Summary of State-Level Privacy Regulations
Until we do have a federal law like Europe has the General Data Protection Regulation (GDPR), we’ll have to navigate the patchwork of state-level regulations, but this doesn’t have to be as difficult as it sounds. Although there are some nuances to the individual state laws, there are similarities among them.
We built this guide because we could not find anything that clearly laid out what makes one privacy law distinct from the other. We outline what similarities the regulations have, and identify any interesting nuances to each state-side law worth noting.
Stateside Data Privacy Laws Snapshot
State | Name | Effective Date | Requires Risk Assessment | Applies to Employee Data | Protects Customers from Discrimination | Provides Right to Appeal | Requires Consent to Process Sensitive Data | Provides Right to Limit Use of Sensitive Info | Requires Opt-Out Signal Recognition |
---|---|---|---|---|---|---|---|---|---|
CA | CCPA | 1/1/2020 (CCPA) 1/1/2023 (CPRA) |
(*Future regulations will require risk assessments) |
||||||
CO | CPA | 7/1/2023 | N/A |
(*effective July 1, 2024) |
|||||
CT | CTDPA | 7/1/2023 | N/A |
(*effective 2025) |
|||||
DE | DPDPA | 1/1/2025 | N/A | ||||||
FL | FDBR | 7/1/2024 | N/A | ||||||
IN | ICDPA | 1/1/2026 | N/A | ||||||
IA | ICDPA | 1/1/2025 |
(must offer consumers an opt-out) |
||||||
MT | MTCDPA | 10/1/2024 | N/A |
(*effective January 1, 2025) |
|||||
OR | OCPA | 7/1/2024 | N/A |
(*effective January 1, 2026) |
|||||
TN | TIPA | 7/1/2025 | N/A | NO | |||||
TX | TDPSA | 7/1/2024 | N/A |
(*effective January 1, 2025) |
|||||
UT | UCPA | 12/31/2023 |
(must offer consumers an opt-out) |
||||||
VA | VCDPA | 1/1/2023 | N/A | ||||||
WA | MHMDA | 3/31/2024 | N/A |