Home  ›  US Data Privacy Laws: State-by-State Tracker for 2026
Bolt Image
Bolt Image

US Data Privacy Laws Tracker: State-by-State Map

Select a U.S. state below to get information on its data protection laws.

Arizona’s Partial Privacy Laws

Arizona has passed a data breach notification law:

Law Effective Since Description
Arizona Revised Statutes, Title 18. Information Technology. Chapter 4. Article 5. Section 18-552 2006, Last amended: March 29, 2022 Entities must notify anyone impacted by a data breach within 45 of determining the breach occurred, and follow clear guidelines for disposing of the data once the purpose for collecting it has been achieved.

California Consumer Privacy Act (CCPA)

Covered by Termly
Legislative Status In Force
Effective Date January 1, 2020
Pending Update
Territorial Scope
  • For-profit businesses that collect personal information from California residents, determines the purposes in California.
Organizational Exemptions
  • Pubic sector organizations in CaliforniaNon-profit organizations
Threshold
  • Gross annual revenue of over $25 million

OR

  • Buying, receiving, or selling the personal information of 50,000 or more California residents, households, or devices annually

OR

  • Deriving 50% or more of their annual revenue from selling California residents’ personal information.
Consumer Rights
  • Right to Know what personal information is collected
  • Right to Know if personal information is shared or sold and to whom
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Opt Out of Share or Sale
  • Right to Non-Discrimination
  • Right to Limit Use and Disclosure of Sensitive Personal Information
  • Right to No Retaliation for Following Opt Out or Exercise of Other Rights
Consumers have the Right to Opt-Out of:
  • Sale of personal information
Timeframe to Respond to Data Subject Requests
  • 45 days with the possibility of a 45 day extension.
Appeal Timeframe N/A
Personal Information
  • Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Personal Information Does Not Include
  • Does not include publicly available information.
  • Does not include consumer information that is de-identified or aggregate consumer information.
Definition of Publicly Available Information
  • “Publicly available” means information that is lawfully made available from federal, state, or local government records.
  • “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.
Sensitive Information N/A
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • A natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations . . ., however identified, including by any unique identifier.
  • A California resident is any individual who is:
    • In the state of California for other than a temporary or transitory purpose or
    • Domiciled in the state of California and is outside of the state for a temporary or transitory purpose
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
Sell Does Not Include When A business does not sell personal information when:

  • A consumer uses or directs the business to intentionally (i) Disclose personal information (ii) Interact with one or more third parties.
  • The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information or limited the use of the consumer’s sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sale of the consumer’s personal information or limited the use of the consumer’s sensitive personal information.
  • The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business.

California Privacy Rights Act (CPRA)

Covered by Termly
Legislative Status In Force
Effective Date January 1, 2023
Pending Update
Territorial Scope
  • For-profit businesses that collect personal information from California residents, determines the purposes in California.
Organizational Exemptions
  • Pubic sector organizations in CaliforniaNon-profit organizations
Threshold
  • Gross annual revenue of over $25 million

OR

  • Buying, selling, or sharing the personal information of 100,000 or more California residents or households annually

OR

  • Deriving 50% or more of their annual revenue from selling or sharing California residents’ personal information.
Consumer Rights
  • Right to Know what personal information is collected, shared, or sold
  • Right to Know to whom personal information is shared or sold to
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Opt Out of Share or Sale
  • Right to Non-Discrimination
  • Right to Limit Use and Disclosure of Sensitive Personal Information
  • Right to No Retaliation Following Opt Out or Exercise of Other Rights
Consumers have the Right to Opt-Out of:
  • Sale of personal information
  • Sharing of personal information for behavioral advertising
  • Consumers can also limit the use and disclosure of their sensitive personal information
Timeframe to Respond to Data Subject Requests
  • Same as CCPA
Appeal Timeframe N/A
Personal Information
  • Same as CCPA
Personal Information Does Not Include
  • Same as CCPA
Definition of Publicly Available Information
  • Same as CCPA
Sensitive Information Sensitive data means personal data that includes data revealing:

  • Social security, driver’s license, passport, state ID card numbers
  • Account log-in
  • Financial account combined with any required security or access code, password, or credentials allowing access to an account
  • Debit card or credit card number combined with any required security or access code, password, or credentials
  • A consumer’s exact geolocation
  • Racial origin, religious beliefs, or union membership
  • A consumer’s mail, email, or text message content unless the information was intentionally sent to the business
  • Genetic data
  • Biometric data
  • Health data
  • Sexual orientation data
Sensitive Information Does Not Include
  • Sensitive personal information that is “publicly available” shall not be considered sensitive personal information.
Definition of Consumer / Data Subject / Individual
  • Same as CCPA
Definition of Disclose N/A
Definition of Share
  • Sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
Definition of Sell
  • Same as CCPA
Sell Does Not Include When
  • Same as CCPA

California Online Privacy Protection Act (CalOPPA)

Covered by Termly
Legislative Status In Force
Effective Date July 4, 2004
Pending Update
Territorial Scope
  • An operator of a commercial website or online service that collects personally identifiable information through the internet about individual consumers residing in California who use or visit its commercial website or online service.
Organizational Exemptions
  • Any third party that operates, hosts, or manages, but does not own, a website or online service on the owner’s behalf or by processing information on behalf of the owner
Threshold N/A
Consumer Rights
  • Right to Know what personal information is collected
  • Right to Correct
Consumers have the Right to Opt-Out of:
  • Tracking by websites
Timeframe to Respond to Data Subject Requests N/A
Appeal Timeframe N/A
Personal Information
  • Individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form.
Personal Information Does Not Include N/A
Definition of Publicly Available Information N/A
Sensitive Information N/A
Sensitive Information Does Not Include
Definition of Consumer / Data Subject / Individual
  • Any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell N/A
Sell Does Not Include When N/A

