Data Privacy Laws by State (2026)

Last verified:

Source: Federal: FTC Act § 5 (15 U.S.C. § 45), HIPAA (42 U.S.C. § 1320d), COPPA (15 U.S.C. §§ 6501–6506), FERPA (20 U.S.C. § 1232g), GLBA (15 U.S.C. §§ 6801–6809). State: California Consumer Privacy Act/CPRA (Cal. Civ. Code § 1798.100 et seq.), Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.), Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq.), Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq.), Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541).

About this article

Sourced from primary statutes (U.S. Code, CFR, state compiled statutes) and official government agency guidance. Written in plain language for general understanding — this is educational content, not legal advice. Our editorial standards

Compare by state

Statute citations are verified per state. Select a state to jump to its full section below.

Consumer data-privacy statute and rights for each U.S. state and the District of Columbia.
Primary statute
AlabamaAlabama Data Breach Notification Act, Ala. Code § 8-38-1 et seq.
AlaskaAlaska Data Breach Notification — Alaska Stat. § 45.48.010
ArizonaA.R.S. § 18-552 — Arizona data breach notification law
ArkansasArkansas Data Privacy Act, Ark. Code § 4-110-101 et seq.
CaliforniaCalifornia Civil Code § 1798.100 — California Consumer Privacy Act / CPRA
ColoradoC.R.S. § 6-1-1301 et seq. — Colorado Privacy Act (access, deletion, opt-out rights)
ConnecticutCGS § 42-515 — Connecticut Data Privacy Act (CTDPA)
DelawareDelaware Personal Data Privacy Act, HB 154 (2024)
District of ColumbiaD.C. Consumer Security Breach Notification Act, D.C. Code § 28-3851 et seq.
FloridaFlorida Information Protection Act, Fla. Stat. § 501.171
GeorgiaGeorgia Personal Identity Protection Act, O.C.G.A. § 10-1-912
HawaiiHawaii Data Breach Notification — HRS § 487N
IdahoIdaho Code § 28-51-104 et seq. — data breach notification requirements
Illinois740 ILCS 14 — Biometric Information Privacy Act (BIPA) — nation's strongest biometric law
IndianaIndiana Consumer Data Protection Act, IC § 24-15 — consumer data rights (eff. 2026)
IowaIowa Code § 715D — Iowa Consumer Data Protection Act
KansasK.S.A. § 50-7a01 — Data Breach Notification
KentuckyKRS § 365.732 — Data Breach Notification
LouisianaLouisiana Database Security Breach Notification Law, La. R.S. § 51:3071 et seq.
Maine35-A M.R.S.A. § 9301 — Maine ISP privacy law
MarylandMaryland Online Data Privacy Act (2024)
MassachusettsMGL c. 93H — Massachusetts Data Breach Notification Law
MichiganMichigan Identity Theft Protection Act, MCL § 445.61 et seq. (data breach notification)
MinnesotaMinn. Stat. § 325E.61 — Data Breach Notification
MississippiMiss. Code Ann. § 75-24-29 — data breach notification
MissouriMissouri Data Breach Notification Law, RSMo § 407.1500
MontanaMont. Code Ann. § 30-14-1704 — data breach notification
NebraskaNeb. Rev. Stat. § 87-801 — Data Breach Notification
NevadaNRS 603A — Security and Privacy of Personal Information
New HampshireRSA 359-C:19–21 — NH data breach notification requirements
New JerseyNJ Data Privacy Act (S332), signed January 2024
New MexicoNMSA § 57-12C-1 et seq. — Data Breach Notification Act
New YorkNY General Business Law § 899-bb — data security requirements (SHIELD Act)
North CarolinaN.C. Gen. Stat. § 75-61 et seq. — NC Identity Theft Protection Act
North DakotaN.D. Cent. Code § 51-30 — Data Breach Notification
OhioOhio Rev. Code § 1354 — Ohio Data Protection Act (cybersecurity safe harbor)
OklahomaOklahoma Security Breach Notification Act, Okla. Stat. tit. 24 §§ 161–166
OregonOregon Consumer Privacy Act — ORS § 646A
PennsylvaniaPennsylvania Breach of Personal Information Notification Act, 73 P.S. § 2301
Rhode IslandR.I. Gen. Laws § 11-49.3 — Identity Theft Protection Act (breach notification)
South CarolinaS.C. Code § 39-1-90 — Data Breach Notification
South DakotaSDCL § 22-40-19 — Data Breach Notification (60-Day Deadline)
TennesseeTennessee Information Protection Act (TIPA), TCA § 47-18-3201 et seq.
TexasTexas Data Privacy and Security Act (TDPSA), Tex. Bus. & Com. Code Ch. 541
UtahUtah Consumer Privacy Act — Utah Code § 13-61
Vermont9 V.S.A. § 2430 — Vermont data broker registration requirement
VirginiaVirginia Consumer Data Protection Act, Va. Code § 59.1-575 et seq.
WashingtonWashington My Health My Data Act, RCW 19.373
West VirginiaW. Va. Code § 46A-2A-101 et seq. — Data breach notification
WisconsinWis. Stat. § 134.98 — Data Breach Notification
WyomingWyo. Stat. § 40-12-501 et seq. — data breach notification requirements
Federal Law

What is this right?

