USA State Law Tracker
Comply with U.S. Federal and State laws
The enactment of the California Consumer Privacy Act of 2018 ('CCPA') created an abundance of privacy-related legislation in the US, at both the federal and state level. However, this plethora of laws and guidelines has made compliance a complicated issue for privacy professionals. OneTrust DataGuidance's team of in-house Privacy Analysts work with our external network of contributors to provide you with daily updates in order to stay on top of all relevant developments in the US. With our State Law Tracker, you are able to easily compare requirements introduced by comprehensive privacy bills in different US states and understand how potential laws might affect your operations. In addition, our Sectoral Privacy Overview Comparison gives you detailed information on the existing privacy frameworks in multiple states, all provided by our external network of experts.
California
- California Consumer Privacy Act of 2018 ('CCPA') - Effective
- California Privacy Rights Act of 2020 ('CPRA') - 1 January 2023 (however many provisions became applicable to personal information collected from 1 January 2022)
Colorado
- Colorado Privacy Act ('CPA') - 1 July 2023
Connecticut
- Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA') - 1 July 2023
Utah
- Consumer Privacy Act ('UCPA') - 31 December 2023
Virginia
- Consumer Data Protection Act ('CDPA') - 1 January 2023
OneTrust's solutions are backed by AI, robotic automation, and regulatory research, ensuring quick time to value, efficiency and unparalleled guidance as you build, adapt, and mature your privacy program.
Find out more about OneTrust's full suite of solutions here.
Federal developments
OneTrust DataGuidance, in collaboration with its network of US privacy experts, are producing a series of articles examining the developments in federal law for organisations to consider.
A full list of US federal-related insights can be accessed here.
You can track the latest federal developments using our News Tracker here.
Reports
Videos and webinars
- GDPR v CCPA & CPRA
- US Privacy Update: Recent Developments in Privacy Legislation
- Threat and Breach Response
- NIST Privacy Framework
- HIPAA Compliance and Cybersecurity Challenges
USA Federal Overview
Watch our US Federal Overview video to understand the state of privacy in the US today.
The Attorney General for the State of Florida, Ashley Moody, sent on 3 August 2022, a letter to the Federal Trade Commission ('FTC') urging it to provide better protections for consumers against predatory telemarketing calls, including negative-options, and the Telemarketing Sales Rule ('TSR') exemptions for business-to-business calls and inboun
The New York State Department of Financial Services ('NYDFS') released, on 29 July 2022, its proposed draft amendments to the Cybersecurity Requirements for Financial Services Companies ('23 NYCRR 500'). In particular, the draft amendments would implement several changes, including:
The U.S. Senate Committee on Commerce, Science, and Transportation announced, on 27 July 2022, that it had approved the Children and Teens' Online Privacy Protection Act and the Kids Online Safety Act, following its executive session.
U.S. Senator Rob Portman and Maggie Hassan introduced, on 21 July 2022, a bipartisan bill for the Quantum Computing Cybersecurity Preparedness Act, which aims to strengthen national security by preparing the federal government's defences against quantum-computing-enabled data breaches.
In particular, if passed, the bill would:
The U.S. House Committee on Energy and Commerce announced, on 20 July 2022, that it had passed amendments to House Resolution ('HR') 8152, the American Data Privacy and Protection Act during the full Committee markup.
The U.S. House Committee on Energy and Commerce released, on 18 July 2022, amendments to House Resolution ('HR') 8152, the American Data Privacy and Protection Act, in line with its vote on the Act scheduled for 20 July 2022.
The California Privacy Protection Agency ('CPPA') announced, on 8 July 2022, that it had commenced, on the same date, the formal rulemaking process for the Consumer Privacy Rights Act of 2020 ('CPRA'). In particular, the CPPA highlighted that the CPRA is set to amend the California Consumer Privacy Act ('CCPA') by, among other things:
Assembly Bill ('AB') 1184 which amends the Confidentiality of Medical Information Act and the Insurance Information and Privacy Protection Act regarding the confidentiality of medical information entered, on 1 July 2022, into effect.
On 1 July 2022, House Bill ('HB') 1351 to amend the Indiana Code with respect to the timeframe for notifying breaches, which had been signed by the Indiana Governor on 18 March 2022, entered into effect.
A U.S. Representative in the House Financial Services Committee released, on 23 June 2022, a discussion draft for a federal financial data privacy bill which, if passed, would amend the Gramm-Leach-Bliley Act of 1999 ('GLBA'). In particular, the purpose of the draft is to:
The U.S. President, Joe Biden, signed, on 21 June 2022, Senate Bill ('SB') 2520 for the State and Local Government Cybersecurity Act of 2021 into law.
House Resolution ('HR') 8152 for the American Data Privacy and Protection Act was introduced, on 21 June 2022, to the U.S.
On 20 July 2022, the U.S. House Committee on Energy and Commerce announced that it had passed amendments to House Resolution ('HR') 8152, for the American Data Privacy and Protection Act ('ADPPA'), during the full Committee markup.
