A Guide to U.S. State Data Privacy Laws

As privacy concerns continue to rise, U.S. state data privacy laws are becoming more prominent, with businesses and marketers needing to adapt. While Congress has yet to pass a national data privacy law, 17 states are either enforcing or preparing to enforce their own privacy laws. This means that businesses operating across multiple states must navigate a patchwork of regulations that differ in scope, definitions, and requirements.

In this blog, we’ll explore what you need to know about these privacy laws, how they affect businesses, and key dates for upcoming legislation.

Understanding U.S. State Data Privacy Laws

Currently, six states have enacted data privacy laws, while 11 others will see their regulations come into effect by the end of next year. These laws share a common goal: granting consumers more control over their personal information (PI). However, they vary in specific requirements, coverage, and implementation.

The general consumer rights these laws provide include:

• The ability to access, delete, or request changes to their personal information.
• The right to opt out of the sale of their data.
• Restrictions on how businesses collect, store, and use sensitive data.

Despite these shared principles, businesses must be aware of each state’s unique regulations to ensure compliance.

States with Data Privacy Laws Currently in Effect

1. California – California Consumer Privacy Act (CCPA)
   Effective Date: January 1, 2020
   Businesses that meet specific thresholds, such as $25 million in annual revenue or handling data for over 100,000 consumers, must comply with the CCPA. It requires them to allow consumers to opt out of data sales, minimize data collection, and provide a clear privacy notice.
2. Virginia – Virginia Consumer Data Protection Act (VCDPA)
   Effective Date: January 1, 2023
   This law applies to companies processing data for 100,000+ Virginia residents or making at least 50% of their revenue from selling PI. Businesses must let consumers opt out of data sales, provide a privacy notice, and conduct Privacy Impact Assessments.
3. Colorado – Colorado Privacy Act (CPA)
   Effective Date: July 1, 2023
   The CPA targets businesses handling data for 100,000+ consumers annually. It requires businesses to offer opt-out mechanisms for data sales, targeted advertising, and profiling, as well as conduct data protection assessments.
4. Connecticut – Connecticut Data Privacy Act (CDPA)
   Effective Date: July 1, 2023
   Businesses processing data from over 100,000 Connecticut consumers or making 25%+ of their revenue from data sales must follow this law. It requires them to implement data protection measures and allow consumers to opt out of sensitive data processing.
5. Utah – Utah Consumer Privacy Act
   Effective Date: December 31, 2023
   Targeting companies with $25 million+ in revenue, Utah’s law gives consumers the right to opt out of data sales and targeted advertising. Companies must also provide a privacy notice and enter into data processing agreements with service providers.
6. Oregon – Oregon Consumer Privacy Act
   Effective Date: July 1, 2024
   The law applies to businesses handling data for 100,000+ Oregon consumers. It mandates data access rights for consumers and requires businesses to offer opt-out options for profiling, targeted advertising, and data sales.

States with Upcoming Data Privacy Laws

Several other states have passed data privacy laws that will take effect in the coming years. Here are some key laws to be aware of:

1. Montana – Montana Consumer Data Privacy Act
   Effective Date: October 1, 2024
   This law will apply to businesses controlling or processing data for 100,000+ Montana residents. It provides consumers with opt-out rights and requires businesses to offer privacy notices and implement data protection assessments.
2. Iowa – Iowa Consumer Data Protection Act
   Effective Date: January 1, 2025
   Similar to other states, Iowa’s law requires businesses to provide privacy notices, limit data processing to specific purposes, and give consumers the right to opt out of data sales.
3. Texas – Texas Data Privacy and Security Act
   Effective Date: January 1, 2025
   Texas’ law applies to businesses engaging in data sales and includes strict requirements for consumer data protection and security measures. Businesses must also obtain consent for processing sensitive information.
4. New Jersey – New Jersey Consumer Data Privacy Bill
   Effective Date: January 16, 2025
   This law applies to businesses handling data for 100,000+ New Jersey residents. It requires them to limit data collection, obtain consent for processing children’s data, and implement data security measures.
5. Maryland – Maryland Online Data Privacy Act
   Effective Date: October 1, 2025
   Maryland’s upcoming law is expected to be one of the strictest in the nation. It will enforce comprehensive data protection measures, including consumer rights to access, delete, and request portability of their personal data.

Navigating the Patchwork of Laws

While these state laws share some common features, the differences in implementation, consumer rights, and business requirements can create significant compliance challenges. Companies that operate in multiple states must develop flexible data management strategies that account for these variations.

For marketers, the challenge is even more pronounced. Different definitions of personal information, consent requirements, and opt-out mechanisms can impact how data is collected and used for marketing campaigns. It’s essential to stay informed about evolving legislation to avoid fines and maintain consumer trust.

Additionally, businesses must consider their relationships with third-party providers, ensuring that all service providers comply with state data privacy laws. Proper data processing agreements and clear policies on data retention and protection are vital for maintaining compliance.

Why Privacy Laws Matter for Your Business

Data privacy is no longer just a legal issue; it’s a customer trust issue. Consumers are increasingly aware of how their data is used, and they expect businesses to handle their information with care. By complying with state privacy laws, businesses not only avoid legal repercussions but also demonstrate their commitment to consumer rights.

If your business handles sensitive data or operates across state lines, staying on top of data privacy laws is crucial. Regularly updating privacy policies, conducting data protection assessments, and providing clear opt-out options can help build a stronger relationship with your customers.

Conclusion

With 17 states either enforcing or preparing to enforce data privacy laws, the landscape is becoming more complex for businesses. Navigating these regulations requires a proactive approach to data management and a commitment to protecting consumer privacy.

Companies should ensure compliance with the relevant state laws and continually monitor changes to avoid potential pitfalls. As privacy regulations continue to evolve, businesses that stay ahead of the curve will not only meet legal requirements but also foster trust with their consumers.

Need help ensuring your business is compliant with privacy regulations? Shred Instead offers Product Destruction services to securely dispose of sensitive data and products, helping businesses meet privacy standards across multiple states.

By prioritizing consumer privacy, you can safeguard your business’s reputation and protect customer trust in an increasingly regulated world.