USA State Law Tracker

Comply with U.S. Federal and State laws

The enactment of the California Consumer Privacy Act of 2018 ('CCPA') created an abundance of privacy-related legislation in the US, at both the federal and state level. However, this plethora of laws and guidelines has made compliance a complicated issue for privacy professionals. OneTrust DataGuidance's analysts work with our external network of contributors to provide you with daily updates in order to stay on top of all relevant developments in the US. With our State Law Tracker, you are able to easily compare requirements introduced by comprehensive privacy bills in different US states and understand how potential laws might affect your operations. In addition, our State Overview Comparison gives you detailed information on the existing privacy frameworks in more than 30 states, all provided by our external network of experts.

OneTrust's solutions are backed by AI, robotic automation, and regulatory research, ensuring quick time to value, efficiency and unparalleled guidance as you build, adapt, and mature your privacy program.

Find out more about OneTrust's full suite of solutions here.

Federal developments

OneTrust DataGuidance, in collaboration with its network of US privacy experts, are producing a series of articles examining the developments in federal law for organisations to consider.

A full list of US federal related insights can be accessed here.

You can track the latest federal developments using our News Tracker here.

Reports

The Consumer Online Privacy Rights Act: What You Need To Know, which provides an in-depth look at COPRA including the data privacy rights it seeks to establish.

Videos and webinars

USA Federal Overview

Watch our USA Federal Overview video to understand the state of privacy in the USA today.

A full list of webinars can be accessed here.

State Law Tracker

The State Law Tracker provides an overview of key features of recently introduced comprehensive consumer privacy bills in US States. In addition to outlining the status of the bill, the Tracker highlights how each State bill accommodates various consumer rights and imposes certain business obligations. The Tracker excludes bills that deal specifically with issues such as biometric information, facial recognition and data breaches.

  • There is a law/restriction/exemption in place.
  • Click to view information for additional detail.
  • There is no law/requirement/exemption in place.

    Bill details
  • Proposed
  • Passed
    Consumer Rights
  • Access
  • Deletion
  • Portability
  • Opt-out
  • Automated Decision-Making
    Requirements
  • Data security
  • Processors / service providers
  • Privacy notices
  • Enforcement
  • Alabama
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Alabama.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Alaska
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Alaska. Please note, however, that the Alaska Personal Information Protection Act applies.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Arizona
  • Arkansas
  • California
    • The California Consumer Privacy Act of 2018 (as amended) ('CCPA') was signed into law, on 28 June 2018, and entered into force on 1 January 2020.

      The California Office of the Administrative Law approved, on 14 August 2020, the final version of the Regulations under the CCPA.

      Finally, the California Privacy Rights Act ('CPRA') was approved, on 3 November 2020, at the California General Election.

    • A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following (§1798.110(a) of the CPRA): (1) the categories of personal information it has collected about that consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting, selling, or sharing personal information; (4) the categories of third parties to whom the business discloses personal information; and (5) the specific pieces of personal information it has collected about that consumer. 

    • A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer (§1798.105 of the CPRA).

    • Not applicable.

    • A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer's personal information (§1798.120 of the CPRA).

    • The CPRA provides that the California Attorney General must issue regulations governing access and opt-out rights with respect to businesses' use of automated decision-making technology, including profiling and requiring businesses' response to access requests to include meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.

    • A business that collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure (§1798.100(e) of the CPRA).

    • A business that collects a consumer's personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with such third party, service provider, or contractor (§1798.100(d) of the CPRA).

    • A business that controls the collection of a consumer's personal information shall, at or before the point of collection, inform consumers as to: (1) the categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether such information is sold or shared; (2) if the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used and whether such information is sold or shared; and (3) the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period (§1798.100(a) of the CPRA).

    • The CPRA establishes the California Privacy Protection Agency, which is vested with full administrative power, authority, and jurisdiction to implement and enforce the CPRA (§1798.199.100 of the CPRA).

  • Colorado
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Colorado.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Connecticut
    • Not applicable.

