In 2019, the US data privacy framework changed significantly with the emergence of the California Consumer Privacy Act, which created a significant compliance burden for most businesses that collect personal information about California residents. Since then, activity at the state level has increased as more states look to establish data privacy laws in the absence of a comprehensive data privacy law at the federal level. Currently, a total of twenty states have passed comprehensive data privacy laws in the United States: California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Florida, Montana, Oregon, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, and Rhode Island. Of those twenty, California, Colorado, Connecticut, Virginia, Utah, Florida, Texas, and Oregon's laws are currently effective, while Montana's privacy law will become effective later in 2024. This US Data Privacy Guide provides insight on these and other US data privacy laws and regulations.
2024
Rhode Island Enacts the Data Transparency and Privacy Protection Act, Joining the US Data Privacy Landscape
Rhode Island became the latest state to enact comprehensive data privacy legislation, when the Rhode Island Data Transparency and Privacy Protection Act (the "Rhode Island Data Privacy Act") passed into law on June 28, 2024. The law will take effect on January 1, 2026. In this latest in our series of articles on US State Data Privacy Laws, we have summarized below its key components. Read full here »
Minnesota Enacts Comprehensive Consumer Data Privacy Law
Minnesota enacts comprehensive data privacy legislation, continuing the rapid proliferation of laws aimed at protecting consumers’ personal information. Read full here »
Maryland Enacts Comprehensive Data Privacy Law
On May 9, 2024, Maryland Governor Wes Moore signed into law Senate Bill 541 (the "Maryland Online Data Privacy Act") making Maryland the eighteenth state to adopt comprehensive data privacy legislation in the United States ("US State Data Privacy Laws"). The Maryland Online Data Privacy Act will take effect on October 1, 2025. The Maryland Office of the Attorney General (Consumer Protection Division) will have exclusive enforcement authority, and there is no private right of action available under this act. Read full here »
CPPA Enforcement Division Issues First Enforcement Advisory on Data Minimization
On April 2, 2024, the California Privacy Protection Agency's (CPPA) Enforcement Division issued its first enforcement advisory, titled "Applying Data Minimization to Consumer Requests," to further emphasize the importance of data minimization obligations upon businesses under the California Consumer Privacy Act (CCPA). Read full here »
New Hampshire Enacts Comprehensive Data Privacy Law
On March 6, 2024, New Hampshire joined the steadily expanding number of states adopting a comprehensive data privacy law, when Governor Chris Sununu signed SB 225 (the "New Hampshire Privacy Act"). The law will take effect January 1, 2025. Read full here »
Nebraska Enacts Comprehensive Data Privacy Law
On 17 April, 2024, Nebraska Governor Jim Pillen signed into law omnibus Legislative Bill 1074, which includes the Nebraska Data Privacy Act, making Nebraska the seventeenth state to adopt comprehensive data privacy legislation. Read full here »
Kentucky Enacts Comprehensive Data Privacy Law
Governor Andy Beshear signs Kentucky’s Data Privacy Law, continuing the rapid proliferation of comprehensive state data privacy legislation. Read full here »
Recent Proliferation of Lawsuits Under New Jersey’s Daniel’s Law
Plaintiffs' attorneys recently have filed a series of lawsuits in New Jersey, seeking damages based on alleged violations of Daniel's Law (N.J. Stat. § 56:8-166.1). Read the full article here »
CCPA Settlement Illustrates Continued Focus on the Sale of Consumer Personal Information
On February 21, 2024, California Attorney General Rob Bonta ("Cal AG") announced that his office reached a settlement with DoorDash, the food delivery service company, for violating the California Consumer Privacy Act ("CCPA") and the California Online Privacy Protection Act ("CalOPPA"). Read the full article here »
California Consumer Privacy Act Enforcement Update: New Investigative Sweep of Streaming Services & Restoration of the CPPA’s Enforcement Authority
As 2024 gets underway, California's regulators have continued to press forward in seeking to enforce the California Consumer Privacy Act (CCPA). Two recent developments warrant mentioning. Read the full article here »
Connecticut Attorney General Issues Report on the First Six Months of the Connecticut Data Privacy Act – Highlighting Enforcement Priorities
The Connecticut Office of the Attorney General ("CT AG") has released its first report on enforcement of the Connecticut Data Privacy Act ("CTDPA"), revealing its focus on companies’ privacy policies, protections of "sensitive data" (such as genetic, biometric and geolocation data), and teen data. Read the full article here »
New Jersey Enacts Comprehensive Data Privacy Law
On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill 332 (the "New Jersey Data Privacy Law") making New Jersey the thirteenth state to adopt comprehensive data privacy legislation. Read the full article here »
2023
What to Expect in U.S. Privacy for 2024
In 2023, the privacy landscape saw a proliferation of comprehensive state data privacy laws being enacted in several jurisdictions, as well as a few that have also taken effect. Read the full article here »