California’s Additional Privacy Laws

California is also protected by the following privacy-related laws:

Law Description
Shine the Light Law Outlines requirements for entities who share personal data with third parties who will use the information for direct marketing purposes.
California Invasion of Privacy Act (CIPA) Provides protections for individuals using landline or mobile telephones.
Confidentiality of Medical Information Act (CMIA) Outlines requirements for the confidentiality of medical records and information.
Patient Access to Health Records Act (PAHRA) Describes consumer rights over accessing their health and medical records.
California Financial Information Privacy Act (CALFIPA) Outlines restrictions and bans regarding selling or sharing financial consumer data without obtaining consent.
California Labor Code Outlines protections and requirements regarding employee data.
Privacy Rights for California Minors in the Digital World Act (Eraser Law) Protects the data of known minors in California, allowing them the right to “be forgotten.”

Kansas’ Partial Privacy Laws

There are partial privacy regulations in place in the Kansas Statutes, mostly located in Chapter 50, which focuses on consumer protections, including the following:

Law Description
The Data Breach Requirements Act Describes how entities must respond when a data breach occurs and outlines how to notify the appropriate parties.
Consumer Protection Act Protects consumers from entities committing deceptive or unconscionable practices.

Michigan’s Partial Privacy Laws

Michigan has a few privacy-related regulations in place, including the following:

Law Description
Identity Theft Protection Act Requires entities to provide a notice to Michigan residents if their unencrypted information is accessed without authorization, or if their encrypted data was accessed without authorization by a person who has the encryption key.
Internet Privacy Protection Act Prevents employers and educational institutions from requiring access to an individual’s personal account or disclosing information about their accounts.

New York’s Introduced Privacy Bills

Bill Description
New York Data Protection Act (Assembly Bill 2587) Introduced on January 26, 2023, this bill would establish the New York Data Protection Act and require government entities to disclose specific personal information they collect about individuals. It’s currently in the Assembly Committee.
Assembly Bill 7423 Introduced on May 19, 2023, this bill would require companies to disclose how they de-identify personal data and place safeguards around the information. It’s currently in the Assembly Committee.
Senate Bill 365 Introduced on January 4, 2023, this bill would require companies to disclose their methods of de-identifying personal information, place safeguards around protecting the data, and allow consumers to know who their data is shared with. It’s currently in the Assembly of Consumer Affairs and Protection.
Senate Bill 5555 Introduced on March 8, 2023, this bill would establish the ‘It’s Your Data Act’ and provide protections and transparency in collecting, using, and retaining personal information. It’s currently in the Senate Codes Committee.
Senate Bill 2998 Introduced on January 26, 2023, this bill would establish the Online Consumer Protection Act and require advertising networks to post a clear notice on their homepage about their privacy policy and data collection and uses. It’s currently in the Senate Consumer Protection Committee.

New York’s Partial Privacy Laws

New York is protected by partial privacy-related regulations, including all of the following:

Law Description
Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Expands the type of personal information consumers must be notified about if subject to a data breach, and requires entities to implement stronger safeguards to keep data safe.
Senate Bill 2628 Requires private sector employers to provide notice to employees upon hiring about their electronic monitoring processes.

New York’s Inactive Privacy Bills

All of the following unique bills were introduced in 2023 but became inactive for various reasons:

Bill
Assembly Bill 6319 (American Data Privacy and Protection Act)
Senate Bill 3162 and its companion bill Assembly Bill 4374
Assembly Bill 3593
Assembly Bill 3308 and its companion bill Senate Bill 2277 (Digital Fairness Act)
Senate Bill 365 (New York Privacy Act)
Assembly Bill 2587 (New York State Protection Act)
Senate Bill 5555 (It’s Your Data Act)

Colorado Privacy Act (CPA)

Covered by Termly
Legislative Status In Force
Effective Date July 1, 2023
Pending Update
Territorial Scope
  • Any data controller that conducts business in Colorado or data controllers that produce or deliver commercial products or services intentionally targeted to residents of Colorado.
Organizational Exemptions
  • Airlines
  • Public utilities
  • Organizations that process data for Colorado Health Insurance laws
  • State government organizations
  • Consumer reporting agencies
  • Higher education institutions
Threshold
  • Processing or controlling the personal data of at least 100,000 consumers annually

OR

  • Processing or controlling the personal data of 25,000 consumers or more and deriving revenue or receive discount on the price of goods or services from the sale of personal data.
Consumer Rights
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Opt Out of Targeted Advertising, Profiling via a Universal Opt Out Mechanism, or Sale of Personal information
  • Right to Appeal
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 45 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • Information that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include
  • “Personal data” does not include de-identified data or publicly available information.
Definition of Publicly Available Information
  • “Publicly available information” means information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.
Sensitive Information Sensitive data includes personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sex life or sexual orientation
  • Citizenship status
  • Genetic or biometric data
  • Personal data from a known child
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • An individual who is a Colorado resident acting only in an individual or household context.
  • “Consumer” does not include and individual acting in a commerical or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • The exchange of personal data for monetary or other valuable consideration by a controller to a third party.
Sell Does Not Include When “Sale,” “sell,” or “sold” does not inlude the following:

  • (I) The disclosure of personal data to a processor that processes the personal data on behalf of a controller
  • (II) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer
  • (III) The disclosure or transfer of personal data to an affiliate of the controller
  • (IV) The disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets
  • (V) The disclosure of personal data (a) that a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party or (b) intentionally made available by a consumer to the general public via a channel of mass media.