    • Substitute Senate Bill 1108 for an Act Establishing a Task Force Concerning Consumer Privacy was signed, on 9 June 2019, into law by the Governor of Connecticut, Ned Lamont.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • The Task Force Concerning Consumer Privacy is tasked with examining what information businesses in Connecticut should be required to provide to consumers concerning personal information that is retained or sold by such businesses (Section 1 of the Act).

  • Delaware
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Delaware. Please note, however, that the Delaware Online Privacy and Protection Act of 2015 applies.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • District of Columbia
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the District of Columbia.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Florida
    • Senate Bill 1670 for an act relating to consumer data privacy was indefinitely postponed, on 14 March 2020, and withdrawn from consideration in the Florida State Senate.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • A consumer may submit a verified request to an operator, directing the operator not to sell any covered information that the operator has collected or will collect about the consumer (Section 2 of the Bill).

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Operators must make available, in a manner that is accessible to consumers whose covered information they collect, a notice that provides certain information regarding their data practices (Section 3 of the Bill).

    • The Department of Legal Affairs of the Office of the Attorney General would adopt rules to enforce this Bill and may initiate legal proceedings against violators (Section 6(a) of the Bill).

  • Georgia (US)
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Georgia.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Hawaii
    • Senate Bill 2451 for an Act Relating to Personal Information was referred, on 23 January 2020, to the Hawaii Senate Committee on Commerce, Consumer Protection, and Health and the Senate Committee on Technology, following its introduction to the Hawaii Senate on 17 January 2020.

      House Bill 2572 HD2 for an Act Relating to Privacy was transmitted, on 3 March 2020, to the Hawaiian Senate, following its introduction to the Hawaii House of Representatives on 23 January 2020.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • A consumer can request to opt out from having their personal data sold to third parties (Section 1 of SB2451).

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Idaho
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Idaho.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Illinois
    • Senate Bill 2330 for the Data Transparency and Privacy Act was introduced, on 14 January 2020, to the Illinois State Senate and was assigned, on 27 February 2020, to the Judiciary Committee.

    • Not applicable.

    • Consumers have the right to know and request from businesses certain information (Section 20 of the Bill).

    • Consumers have the right to request that a business delete personal information about the consumer (Section 25(3) of the Bill).

    • Not applicable.

    • Consumers have the right to request to opt out of the disclosure, sale and processing of personal information by the business, third parties and affiliates (Section 25(1) of the Bill). 

    • Not applicable.

    • Businesses, affiliates, and third parties must take reasonable measures to protect consumers' personal information from unauthorised use, disclosure, or access (Section 35(k) of the Bill).

    • A service provider is the natural or legal person that processes personal information on behalf of the business (Section 10 of the Bill).

    • Businesses that process personal or deidentified information must provide a notice to the consumer (Section 15 of the Bill).

    • The Illinois Attorney General has the authority to enforce the Bill as a violation of the Consumer Fraud and Deceptive Business Practices Act (Section 40(3) of the Bill). In addition, consumers whose personal information was subject to a breach have a private right of action against businesses (Section 40(a)(1) of the Bill).

  • Indiana
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Indiana.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Iowa
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Iowa. 

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Kansas
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Kansas.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Kentucky
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Kentucky.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Louisiana
    • House Bill 617 Which Provides Relative to the Protection of Personally Identifiable Information was introduced, on 28 February 2020, to the Louisiana House of Representatives and was referred, on 9 March 2020, to the Committee on Commerce.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • A consumer may submit a verified request through a designated request address to an operator directing it not to make any sale of any covered information the operator has collected or will collect about the consumer (Section 844.91(B)(2) of the Bill).

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Operators must make available, in a manner that is accessible to consumers whose covered information they collect, a notice that provides certain information regarding their data practices (Section 844.91(C) of the Bill).

    • The Office of the Louisiana Attorney General may institute appropriate legal proceedings against operators that violate sections of the Bill (Section 844.91(F) of the Bill).

  • Maine
    • Not applicable.

    • Legislative Document 946 for An Act To Protect the Privacy of Online Customer Information was signed into law, on 6 June 2019, and will enter into force on 1 July 2020. 

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • A provider is required to take reasonable measures to protect customer personal information from unauthorised use, disclosure or access (§9301(5) of the Law).

