These are the thirteen states in the US that have comprehensive data privacy laws in place, each with unique provisions and compliance requirements:
- California (CCPA & CPRA)
- Virginia (CDPA)
- Colorado (CPA)
- Connecticut (CTDPA)
- Utah (UCPA)
- Iowa (Iowa CDPA)
- Indiana (ICDPA) (effective January 1, 2026)
- Tennessee (TIPA) (effective July 1, 2025)
- Texas (TDPSA)
- Florida
- Montana (MTDPA) (effective October 1, 2024)
- Oregon (ODPA) (effective July 1, 2024 for businesses, July 1, 2025 for non-profits)
- Delaware (DPA) (effective January 1, 2025)
1. California: CCPA & CPRA
What is this policy about?
The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), grant California residents specific rights regarding their personal information.
What are the requirements for this policy?
Right to access: Users can request a copy of the data you hold about them.
Right to deletion: Users can request you delete their information under certain circumstances.
Right to opt-out of sale: Users can prevent you from selling their data to third parties.
Right to know the categories and specific pieces of personal information collected, used, and disclosed.
Right to correction and limitation of use of data.
Who must comply with CCPA & CPRA?
Businesses that collect the personal information of California residents exceeding specific thresholds (generally exceeding $25 million in gross revenue or buying/selling the personal information of 50,000+ California residents annually).
Also applies to certain entities regardless of revenue, such as for-profit businesses that control or process the data of 50,000+ California residents annually or derive over 50% of their revenue from selling consumers' personal information.
Things to keep in mind
- These laws apply to businesses exceeding specific revenue thresholds or processing the data of a certain number of California residents.
- Non-compliance can result in hefty fines and reputational damage.
2. Virginia: CDPA
What is this policy about?
The Virginia Consumer Data Protection Act (CDPA) grants Virginia residents similar control over their personal information as the CCPA.
What are the requirements for this policy?
Right to access: Users can request a copy of the data you hold about them.
Right to correct: Users can request you correct inaccurate data.
Right to deletion: Users can request you delete their information under certain circumstances.
Right to portability: Users can request their data in a format easily transferable to another entity.
Who must comply with CDPA?
Businesses that conduct business in Virginia that control or process personal data of Virginia residents exceeding specific thresholds (generally exceeding $100,000 in gross revenue or processing data of 100,000+ Virginia residents annually).
Things to keep in mind
- The CDPA has different application thresholds and exemptions compared to the CCPA.
- Similar to the CCPA, non-compliance can result in fines and consumer lawsuits.
3. Colorado: CPA
What is this policy about?
The Colorado Privacy Act (CPA) grants Colorado residents the right to access, correct, delete, and opt-out of the sale of their personal data.
What are the requirements for this policy?
Access: Request a copy of the data you hold about them.
Correct: Request you fix inaccurate information.
Delete: Request you erase their data under certain circumstances.
Opt-out of sale: Prevent you from selling their data to third parties.
Who must comply with CPA?
Businesses that control or process personal data of Colorado residents exceeding specific thresholds (generally exceeding $100,000 in gross revenue or doing business in Colorado and selling data of 50,000+ Colorado residents annually).
Things to keep in mind
- The CPA has specific requirements and exemptions for different types of businesses and data processing activities.
- Non-compliance can result in civil lawsuits.
4. Connecticut: CTDPA Act
What is this policy about?
The Connecticut Personal Data Protection Act (CTDPA Act) focuses on protecting children's online privacy.
What are the requirements for this policy?
Limited data collection: Only collect and use data strictly necessary for the specific service provided to the child.
Parental consent: Obtain verifiable parental consent before collecting, using, or disclosing data of children under 13.
Clear notices: Provide age-appropriate and easily understandable privacy notices.
Who must comply with the CTDPA Act?
Any operator that collects personal data of Connecticut residents under the age of 13.
How to follow it:
- Implement robust parental consent mechanisms.