The United States is one of the only major economies without a single comprehensive federal data privacy law. Congress has come close several times — the American Data Privacy and Protection Act died in committee in 2022, and APRA stalled in 2024 — but never gotten over the line. The result is a patchwork: federal sector-specific laws (HIPAA for health data, FERPA for education records, COPPA for kids under 13, GLBA for financial data) plus a fast-growing list of state laws that look more like the EU's GDPR.

California led with the CCPA in 2018 (strengthened by the CPRA in 2020). Colorado, Connecticut, Virginia, Texas, Oregon, Montana, and a dozen other states have followed with their own comprehensive privacy laws, all with rolling effective dates through 2026. The rights vary, but the core is consistent: you can ask what data a company has, ask them to delete it, and opt out of the sale or sharing of it. Where you live decides what you can demand.

When does it apply?

Your data privacy rights kick in when:

  • A company collects, stores, or sells your personal data — name, email, phone, location, browsing history, purchase history.
  • You want to know what they have on you.
  • You want them to delete it.
  • You want to opt out of the sale or sharing.
  • You're notified of a data breach that exposed your information.

The state-by-state landscape, as of 2026:

  • California (CCPA/CPRA): Still the strongest. Rights to know, delete, opt out of sale and sharing, correct, and limit use of sensitive personal information. Enforced by the California Privacy Protection Agency, the only standalone state privacy regulator. Applies to businesses with $25M+ revenue, data on 100,000+ consumers, or 50%+ revenue from selling data.
  • Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, Minnesota, and several more — comprehensive privacy laws, varying effective dates through 2026. Most cover access, deletion, correction, and opt-out.
  • States without comprehensive laws: Your main backstop is the FTC's general authority to chase "unfair or deceptive" data practices under Section 5 of the FTC Act, plus the federal sector-specific laws (HIPAA, COPPA, GLBA, FERPA).

Three myths:

  • "No federal law means no rights." The state laws now cover roughly half of all Americans, and the federal sectoral laws cover health, financial, education, and kids' data nationwide.
  • "Free service means they can do anything." They still owe you a privacy policy disclosure and, in CCPA-and-similar states, opt-out rights regardless of whether you paid.
  • "Deleting my account deletes my data." Not automatically. Companies retain data for legal, business, and analytics reasons. To force deletion, you generally have to submit a specific deletion request under your state law.

What to Do If a Company Is Collecting or Selling Your Personal Data

Step 1: Figure out which law covers you. Your residence usually controls. If you're in California, Colorado, Connecticut, Virginia, Texas, Oregon, or one of the newer states, you have specific statutory rights you can exercise.

Step 2: Submit access requests. Most companies have a "Privacy" or "Do Not Sell My Information" link in the footer. California residents can use the phrase "right to know"; the company has 45 days to respond (extendable to 90).

Step 3: Opt out of sale and sharing. Under CCPA-style laws, companies have to give you a clear opt-out mechanism. Look for "Do Not Sell or Share My Personal Information" links, and turn on Global Privacy Control in your browser — California-style laws now treat that signal as a binding opt-out.

Step 4: After a breach, take the steps. Most states require notification and many require offered credit monitoring. Use it. Change passwords, enable two-factor authentication, freeze your credit.

Step 5: Complain. State attorneys general enforce most state privacy laws. California has its dedicated CPPA. The FTC takes federal complaints at reportfraud.ftc.gov.

What should you NOT do?

Don't toss the breach notice. If a company tells you your data was compromised, the clock has already started. Change passwords, enable 2FA on the affected accounts and any account that reuses the password, and freeze your credit.

Don't auto-accept cookie banners. Most are designed to look like accepting all is the easy path — and "Reject All" is hidden behind two clicks. Take the two clicks.

Don't read privacy policies as protection. They're disclosures, not commitments. The interesting sections are usually "how we share your data with third parties," "data retention," and "your rights" — the rest is boilerplate.

Don't pay data-removal services upfront without comparison. Many of them charge $10–$30 a month to send the same opt-out requests you can send yourself for free. Try DIY first; the requests for the major data brokers are mostly automated forms.

State Law

Worked example

  1. ScenarioYou live in California and want a data broker to delete everything it has on you and stop selling your information.

    OutcomeUnder the CCPA/CPRA you can submit a request to delete and to opt out of the sale or sharing of your personal information. The business must generally respond to the deletion request within 45 days (extendable by another 45 with notice) and honor the opt-out.

    Verified against the CCPA/CPRA — the rights to delete and to opt out, and the 45-day response window (extendable to 90). Rights vary widely by state; many states have no comprehensive law. See your state's section.