    • The Law applies only to service providers.

    • A provider is required to provide to their customers a clear, conspicuous, and nondeceptive notice outlining the customer's rights and the provider's obligations during the sale and on the provider's website (§9301(6) of the Law).

    • Not applicable.

  • Maryland
  • Massachusetts
    • Bill SD 341 for An Act Relative to Consumer Data Privacy ('the Bill') was referred, on 22 January 2019, to the Massachusetts Senate Committee on Consumer Protection and Professional Licensure, following its introduction to the General Court of the Commonwealth of Massachusetts on 11 January 2019. 

    • Not applicable.

    • A consumer shall have the right to request from a business the specific pieces and source of personal information collected and the third parties to whom the personal information has been disclosed (Section 3 of the Bill). 

    • Consumers have a right to deletion (Section 5 of the Bill).

    • Not applicable.

    • Consumers can opt-out of having their data shared with third parties (Section 1(u)(2) of the Bill).

    • Not applicable.

    • Not applicable.

    • Service providers process information on behalf of a business that discloses a consumer's personal information pursuant to a written contract (Section 1(s) of the Bill).

    • A business shall provide notification to the consumer at or before collection (Section 2 of the Bill).

    • The Massachusetts Attorney General has been granted powers to enforce the Bill (Section 10 of the Bill).

  • Michigan
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Michigan.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Minnesota
    • House File 3936 for the Minnesota Consumer Data Privacy Act, was introduced, on 2 March 2020, to the Minnesota House of Representatives, and its companion bill, Senate File 4247, was introduced, on 11 March 2020, to the Minnesota State Senate.

    • Not applicable.

    • A consumer has the right to request access to their personal data (Section 5(1) of the Bill).

    • A consumer has the right to delete personal data concerning the consumer (Section 5(3) of the Bill).

    • A consumer has the right to obtain their personal information in a form that can be transferred to another data controller (Section 5(4) of the Bill).

    • A consumer has the right to opt out of the processing of their personal information when it is being used for specific purposes (Section 5(5) of the Bill).

    • Not applicable.

    • A controller must have reasonable administrative, technical, and physical data security practices to protect personal data (Section 2(d) of the Bill).

    • Processors have various responsibilities such as working under the instructions of the data controller and assisting data controllers with their compliance with the Bill (Section 4 of the Bill).

    • Data controllers are required to provide a privacy notice (Section 7 of the Bill).

    • The Attorney General of Minnesota may bring an action to enforce the Bill (Section 11(2) of the Bill).

  • Mississippi
    • Senate Bill 2548 for the Mississippi Consumer Data Privacy Act was introduced, on 17 February 2020, to the Mississippi State Senate, however, it died, on 3 March 2020, in the Judiciary Committee.

    • Not applicable.

    • A consumer has the right to access personal information that has been collected about them (Section 4 of the Bill).

    • Upon receipt of a verifiable request, a business must delete the consumer's personal information and instruct any service providers to do the same.

    • Not applicable.

    • A consumer has the right to decline or opt-out of the sale of their personal information (Section 7 of the Bill).

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • A business that sells consumers' personal information to third parties shall provide notice to consumers that this information may be sold and that consumers have the right to opt out (Section 7(2) of the Bill).

    • Consumers and the Mississippi Attorney General may initiate actions against businesses that violate provisions of the Bill (Section 12 of the Bill).

  • Missouri
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Missouri.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Montana
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Montana.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Nebraska
    • Legislative Bill 746 for the Nebraska Consumer Data Privacy Act ('the Bill') was indefinitely postponed, on 13 August 2020, and withdrawn from consideration in the Nebraska Legislature.

    • Not applicable.

    • A consumer has the right to request from a business their personal information (Section 6 of the Bill).

    • A consumer shall have the right to request a business to delete any personal information about the consumer (Section 9 of the Bill).

    • Not applicable.

    • Consumers have the right to opt-out of the sale of their personal information (Section 5(3) of the Bill).

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Violators of the Bill will be liable for a civil penalty in a civil action brought by the Attorney General of up to $7500 for each violation (Section 13 of the Bill).

  • Nevada
    • Not applicable.

