the Bill (Section 5(2) of the Bill).

    • Controllers must provide privacy notices (Section 8 of the Bill).

    • The Washington Attorney General may bring an action for an injunction and violators may be liable for a civil penalty of not more than $7500 for each violation (Section 12 of the Bill).

  • West Virginia
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of West Virginia.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Wisconsin
    • Assembly Bill ('AB') 870 on consumer access to personal dataAB 871 on deletion of consumer personal data and AB 872 on restricting controllers from using consumer personal data, were introduced, on 10 February 2020, to the Wisconsin State Assembly, however, they failed to pass at the end of the last general-business floorperiod, which was adjourned on March 26, 2020.

    • Not applicable.

    • Consumers have the right to request from a controller to be informed as to whether or not the controller processes the consumer's personal data and to obtain a copy of the personal data and certain information (Section 1(3) of AB 870). 

    • Controllers must delete, without undue delay, the personal data relating to a consumer if certain conditions apply (Section 1(2) of AB 871). 

    • Not applicable.

    • A consumer may request restriction of the processing of their personal data when certain conditions apply (Section 1(4) of AB 872).

    • Not applicable.

    • Not applicable.

    • A controller may not process personal data unless the processing is conducted to detect security incidents, to protect against malicious, deceptive, fraudulent, or illegal activity, or to prosecute a person responsible for that activity (Section 1(2)(f) of AB 872).

    • A processor is a person who processes personal data on behalf of a controller, but does not include a law enforcement agency or a unit or instrumentality of the federal government, the state, or a local government(Section 1(1)(h) of AB 872).

    • When a controller collects personal data from a consumer, certain information must be provided to such consumer (Section 1(2) of AB 870).

  • Wyoming
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Wyoming.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

State Overview Chart

USA State Overview

  • There is a law/restriction/exemption in place.
  • Click to view information for additional detail.
  • There is no law/requirement/exemption in place.

2 September 2019: This Cross-Border Chart is part of an ongoing OneTrust DataGuidance project, which will be expanding over time. Current non-inclusion of certain US States does not preclude the applicability of specific privacy-related laws within those States.

Compare Reset
    title
  • Constitution
  • Key Privacy Laws
  • Health data
  • Financial data
  • Employment data
  • Online privacy
  • Unsolicited Commercial Communications
  • Privacy Policies
  • Data Security
  • Other
  • Alabama
  • Arkansas
  • California
  • Colorado
  • Connecticut
  • Delaware
  • District of Columbia
  • Florida
  • Hawaii
  • Illinois
  • Indiana
  • Kentucky
  • Louisiana
  • Maine
  • Massachusetts
  • Mississippi
  • Missouri
  • Nevada
  • New Hampshire
  • New Jersey
  • New Mexico
  • New York
  • Ohio
  • Oklahoma
  • Pennsylvania
  • South Carolina
  • Texas
  • Utah
  • Vermont
  • Virginia
  • Washington
  • Wisconsin