You shouldn't have to hire a lawyer to assert your rights.

Answer a few questions. We generate a personalized letter citing your state's exact statutes, deadlines, and penalties — ready to print and send in minutes.

Lawyers charge $350+. Your letter: $19.

See all 12 letter types →

Common Questions

Do I have a right to see what data companies have on me?

It depends on your state. In states with comprehensive privacy laws (like California, Colorado, and Virginia), you can request the categories and specific pieces of personal information a business holds. Many states still have no such general right — check your state's section above.

Can I make a company delete my personal information?

In states with comprehensive privacy laws, yes — you can request deletion, though businesses can keep some data for legal or security reasons. In California they generally must respond within 45 days. States without these laws offer narrower deletion rights.

What does 'opt out of sale' actually do?

It tells a business to stop selling or sharing your personal information with third parties, often for targeted advertising. Many laws require a clear 'Do Not Sell or Share My Personal Information' link. The business must honor it going forward.

Is there a federal data privacy law?

There's no single comprehensive federal consumer privacy law. Federal rules cover specific areas — health data (HIPAA), credit data (FCRA), and children under 13 (COPPA) — but general consumer data rights come from state law. Your state's section above explains what you have.

What extra protection does 'sensitive' data get?

Many state laws single out sensitive data — health, precise location, biometric identifiers, race, religion, and children's data — for stricter rules, often requiring opt-in consent or letting you limit its use. See your state's section above for specifics.

State-by-state details

Alabama

Primary statute: Alabama Data Breach Notification Act, Ala. Code § 8-38-1 et seq.

Full Alabama guide →

Alaska

Primary statute: Alaska Data Breach Notification — Alaska Stat. § 45.48.010

Full Alaska guide →

Arizona

Primary statute: A.R.S. § 18-552 — Arizona data breach notification law

Arizona does not have a comprehensive consumer privacy law but provides some data protections:

  • Arizona has no comprehensive consumer data privacy statute comparable to California's CCPA or other state privacy laws
  • Arizona's breach notification law (A.R.S. § 18-552) requires businesses to notify individuals of data breaches involving personal information
  • The Arizona Attorney General uses the Consumer Fraud Act (A.R.S. § 44-1521 et seq.) to take enforcement action against deceptive data practices
  • Arizona has enacted limited data privacy measures including protections for student data and insurance data
  • Arizona law requires businesses to implement reasonable security measures to protect personal information
  • Disposal of personal information must be done in a manner that renders it unreadable (A.R.S. § 44-7601)

Arkansas

Primary statute: Arkansas Data Privacy Act, Ark. Code § 4-110-101 et seq.

Arkansas enacted a comprehensive consumer data privacy law effective 2024:

  • The Arkansas Data Privacy Act (Ark. Code § 4-110-101 et seq.), effective July 1, 2024, gives consumers rights over their personal data
  • You have the right to know, access, correct, delete, and opt out of the sale of your personal data or its use for targeted advertising
  • Applies to businesses that control or process data of more than 100,000 Arkansas consumers per year, or more than 25,000 consumers if 25% of revenue comes from selling data
  • Sensitive data (health, biometric, precise geolocation, financial, etc.) requires opt-in consent before processing
  • No private right of action — the Arkansas Attorney General has exclusive enforcement authority
  • Arkansas also has a data breach notification law (Ark. Code § 4-110-105) requiring notice within a reasonable time

California

Primary statute: California Civil Code § 1798.100 — California Consumer Privacy Act / CPRA

Full California guide →

Colorado

Primary statute: C.R.S. § 6-1-1301 et seq. — Colorado Privacy Act (access, deletion, opt-out rights)

Full Colorado guide →

Connecticut

Primary statute: CGS § 42-515 — Connecticut Data Privacy Act (CTDPA)

Connecticut has a comprehensive consumer data privacy law — one of the strongest in the nation:

  • The Connecticut Data Privacy Act (CTDPA) (CGS § 42-515 et seq.) took effect July 1, 2023, making Connecticut one of the first states with comprehensive data privacy legislation
  • Consumer rights under CTDPA: Right to access, correct, delete, and obtain a portable copy of your personal data. Right to opt out of targeted advertising, sale of personal data, and profiling
  • Applies to businesses that conduct business in Connecticut or target Connecticut residents, and either: control or process data of 100,000+ consumers, or control/process data of 25,000+ consumers and derive 25%+ of revenue from data sales
  • Businesses must provide a clear and accessible privacy notice
  • The Connecticut Attorney General has exclusive enforcement authority — there is no private right of action
  • Data breach notification: CGS § 36a-701b requires notification without unreasonable delay (not later than 60 days) when personal information is breached

District of Columbia

Primary statute: D.C. Consumer Security Breach Notification Act, D.C. Code § 28-3851 et seq.