On 10 May 2022, Connecticut became the fifth state to enact broad consumer data privacy legislation when Connecticut Governor Ned Lamont signed Senate Bill 6 - the Connecticut Data Privacy Act ('CTDPA'). David M. Stauss and Shelby E.
On 20 May 2022, the Oklahoma Governor signed into law House Bill ('HB') 3168 for the Oklahoma Telephone Solicitation Act ('the Act').
On 3 June 2022, a bipartisan group of U.S. Senate and U.S. House of Representative leaders released a discussion draft for a federal comprehensive data privacy bill, the American Data Privacy and Protection Act ('the Discussion Draft Bill').
On 21 April 2022, rulemaking authority under the California Consumer Privacy Act of 2018 ('CCPA') had been formally transferred to the California Privacy Protection Agency ('CPPA').
Coming in fourth place in the race to enact a comprehensive consumer privacy law, the Utah Consumer Privacy Act ('UCPA) passed through the Utah Senate and House unanimously on 25 February and 2 March 2022 respectively.
On 8 April 2022, the Kentucky Governor signed into law House Bill ('HB') 502 for the Genetic Information Privacy Act ('the Act'). In particular, the Act grants consumers greater control over their genetic materials by regulating the collection, use, and disclosure of genetic data, among others. The Act will go into effect on 1 June 2022.
On 8 November 2021, New York Governor Kathy Hochul signed into law Senate Bill ('SB') 2628, which requires every private-sector employer to provide notice of its electronic monitoring practices to all employees upon hiring, with written or electronic employee acknowledgement, and, more generally, in a 'conspicuous place' viewable by all employee
On 10 May 2022, the Connecticut State Governor signed Senate Bill 6, thereby enacting the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA') and making Connecticut the fifth State in the US to pass a comprehensive privacy law, joining the likes of California, Colorado, Utah, and Virginia.
On 8 March 2022, the Wyoming State Governor signed House Bill ('HB') 0086, thereby enacting the Wyoming Genetic Data Privacy Act ('the Act'). The Act will go into effect on 1 July 2022 and applies to any business that collects genetic data from individuals in the state of Wyoming.
On 24 March 2022, the Utah State Governor signed Senate Bill ('SB') 227, thereby enacting the Utah Consumer Privacy Act ('UCPA') and making Utah the fourth State in the US to pass a comprehensive privacy law, bringing it more in line with the likes of California, Colorado, and Virginia.
On 28 June 2019 the California Consumer Privacy Act of 2018 ('CCPA') was signed into law and later entered into effect on 1 January 2020.
State Law Tracker
State Law Tracker
The State Law Tracker provides an overview of key features of recently introduced consumer privacy bills in US States within the current legislative session. In addition to outlining the status of the bill, the Tracker highlights how each State bill accommodates various consumer rights and imposes certain business obligations. The Tracker excludes bills that deal specifically with issues such as biometric information, facial recognition and data breaches.
- There is a law/restriction/exemption in place.
- Click to view information for additional detail.
- There is no law/requirement/exemption in place.
- Bill details
- Proposed
- Passed
- Consumer Rights
- Access
- Deletion
- Portability
- Opt-out
- Automated Decision-Making
- Requirements
- Data security
- Processors / service providers
- Privacy notices
- title
- Enforcement
- Alabama
- Alaska
- Arizona
- Arkansas
- California
- Colorado
- Connecticut
- Delaware
- District of Columbia
- Florida
- Georgia (US)
- Hawaii
- Idaho
- Illinois
- Indiana
- Iowa
- Kansas
- Kentucky
- Louisiana
- Maine
- Maryland
- Massachusetts
- Michigan
- Minnesota
- Mississippi
- Missouri
- Montana
- Nebraska
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- North Carolina
- North Dakota
- Ohio
- Oklahoma
- Oregon
- Pennsylvania
- Rhode Island
- South Carolina
- South Dakota
- Tennessee
- Texas
- Utah
- Vermont
- Virginia
- Washington
- West Virginia
- Wisconsin
- Wyoming
Sectoral Privacy Overview
USA Sectoral Privacy Overview
- There is a law/restriction/exemption in place.
- Click to view information for additional detail.
- There is no law/requirement/exemption in place.
This Comparison is part of an ongoing OneTrust DataGuidance project, which will be expanding over time. Current non-inclusion of certain US States does not preclude the applicability of specific privacy-related laws within those States.
- title
- Constitution
- Key Privacy Laws
- Health data
- Financial data
- Employment data
- Online privacy
- Unsolicited Commercial Communications
- Privacy Policies
- Data Security
- Other
- Alabama
- Alaska
- Arkansas
- California
- Colorado
- Connecticut
- Delaware
- District of Columbia
- Florida
- Georgia (US)
- Hawaii
- Indiana
- Kansas
- Louisiana
- Maine
- Maryland
- Massachusetts
- Michigan
- Minnesota
- Mississippi
- Nebraska
- New Hampshire
- New Jersey
- New Mexico
- New York
- Oklahoma
- Oregon
- Pennsylvania
- Rhode Island
- South Carolina
- Tennessee
- Texas
- Vermont
- Virginia
- Washington
- West Virginia
- Wisconsin