Colorado’s Additional Privacy Laws

Colorado is also protected by the following privacy-related laws:

Law Description
Colorado Consumer Protection Act (CCPA) This applies to businesses that collect personal information and outlines guidelines regarding data breach notifications and the implementation of necessary protections.
Colorado’s Spam Reduction Act This law makes sending certain spam emails a deceptive trade practice.

Connecticut Data Privacy Act (CTDPA)

Covered by Termly
Legislative Status In Force
Effective Date July 1, 2023
Pending Update
Territorial Scope
  • Persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state
Organizational Exemptions
  • Connecticut state agencies
  • Non-profit organizations
  • Higher education institutions
  • Certain national securities associations
  • Financial institutions subject to GLBA
  • “Covered entities” or “business associates” as defined under HIPAA
Threshold
  • Controlled or processed the personal data of 35,000 or more consumers annually, excluding personal data controlled or processed
    solely for the purpose of completing a payment transaction

    OR

  • Control or process consumers’ sensitive data, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

    OR

  • Offer consumers’ personal data for sale in trade or commerce
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Opt Out of Targeted Advertising, Sale of Personal information, or Automated Profiling
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • Information that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include
  • “Personal data” does not include de-identified data or publicly available information.
Definition of Publicly Available Information “Publicly available information” means information that:

  • (A) is lawfully made available through federal, state or municipal government records or widely distributed media, and
  • (B) a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.
Sensitive Information Sensitive data means personal data that includes data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data for the purpose of uniquely identifying an individual
  • Personal data from a known child
  • Specific geolocation data (GPS)
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • An individual who is a resident of Connecticut
  • “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • The exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When “Sale of personal data” does not include:

  • (A) the disclosure of personal data to a processor that processes the personal data on behalf of the controller
  • (B) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer,
  • (C) the disclosure or transfer of personal data to an affiliate of the controller
  • (D) the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses Substitute Senate Bill No. 6 Public Act No. 22-15 6 of 27 the controller to interact with a third party
  • (E) the disclosure of personal data that the consumer (i) intentionally made available to the general public via a channel of mass media, and (ii) did not restrict to a specific audience
  • (F) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller’s assets

Connecticut’s Additional Privacy Laws

Connecticut is also protected by several privacy-related laws, including the following:

Law Description
Data Breach Notification Law; found in Chapter 669 of the General Statutes of Connecticut States that anyone collecting personal information must disclose a security breach to the Office of the Attorney General and say which residents were impacted.
Protection of Social Security Numbers and Personal Information; found in Chapter 743dd of the Statutes It prevents publicly displaying another person’s social security number or requiring it as a way to access an internet website, among other restrictions.
Employee Regulation; found in Chapter 5576 of the Statutes Describes notification requirements for businesses that track or monitor their employees.

Florida Digital Bill of Rights (FDBR)

Covered by Termly
Legislative Status In Force
Effective Date July 1, 2024
Pending Update
Territorial Scope
  • Persons that conduct business in Florida or produce products or services that are targeted to residents of Florida
Organizational Exemptions
  • State agency or a political subdivision of the state
  • Financial institution or data subject to Title V of the GLBA
  • Covered entity or business associate governed by the HIPAA
  • Non-profit organization
  • Postsecondary education institution
Threshold Makes in excess of $1 billion in global gross annual revenues AND satisfies at least one of the following:

  • Derives 50% or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online
  • Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation
  • Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of a decision that produces a legal or similarly significant effect, the collection of sensitive data (including precise geolocation data), the processing of sensitive data, or the collection of personal data collected through the operation of a voice recognition or facial recognition feature
  • Right to Portability
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Targeted Advertising
  • Collection of sensitive data (including precise geolocation data) or the processing of sensitive data
  • Collection of personal data collected through the operation of a voice recognition or facial recognition feature
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 15 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
Personal Information
  • Information that is linked or reasonably linkable to an identified or identifiable child, including biometric information and unique identifiers to the child.
Personal Information Does Not Include
  • The term does not include de-identified data or publicly available information.
Definition of Publicly Available Information
  • Information lawfully made available through government records, or information that a business has a reasonable basis for believing is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
Sensitive Information Sensitive data means a category of personal data which includes any of the following:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data processed for the purpose of uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means an individual who is a resident of or is domiciled in this state acting only in an individual or household context.
  • The term does not include an individual acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When The term does not include any of the following:

  • (a) The disclosure of personal data to a processor who processes the personal data on the controller’s behalf.
  • (b) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer.
  • (c) The disclosure of information that the consumer:
    • 1. Intentionally made available to the general public through a mass media channel; and
    • 2. Did not restrict to a specific audience.
  • (d) The disclosure or transfer of personal data to a third party as an asset that is part of a merger or an acquisition.

