Key Takeaways
- Consumer data privacy is a growing legislative concern in the US.
- Data privacy safeguards personal information and builds trust.
- Businesses have specific obligations for data protection.
- Many states have passed or introduced US state privacy laws.
Consumer data privacy has become a hot-button topic for legislators in the United States. With emerging tools that make collecting and utilizing data easier than ever, businesses have a vested interest in utilizing consumer data to create targeted marketing and gain valuable insights into the needs of their business.
Gathering this data, which is also referred to as data mining, has become a thriving business tool. However, lawmakers are attempting to balance the needs of businesses with laws designed to protect the privacy and safety of individuals.
Back in 2018, Californians demanded higher transparency and control over how businesses collect and use their data through the California Consumer Privacy Act (CCPA). After the implementation of the CCPA, many U.S. states followed suit and introduced privacy laws for their consumers.
With many states now having passed or introduced states with US data privacy laws, your business must comply with the evolving state privacy laws. Before we present a breakdown of these laws by state, we should talk about why data privacy is so important.
Importance of Data Privacy
Individuals risk fraud and identity theft if their personal information, such as financial, health insurance, and other personal information, falls into the wrong hands.
A data breach at the government level can put the security of entire countries at risk. Furthermore, if the breach happens within your organization, it exposes your proprietary information to competitors.
In this context, privacy laws are crucial because we spend more time online, and cyber security is crucial. In summary, data privacy is important for:
- Safeguarding personal information
- Building trust
- Remaining compliant with regulations
- Upholding ethical standards
- Inspiring innovation
- Respecting individual autonomy
While websites in the United States do not have to create Terms and Conditions, doing so can save you a lot of legal headaches. Use a website terms and conditions template so that you can create easy terms and conditions for your website.
Start your Website Terms & Conditions now
What Data Obligations Do Businesses Have?
Businesses are required to protect and responsibly use data. Below are some common data obligations for companies, which may vary based on jurisdiction and industry:
- Accountability: Provide information about your consumer data rights protection policies, practices, and complaints process upon request, and take action where there is a breach.
- Notify affected parties: Explain to your customers why and how your organization intends to collect, use, or disclose their personal information.
- Obtain Consent: You may only collect, use, and disclose personal data with a consumer's consent. Moreover, they should be given reasonable notice of withdrawal and informed of the potential consequences of withdrawal. If they don't agree, stop collecting, using, and disclosing their data.
- Limit purposes: Collect, use, and disclose personal data only for purposes that are reasonable under the circumstances and for which the consumer has agreed. Refrain from tricks like giving products or services in exchange for consent to collect, use, or disclose your customers' data.
- Accuracy: If personal data is likely to be used for making a decision that affects the consumer or disclosed to another organization, ensure it is accurate and complete.
- Protection: You must take reasonable steps to protect the personal data in your business from unauthorized access, collection, use, or disclosure.
- Limit retention: If your business or legal needs no longer require you to keep personal data, dispose of it properly.
- Limit transfers: Transfer personal data only if the privacy standard is comparable to the protection under the consumer's state data privacy law.
- Access and correct: If a consumer wants access to their data and information on how it was used or disclosed, your business must provide it within a year of their request. Further, correct any errors or omissions in the data and notify other organizations that got the data or selected organizations to which the individual has consented within a year.
- Report a data breach: All businesses must determine whether a data breach needs reporting and further notify affected individuals if the data breach may harm them significantly.
- Data portability: A consumer may request that your business transmit their data to another business in a standard, machine-readable format when they ask for it.
Data Privacy Laws by State
Now that we understand more of what these different potential obligations mean, the table below has a list of what states have already passed laws on data privacy, as well as which ones have laws set to pass in the near future.
| State | Bills Passed* |
| California | California Consumer Privacy Act, California Privacy Rights Act |
| Colorado | Colorado Privacy Act |
| Connecticut | Connecticut Data Privacy Act |
| Delaware | Delaware Personal Data Privacy Act |
| Florida | Florida Digital Bill of Rights (FDBR) |
| Indiana | Indiana Consumer Data Protection Act |
| Iowa | Iowa Consumer Data Protection Act |
| Kentucky | Kentucky Consumer Protection Data Act, HB 301 |
| Maryland | Online and Biometric Data Privacy Act (C), HB 807 |
| Minnesota | Minnesota Consumer Data Privacy Act |
| Montana | Montana Consumer Data Privacy Act |
| Nebraska | Nebraska Data Privacy Act |
| New Hampshire | SB 255 |
| New Jersey | New Jersey Data Privacy Act |
| Oregon | SB 619 |
| Rhode Island | Rhode Island Data Transparency and Privacy Protection Act |
| Tennessee | Tennessee Information Protection Act |
| Texas | Texas Data Privacy and Security Act |
| Utah | Utah Consumer Privacy Act |
| Virginia | Virginia Consumer Data Protection Act |
*as of January 2026
Meanwhile, the following states have no law introduced: Alabama, Alaska, Arizona, Arkansas, Georgia, Idaho, Kansas, Michigan, Missouri, Nevada, New Mexico, North Dakota, Ohio, South Carolina, South Dakota, Wisconsin and Wyoming.
The following map shows the current state of these laws in the US:
The Future of Data Privacy Laws
To protect your customers' and partners' personal data, stay up-to-date on the latest data privacy developments. Further, ensure the company's compliance with privacy laws by implementing data loss prevention and threat detection solutions.
Review your current documentation and processes relating to consumer data protection and the changes needed to comply with these laws. The legal requirements for data privacy are still evolving, and businesses need to keep monitoring these developments because a certain degree of flexibility will be required to accommodate new needs.
Key Takeaways
- Consumer data privacy is a growing legislative concern in the US.
- Data privacy safeguards personal information and builds trust.
