What started as a tentative trickle in the California legislature back in 2018 has evolved into a veritable tidal wave of state consumer privacy legislation. As of this date, eight states have comprehensive consumer privacy laws in effect, and an additional eleven states have passed similar laws that are scheduled to take effect over the course of the next two years.
Most of the state consumer privacy laws discussed follow the basic framework laid down by the California Privacy Rights Act as it was subsequently modified by similar laws passed in Colorado and Virginia.
Current State Consumer Privacy Laws
California: The California Consumer Privacy Act of 2018, as amended by the voter-approved California Privacy Rights Act of 2020 (CPRA) (collectively, CCPA) (Cal. Civ. Code §§ 1798.100 to 1798.199.95; Cal. Code Regs. tit. 11, §§ 7000 to 7102). The CCPA first took effect on January 1, 2020.
Colorado: The Colorado Privacy Act (CPA) (Colo. Rev. Stat. Ann. § 6-1-1308(5)). The CPA went into effect on July 1, 2023.
Connecticut: The Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) (Conn. Gen. Stat. Ann. §§ 42-515 to 42-525). The CTDPA took effect on July 1, 2023.
Florida: The Florida Digital Bill of Rights (FDBR) (§ 501.701, Fla. Stat.). The FDBR went into effect on July 1, 2024.
Oregon: The Oregon Consumer Privacy Act (OCPA) (SB 619). The OCPA took effect on July 1, 2024.
Texas: The Texas Data Privacy and Security Act (TDPSA) (Tex. Bus. & Com. Code Ann. §§ 541.001 to 541.205). The TDPSA went into effect on July 1, 2024.
Utah: The Utah Consumer Privacy Act (UCPA) (Utah Code §§ 13-61-101 to 13-61-404). The UCPA took effect on December 31, 2023.
Virginia: The Virginia Consumer Data Protection Act (VCDPA) (Va. Code Ann. §§ 59.1-575 to 59.1-584). The VCDPA became effective on January 1, 2023.
Pending State Consumer Privacy Laws
Delaware: The Delaware Personal Data Privacy Act (DPDPA) (HB 154) takes effect on January 1, 2025.
Indiana: The Indiana Consumer Data Protection Act (INCDPA) (SB 5) takes effect on January 1, 2025.
Iowa: The Iowa Consumer Protection Data Act (ICPDA) (SF 262) takes effect on January 1, 2026.
Kentucky: The Kentucky Consumer Data Protection Act (KCDPA) (HB 15) takes effect on January 1, 2026.
Minnesota: The Minnesota Consumer Data Privacy Act (MCDPA) (HF 4757) is scheduled to take effect on January 31, 2025, for most entities.
Montana: The Montana Consumer Data Privacy Act (MCDPA) (SB 384) goes into effect on October 1, 2024.
Nebraska: The Nebraska Data Privacy Act (NDPA) (LB 1074) takes effect on January 1, 2025.
New Hampshire: The New Hampshire Privacy Act (NHPA) (SB 255) will become effective on January 1, 2025.
New Jersey: The New Jersey Data Privacy Act (NJDPA) (SB 332) takes effect on January 15, 2025.
Rhode Island: The Rhode Island Data Transparency and Privacy Protection Act (RIDPA) (H 7787 and S 2500) takes effect on January 1, 2026.
Tennessee: The Tennessee Information Protection Act (TIPA) (HB 1181) takes effect on July 1, 2025.
Meeting the Challenges of Privacy Law Compliance
While their frameworks are similar, each state’s privacy statute has its own applicability threshold along with other intricacies. For example, while most state consumer privacy statutes grant similar rights to their respective residents, including as a right to access, correct, and delete personal data, along with a right to opt-out of the sale of their personal information, residents of Iowa and Utah have no right to correct inaccurate personal data held by covered entities.
Although many of the variations amongst existing and pending state consumer privacy laws are relatively minor, they can nevertheless pose a serious compliance challenge to covered entities, which is why many have elected to simply comply with the most demanding amongst them.
The most important aspect to consider when formulating a compliance strategy is to first determine whether your company falls within the numerous exemptions and coverage thresholds found within each state’s consumer privacy law. If your company and the data you collect is covered, you must update your policies to ensure compliance with the various consumer rights those laws guarantee, and to amend your data sharing agreements accordingly.