Florida’s Additional Privacy Laws

Additionally, Florida has data breach notification requirements:

Law Description
Chapter 501, Title 33 of the Florida Statutes Entities must notify the Department of Legal Affairs if a breach occurs impacting 500 or more consumers

Indiana Consumer Data Protection Act (Indiana CDPA)

Covered by Termly
Legislative Status In Force
Effective Date January 1, 2026
Pending Update
Territorial Scope
  • Applies to a person that conducts business in Indiana or produces products or services that are targeted to consumers who are residents of Indiana.
Organizational Exemptions
  • State or government organizations.
  • Third parties under contract with a state or government organization, when acting on behalf of the entity.
  • Financial institutions and affiliates, or data subject to GLBA
  • Any covered entity or business associate governed by HIPAA.
  • Any nonprofit organization.
  • Any institution of higher education.
  • Any public utility or service company affiliated with a public utility.
Threshold During a calendar year:

  • Controls or processes personal data of at least 100,000 Indiana residents

OR

  • Controls or processes personal data of at least 25,000 Indiana residents and derives more than 50% of gross revenue from the sale of personal data.
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, profiling, or automated decision making
  • Right to Portability
  • Right to Non-Discrimination
  • Right to Opt-in for processing of sensitive data
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling
  • Targeted Advertising
  • Automated decision making
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 45 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • Personal data meansinformation that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include The term does not include:

  • (1) de-identified data;
  • (2) aggregate data; or
  • (3) publicly available information
Definition of Publicly Available Information “Publicly available information” means information:

  • (1) that is lawfully made available through federal, state, or local government records; or
  • (2) that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media; by the consumer to whom the information pertains; or by a person to whom the consumer has disclosed the information
Sensitive Information “Sensitive data” means personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis made by a healthcare provider
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual “Consumer” means an individual who:

  • (1) is a resident of Indiana; and
  • (2) is acting only for a personal, family, or household purpose

The term does not include an individual acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the exchange of personal data for monetary consideration by a controller to a third party.
Sell Does Not Include When The term does not include:

  • (1) the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  • (2) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer; or the parent of a child
  • (3) the disclosure or transfer of personal data to an affiliate of the controller;
  • (4) the disclosure of information that the consumer intentionally made available to the general public and did not restrict to a specific audience; or
  • (5) the disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy

Indiana’s Introduced Privacy Bills

Bill Description
House Bill 1554 Indiana lawmakers introduced House Bill 1554 on January 19, 2023. It will establish a new article concerning consumer data protection in the Indiana Code if it passes.

Indiana’s Additional Privacy Laws

Indiana has other pieces of data privacy-related legislation, including the following:

Law Description
Article 4.9; found in the Constitution of the State of Indiana Describes data breach notification requirements.

Iowa Consumer Data Protection Act (Iowa CDPA)

Covered by Termly
Legislative Status Signed
Effective Date January 1, 2025
Pending Update
Territorial Scope
  • Applicable to persons that conduct business in Iowa or produce products or services that are targeted to Iowa residents
Organizational Exemptions
  • State or government organizations.
  • Financial institutions and affiliates, or data subject to GLBA
  • Any covered entity or business associate governed by HIPAA.
  • Any nonprofit organization.
  • Any institution of higher education.
Threshold During a calendar year:

  • Controls or processes personal data of at least 100,000 consumers.

OR

  • Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Delete
  • Right to Opt Out sale of personal data
  • Right to Portability
Consumers have the Right to Opt-Out of:
  • Sale of personal data
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person.
Personal Information Does Not Include
  • “Personal data” does not include de-identified or aggregate data or publicly available information.
Definition of Publicly Available Information “Publicly available information” means information:

  • (1) that is lawfully made available through federal, state, or local government records; or
  • (2) that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media; by the consumer to whom the information pertains; or by a person to whom the consumer has disclosed the information;
Sensitive Information “Sensitive data” means personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis made by a healthcare provider
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual “Consumer” means an individual who:

  • (1) is a resident of Indiana; and
  • (2) is acting only for a personal,family, or householdpurpose.

The term does not include an individual acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the exchange of personal data for monetary consideration by a controller to a third party.
Sell Does Not Include When The term does not include:

  • (1) the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  • (2) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer; or the parent of a child
  • (3) the disclosure or transfer of personal data to an affiliate of the controller;
  • (4) the disclosure of information that the consumer intentionally made available to the general public and did not restrict to a specific audience; or
  • (5) the disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy

Iowa’s Additional Privacy Laws

Parts of the Iowa Code feature some privacy-related legislation, particularly in Title XVI:

Law Description
Personal Information Security Breach Protection Describes personal data breach notification requirements applicable whenever a breach occurs that impacts more than 500 individuals.

Montana Consumer Data Privacy Act (MCDPA)

Covered by Termly
Legislative Status Signed
Effective Date October 1, 2024
New Amendments take effect October 1, 2025
Pending Update
Territorial Scope
  • Applicable to persons that conduct business in Montana or produce products or services that are targeted to Montana residents
Organizational Exemptions
  • Body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state
  • Nonprofit organization
  • Institution of higher education
  • National securities association that is registered under the Securities Exchange Act of 1934
  • Financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with the GLBA
  • Covered entity or business associate as defined in the privacy regulations of HIPAA
Threshold
  • Control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

  • Control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data

As of October 1, 2025, the scope will expand to:

  • Control or process the personal data of not less than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

  • Control or process the personal data of not less than 15,000 consumers and derive more than 25% of gross revenue from the sale of personal data
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of a decision that produces a legal or similarly significant effect, or automated decision making
  • Right to Portability
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Targeted Advertising
  • Automated decision making
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include
  • The term does not include deidentified data or publicly available information.
Definition of Publicly Available Information “Publicly available information” means information that:

  • (a) is lawfully made available through federal, state, or municipal government records or widely distributed media; or
  • (b) a controller has a reasonable basis to believe a consumer has lawfully made available to the public.
Sensitive Information “Sensitive data” means personal data that includes data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Information about a person’s sex life or sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data for the purpose of uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means an individual who is a resident of this state.
  • The term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When The term does not include:

  • (i) the disclosure of personal data to a processor that processes the personal data on behalf of the controller
  • (ii) the disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer
  • (iii) the disclosure or transfer of personal data to an affiliate of the controller
  • (iv) the disclosure of personal data in which the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party
  • (v) the disclosure of personal data that the consumer: (A) intentionally made available to the public via a channel of mass media; and (B) did not restrict to a specific audience
  • (vi) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

Montana’s Additional Privacy Laws

Montana has a few additional privacy-related laws, including:

Law Description
Montana Pupil Online Personal Information Protection Act Prevents entities from engaging in targeted advertising through K-12 online applications.
Senate Bill 419 Bans the use of the social media app TikTok in the state and goes into effect in January 2024.
Montana Code Annotated, Title 30, Chapter 14, Part 17 Outlines the data and computer security breach notification requirements for the state.

Oregon Consumer Privacy Act (OCPA)

Covered by Termly
Legislative Status In Force
Effective Date July 1, 2024
Pending Update
Territorial Scope
  • Applicable to persons that conduct business in Oregon or produce products or services that are targeted to Oregon residents
Organizational Exemptions
  • Body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state
  • Financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with the GLBA
  • An individual, firm, association, corporation, or other entity that is licensed in this state as an insurance company and transacts insurance business
  • Nonprofit organization
  • Institution of higher education
  • Covered entity or business associate as defined in the privacy regulations of HIPAA
Threshold During a calendar year, they control or process:

  • The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction

OR

  • The personal data of 25,000 or more consumers, while deriving 25% or more of the annual gross revenue from selling personal data
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of a decision that produces a legal or similarly significant effect, or automated decision making
  • Right to Portability
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Targeted Advertising
  • Automated decision making
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include Does not include information that is:

  • (i) Publicly available information; or
  • (ii) De-identified or aggregate consumer information
Definition of Publicly Available Information
  • “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience
Sensitive Information “Sensitive data” means a category of personal information that includes personal information revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person
  • The personal information collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual “Consumer”:

  • (A) Means a natural person who is a resident of Tennessee acting only in a personal context; and
  • (B) Does not include a natural person acting in a commercial or employment context
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When Does not include:

  • (i) The disclosure of personal information to a processor that processes the personal information on behalf of the controller;
  • (ii) The disclosure of personal information to a third party for purposes of providing a product or service requested by the consumer;
  • (iii) The disclosure or transfer of personal information to an affiliate of the controller;
  • (iv) The disclosure of information that the consumer intentionally made available to the general public via a channel of mass media; and did not restrict to a specific audience; or
  • (v) The disclosure or transfer of personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

Oregon’s Additional Privacy Laws

There are a few other privacy-related laws in place protecting residents of Oregon, according to the Oregon Department of Justice, including the:

Law Description
Oregon Consumer Identity Theft Protection Act Is the data breach notification law in the state and gives residents tools and resources to protect themselves from identity theft and cybercrimes.
Oregon Student Information Protection Act Prohibits sharing student data gathered from educational websites and platforms for non-educational purposes.

Tennessee Information Protection Act (TIPA)

Covered by Termly
Legislative Status In Force
Effective Date July 1, 2025
Pending Update
Territorial Scope
  • Applies to persons that conduct business in Tennessee producing products or services that target residents of Tennessee
Organizational Exemptions N/A
Threshold
  • Exceed $25,000,000 in revenue;

AND

  • Control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information;

OR

  • During a calendar year, control or process personal information of at least 175,000 consumers.
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, profiling, automated decision making
  • Right to Portability
  • Right to Non-Discrimination
  • Right to Opt-in for processing of sensitive data
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling
  • Targeted Advertising
  • Automated decision making
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 45 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • Means information that is linked or reasonably linkable to an identified or identifiable natural person
Personal Information Does Not Include Does not include information that is:

  • (i) Publicly available information; or
  • (ii) De-identified or aggregate consumer information
Definition of Publicly Available Information
  • “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience
Sensitive Information “Sensitive data” means a category of personal information that includes personal information revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person
  • The personal information collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual “Consumer”:

  • (A) Means a natural person who is a resident of Tennessee acting only in a personal context; and
  • (B) Does not include a natural person acting in a commercial or employment context
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • Means the exchange of personal information for valuablemonetary consideration by the controller to a third party
Sell Does Not Include When Does not include:

  • (i) The disclosure of personal information to a processor that processes the personal information on behalf of the controller;
  • (ii) The disclosure of personal information to a third party for purposes of providing a product or service requested by the consumer;
  • (iii) The disclosure or transfer of personal information to an affiliate of the controller;
  • (iv) The disclosure of information that the consumer intentionally made available to the general public via a channel of mass media; and did not restrict to a specific audience; or
  • (v) The disclosure or transfer of personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

Tennessee’s Additional Privacy Laws

Tennessee also has a few privacy-related laws in place, including:

Law Description
Tennessee Code Data Breach Requirements Outlines when and how entities must notify individuals whose data is compromised in a data breach.
Genetic Information Privacy Act Prevents insurance providers from requiring people who receive coverage to disclose genetic information about themselves or their families.