    • Senate Bill 220 for an Act Relating to Internet Privacy entered into force on 1 October 2019.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • A consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer (Section 2.2. of the Bill)

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • The Nevada Attorney General may bring enforcement actions for violations of the Bill's provisions (Section 7 of the Bill)

  • New Hampshire
    • House Bill 1680 for the Act Relative to the Collection of Personal Information by Businesses was reintroduced, on 8 January 2020, to the New Hampshire House of Representatives and referred, on 8 January 2020, to the Committee on Commerce and Consumer Affairs.

    • Not applicable.

    • A consumer has the right of access to their personal data (Section 1 of the Bill).

    • A consumer can request for their personal data to be deleted (Section 1 of the Bill).

    • Not applicable.

    • A consumer can opt-out from the sale of their personal data (Section 1 of the Bill).

    • Not applicable.

    • Not applicable.

    • A service provider is the natural or legal person that processes personal information on behalf of the business (Section 1 of the Bill).

    • Businesses are required to provide a privacy notice (Section 1 of the Bill).

    • The New Hampshire Attorney General has the right to bring an action against violators and a private right of action does exist (Section 1 of the Bill).

  • New Jersey
    • A2188 for an Act Concerning Commercial Internet Websites, Online Services, and Personally Identifiable Information and Supplementing 3 P.L.1960, c.39 ('Bill A2188') was introduced, on 14 January 2020, to the New Jersey General Assembly. 

      A3255 for an Act Concerning Certain Businesses and Personally Identifiable Information and Supplementing Title 56 of the Revised Statutes ('Bill A3255') was introduced, on 25 February 2020, to the New Jersey General Assembly.

    • Not applicable.

    • A consumer can access their personally identifiable information (Section 2(e) of Bill A3255).

    • A consumer can access their personally identifiable information (Section 2(e) of Bill A3255).

    • Not applicable.

    • A consumer can opt-out from the sale of their personally identifiable information (Section 1 of Bill A3255).

    • Not applicable.

    • Not applicable.

    • Service Providers can process personal information on behalf of a business under a written contract (Section 1 of Bill A3255).

    • Not applicable.

    • A business which violates Bill A3255 will be subject to a monetary penalty of not more than $10,000 for a first offence and not more than $20,000 for a subsequent offence (Statement Section of Bill A3255).

  • New Mexico
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of New Mexico.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • New York
    • Assembly Bill A680 for the New York Privacy Act ('the Bill') was reintroduced, on 6 January 2021, to the New York State Assembly Committee on Consumer Affairs & Protection.

    • Not applicable.

    • On request from a consumer, the controller shall provide the consumer any personal data concerning such consumer that such consumer has provided to the controller (Section 1103(5)(a) of the Bill).

    • On request from a consumer, a controller shall delete the consumer's personal data without undue delay where one of the following grounds under the Section applies (Section 1103(3)(a) of the Bill).

    • Not applicable.

    • The Bill provides consumers the opportunity to opt in or opt out of the processing of their personal data in such a manner that the consumer must select and clearly indicate their consent or denial of consent (Section 1103 of the Bill).

    • A consumer shall not be subject to a decision based solely on profiling which produces legal effects concerning such consumer or similarly significantly affects the consumer (Section 1103(6) of the Bill).

    • Not applicable.

    • Processing by a processor shall be governed by a contract between the controller and the processor that is binding on the processor and that sets out the processing instructions to which the processor is bound (Section 1105(3) of the Bill).

    • Controllers shall be transparent and accountable for their processing of personal data, by making available in a form that is reasonably accessible to consumers a clear, meaningful privacy notice that is easily understood and which includes (Section 1104(1) of the Bill): (a) the categories of personal data collected by the controller; (b) the purposes for which the categories of personal data is used and disclosed to third parties, if any; (c) the rights that consumers may exercise pursuant to section 1103 of this article, if any; (d) the categories of personal data that the controller shares with third parties, if any; and (e) the names and categories of third parties, if any, with whom the controller shares personal data.