- Develop child-friendly privacy notices that are clear and concise.
Things to keep in mind
- The CTDPA Act applies to businesses that collect personal data from Connecticut residents under 13.
- While the focus is on children, it's advisable to have robust data practices overall.
5. Utah: Utah Consumer Privacy Act (UCPA)
What is this policy about?
The UCPA empowers Utah residents with control over their data.
What are the requirements for this policy?
Access: Request a copy of the data you hold about them.
Correct: Request you fix inaccurate information.
Delete: Request you erase their data under certain circumstances.
Opt-out of sale: Prevent you from selling their data to third parties.
Who must comply with UCPA?
Businesses that control or process personal data of Utah consumers exceeding specific thresholds (generally exceeding $25 million in gross revenue or controlling/processing data of 100,000+ consumers annually).
Things to keep in mind
- The UCPA has different application thresholds and focuses on "consumers" rather than "residents."
- Non-compliance can result in lawsuits from consumers.
6. Iowa: Iowa Data Protection Act (Iowa CDPA)
What is this policy about?
The Iowa CDPA grants Iowa residents similar rights as the CCPA and CDPA.
What are the requirements for this policy?
Access: Request a copy of their data.
Correct: Request you fix inaccurate information.
Delete: Request you erase their data under certain circumstances.
Opt-out of sale: Prevent you from selling their data to third parties.
Who must comply with Iowa CDPA?
Businesses that control or process personal data of Iowa consumers exceeding specific thresholds (generally exceeding $100,000 in gross revenue or controlling/processing data of 100,000+ consumers annually).
Things to keep in mind
- The Iowa CDPA has different application thresholds and focuses on "consumers" rather than "residents."
- Non-compliance can result in fines and lawsuits.
Quick Note
If you want to create legal documents for your startup that are up to date and highly personalised for your business then create your legal documents using Airstrip AI - the legal solution for startups.
7. Indiana: Indiana Consumer Data Protection Act (ICDPA)
What is this policy about?
The ICDPA, coming into effect on January 1, 2026, grants Indiana residents similar rights as the UCPA and Iowa CDPA.
What are the requirements for this policy?
Access: Request a copy of their data.
Correct: Request you fix inaccurate information.
Delete: Request you erase their data under certain circumstances.
Opt-out of sale: Prevent you from selling their data to third parties.
Who must comply with ICDPA?
Businesses that control or process the personal data of at least 100,000 Indiana residents fall under the law's purview regardless of their revenue source.
This means that even if a company doesn't generate any income from selling data, exceeding this data threshold triggers compliance obligations.
Businesses that control or process the personal data of at least 25,000 Indiana residents also fall under the ICDPA, but with an additional stipulation.
These businesses must also derive more than 50% of their gross annual revenue from the sale of personal data. This means companies primarily focused on data monetization with a significant Indiana user base are subject to the law.
Things to keep in mind
As the law isn't yet in effect, staying updated and seeking guidance from the IAPP closer to the implementation date is crucial.
8. Tennessee: Tennessee Information Privacy Act (TIPA)
What is this policy about?
The TIPA, effective July 1, 2025, grants Tennesseans similar rights as the UCPA and Iowa CDPA.
What are the requirements for this policy?
Access: Request a copy of their data.
Correct: Request you fix inaccurate information.
Delete: Request you erase their data under certain circumstances.
Opt-out of sale: Prevent you from selling their data to third parties.
Who must comply with TIPA?
Businesses operating in Tennessee or targeting its residents with products or services must comply with the Tennessee Information Protection Act (TIPA) if they have annual revenue that exceeds $25 million.
Additionally, they must fulfill at least one of the following conditions:
- Control or process personal information of at least 25,000 Tennessee residents and derive 50% or more of their gross annual revenue from selling that information.
- Process or control the personal information of at least 175,000 Tennessee residents in a calendar year.
Things to keep in mind
As the law is not yet in effect, staying informed about updates and seeking guidance from the IAPP closer to the implementation date is crucial.