- Businesses have specific obligations for data protection.
- Many states have passed or introduced US state privacy laws.
Consumer data privacy has become a hot-button topic for legislators in the United States. With emerging tools that make collecting and utilizing data easier than ever, businesses have a vested interest in utilizing consumer data to create targeted marketing and gain valuable insights into the needs of their business.
Gathering this data, which is also referred to as data mining, has become a thriving business tool. However, lawmakers are attempting to balance the needs of businesses with laws designed to protect the privacy and safety of individuals.
Back in 2018, Californians demanded higher transparency and control over how businesses collect and use their data through the California Consumer Privacy Act (CCPA). After the implementation of the CCPA, many U.S. states followed suit and introduced privacy laws for their consumers.
With many states now having passed or introduced states with US data privacy laws, your business must comply with the evolving state privacy laws. Before we present a breakdown of these laws by state, we should talk about why data privacy is so important.
Importance of Data Privacy
Individuals risk fraud and identity theft if their personal information, such as financial, health insurance, and other personal information, falls into the wrong hands.
A data breach at the government level can put the security of entire countries at risk. Furthermore, if the breach happens within your organization, it exposes your proprietary information to competitors.
In this context, privacy laws are crucial because we spend more time online, and cyber security is crucial. In summary, data privacy is important for:
- Safeguarding personal information
- Building trust
- Remaining compliant with regulations
- Upholding ethical standards
- Inspiring innovation
- Respecting individual autonomy
While websites in the United States do not have to create Terms and Conditions, doing so can save you a lot of legal headaches. Use a website terms and conditions template so that you can create easy terms and conditions for your website.
Start your Website Terms & Conditions now
What Data Obligations Do Businesses Have?
Businesses are required to protect and responsibly use data. Below are some common data obligations for companies, which may vary based on jurisdiction and industry:
- Accountability: Provide information about your consumer data rights protection policies, practices, and complaints process upon request, and take action where there is a breach.
- Notify affected parties: Explain to your customers why and how your organization intends to collect, use, or disclose their personal information.
- Obtain Consent: You may only collect, use, and disclose personal data with a consumer's consent. Moreover, they should be given reasonable notice of withdrawal and informed of the potential consequences of withdrawal. If they don't agree, stop collecting, using, and disclosing their data.
- Limit purposes: Collect, use, and disclose personal data only for purposes that are reasonable under the circumstances and for which the consumer has agreed. Refrain from tricks like giving products or services in exchange for consent to collect, use, or disclose your customers' data.
- Accuracy: If personal data is likely to be used for making a decision that affects the consumer or disclosed to another organization, ensure it is accurate and complete.
- Protection: You must take reasonable steps to protect the personal data in your business from unauthorized access, collection, use, or disclosure.
- Limit retention: If your business or legal needs no longer require you to keep personal data, dispose of it properly.
- Limit transfers: Transfer personal data only if the privacy standard is comparable to the protection under the consumer's state data privacy law.
- Access and correct: If a consumer wants access to their data and information on how it was used or disclosed, your business must provide it within a year of their request. Further, correct any errors or omissions in the data and notify other organizations that got the data or selected organizations to which the individual has consented within a year.
- Report a data breach: All businesses must determine whether a data breach needs reporting and further notify affected individuals if the data breach may harm them significantly.
- Data portability: A consumer may request that your business transmit their data to another business in a standard, machine-readable format when they ask for it.
Data Privacy Laws by State
Now that we understand more of what these different potential obligations mean, the table below has a list of what states have already passed laws on data privacy, as well as which ones have laws set to pass in the near future.
| State | Bills Passed* |
| California | California Consumer Privacy Act, California Privacy Rights Act |
| Colorado | Colorado Privacy Act |
| Connecticut | Connecticut Data Privacy Act |
| Delaware | Delaware Personal Data Privacy Act |
| Florida | Florida Digital Bill of Rights (FDBR) |
| Indiana | Indiana Consumer Data Protection Act |
| Iowa | Iowa Consumer Data Protection Act |
| Kentucky | Kentucky Consumer Protection Data Act, HB 301 |
| Maryland | Online and Biometric Data Privacy Act (C), HB 807 |
| Minnesota | Minnesota Consumer Data Privacy Act |
| Montana | Montana Consumer Data Privacy Act |
| Nebraska | Nebraska Data Privacy Act |
| New Hampshire | SB 255 |
| New Jersey | New Jersey Data Privacy Act |
| Oregon | SB 619 |
| Rhode Island | Rhode Island Data Transparency and Privacy Protection Act |
| Tennessee | Tennessee Information Protection Act |
| Texas | Texas Data Privacy and Security Act |
| Utah | Utah Consumer Privacy Act |
| Virginia | Virginia Consumer Data Protection Act |
*as of January 2026
Meanwhile, the following states have no law introduced: Alabama, Alaska, Arizona, Arkansas, Georgia, Idaho, Kansas, Michigan, Missouri, Nevada, New Mexico, North Dakota, Ohio, South Carolina, South Dakota, Wisconsin and Wyoming.
The following map shows the current state of these laws in the US:
The Future of Data Privacy Laws
To protect your customers' and partners' personal data, stay up-to-date on the latest data privacy developments. Further, ensure the company's compliance with privacy laws by implementing data loss prevention and threat detection solutions.
Review your current documentation and processes relating to consumer data protection and the changes needed to comply with these laws. The legal requirements for data privacy are still evolving, and businesses need to keep monitoring these developments because a certain degree of flexibility will be required to accommodate new needs.
Most Popular Posts
Some states require a motor vehicle bill of sale form; others do not. Even if only for your personal records, anyone who buys or sells a vehicle needs
t’s a topic that no one likes to think about. But do you know who will make decisions about your property, finances, or medical care if you...