D.C. has consumer data privacy protections through several local laws:

  • D.C. Consumer Security Breach Notification Act (D.C. Code § 28-3851 et seq.): Requires businesses to notify D.C. residents of data breaches. If Social Security numbers are compromised, the business must provide 18 months of free identity theft protection
  • D.C. Consumer Protection Procedures Act (CPPA): Prohibits deceptive practices regarding data collection and use, giving the OAG broad enforcement authority
  • Student data privacy: D.C. has enacted protections for student data collected by educational technology companies
  • Employment credit check restrictions: The Fair Credit in Employment Amendment Act (D.C. Code § 32-1341 et seq.) limits employer use of credit information, protecting financial data privacy
  • D.C. does not yet have a comprehensive consumer data privacy law like California's CCPA, but existing laws provide meaningful protections

Georgia

Primary statute: Georgia Personal Identity Protection Act, O.C.G.A. § 10-1-912

Georgia does not have a comprehensive consumer data privacy law, but has some protections:

  • No comprehensive privacy law: Georgia has not enacted a broad consumer data privacy statute like California's CCPA or Virginia's CDPA
  • Data breach notification: The Georgia Personal Identity Protection Act requires businesses to notify consumers when their personal information is compromised in a data breach
  • AG enforcement: The Georgia Attorney General uses general consumer protection authority to address unfair or deceptive data practices
  • Federal privacy laws (HIPAA, GLBA, FERPA, COPPA) apply where relevant

Hawaii

Primary statute: Hawaii Data Breach Notification — HRS § 487N

Hawaii has data breach notification requirements and is developing broader privacy protections:

  • Hawaii's data breach notification law (HRS § 487N) requires businesses to notify individuals of breaches involving personal information
  • Notification must be made without unreasonable delay following discovery of the breach
  • Hawaii has considered comprehensive consumer privacy legislation modeled on California's CCPA but has not yet enacted one
  • The Hawaii Office of Consumer Protection enforces against deceptive data practices under HRS § 480-2
  • Hawaii law requires businesses to take reasonable steps to protect personal information and dispose of it securely
  • Hawaii has enacted protections for student data privacy in educational settings

Idaho

Primary statute: Idaho Code § 28-51-104 et seq. — data breach notification requirements

Idaho does not have a comprehensive consumer data privacy law but provides some protections:

  • Idaho does not have a comprehensive consumer data privacy statute comparable to California's CCPA
  • Idaho's data breach notification law (Idaho Code § 28-51-104 et seq.) requires businesses to notify individuals of breaches involving personal information
  • Notification must be made within a reasonable time following discovery of the breach
  • The Idaho Attorney General uses the Consumer Protection Act (Idaho Code § 48-601 et seq.) to enforce against deceptive data practices
  • Idaho law requires businesses to take reasonable steps to protect and dispose of personal information
  • Idaho has enacted student data privacy protections in educational settings

Illinois

Primary statute: 740 ILCS 14 — Biometric Information Privacy Act (BIPA) — nation's strongest biometric law

Full Illinois guide →

Indiana

Primary statute: Indiana Consumer Data Protection Act, IC § 24-15 — consumer data rights (eff. 2026)

Indiana enacted the Indiana Consumer Data Protection Act (ICDPA), effective January 1, 2026:

  • The Indiana Consumer Data Protection Act (IC § 24-15, SB 5, 2023) provides comprehensive consumer data privacy rights
  • Consumer rights under the ICDPA include: the right to access, correct, delete, and obtain a portable copy of personal data, and the right to opt out of targeted advertising, sale of personal data, and profiling
  • The ICDPA applies to businesses that conduct business in Indiana and process personal data of at least 100,000 consumers, or 25,000 consumers if deriving over 50% of revenue from selling personal data
  • Enforcement is exclusively through the Indiana Attorney General — there is no private right of action
  • Indiana's data breach notification law (IC § 24-4.9) requires businesses to notify individuals of data breaches
  • Indiana also has the Deceptive Consumer Sales Act (IC § 24-5-0.5) which can apply to deceptive data practices

Iowa

Primary statute: Iowa Code § 715D — Iowa Consumer Data Protection Act

Iowa enacted a consumer data privacy law effective January 1, 2025:

  • The Iowa Consumer Data Protection Act (Iowa Code § 715D), effective January 1, 2025, grants Iowa consumers rights over their personal data
  • You have the right to access, delete, and opt out of the sale of your personal data and targeted advertising
  • Applies to businesses processing data of more than 100,000 Iowa consumers per year, or more than 25,000 consumers if selling data constitutes more than 50% of gross revenue
  • Sensitive data categories (health, biometric, precise geolocation, etc.) require opt-in consent before processing
  • Iowa does not provide a private right of action — the Iowa Attorney General has exclusive enforcement authority
  • Iowa also has a data breach notification law (Iowa Code § 715C) requiring notification within a reasonable time

