US State Privacy Laws Overview

Businesses are subject to additional regulations as a result of state privacy laws in the US imposing new technical and legal hurdles. Different state privacy laws in the US are providing customers with more control over their personal information, by giving customers certain rights and requiring businesses to be open about their privacy practices. 

Not sure if US laws apply to you? Do this free 1-min quiz

We will assist you in complying with any applicable privacy laws in the US. Our solutions handle the difficult technical and legal lifting, taking the guesswork out of compliance. 

🇺🇸 US State Laws Overview 

California: CCPA (as updated by CPRA)

Effective Date: January 1, 2023

Key Updates:

• Introduced sensitive personal information (SPI) as a separate data category.
  • Businesses handling SPI must provide a “Limit the Use of My Sensitive Personal Information” link on their websites.
• Expanded consumer rights, including the right to correct inaccuracies and opt out of data sharing (for purposes of behavioral advertising).
• Added principles of data minimization, purpose limitation, and storage limitation.
• Requires honoring Opt-Out Preference Signals (OOPS) sent from browsers or similar technologies.

How to Comply:

• Update privacy policies to include SPI-related disclosures.
• Implement mechanisms to process opt-out requests and signals and provide SPI usage controls.

🔗 Detailed Guide to CPRA Compliance
🔗 CCPA vs. CPRA: Key Differences

Virginia: VCDPA

Effective Date: January 1, 2023
Key Requirements:

• Businesses must provide a clear and accessible privacy notice outlining data practices.
• Consumers have the right to access, delete, and correct their data, as well as to opt out of certain processing activities, and businesses must comply with such requests within 45 days.

How to Comply:

• Display privacy notices to meet requirements.
• Use iubenda tools to automate and simplify compliance.

🔗 Detailed Guide to the Virginia Consumer Data Protection Act 
🔗 VCDPA FAQs

Colorado: CPA

Effective Date: July 1, 2023
Universal Opt-Out Mechanism Deadline: July 1, 2024
Key Requirements:

• Enhanced consumer rights, including the ability to opt out of:
  • Targeted advertising
  • Sale of personal data
  • Profiling
• Businesses must honor universal opt-out signals by mid-2024.

How to Comply:

• Provide comprehensive privacy notices that include opt-out options.
• Develop systems to honor universal opt-out mechanisms.

🔗 Full Colorado Privacy Act Guide

Utah: UCPA

Effective Date: December 31, 2023
Key Requirements:

• Provides consumers with rights to:
  • Access
  • Delete
  • Data portability
  • Opt-out of certain processing
• Businesses must respond to consumer requests within 45 days.

How to Comply:

• Ensure your business grants UCPA’s consumers’ rights and follows response requirements;
• Be transparent regarding your data processing activities and include required disclosures in your privacy policy.

🔗 Utah Consumer Privacy Act Overview

Connecticut: CTDPA

Effective Date: July 1, 2023
Key Requirements:

• Consumers in Connecticut can:
  • Access
  • Correct
  • Delete
  • Opt-out of certain data processing activities
  • Exercise data portability rights
• Controllers are required to:
  • Provide privacy notices
  • Conduct data protection assessments
  • Implement easy ways for consumers to give and withdraw consent.

How to Comply:

• Review internal practices to ensure compliance with notice and consent requirements.

🔗 Connecticut Data Privacy Act Details

Oregon: OCPA (Oregon Consumer Privacy Act) 

Effective Date: July 1, 2024 

Key Requirements:

• Consumers gain rights to:
  • Access their data 
  • Correct inaccuracies 
  • Delete personal data 
  • Opt-out of targeted advertising, data sales, and profiling 
• Requires a clear privacy notice outlining data practices. 

How to Comply:

• Update privacy policies to reflect consumer rights. 
• Implement mechanisms for managing opt-outs and consumer requests. 