9. Texas: Texas Data Privacy and Security Act (TDPSA)
What is this policy about?
The TDPSA, effective September 1, 2023, grants Texans rights surrounding their personal data.
What are the requirements for this policy?
Access: Request a copy of their data.
Correction: Request you fix inaccurate information.
Deletion: Request you erase their data under certain circumstances.
Portability: Receive their data in a transferable format.
Who must comply with TDPSA?
Businesses that control or process personal data of Texans exceeding specific thresholds (generally exceeding $25 million in gross revenue or controlling/processing data of 100,000+ Texans annually).
Things to keep in mind
- The TDPSA has specific application thresholds and exemptions for different data processing activities.
- Non-compliance can result in fines and potential lawsuits.
10. Florida: Florida Data Protection Act
What is this policy about?
The Florida Data Protection Act, effective July 1, 2022, grants Florida residents similar rights as the TDPSA.
What are the requirements for this policy?
Access: Request a copy of their data.
Correction: Request you fix inaccurate information.
Deletion: Request you erase their data under certain circumstances.
Portability: Receive their data in a transferable format.
Who must comply with Florida Data Protection Act?
Businesses that control or process personal data of Florida residents exceeding specific thresholds (generally exceeding $25 million in gross revenue or selling data of 50,000+ Florida residents annually).
Things to keep in mind
- The Florida Data Protection Act has specific application thresholds and exemptions.
- Non-compliance can result in fines and potential lawsuits.
11. Montana: Montana Data Privacy Act (MTDPA)
What is this policy about?
The MTDPA, effective October 1, 2024, grants Montana residents control over their personal data.
What are the requirements for this policy?
Access: Request a copy of their data.
Correction: Request you fix inaccurate information.
Deletion: Request you erase their data under certain circumstances.
Opt-out of sale: Prevent you from selling their data to third parties.
Who must comply with MTDPA?
Businesses that control or process the personal data of at least 50,000 consumers. This threshold excludes data solely used for completing payment transactions, meaning companies handling a wider range of data beyond just payments are included.
Businesses that control or process the personal data of at least 25,000 consumers and derive more than 25% of their gross annual revenue from the sale of personal data. This category focuses on businesses that profit significantly from data monetization alongside handling a significant volume of consumer data.
Things to keep in mind
The MTDPA is new, and specific information and resources might be limited initially. Stay updated and seek IAPP guidance closer to the effective date.
12. Oregon: Oregon Data Protection Act (ODPA)
What is this policy about?
The ODPA, effective July 1, 2024 for businesses and July 1, 2025 for non-profits, grants Oregonians similar rights as the MTDPA.
What are the requirements for this policy?
Access: Request a copy of their data.
Correction: Request you fix inaccurate information.
Deletion: Request you erase their data under certain circumstances.
Opt-out of sale: Prevent you from selling their data to third parties.
Who must comply with ODPA?
Businesses that control or process data of 100,000+ Oregonians annually, or derive over 50% of their gross revenue from the sale of personal data.
Non-profits that control or process data of 25,000+ Oregonians annually and derive over 50% of their gross revenue from the sale of personal data.
Things to keep in mind
The ODPA has different application thresholds and effective dates for different entities.
13. Delaware: Delaware Personal Data Protection Act (DPA)
What is this policy about?
The DPA, effective January 1, 2025, grants Delaware residents similar rights as the MTDPA and ODPA.
What are the requirements for this policy?
Access: Request a copy of their data.
Correction: Request you fix inaccurate information.
Deletion: Request you erase their data under certain circumstances.
Opt-out of sale: Prevent you from selling their data to third parties.
Who must comply with DPA?
Businesses that controlled or processed the personal data of at least 35,000 consumers. This threshold excludes data solely used for payment transactions, ensuring that businesses handling a significant amount of non-payment-related information fall under the law's purview.