Kansas

Primary statute: K.S.A. § 50-7a01 — Data Breach Notification

Kansas does not have a comprehensive consumer data privacy law but provides some protections:

  • Kansas does not have a comprehensive consumer data privacy statute like California's CCPA or Utah's UCPA
  • Kansas has a data breach notification law (K.S.A. § 50-7a01 et seq.) requiring businesses to notify individuals when personal information is compromised
  • Notification must be provided in the most expedient time possible without unreasonable delay
  • The Kansas Consumer Protection Act (K.S.A. § 50-623 et seq.) can apply to deceptive data practices
  • The Kansas Attorney General enforces consumer protection laws related to data practices
  • Federal laws such as HIPAA, GLBA, and FERPA apply to specific sectors in Kansas
  • Kansas residents can place security freezes on credit reports at no cost under federal law

Kentucky

Primary statute: KRS § 365.732 — Data Breach Notification

Kentucky does not have a comprehensive consumer data privacy law:

  • No comprehensive privacy law: Kentucky has not enacted a broad consumer data privacy statute comparable to California's CCPA or Connecticut's CTDPA
  • Data breach notification: Kentucky's breach notification law (KRS § 365.732) requires businesses to notify individuals when their personal information is compromised in a data breach
  • Notification must occur in the most expedient time possible and without unreasonable delay
  • The Kentucky Attorney General has authority to enforce data-related consumer protection claims under the Consumer Protection Act (KRS § 367.110 et seq.)
  • Federal privacy laws (HIPAA, GLBA, FERPA, COPPA) apply where relevant

Louisiana

Primary statute: Louisiana Database Security Breach Notification Law, La. R.S. § 51:3071 et seq.

Louisiana does not have a comprehensive consumer data privacy law, but has data breach protections:

  • No comprehensive privacy law: Louisiana has not enacted a broad consumer data privacy statute comparable to California's CCPA
  • Database Security Breach Notification Law: Louisiana requires businesses to notify consumers of data breaches involving personal information within 60 days (La. R.S. § 51:3071 et seq.)
  • AG notification: If a breach affects more than 1,000 Louisiana residents, the Attorney General must also be notified
  • AG enforcement: The Louisiana Attorney General can enforce data breach laws under the Unfair Trade Practices Act
  • Federal privacy laws (HIPAA, GLBA, FERPA, COPPA) apply where relevant

Maryland

Primary statute: Maryland Online Data Privacy Act (2024)

Maryland has enacted consumer data privacy protections through several laws:

  • Maryland Online Data Privacy Act (2024): Maryland enacted a comprehensive consumer data privacy law giving residents the right to access, correct, delete, and port their personal data. It also restricts the sale of sensitive data and data of minors
  • Data breach notification (MD Code, Commercial Law § 14-3501 et seq.): Businesses must notify Maryland residents of data breaches involving personal information as quickly as possible, and notify the AG if the breach affects 1,000 or more residents
  • Student data privacy: Maryland has protections for student data collected by educational technology companies and schools
  • Maryland Genetic Information Nondiscrimination Act: Provides specific protections for genetic information beyond federal GINA requirements
  • AG enforcement: The Maryland Attorney General enforces data privacy and breach notification laws. Consumers can also bring private actions under the Maryland Consumer Protection Act for deceptive data practices

Massachusetts

Primary statute: MGL c. 93H — Massachusetts Data Breach Notification Law

Massachusetts does not yet have a comprehensive CCPA-style privacy law, but has strong data security and breach notification requirements:

  • MA Data Breach Notification Law (MGL c. 93H) requires businesses to notify consumers and the AG when personal information is compromised
  • MA Data Security Regulations (201 CMR 17.00) require businesses that handle MA residents' personal information to maintain a written information security program (WISP) — one of the few states with this proactive requirement
  • The WISP must include encryption of personal data on portable devices and transmitted wirelessly, risk assessments, employee training, and access controls
  • The MA Attorney General uses MGL c. 93A (Consumer Protection Act) aggressively for data privacy enforcement against companies that fail to protect consumer data
  • Breach notification must be provided "as soon as practicable and without unreasonable delay"
  • Affected consumers are entitled to 18 months of free credit monitoring for Social Security number breaches

Michigan

Primary statute: Michigan Identity Theft Protection Act, MCL § 445.61 et seq. (data breach notification)

Full Michigan guide →

Mississippi

Primary statute: Miss. Code Ann. § 75-24-29 — data breach notification

Mississippi has limited consumer data privacy protections — no comprehensive privacy law as of 2024:

  • Mississippi does not have a comprehensive consumer data privacy law as of 2024
  • Mississippi has a data breach notification law (Miss. Code Ann. § 75-24-29) requiring businesses to notify affected individuals of breaches of personal information within a reasonable time
  • Federal laws (HIPAA for health data, COPPA for children, GLBA for financial data) provide sector-specific protections for Mississippi residents
  • The Mississippi Consumer Protection Act (Miss. Code Ann. § 75-24-1 et seq.) prohibits unfair or deceptive acts in commerce, which can include deceptive data collection practices
  • Residents may opt out of data sales under the California CCPA if they interact with covered businesses that offer California opt-out rights to all consumers