🔗 Oregon Consumer Privacy Act Overview

Texas: TDPSA (Texas Data Privacy and Security Act) 

Effective Date: July 1, 2024 

Key Requirements:

• Consumers have the right to:
  • Access their personal data 
  • Correct inaccuracies 
  • Delete personal data 
  • Opt-out of targeted advertising, sale of data, and profiling 
• Requires businesses to respond to consumer requests within 45 days. 

How to Comply:

• Provide detailed privacy notices and tools for opt-out requests. 
• Conduct assessments to ensure compliance. 

🔗 Comprehensive Guide to Texas Data Privacy Law
🔗 Detailed Look at Texas TDPSA

Montana: MTCDPA (Montana Consumer Data Privacy Act) 

Effective Date: October 1, 2024 

Key Requirements:

• Grants rights to consumers to:
  • Access, correct, and delete their data 
  • Opt-out of targeted advertising, data sales, and profiling 
• Requires businesses to provide privacy notices and conduct data protection assessments. 

How to Comply:

• Make sure privacy policies inform about consumer rights. 
• Implement robust data protection measures. 

🔗 Understanding the Montana Consumer Data Privacy Act

Iowa: ICDPA (Consumer Data Protection Act)

Effective Date: January 1, 2025 

Key Requirements:

• Introduces consumer rights to:
  • Access and delete personal data 
  • Data portability 
  • Opt-out of the sale of personal data.
• Businesses must respond to consumer requests within 90 days. 

How to Comply:

• Review privacy practices and update notices. 
• Implement systems to manage and honor consumer requests. 

🔗 Newly Enacted Iowa Privacy Law

New Jersey: NJDPA (New Jersey Data Protection Act) 

Effective Date: January 15, 2025

Key Requirements:

• Requires comprehensive privacy notices. 
• Introduces consumer rights, including access, correction, deletion, and opt-outs for targeted advertising, data sales, and profiling. 

How to Comply:

• Develop clear and transparent privacy notices. 
• Implement consumer data rights management tools. 

🔗 New Jersey Data Protection Act Overview

Delaware: DPDPA (Delaware Personal Data Privacy Act) 

Effective Date: January 1, 2025 

Key Requirements:

• Establishes rights to access, correct, delete, and opt out of, among others, targeted advertising. 
• Requires privacy notices and data protection impact assessments. 

How to Comply:

• Update privacy policies and implement data rights systems. 
• Conduct data impact assessments to ensure compliance. 

🔗 Delaware Personal Data Privacy Act Overview

New Hampshire: NHDPA (New Hampshire Data Protection Act) 

Effective Date: January 1, 2025.

Key Requirements:

• Provides consumers with rights to access, correct, and delete personal data. 
• Requires businesses to notify consumers about their data practices. 

How to Comply:

• Create clear privacy notices and opt-out mechanisms. 
• Ensure compliance with rights request processing. 

🔗 New Hampshire Data Protection Act Overview

Nevada: Nevada Privacy Law 

Effective Date: First enacted in 2017 and subsequently amended in 2019 and 2021

Key Requirements:

• Consumers can opt out of the sale of their personal data. 
• Operators are required to make available a comprehensive and accessible privacy notice.

How to Comply:

• Enable users to opt out of the sale of personal data. 
• Include mandatory disclosures in your privacy notice.

🔗 Nevada Privacy Law Overview

Nebraska: NDPA (Nebraska Data Privacy Act)

Effective Date: January 1, 2025
Key Requirements:

• Grants consumers rights to access, correct, delete, and opt out of targeted advertising.
• Requires businesses to implement privacy notices that clearly describe data practices.
• Mandates data protection impact assessments for certain processing activities.

How to Comply:

• Update privacy notices to reflect consumer rights and data processing activities.
• Implement systems to manage consumer requests regarding access, correction, deletion, and opt-out preferences.
• Conduct data protection impact assessments where applicable.

🔗 Nebraska Data Privacy Act Overview