Texas Data Privacy and Security Act (TDPSA)

Covered by Termly
Legislative Status In Force
Effective Date July 1, 2024
Pending Update
Territorial Scope Applies only to a person that:

  • (1) conducts business in Texas or produces a product or service consumed by residents of Texas
  • (2) processes or engages in the sale of personal data;

AND

  • (3) is not a small business as defined by the United States Small Business Administration, except to the extent that the small business is engaged in the sale of sensitive personal data
Organizational Exemptions
  • State agency or subdivision
  • Financial institutions and affiliates, or data subject to GLBA
  • Any covered entity or business associate governed by HIPAA
  • A nonprofit organization
  • An institution of higher education
Threshold
  • The SBA defines a small business as an independent business having fewer than 500 employees
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, profiling, automated decision making
  • Right to Portability
  • Right to Non-Discrimination
  • Right to Opt-in for processing of sensitive data
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling
  • Targeted Advertising
  • Automated decision making
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • Any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.
  • The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.
Personal Information Does Not Include
  • Does not include de-identified data or publicly available information.
Definition of Publicly Available Information
  • “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience
Sensitive Information “Sensitive data” means personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data that is processed for the purpose of uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means an individual who is a resident of this state acting only in an individual or household context.
  • The term does not include an individual acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • Means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When The term does not include:

  • (A) the disclosure of personal data to a processor that processes the personal data on the controller ’s behalf;
  • (B) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • (C) the disclosure or transfer of personal data to an affiliate of the controller;
  • (D) the disclosure of information that the consumer intentionally made available to the general public through a mass media channel; and did not restrict to a specific audience; or the disclosure or transfer of personal data to a third party as an asset that is part of a merger or acquisition.

Texas’ Introduced Privacy Bills

Bill Description
House Bill 1844 Introduced on February 3, 2023, this bill would impose a civil penalty on entities based on their collection, use, processing, and treatment of consumer personal data. It’s currently in the Business & Industry House Committee.

Texas’ Additional Privacy Laws

Texas has other laws that are adjacent to data privacy, including the following:

Law Description
Texas Identify Theft Enforcement and Protection Act Requires officers in different jurisdictions to write reports whenever a person falls victim to a data breach.
Texas Medical Records Privacy Act Protects sensitive health information and medical data from being released for marketing purposes without individual consent.

Virginia Consumer Data Protection Act (VCDPA)

Covered by Termly
Legislative Status In Force
Effective Date January 1, 2023
Pending Update
Territorial Scope
  • Persons that do business in the Commonwealth of Virginia or persons who produce products or services that are targeted to residents of the Commonwealth of Virginia.
Organizational Exemptions
  • Public sector organizations in Virginia
  • Non-profit organizations
  • Higher education institutions
Threshold
  • Processing or controlling personal data of at least 100,000 consumers annually

OR

  • Processing or controlling the personal data of at least 25,000 consumers and deriving over 50% of gross revenue from selling that data.
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of Targeted Advertising, Profiling, or Sale of Personal information
  • Right to Appeal
  • Right to Data Portability
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling
  • Targeted Advertising reasonable efforts
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • Information that is linked or reasonably linkable to an identified individual or an identifiable individual.
Personal Information Does Not Include
  • “Personal data” does not include de-identified data or publicly available information.
Definition of Publicly Available Information
  • “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
Sensitive Information Sensitive data includes personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Immigration or citizenship standing
  • Genetic or biometric data
  • Personal data from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • A natural person who is a resident of Virginia acting only in anindividual or household context.
  • “Consumer” does not include a natural person acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • The exchange of personal data for monetary consideration by the controller to a third party.
Sell Does Not Include When “Sale of personal data” does not include:

  • 1. The disclosure of personal data to a processor that processes the personal data on behalf of the controller
  • 2. The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer
  • 3. The disclosure or transfer of personal data to an affiliate of the controller
  • 4. The disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience
  • 5. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets

Virginia’s Additional Privacy Laws

Additionally, Virginia also passed the following privacy-related laws:

Law Description
Personal Information Privacy Act Restricts the sale of personal information, like social security numbers, by merchants.
Virginia’s Breach of Personal Information Notification Describes notification requirements whenever a breach occurs impacting Virginia residents.
Virginia Genetic Privacy Act Outlines provisions regarding the collection of genetic data.
Virginia Telephone Privacy Protection Act Prohibits solicitation calls after a person states they do not wish to receive the call.

West Virginia’s Introduced Privacy Bills

Bill Description
House Bill 3453 Introduced on February 14, 2023, this bill would establish consumer rights regarding their data privacy and create a private cause of action. It was passed to the House Technology and Infrastructure Committee.
House Bill 3498 Introduced on February 14, 2023, this bill would amend the Code of West Virginia by adding an article relating to consumer data protection. It was passed to the House Finance Committee.

West Virginia’s Partial Privacy Laws

West Virginia is protected by a few privacy-related laws worth noting, including the following:

Law Description
Article 2A of Chapter 46A of the West Virginia Code Dictates data breach and breach of security notifications for West Virginia residents.
West Virginia Health Care Records Law Requires healthcare providers to give patients a copy of their medical records upon request.
Article 5H of Chapter 21 of the West Virginia Code Restricts employers from forcing employees to share certain information about their personal social media accounts.
Electronic Mail Protection Act Prevents the transmission of unauthorized electronic messages with the intention to deceive or defraud a resident of the state.
Student Data, Transparency, and Accountability Act Restricts the transfer and disclosure of student records and protects student personal data.