Missouri

Primary statute: Missouri Data Breach Notification Law, RSMo § 407.1500

Missouri has limited consumer data privacy protections — no comprehensive privacy law as of 2024:

  • Missouri does not have a comprehensive consumer data privacy law as of 2024
  • Missouri has a data breach notification law (RSMo § 407.1500) requiring businesses to notify affected individuals promptly after a breach of personal information
  • The Missouri Merchandising Practices Act (RSMo § 407.010) prohibits unfair or deceptive acts in commerce, which can apply to deceptive data collection and use
  • Federal laws (HIPAA for health data, COPPA for children, GLBA for financial data) provide sector-specific protections for Missouri residents
  • Residents may have some opt-out rights under covered businesses that extend California CCPA rights to all consumers
  • Missouri legislation has been proposed but has not yet passed as of 2024

Nebraska

Primary statute: Neb. Rev. Stat. § 87-801 — Data Breach Notification

Nebraska does not have a comprehensive consumer data privacy law but provides some protections:

  • Nebraska has no comprehensive consumer data privacy statute comparable to California's CCPA
  • Nebraska's data breach notification law (Neb. Rev. Stat. § 87-801 et seq.) requires businesses to notify individuals of breaches involving personal information
  • The Nebraska Attorney General uses the Consumer Protection Act (Neb. Rev. Stat. § 59-1601 et seq.) to take enforcement action against deceptive data practices
  • Nebraska requires businesses to implement reasonable security measures to protect personal information
  • Nebraska has enacted the Student Online Personal Protection Act to protect student data privacy
  • Disposal of personal information must be done securely to prevent unauthorized access

Nevada

Primary statute: NRS 603A — Security and Privacy of Personal Information

Nevada was one of the first states to enact online privacy protections:

  • Nevada's SB 220 (NRS 603A.340 et seq., effective 2019) gives consumers the right to opt out of the sale of their personal information by website operators
  • Nevada's breach notification law (NRS 603A.010 et seq.) requires businesses to notify individuals of data breaches involving personal information
  • Nevada requires businesses to implement reasonable security measures to protect personal data (NRS 603A.210)
  • The Nevada Attorney General enforces data privacy violations under the Consumer Fraud Act
  • Nevada provides protections for student data privacy and health data privacy
  • SB 370 (2019) requires data brokers to comply with consumer opt-out requests

New Mexico

Primary statute: NMSA § 57-12C-1 et seq. — Data Breach Notification Act

New Mexico provides data privacy protections through multiple statutes:

  • New Mexico's Data Breach Notification Act (NMSA § 57-12C-1 et seq.) requires businesses to notify individuals of data breaches involving personal information within 45 days
  • The New Mexico Unfair Practices Act (NMSA § 57-12-1 et seq.) prohibits deceptive trade practices including misrepresentation of data privacy practices
  • New Mexico requires businesses to implement reasonable security measures to protect personal data
  • The New Mexico Attorney General enforces data privacy violations
  • New Mexico provides protections for student data privacy under state education regulations
  • New Mexico has not enacted a comprehensive consumer privacy law comparable to California's CCPA, but consumer data is protected under existing consumer protection statutes

New York

Primary statute: NY General Business Law § 899-bb — data security requirements (SHIELD Act)

Full New York guide →

North Carolina

Primary statute: N.C. Gen. Stat. § 75-61 et seq. — NC Identity Theft Protection Act

North Carolina does not have a comprehensive consumer privacy law, but provides data protection through targeted statutes:

  • The NC Identity Theft Protection Act (N.C. Gen. Stat. § 75-61 et seq.) requires businesses to notify consumers of data breaches involving personal information
  • Breach notification must be provided without unreasonable delay to affected NC residents
  • NC does not have a comprehensive consumer data privacy law (no equivalent to California's CCPA)
  • The NC Attorney General enforces data privacy practices under the Unfair and Deceptive Trade Practices Act (N.C. Gen. Stat. § 75-1.1)
  • Businesses must implement reasonable security measures to protect personal information
  • Social Security number protections: businesses may not publicly display or require transmission of SSNs over unsecured connections
  • NC law requires proper disposal of records containing personal information

Ohio

Primary statute: Ohio Rev. Code § 1354 — Ohio Data Protection Act (cybersecurity safe harbor)

Ohio does not have a comprehensive consumer data privacy law comparable to California's CCPA or similar state laws. Instead, Ohio takes an unusual approach:

  • Ohio Data Protection Act (SB 220, 2018): Rather than granting consumer rights, this law creates a legal safe harbor for businesses that implement recognized cybersecurity frameworks — rewarding companies that protect data rather than giving consumers tools to control their information
  • Breach notification: Ohio requires businesses to notify consumers of data breaches (ORC § 1349.19) — notification must be made in the most expedient time possible
  • No right to access, delete, or opt out of the sale of personal data under Ohio law
  • Ohio consumers rely primarily on federal privacy protections and sector-specific laws

Oklahoma

Primary statute: Oklahoma Security Breach Notification Act, Okla. Stat. tit. 24 §§ 161–166

Oklahoma does not have a comprehensive consumer data privacy law:

  • No comprehensive privacy law: Oklahoma has not enacted a broad consumer data privacy statute comparable to California's CCPA or Connecticut's CTDPA
  • Data breach notification: Oklahoma's Security Breach Notification Act (Okla. Stat. tit. 24 § 161–166) requires businesses to notify individuals when personal information is compromised
  • Notification must occur in the most expedient time possible and without unreasonable delay
  • Oklahoma has enacted a Student Data Accessibility, Transparency, and Accountability Act (SDATA) to protect student data privacy
  • The Oklahoma Attorney General can enforce consumer protection claims under the Oklahoma Consumer Protection Act
  • Federal privacy laws (HIPAA, GLBA, FERPA, COPPA) apply where relevant

Oregon

Primary statute: Oregon Consumer Privacy Act — ORS § 646A

Oregon enacted comprehensive consumer data privacy legislation in 2023:

  • Oregon Consumer Privacy Act (OCPA, effective July 1, 2024): Gives Oregon consumers the right to access, correct, delete, and obtain a portable copy of their personal data. Also provides the right to opt out of targeted advertising, the sale of personal data, and profiling.
  • Sensitive data protections: Processing sensitive data (health data, biometric data, racial/ethnic origin, sexual orientation, precise geolocation, children's data) requires opt-in consent
  • Non-profit coverage: Unlike most state privacy laws, the OCPA applies to non-profit organizations — making Oregon one of the first states to do so
  • Data breach notification: Oregon's Identity Theft Protection Act (ORS § 646A.600 et seq.) requires notification to consumers and the AG within 45 days of discovering a breach
  • Enforcement: The Oregon Attorney General has enforcement authority with a 30-day cure period (until January 2026)
  • Universal opt-out mechanism: Oregon requires businesses to honor universal opt-out signals starting January 2026

Rhode Island

Primary statute: R.I. Gen. Laws § 11-49.3 — Identity Theft Protection Act (breach notification)

Rhode Island has data breach notification and identity theft protections:

  • Identity Theft Protection Act (R.I. Gen. Laws § 11-49.3): Requires businesses and state agencies to notify affected Rhode Island residents of a security breach involving personal information. Notification must occur within a reasonable time of discovery.
  • Rhode Island Data Transparency and Privacy Protection Act (2024): Rhode Island enacted a comprehensive data privacy law providing consumers with rights to access, delete, and opt out of the sale of their personal data. The law applies to businesses that control or process data of 35,000+ RI consumers, or 10,000+ consumers while deriving 20%+ of revenue from data sales.
  • Deceptive Trade Practices Act: The Attorney General can pursue businesses that mislead consumers about data collection and privacy practices under the state's unfair business practices law.
  • Student privacy: Rhode Island has protections for student data through state education regulations.
  • Insurance data protections: Rhode Island regulates the collection and use of personal information by insurance companies under the Insurance Data Security Act.

South Carolina

Primary statute: S.C. Code § 39-1-90 — Data Breach Notification

South Carolina does not have a comprehensive consumer data privacy law:

  • No comprehensive privacy law: SC has not enacted a broad consumer data privacy statute comparable to California's CCPA
  • Data breach notification: SC requires businesses to notify consumers of data breaches involving personal identifying information (S.C. Code § 39-1-90)
  • Insurance Data Security Act: SC enacted an Insurance Data Security Act based on the NAIC model, imposing cybersecurity requirements on insurance companies
  • AG enforcement: The SC Attorney General can pursue unfair or deceptive data practices under general consumer protection authority
  • Federal privacy laws (HIPAA, GLBA, FERPA, COPPA) apply where relevant

Tennessee

Primary statute: Tennessee Information Protection Act (TIPA), TCA § 47-18-3201 et seq.

