The California Consumer Privacy Act (CCPA), the first comprehensive state privacy law in the United States, expanded California consumers’ control over their personal data. Amended by the California Privacy Rights Act (CPRA) to include additional data privacy protections, the CCPA established consumers’ right to know what personal data is being collected and whether this data is being sold and disclosed, and to deny the sale of their personal data. Companies are expressly prohibited from discriminating against California consumers for exercising their privacy rights. California has also enacted a data broker law that requires businesses meeting the criteria for “data brokers” under the law to register annually with the Attorney General. Failure to register can result in legal penalties, including fines and pecuniary damages.
Passed in 2021, the Colorado Privacy Act grants Colorado consumers the right to access, delete, and correct their personal data, as well as to opt out of the sale or sharing of their personal information. Under this law, companies have the responsibility to protect consumers’ personal data and obtain consent before processing any data defined as “sensitive.”
The Connecticut Personal Data and Privacy Online Monitoring Act, effective July 1, 2023, establishes privacy rights for Connecticut consumers. This legislation specifies the rights of Connecticut residents to know whether a business is processing their personal data, to correct or delete their personal information, to obtain a copy of their personal data, and to opt out of the processing of their personal data.
The Indiana Consumer Data Protection Act requires businesses to provide consumers with information regarding the collection and use of their data. Passed in May of 2023 and taking effect January 1, 2026, the legislation also ensures that consumers can correct or delete their data, and requires businesses to provide means for consumers to opt out of having their data processed for certain purposes.
Signed by the governor in March of 2023, the Iowa Consumer Data Protection Act takes effect January 1, 2025. This legislation imposes transparency and disclosure requirements regarding the types of consumer data collected and the uses for which personal information will be processed, and applies to all organizations that conduct business in Iowa or produce products and services targeted to the residents of Iowa.
Signed into law in May 2023 and taking effect October 1, 2024, the Montana Consumer Data Privacy Act grants consumers the right to revoke their consent to data processing, request the deletion of their personal data, and obtain a copy of their personal information.
Taking effect January 15, 2025, the New Jersey Privacy Act prohibits companies from collecting ‘sensitive data’ without the consumer’s consent and requires companies that sell personal data or engage in targeted advertising to give consumers conspicuous notice of that activity and of how they may opt out. Similar to privacy laws in California and Colorado, corresponding regulations will accompany the law. New Jersey’s privacy law has a broader revenue threshold for applicability, potentially covering more companies than other state privacy laws.
Scheduled to go into effect in July 2024, the Oregon Consumer Privacy Act sets forth obligations for companies to provide information regarding the collection and use of consumers’ personal data. The Act also establishes requirements for companies to allow consumers to correct inaccuracies in their data, and to ensure that consumers can opt out of data processing.
Taking effect July 1, 2025, the Tennessee Information Protection Act requires that companies allow consumers to opt out of personal data collection, provide consumers with the ability to access their data, and correct inaccuracies in their personal information. By narrowly defining the types of disclosures that require opt-in consent and providing companies with the right to cure, Tennessee’s privacy law is considered more business-friendly compared with other state privacy laws.
The Texas Data Privacy and Security Act requires businesses to obtain consent before processing sensitive personal data and to recognize the universal opt-out mechanism, and it includes a right to cure any privacy violation within 30 days of notification from the Texas Attorney General. Signed in June of 2023, this Act joins the list of consumer privacy laws due to take effect in July 2024.
The Utah Consumer Privacy Act, which has narrower applicability thresholds than some other state privacy laws, establishes requirements for businesses to provide information on the collection, use, and sale of consumer personal data. Expected to take effect on December 31, 2023, this law is considered more business-friendly than some other state privacy laws and is notable for limiting its definition of the sale of personal data to the exchange of personal data for monetary consideration.
The Virginia Consumer Data Protection Act (VCDPA), effective since January 1, 2023, creates a framework for controlling and processing the personal data of Virginia residents. This law grants consumers the ability to access, correct, and obtain a copy of their information as well as the right to opt out of the processing of their personal data. Businesses operating in Virginia, including via remote activities conducted online, have compliance obligations for implementing processes to ensure that opt-out and other consumer requests made under the law are handled promptly.
In September 2023, Delaware enacted its comprehensive Delaware Personal Data Privacy Act (DPDPA). The law, which takes effect January 1, 2025, provides consumers the right to access, correct, and delete their personal data and to opt out of having their data sold or used for targeted advertising or profiling. Consumers can also obtain from controllers a list of the third parties to whom the controller has disclosed their data. Notably, the law applies a lower collection threshold and sell/share threshold compared to other states’ consumer privacy laws, making the DPDPA applicable to a wider range of businesses. However, it does not provide consumers with a private right of action.
The “Florida Digital Bill of Rights” (FDBR), which applies to businesses with more than $1 billion in annual gross revenue, requires businesses to obtain consent and conduct data protection assessments for certain processing activities. Signed into law in June 2023 and effective July 1, 2024, the law establishes familiar consumer rights and grants consumers the right to opt out of personal data collection through voice and facial recognition technologies. Like privacy laws in California and Colorado, the FDBR will have accompanying regulations.