North Carolina’s Introduced Privacy Bills

Bill Description
North Carolina Consumer Privacy Act (Senate Bill 525) Introduced on April 3, 2023, this bill would grant consumers the right to access and delete their personal data collected by controllers and give them opt-out rights for targeted advertising and the sale of their data. It passed its first reading and was sent to the Committee on Rules and Operations of the Senate.

North Carolina’s Partial Privacy Laws

North Carolina is protected by a privacy-related regulation shown below:

Law Description
Identity Theft Protection Act (ITPA) Imposes restrictions on collecting social security numbers with other personal information. It also describes data breach notification requirements.

Alabama Personal Data Protection Act

Covered by Termly
  • Coming soon
Legislative Process  Signed
Effective Date  May 1, 2027
Pending Update 
Territorial Scope 
  • Persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state
Organizational Exemptions 
  • A political subdivision of the state
  • Any board, authority, district, or public corporation organized to manage local services and infrastructure
  • A two-year or four-year institution of higher education, including affiliates of a two-year or four-year institution of higher education
  • National securities associations
  • A financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with Title V of the GLBA
  • HIPAA covered entities
  • A business with fewer than 500 employees, provided the business does not engage in the sale of personal data
  • A nonprofit entity with less than 100 employees, provided the entity does not engage in the sale of personal data
  • Any entity involved in the securities industry, including broker-dealers
  • Licensed money transmitters
  • Any trade association explicitly authorized to receive documents or evidence
  • A political action committee, political party, or principal campaign committee, or any political organization
  • A business entity that sells data primarily to a political action committee, political party, or principal campaign committee, or any political organization
  • An electric provider that is subject to the requirements or reliability standards of the North American Electric Reliability Corporation
Threshold  During a calendar year:

  • Control or process the personal data of more than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transactionOR
  • Derive more than 25% of gross revenue from the sale of personal data, regardless of the number of consumers whose data the person controls or processes”
Consumer Rights 
  • Right to Know if a controller, or a processor or third party acting on a controller’s behalf, is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, and profiling in futherance of solely automated significant decisions concerning the consumer
  • Right to Portability
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of: 
  • Targeted Advertising
  • Sale of personal data
  • Profiling in furtherance of solely automated significant decisions concerning the consumer
Timeframe to Respond to Data Subject Requests 
  • Within 45 days with the possibility of a 45 day extension.
Appeal Timeframe 
  • N/A
Personal Information 
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include 
  • “Personal data” does not include deidentified data or publicly available information.
Definition of Publicly Available Information 
  • “Publicly available information” means either of the following:
  • A.) Information that is lawfully made available through federal, state, or local government records or widely distributed media.
  • B.) Information that a controller has a reasonable basis to believe a consumer has lawfully made available to the public.
Sensitive Information  “Sensitive data” means personal data that includes data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data for the purpose of uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data
  • Specific geolocation data (GPS)
Sensitive Information Does Not Include  N/A
Definition of Consumer / Data Subject / Individual / Customer 
  • “Consumer” means an individual who is a resident of this state.
  • The term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.
Definition of Disclose  N/A
Definition of Share  N/A
Definition of Sell 
  • “Sale of personal data” means the exchange of personal data for monetary consideration by a controller to a third party, or for other valuable consideration by a controller to a third party where the controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data.
Sell Does Not Include When The term does not include any of the following:

  • a. The disclosure of personal data to a processor that processes the personal data on behalf of the controller.
  • b. The disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer.
  • c. The disclosure or transfer of personal data to an affiliate of the controller.
  • d. The disclosure of personal data in which the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party.
  • e. The disclosure of personal data that the consumer intentionally made available to the public via a channel of mass media and did not restrict to a specific audience.
  • f. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
  • g. The disclosure or transfer of personal data to a third party for the purposes of providing analytics services.
  • h. The disclosure or transfer of personal data to a third party for the purposes of providing marketing services solely to the controller.

Alabama’s Partial Privacy Laws

Alabama residents are protected by other pieces of data privacy-related legislation, including the following:

Law Effective Since Description
Alabama Data Breach Notification Act of 2018 June 1, 2018 If an entity believes sensitive personal information was accessed without authorization and may cause harm, the entity must notify affected individuals as soon as possible and no later than 45 days.

Alabama was the 50th state to enact this type of breach notification law.
Alabama Insurance Data Security Law May 1, 2019 Covered entities licensed by the Alabama Department of Insurance must develop, implement, and maintain an information security program regarding the scope of its activities and the sensitivity of the non-public information in its possession, custody, or control.
Alabama Right of Publicity Act 2019 Officially Article 39 of the Alabama Code, this act explains what rights individuals have to remain out of the public eye while living and for 55 years after their passing.

Alaska’s Partial Privacy Laws

Alaska has a privacy-related law that protects residents of the state if a cyber breach occurs:

Law Effective Since Description
Alaska’s Personal Information Protection Act July 1, 2009 It requires businesses to “expeditiously” notify users of a data breach concerning personal information, mandates that personal data must be disposed of after it’s been used for its intended purposes, and gives the ability to place a security freeze on consumer credit reports.

Arkansas’s Partial Privacy Laws

Arizona is protected by a data breach notification law:

Law Effective Since Description
Arkansas Personal Information Protection Act August 2019 This law requires entities to destroy personal information once their purpose for using it is complete. It also requires those entities to provide adequate safeguards to keep the information safe, and to disclose certain security breaches.