    • The attorney general may bring an action in the name of the state, or as parens patriae on behalf of persons residing in the state, to enforce the Bill. In addition, any person who has been injured by reason of a violation of this Bill may bring an action in his or her own name to enjoin such unlawful act, or to recover his or her actual damages, or both such actions.

  • North Carolina
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of North Carolina.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • North Dakota
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of North Dakota.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Ohio
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Ohio.

    • Not applicable. 

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Oklahoma
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Oklahoma.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Oregon
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Oregon.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Pennsylvania
    • House Bill 1049 for the Consumer Data Privacy Act ('the Bill') was introduced, on 5 April 2019, to the Pennsylvania House of Representatives and was referred to the House Consumer Affairs Committee on the same day.

    • Not applicable.

    • A consumer has the right to access personal information collected by a business (Section 4(4)(a) of the Bill).

    • A consumer has the right to request the deletion of their personal data (Section 4(e)(1) of the Bill).

    • Not applicable.

    • The consumer has the right to opt out of the sale of their personal information (Section 4(a)(3) of the Bill).

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Violators of the Bill shall be liable for a civil penalty in a civil action brought by the Attorney General of up to $7,500 for each violation (Section 4(o) of the Bill).

  • Rhode Island
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Rhode Island.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • South Carolina
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of South Carolina.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • South Dakota
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of South Dakota. 

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Tennessee
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Tennessee.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Texas
    • House Bill 4518 for the Texas Consumer Privacy Act ('the Bill') was introduced, on 8 March 2019, to the House; however, it was left pending, on 2 April 2019, in the House Business & Industry Committee.

    • Not applicable.

    • A consumer has the right of access to their personal data (Section 1 of the Bill).

    • A consumer has the right to request for their personal data to be deleted (Section 1 of the Bill).

    • Not applicable.

    • A consumer can opt out of the sale of their personal data (Section 1 of the Bill).

    • Not applicable.

    • Not applicable.

    • Service providers can process personal information on behalf of a business under a written contract (Section 1 of the Bill).

    • A business that collects personal information is required to disclose specific information in its online privacy notice or other notice of the business's policies (Section 1 of the Bill).

    • Violators may be liable for a civil penalty of an amount not exceeding $2,500 for each violation, or $7,500 for each violation if the violation is intentional (Section 1 of the Bill).

  • Utah
  • Vermont
    • Not applicable.

    • Senate Bill 110 for An Act Relating to Data Privacy and Consumer Protection ('the Act') was signed, on 5 March 2020, by the Governor of Vermont, and will come into effect on 1 July 2020.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • The operator of an Internet website, online service, online application, or mobile application must implement and maintain reasonable security procedures and practices (Section 4 of the Act).

    • Not applicable.

    • Not applicable.

    • A person who violates a provision of the Act commits an unfair and deceptive act in commerce in violation of section 2453 of Sec. 4. 9 V.S.A. chapter 62, subchapter 3A.

  • Virginia
    • House Bill 473 for the Virginia Privacy Act was introduced, on 3 January 2020, to the Virginia House of Delegates. Please note the bill has been continued to the 2021 Session.

    • Not applicable.

    • The controller must provide to the consumer any personal data that the controller maintains in an identifiable form concerning the consumer that such consumer has provided to the controller in a structured, commonly used, and machine-readable format (Section 59.1-574(5) of the Bill).

    • Upon a verified request from a consumer, a controller shall delete, without undue delay, the consumer's personal data that the controller maintains in identifiable form (Section 59.1-574(3) of the Bill).

    • Not applicable. 

    • The controller shall restrict processing of personal data that the controller maintains in identifiable form if certain conditions apply (Section 59.1-574(6) of the Bill).

    • Not applicable.

    • The obligations imposed by the Bill's provisions do not restrict a controller's or processor's ability to prevent, detect, or respond to security incidents, or to preserve the integrity or security of systems (Section 59.1-578 of the Bill).

    • A processor is a natural or legal person that processes personal data on behalf of a controller (Section 59.1-571 of the Bill).

    • Controllers shall be transparent and accountable for their processing of personal data by making available in a form that is reasonably accessible to consumers a clear, meaningful privacy notice (Section 59.1-575 of the Bill).