Oregon Passes Comprehensive Data Privacy Law
On July 18, 2023, Oregon Governor Tina Kotek signed into law Senate Bill 619 (the "Oregon Consumer Privacy Act"), Oregon's new state consumer privacy law, which will become effective July 1, 2024. Read the full article here »
Florida Enacts the Digital Bill of Rights, Joining the Growing Privacy Landscape
Florida Governor Ron DeSantis recently signed Senate Bill 262 into law, adopting the "Digital Bill of Rights" proposed by his office in February. Read the full article here »
Delaware Enacts Comprehensive Data Privacy Law
White & Case's Data Privacy team discuss Delaware’s new state consumer privacy law and its many implications. Read the full article here »
CPRA Enforcement Activity Underway Despite Court Ruling to Delay
The California Attorney General's (Cal AG) office appears to be moving forward with enforcement activities, despite a recent court ruling delaying enforcement. Read the full article here »
US and EU Approve Framework for Personal Data Transfers
The United States ("U.S.") and the European Union ("EU") have settled on a framework for transfers of personal data for the first time since the European Court of Justice ("CJEU") effectively invalidated the EU-U.S. Privacy Shield in July 2020. Read the full article here »
Texas Passes Comprehensive Data Privacy Law
On June 18, 2023, Governor Greg Abbott signed the Texas Data Privacy and Security Act (TDPSA) into law. Texas now joins the rapidly increasing group of states, California, Utah, Colorado, Connecticut, Virginia, Iowa, Indiana, Tennessee, and Montana (together, "US State Data Privacy Laws"), with their own comprehensive consumer data privacy laws. Read the full article here »
Montana Joins the Growing Number of States with a Comprehensive Data Privacy Law
On May 19, 2023, Montana Governor Greg Gianforte signed into law Senate Bill 384 ("Montana Consumer Data Privacy Act"), Montana's new state consumer privacy law, which will become effective October 1, 2024. Read the full article here »
Tennessee Passes Comprehensive Data Privacy Law
On May 11, 2023, Governor Bill Lee signed the Tennessee Information Protection Act (TIPA) into law. Tennessee now joins the rapidly increasing group of states, California, Utah, Colorado, Connecticut, Virginia, Iowa and Indiana (together, "US State Data Privacy Laws"), with their own comprehensive consumer data privacy laws. Read the full article here »
The CPPA Issues Statement of Reasons for the California Privacy Rights Act Regulations Providing Guidance on Implementing the CCPA
After a delay of eight months, the California Privacy Rights Act Regulations (CPRA) (the "Regulations") were finalized in late March of this year. The Regulations remain unchanged from the final modified version of the draft Regulations distributed in November 2022. Read the full article here »
Indiana Becomes the Seventh State to Enact a Comprehensive Data Privacy Law
On May 1, 2023, Indiana Governor Eric Holcomb signed into law Senate Enrolled Act No. 5 ("Indiana Data Privacy Law"), Indiana's new state consumer privacy law, which will become effective January 1, 2026. Read the full article here »
Iowa Enacts Data Privacy Legislation with Senate File 262
On March 28, 2023, Iowa Governor Kim Reynolds signed into law Senate File 262 ("Iowa Data Privacy Law"), Iowa's new state consumer privacy law, which will go into effect on January 1, 2025. By passing this law, Iowa joins California, Utah, Colorado, Connecticut and Virginia as states with their own consumer privacy laws (together, "US State Data Privacy Laws"). Read the full article here »
Colorado Privacy Act Rules Finalized Ahead of July 1, 2023 Effective Date
The Colorado Attorney General's Office recently finalized rules for the Colorado Privacy Act ("CPA Rules") which was signed into law in July 2021. The Colorado Privacy Act ("CPA") will soon join the California Consumer Privacy Act ("California Privacy Law (CCPA)") and the Virginia Consumer Data Protection Act ("Virginia Privacy Law (VCDPA)") as comprehensive state data privacy laws extending consumer rights and protections, and business compliance obligations regarding data privacy. Read the full article here »
California Attorney General Warns of Enforcement Focus on Mobile App Compliance with CCPA
Our Data Privacy and Cybersecurity practice explains how mobile app companies could face enforcement actions and penalties after the recent CA AG's warning of a "sweep" for compliance with CCPA. Read the full article here »
2022
Upcoming California Privacy Rights Act: Key Compliance Tasks for California Employers
California employers' reprieve from obligations to employees to disclose data privacy practices and provide access rights to employees appears to be coming to an end as the California Privacy Rights Act (CPRA) becomes effective on January 1, 2023. Read the full article here »
California Attorney General Bark Turns to Bite as First CCPA Settlement Includes Monetary Penalty
In a long anticipated development, on August 24 California Attorney General Rob Bonta ("Cal AG") announced the state's first monetary penalty under the California Consumer Privacy Act ("CCPA"), in a settlement with the beauty products retailer Sephora USA, Inc. ("Sephora"). Read the full article here »
Connecticut Lends Its Hand to U.S. Data Privacy Framework