Tennessee enacted a comprehensive consumer data privacy law effective July 2025:

  • Tennessee Information Protection Act (TIPA, TCA § 47-18-3201 et seq.): Gives Tennessee consumers the right to access, correct, delete, and obtain a copy of their personal data held by businesses
  • Opt-out rights: Consumers can opt out of the sale of personal data, targeted advertising, and profiling that produces legal or similarly significant effects
  • Applies to large businesses: TIPA applies to businesses that conduct business in Tennessee and process personal data of at least 100,000 consumers or 25,000 consumers if more than 50% of revenue comes from data sales
  • Data breach notification (TCA § 47-18-2107): Businesses must notify Tennessee residents of data breaches involving personal information within 60 days
  • AG enforcement only: TIPA is enforced exclusively by the Tennessee Attorney General — there is no private right of action

Texas

Primary statute: Texas Data Privacy and Security Act (TDPSA), Tex. Bus. & Com. Code Ch. 541

Full Texas guide →

Utah

Primary statute: Utah Consumer Privacy Act — Utah Code § 13-61

Utah enacted the Utah Consumer Privacy Act (UCPA), making it one of the first states with comprehensive data privacy legislation:

  • The Utah Consumer Privacy Act (UCPA) (Utah Code § 13-61) took effect December 31, 2023
  • The UCPA applies to businesses that conduct business in Utah, have annual revenue of $25 million or more, and meet data processing thresholds
  • Consumer rights under the UCPA include: the right to access, delete, and obtain a portable copy of personal data, and the right to opt out of targeted advertising and the sale of personal data
  • The UCPA is considered business-friendly compared to California's CCPA — it does not include a private right of action
  • Enforcement is exclusively through the Utah Attorney General
  • Utah's data breach notification law (Utah Code § 13-44-202) requires businesses to notify individuals of data breaches involving personal information

Vermont

Primary statute: 9 V.S.A. § 2430 — Vermont data broker registration requirement

Full Vermont guide →

Virginia

Primary statute: Virginia Consumer Data Protection Act, Va. Code § 59.1-575 et seq.

Virginia enacted the Consumer Data Protection Act (VCDPA), one of the first comprehensive state privacy laws in the country:

  • Va. Code § 59.1-575 et seq., effective January 1, 2023
  • Applies to businesses that control or process personal data of 100,000+ Virginia consumers, or 25,000+ consumers if deriving over 50% of gross revenue from data sales
  • Consumer rights include: right to access, delete, correct personal data, and opt out of sale of data, targeted advertising, and profiling
  • Businesses must provide clear privacy notices and obtain opt-in consent for processing sensitive data
  • Enforcement is exclusively through the Virginia Attorney General — there is no private right of action
  • Businesses receive a 30-day cure period after notice of a violation (this cure period sunsets in 2025)

Washington

Primary statute: Washington My Health My Data Act, RCW 19.373

Washington has enacted some of the strongest health data privacy protections in the nation:

  • The Washington My Health My Data Act (2023) is the strongest health data privacy law in the US — it covers health data broadly, including data from fitness apps, reproductive health tracking, and mental health apps
  • The My Health My Data Act includes a private right of action, allowing consumers to sue for violations
  • Washington has a data breach notification law (RCW 19.255.010) requiring businesses to notify consumers of breaches involving personal information
  • Washington does not yet have a comprehensive CCPA-style consumer privacy law, though the legislature has considered several proposals
  • Washington's Consumer Protection Act (RCW 19.86) provides additional protections against deceptive data practices
  • Washington has specific protections for biometric data and student data privacy

West Virginia

Primary statute: W. Va. Code § 46A-2A-101 et seq. — Data breach notification

West Virginia provides data privacy protections through consumer protection statutes:

  • West Virginia's data breach notification law (W. Va. Code § 46A-2A-101 et seq.) requires businesses to notify individuals of data breaches involving personal information
  • The WV Consumer Credit and Protection Act (W. Va. Code § 46A-1-101 et seq.) prohibits deceptive practices including misrepresentation of data privacy practices
  • West Virginia requires businesses to implement reasonable security measures to protect personal data
  • The WV Attorney General enforces data privacy violations under consumer protection statutes
  • West Virginia enacted the Student Data Accessibility, Transparency, and Accountability Act protecting student data
  • West Virginia has not enacted a comprehensive consumer privacy law comparable to California's CCPA

Wisconsin

Primary statute: Wis. Stat. § 134.98 — Data Breach Notification

Wisconsin has limited consumer data privacy protections — no comprehensive privacy law as of 2024, but strong breach notification requirements:

  • Wisconsin does not have a comprehensive consumer data privacy law as of 2024
  • Wisconsin has a data breach notification law (Wis. Stat. § 134.98) — businesses must notify affected Wisconsin residents of breaches of personal information within a reasonable time
  • The Wisconsin Consumer Act (Wis. Stat. § 421 et seq.) prohibits unfair or deceptive acts, which can apply to deceptive data collection practices
  • Federal laws (HIPAA for health data, COPPA for children, GLBA for financial data) provide sector-specific protections
  • Wisconsin residents may have some opt-out rights under businesses that voluntarily extend California CCPA rights nationwide
  • Wisconsin legislation has been proposed but has not passed as of 2024

Wyoming

Primary statute: Wyo. Stat. § 40-12-501 et seq. — data breach notification requirements

Full Wyoming guide →

Data Privacy Rights by State

Every state has its own thresholds and procedures. Pick yours to see your state's exact rules, statutes, and local specifics.

You came here to know your rights — help someone else know theirs.

Support This Mission