    • Violations of the Bill would constitute a prohibited practice pursuant to, and be subject to any and all of the enforcement provisions of, the Virginia Consumer Protection Act (Section 59.1-579 of the Bill).

  • Washington
    • Washington State Senator Reuven Carlyle announced, on 9 September 2020, on Twitter, that the draft bill for the Washington Privacy Act 2021 ('the Draft Bill') is now available for public comment and feedback.

    • Not applicable.

    • A consumer has the right to access their personal information from a controller (Page 12 of the Draft Bill).

    • A consumer has the right to delete their personal data (Page 12 of the Draft Bill).

    • A consumer has the right to request for their data to be transferred to another controller without hindrance (Page 12 of the Draft Bill).

    • A consumer has the right to opt-out of the processing of their personal data, when processed for specific circumstances (Page 13 of the Draft Bill).

    • Not applicable.

    • Controllers are required to establish, implement, and maintain reasonable security practices to protect personal data (Page 19 of the Draft Bill).

    • Processors are required to adhere to the instructions of the controller and to assist the controller in meeting its obligations under the Draft Bill (Page 16 of the Draft Bill).

    • Controllers must provide privacy notices (Page 18 of the Draft Bill).

    • The Washington Attorney General may bring an action for an injunction and violators may be liable for a civil penalty of not more than $7,500 for each violation (Page 27 of the Draft Bill).

  • West Virginia
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of West Virginia.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

  • Wisconsin
    • Assembly Bill ('AB') 870 on consumer access to personal data, AB 871 on deletion of consumer personal data, and AB 872 on restricting controllers from using consumer personal data were introduced, on 10 February 2020, to the Wisconsin State Assembly; however, they failed to pass at the end of the last general-business floorperiod, which was adjourned on March 26, 2020.

    • Not applicable.

    • Consumers have the right to request from a controller to be informed as to whether or not the controller processes the consumer's personal data and to obtain a copy of the personal data and certain information (Section 1(3) of AB 870). 

    • Controllers must delete, without undue delay, the personal data relating to a consumer if certain conditions apply (Section 1(2) of AB 871). 

    • Not applicable.

    • A consumer may request restriction of the processing of their personal data when certain conditions apply (Section 1(4) of AB 872).

    • Not applicable.

    • Not applicable.

    • A controller may not process personal data unless the processing is conducted to detect security incidents, to protect against malicious, deceptive, fraudulent, or illegal activity, or to prosecute a person responsible for that activity (Section 1(2)(f) of AB 872).

    • A processor is a person who processes personal data on behalf of a controller, but does not include a law enforcement agency or a unit or instrumentality of the federal government, the state, or a local government (Section 1(1)(h) of AB 872).

    • When a controller collects personal data from a consumer, certain information must be provided to such consumer (Section 1(2) of AB 870).

  • Wyoming
    • We are not aware of a bill in this legislative session seeking to regulate consumer or internet privacy in the State of Wyoming.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

    • Not applicable.

State Overview Chart

USA State Overview

  • There is a law/restriction/exemption in place.
  • Click to view information for additional detail.
  • There is no law/requirement/exemption in place.

This Comparison is part of an ongoing OneTrust DataGuidance project, which will be expanding over time. Current non-inclusion of certain US States does not preclude the applicability of specific privacy-related laws within those States.

  • Constitution
  • Key Privacy Laws
  • Health data
  • Financial data
  • Employment data
  • Online privacy
  • Unsolicited Commercial Communications
  • Privacy Policies
  • Data Security
  • Other
  • Alabama
  • Alaska
  • Arkansas
  • California
  • Colorado
  • Connecticut
  • Delaware
  • District of Columbia
  • Florida
  • Georgia (US)
  • Hawaii
  • Illinois
  • Indiana
  • Kentucky
  • Maryland
  • Massachusetts
  • Minnesota
  • Mississippi
  • Missouri
  • Nebraska
  • Nevada
  • New Hampshire
  • New Jersey
  • New Mexico
  • New York
  • Ohio
  • Oklahoma
  • Pennsylvania
  • South Carolina
  • Texas
  • Utah
  • Vermont
  • Virginia
  • Washington
  • West Virginia
  • Wisconsin