Businesses that controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data. This category focuses on businesses that profit significantly from data sales alongside handling a substantial volume of consumer data.
Things to keep in mind
The DPA is new, and specific information and resources might be limited initially.
How to follow these data privacy laws?
1. Conduct a data inventory: Identify what personal information you collect, store, and use.
2. Craft a clear and comprehensive privacy notice: Explain how you collect, use, and share data, and how users can exercise their rights.
3. Implement mechanisms for user requests: Create a system for users to access, delete, or opt-out of the sale of their data (e.g., online portal, toll-free number).
What happens if you violate these data privacy laws?
While the specific consequences of violating data privacy laws can vary across different states, the general potential consequences can be summarized as follows:
Financial Penalties
This is the most common consequence, with fines ranging from thousands to millions of dollars per violation, depending on the severity of the offense and the specific law.
Consumer Lawsuits
Individuals whose data is compromised due to a violation may have the right to sue the company for damages. This can be particularly damaging to a startup's reputation and financial stability.
Reputational Damage
Violations can lead to negative media coverage and public backlash, significantly damaging a company's reputation and potentially impacting customer trust and future business opportunities.
Injunctions and Corrective Measures
Courts may order companies to take specific actions to address the violation, such as improving data security practices or notifying affected individuals.
Loss of Business Licenses
In severe cases, companies may face the suspension or revocation of their business licenses for repeated or egregious violations.
Additionally:
Some laws, like the Oregon ODPA, allow for a private right of action, meaning consumers can file lawsuits themselves without the state Attorney General having to sue first. Some states, like California, have a "cure period" during which companies can fix the violation before facing the full penalty.
Upcoming Data privacy laws that are being developed by states
Maryland: The Maryland Consumer Privacy Act (MDCPA) is currently under consideration and could be enacted in the coming years.
New York: The New York Privacy Act (NYPA) is another proposed bill awaiting further legislative discussion.
Washington: The Washington Privacy Act (WPA) is currently under development and is expected to be considered by the state legislature in the near future.
Which state has the best privacy laws?
There is no single "best" state in terms of data privacy laws, as each state has its own unique framework with advantages and limitations.
But overall, California is by far the state that has taken the most steps towards data privacy.
Its state constitution is also the only one in the country to explicitly mention a right to privacy.
Source: news.networktigers.com
Is GDPR a law in the US?
No, the General Data Protection Regulation (GDPR) is not a law in the US. It is a regulation enforced by the European Union (EU) that applies to organizations processing the personal data of individuals residing within the EU, regardless of the organization's location.
Does New York have a data privacy law?
As of October 26, 2023, New York does not have a comprehensive data privacy law in effect. However, several bills related to data privacy have been proposed in the state legislature, and the landscape is evolving.
What is the US equivalent of the GDPR?
There is no single US equivalent to the GDPR, due to the decentralized nature of data privacy regulations in the US. While California was the first US state to enact a comprehensive data privacy law (CCPA) in 2018, several other states have followed suit with their own unique frameworks.
These state laws vary in scope and requirements, making it difficult to pinpoint a single equivalent to the GDPR.
Best practices businesses should follow when implementing data privacy laws
Know the laws & educate your team.
Inventory your data & map its flow.
Be transparent with users and get consent.
Respect user rights and respond promptly.
Secure your data and regularly review practices.
Optional: Try to minimize the amount of data you collect.
Final thoughts on Data Privacy Laws
While complying with these regulations might seem daunting, remember that it's not just about avoiding penalties, but about safeguarding user data and building trust.
By implementing best practices like those outlined, you can demonstrate your commitment to responsible data handling and foster a strong foundation for success.
Hope you found this useful; share it with people you think need to know about these data privacy laws as they implement them in their business.
Disclaimer: The information provided on this website is for general informational purposes only and should not be considered legal advice. We make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, or suitability of the information. Any reliance you place on such information is strictly at your own risk. We are not liable for any loss or damage resulting from the use of this website or its content.