This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Data Privacy

A Comprehensive Guide to the US State Privacy Laws

DataGrail, October 11, 2022

Eight out of ten Americans agree there should be a federal law protecting their personal data, according to 2022 DataGrail research.

In 2018, the European Union spearheaded the process of establishing regulations for consumer data protection with the General Data Protection Regulation (GDPR). The United States has yet to develop federal data privacy legislation, but some states have gotten the ball rolling on their own.

If your company currently conducts business in the United States or plans to in the future, you need to stay up to date on the evolving US state privacy laws. To make this easier, we’ll break down the most notable US data privacy laws by state below.

What Are Data Privacy Laws?

Data privacy laws regulate how companies must manage and protect consumer data when it’s collected, used, or shared. Generally, data privacy laws often seek to give consumers the right to:

  • Determine if their data can be collected
  • Opt out of having their data sold to third parties
  • Access and review the data that is collected about them
  • Ensure the accuracy of their stored personal data
  • Request to have their data deleted
  • Receive prompt alerts if their data is compromised during a data breach

Adhering to strict data privacy and protection standards will help you stay on the right side of the law and establish trust with your customers. In contrast, violating relevant data privacy laws in states where you conduct business can lead to legal repercussions, expensive penalties, and reputational damage.

U.S. States with Comprehensive Data Privacy Laws

As of 2022, only five U.S. states have comprehensive data privacy laws on the books:

  • California
  • Colorado
  • Connecticut
  • Utah
  • Virginia

These states give residents the right to obtain their personal information from companies, request to have it deleted, and opt out of having it sold to third parties. They also compel companies to post clear privacy policies that detail the types of personal information they collect about their consumers, who they share this data with, and how consumers can control their data.

Let’s take a closer look at each of these state’s data privacy laws:


California has led the charge in establishing consumer data privacy laws within the United States. As a result, the Golden State has currently enacted more data privacy laws than any other in the nation—both in quantity and protective rigor.

Here are some of the data privacy laws that companies operating in California must abide by:

  • California Consumer Privacy Act of 2018 (CCPA)California’s CCPA allows California residents to ask businesses to disclose the type of information they collect about them, why this information is being collected, and the source of the collection. It also grants consumers the right to have their personal information deleted and opt out of having it sold. Companies cannot discriminate against consumers based on their opt-out requests.
  • California Privacy Rights Act (CPRA) The CPRA gives California consumers even more control over their data. Its primary provisions include enabling consumers to:
    • Prevent businesses from sharing their personal information
    • Correct inaccurate personal information
    • Restrict companies from utilizing sensitive data and personal information (such as race, sexual orientation, precise geolocation, etc.)

Additionally, this act increases the maximum penalties for violations against consumers who are 16 years of age or below and prohibits companies from keeping personal data longer than necessary.

This law will go into effect on January 1, 2023. The California Privacy Protection Agency will be tasked with enforcing it.

  • Cal. Civ. Code §§ 1798.99.80 et seq (Data Broker Registration) – Data Broker Registration compels data brokers to register with the Attorney General. They must also provide certain information, which will be posted on the Attorney General’s website. Lastly, it defines which companies are considered data brokers under the law. If data brokers fail to comply with Data Broker Registration, they can face fees or penalties.
  • California Age Appropriate Design Code Act

Some other laws that California has enacted regarding data security and privacy include:

  • Calif. Bus. & Prof. Code §§ 22580-22582
  • Cal. Govt. Code §§ 6254, 6267 and 6276.28
  • Cal. Civil Code § 1798.90
  • Calif. Bus. & Prof. Code § 22575
  • CalOPPA
  • Cal. Civ. Code §§ 1798.130(5), 1798.135(a)(2)(A)


Colorado’s comprehensive data privacy law is known as the CPA, or Colo. Rev. Stat. § 6-1-1301 et seq.

This law adds the Colorado Privacy Act to the Colorado Consumer Protection Act. It details consumers’ privacy rights and companies’ personal data protection duties. It also grants the Attorney General and district attorneys power to enforce the law. Finally, this act clearly defines any terms relevant to the law to dissolve any confusion.

This law will go into effect on July 1, 2023.


Connecticut’s primary data privacy law is known as Personal Data Privacy and Online Monitoring, or 2022 S.B. 6 or Public Act No. 22-15.

This law establishes standards for how companies must control and process Connecticut residents’ personal data. Like comparable state data laws, it gives residents the right to request a copy of their personal data, correct any inaccuracies, and opt out of personal data processing with a company altogether. It will take effect on July 1, 2023. 

Connecticut residents are also protected by Conn. Gen. Stat. § 42-471, which mandates that entities possessing personal information about consumers must safeguard it from being misused by third parties and erase it upon disposal. This statute also requires companies that collect Social Security numbers to publicly post privacy protection policies.


Utah’s 2022 S.B. 227, known as the Utah Consumer Privacy Act, gives consumers the right to know:

  • What type of data businesses collect about them
  • How their data is being used
  • Whether or not businesses intend to sell their data to third parties

As with the other comprehensive state laws we’ve discussed so far, this act lets consumers access and delete their data and opt out of data collection. It also gives companies clear guidelines on how they must protect consumer data.

Once this Utah privacy law takes effect on December 31, 2023, it will be enforced by the Attorney General through the administration of penalties.