Connecticut lends its hand to US data privacy framework: Our US Data Privacy and Cybersecurity team evaluates this latest addition to the US data privacy law framework against other emerging state data privacy laws in the US along with a checklist for achieving compliance with the law. Read the full article here »
The Utah Consumer Privacy Act: Utah Becomes Fourth US State with Comprehensive Privacy Law
Continuing efforts at the state level to establish a data privacy framework in the US, a fourth state has passed a comprehensive consumer privacy law. Utah has joined the ranks of Colorado, California and Virginia after Governor Spencer Cox signed the Utah Consumer Privacy Act ("UCPA") on March 24, 2022. The legislation is set to take effect well after other state data privacy laws, on December 31, 2023. Read the full article here »
Taking Your First Steps: Key Compliance Tasks to Kick-start Compliance with California and Virginia Data Privacy Laws
As state and federal legislatures across the United States continue to contemplate comprehensive data protection legislation, two pending laws—the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA)—are set to become effective on January 1, 2023. Read the full article here »
2021
Colorado Privacy Act: US Consumer Data Privacy Framework Continues Expansion
Colorado has joined California and Virginia in enacting comprehensive data privacy legislation after Governor Jared Polis signed the Colorado Privacy Act into effect yesterday. The enactment of the Colorado Privacy Act continues the trend of state legislatures guiding the development of the general consumer data privacy framework in the US. The legislation is set to take effect on July 1, 2023. Read the full article here »
Virginia joins California in regulating consumer information: Virginia enacts the Consumer Data Protection Act
On March 2, 2021, Governor Ralph Northam of Virginia signed the Consumer Data Protection Act ("CDPA") into law, after it passed both houses of the legislature with overwhelming support. This new legislation is set to take effect on January 1, 2023, and extends consumer data protections and business obligations that are quite similar to the California Consumer Privacy Act ("CCPA") and the upcoming California Privacy Rights Act ("CPRA"). Read the full article here »
2020
Before the Dust Settles: The California Privacy Rights Act Ballot Initiative Modifies and Expands California Privacy Law
Hot on the heels of the California Attorney General's rulemaking process for the California Consumer Privacy Act ("CCPA"), California voters have passed a ballot initiative to expand and create new privacy rights for consumers. Most of the California Privacy Rights Act ("CPRA") will not take effect until January 1, 2023, giving weary businesses some lead time for their compliance efforts. In this client alert, we set out the key changes for businesses to be aware of as they look forward to meeting their obligations under the CPRA. Read the full article here »
Building a Robust Biometric Compliance Program in the US: A Five-Step Checklist
As companies across industries continue to take advantage of existing and emerging technologies that involve the collection and use of human biometric identifiers, corporate privacy programs must take into account the unique legal and compliance concerns associated with this form of personal data. Currently, the state of Illinois has the most mature regulation, which is heavily litigated and aggressively enforced. Illinois is not alone among states, however, and we anticipate biometric privacy rights will expand across the US in the years to come. Read the full article here »
The California Consumer Privacy Act Regulations Are Finally Here, But Wait There's More…
On August 14, 2020, California's Office of Administrative Law ("OAL") approved the final version of the implementing regulations for the California Consumer Privacy Act ("Final Regulations"). The approval of these final regulations caps off a long period of uncertainty and establishes specific content and administrative compliance obligations for businesses subject to the California Consumer Privacy Act ("CCPA"). The regulations are effective immediately. Read the full article here »
UK Business Exposure To The California Consumer Privacy Act 2018 ("CCPA")
The CCPA took effect on 1 January 2020, introducing significant compliance burdens for most businesses that collect personal information about California residents. The reach of the CCPA extends beyond California and the US; it may apply to businesses based in the UK depending on the level of interaction with California residents and their personal information. Businesses based in the UK should understand the CCPA exposure risk, since the compliance requirements differ in some material ways from the General Data Protection Regulations ("GDPR") and the UK Data Protection Act 2018 ("DPA 2018"). Read the full article here »
Do Turkish Companies Have to Comply With the California Consumer Privacy Act ("CCPA")?
Your business complies with the General Data Protection Regulation ("GDPR") and/or Turkish Personal Data Protection Law numbered 6698 and its secondary legislation ("PDPL"); but does it comply with the California Consumer Privacy Act ("CCPA"), which took effect on January 1, 2020? If your company needs to comply with the CCPA, some crucial differences should be taken into account in privacy compliance management. Read the full article here »
© 2022 White & Case LLP