The last state on our list with an active comprehensive data privacy law is Virginia. This state’s Consumer Data Protection Act (2021 H.B. 2307/2021 S.B. 1392) is quite detailed. It lays out clear regulations for companies that conduct business in Virginia regarding how they can control and process data. It also gives consumers the right to access, delete, and correct their data, as well as opt-out of personal data processing for advertising purposes.

This law only applies to non-government companies that:

  • Control or process data from 100,000 consumers or more
  • Earn over half of their gross revenue from selling personal data and control and process data of 25,000 consumers or more

This law will take effect on January 1, 2023. It will be enforced by the Attorney General exclusively with the Consumer Privacy Fund financing these efforts. Virginia was the second state to enact comprehensive privacy legislation in the U.S.

Looking to master the data privacy basics?
Read the Privacy Primer

U.S. States with Limited Data Privacy Laws

While these five states are the only ones to enact comprehensive data privacy laws so far, there are other states with moderate protective measures in place, such as Nevada.


Nevada’s NRS § 603A.300 mandates that websites allow Nevada users to opt-out of having their personal information sold to third parties. The Attorney General has the right to pursue injunctions and penalties for any violations.

Nevada 2021 S.B. 260, Chap. 292 also applies in this state. This law outlines certain exemptions and prevents data brokers from selling consumer information against their wishes.

Nevada’s other data security and privacy laws are as follows:

  • NRS § 205.498
  • NRS § 603A.340

Other U.S. State Consumer Protection Laws

Ten more states have data protection laws, though they are quite limited compared to the ones above. For example, these laws may only specify how children’s data can be used or how e-reader data can be collected.

These U.S. states with data privacy laws that are limited include:

  • Vermont – 9 V.S.A § 2446-2447
  • Minnesota – Minn. Stat. §§ 325M.01 to .09
  • Maine – 35-A MRSA § 9301
  • Delaware – Del. Code § 1204C and Del. Code Tit. 6 § 205C
  • Arizona – Ariz. Rev. Stat. § 41-151.22
  • Missouri – Mo. Rev. Stat. §§ 182.815, 182.817
  • Oregon – ORS § 646.607
  • Hawaii – 2021 H.B. 1253
  • New York – Civ. Rts. Code § 52-C*2
  • Tennessee – Tenn. Code § 10-7-512

ADPPA—A Proposed Federal Law To Supersede Existing State Regulations

While the US does not currently have a data privacy and protection law enacted at the federal level, this may soon change. A bill known as the American Data Privacy Protection Act (ADPPA) is currently stalled in the legislative process. If it or another US federal data privacy law is enacted, it will supersede the existing state laws and require uniform compliance for all companies conducting business in the US.

However, a federal law doesn’t mean that state-level privacy rules and restrictions disappear. Many of the current state data privacy laws may remain to provide additional protections beyond the federal regulation’s scope, depending on a federal bill’s final structure.

How Can Companies Ensure Compliance?

As you can see, each state has distinct privacy rules and regulations when it comes to data collection and processing. Unfortunately, keeping up with these laws can be difficult if you don’t have the right tools.

One way you can stay in compliance with ease is by utilizing DataGrail, a comprehensive data privacy management software system. With DataGrail’s data privacy platform, you can automate your privacy fulfillment, reducing your reliance on manual labor and enhancing your compliance. As your business grows and expands into new states, DataGrail can ensure your privacy management is up for the task.

Discover how DataGrail can streamline your data compliance management efforts today.

Sources:Forbes. 50 Stats Showing Why Companies Need To Prioritize Consumer Privacy. Consulting. General Data Protection Regulation.
https://gdpr-info.euCalifornia Legislative Information. TITLE 1.81.5. California Consumer Privacy Act of 2018 [1798.100 – 1798.199.100]. Association of Privacy Professionals. CCPA and CPRA. Legislative Information. TITLE 1.81.48. Data Broker Registration [1798.99.80 – 1798.99.88]. Legislative Information. CHAPTER 22.1. Privacy Rights for California Minors in the Digital World [22580 – 22582]. Legislative Information. ARTICLE 1. General Provisions [6250 – 6270.7]. Legislative Information. ARTICLE 1. General Provisions [6250 – 6270.7]. Legislative Information. ARTICLE 2. Other Exemptions from Disclosure [6275 – 6276.48].

California Legislative Information. TITLE 1.81.15. Reader Privacy Act [1798.90 – 1798.90.05].

California Legislative Information. CHAPTER 22. Internet Privacy Requirements [22575 – 22579].

California Legislative Information. CHAPTER 22. Internet Privacy Requirements [22575 – 22579].

California Legislative Information. TITLE 1.81.5. California Consumer Privacy Act of 2018 [1798.100 – 1798.199.100].

California Legislative Information. TITLE 1.81.5. California Consumer Privacy Act of 2018 [1798.100 – 1798.199.100]. SENATE BILL 21-190.


Justia US Law. 2018 Connecticut General Statutes Title 42.

Utah State Legislature. S.B. 227 Consumer Privacy Act.

Virginia’s Legislative Information System. HB 2307 Consumer Data Protection Act; personal data rights of consumer, etc.

Virginia’s Legislative Information System. SB 1392 Consumer Data Protection Act; personal data rights of consumer, etc.


Nevada Legislature. SB260.


Husch Blackwell. A comprehensive resource for tracking U.S. state privacy legislation.

Stay informed on the latest data privacy news and privacy regulations and insights with our newsletter.