Delaware Personal Data Privacy Act

Covered by Termly
Legislative Status Signed
Effective Date January 1, 2025
Pending Update
Territorial Scope
  • Persons that conduct business in the Delaware or persons that produce products or services that are targeted to residents of the Delaware
Organizational Exemptions
  • Delaware state agenciesNon-profit organizations dedicated exclusively to preventing and addressing insurance crime
  • Certain national securities associations
  • Financial institutions subject to GLBA
Threshold
  • During the preceding calendar year:Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

  • Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal informationRight to Access
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Obtain a List of Categories of Third Partes to which the controller disclosed the personal information
  • Right to Opt Out of Targeted Advertising, Sale of Personal information, or Automated Profiling
  • Right to Appeal
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.The controller must provide the consumer with a means to refer his or her concerns to the Departement of Justice.
Personal Information
  • Information that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include
  • “Personal data” does not include de-identified data or publicly available information.
Definition of Publicly Available Information “Publicly available information” means any of the following:

  • a. Information that is lawfully made available through federal, state, or local government records.
  • b. Information that a controller has a reasonable basis to believe that the consumer has lawfully made available to the general public through widely distributed media.
Sensitive Information “Sensitive data” means personal data that includes any of the following data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis (including pregnancy)
  • Sex life, sexual orientation, status as transgender or nonbinary
  • Citizenship or immigration status
  • Genetic or biometric data
  • Personal data of a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means an individual who is a resident of this State.
  • “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or government agency.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • The exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When “Sale of personal data” does not include any of the following:

  • a. The disclosure of personal data to a processor that processes the personal data on behalf of the controller where limited to the purpose of such processing.
  • b. The disclosure of personal data to a third party for purposes of providing a product or service affirmatively requested by the consumer.
  • c. The disclosure or transfer of personal data to an affiliate of the controller.
  • d. The disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party.
  • e. The disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience.
  • f. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller’s assets, or a proposed merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller’s assets.

Delaware’s Additional Privacy Laws

Delaware is also protected by a few privacy-related laws, which include the following:

Law Description
Delaware Online Privacy Protection Act (DOPPA) Describes guidelines for websites or online and cloud computing services directed at children.
Student Data Privacy Protection Act (SDPPA) Provides protection for student personal data in the state.
Title 6 of the Delaware Code The data breach notification law and requires entities to notify residents if their data is part of a possible breach within 60 days of the incident.

Washington D.C.’s Partial Privacy Laws

The Nation’s capital does have some partial privacy regulations in place, which include the following:

Law Description
Security Breach Protection Amendment Act of 2020 Amended the Breach Notification Law by expanding definitions concerning business data breaches and specifying the contents required in the notification sent to individuals.
Consumer Protection Procedures Act Is in place to provide protection to consumers from unfair, deceitful business practices.

Georgia’s Partial Privacy Laws

Georgia has some partial privacy-related legislation in place.

Law Description
Personal Identity Protection Act (PIPA) Requires anyone storing personal data to notify individuals if a data breach occurs.
Georgia Open Records Act Part of the Georgia Code, makes all public records available to the public and can be copied by any person.
Student Data Privacy, Accessibility, and Transparency Act (SDPAT) Outlines restrictions for accessing and processing student data in the state.

Georgia’s Inactive Privacy Bills

Georgia has a few privacy bills that are now inactive:

Bill Description
Georgia Data Privacy Act (House Bill 798) Introduced on March 23, 2023, this Georgia bill — officially House Bill 798 — outlined opt-out rights for state residents but died after its second reading.

Hawaii’s Introduced Privacy Bills

Hawaii has a few privacy bills that are now inactive:

Bill Description
Senate Bill 974 Introduced on January 20, 2023, this bill establishes regulations for controllers and processors regarding data processing and makes a new consumer privacy special fund. It was referred to the House Economic Development Committee on March 9, 2023.
House Bill 1497 & its companion bill, Senate Bill 1110 These two companion bills were introduced on January 20, 2023, and they outline a framework to regulate how controllers and processors access and use personal data, allowing for a private right of action. Both were referred to the House Consumer Protection & Commerce Committee on February 6, 2023.

Hawaii’s Partial Privacy Laws

Hawaii has a few privacy-related regulations:

Law Description
Security Breach of Personal Information; found in Chapter 487N of Hawaii’s Revised Statutes Requires notification of any data to be made without unreasonable delay.
Destruction of Personal Information Records; found in Chapter 487R of Hawaii’s Revised Statutes Requires entities conducting business in Hawaii who collect personal information to dispose of it and take measures to protect it from unauthorized access.
Uniform Employee and Student Online Privacy Protection Act Outlines restrictions on requesting students to give consent to accessing their personal accounts.

Idaho’s Partial Privacy Laws

Idaho does have a data breach notification law in place.

Law Description
Found in Title 28, Chapter  51 of the Idaho Statutes Describes notification requirements when a data breach occurs, and applies to individuals and businesses.

Illinois’ Partial Privacy Laws

Illinois has some partial privacy regulations that can be found in the Illinois Compiled Statutes, including the following:

Law Description
Chapter 815, Personal Information Protection Act Requires entities to notify individuals and/or the attorney general about data breaches.
Chapter 740, Biometric Information Privacy Act Prohibits entities from collecting biometric information from individuals unless they meet specific requirements.

Illinois Inactive Privacy Bills

Illinois has a privacy bill that is now inactive:

Bill Description
House Bill 3385 Titled the Illinois Data Privacy and Protection Act. It was introduced on February 17, 2023, and made it to the House Rules Committee in March before all movement stopped.

Kentucky Consumer Data Protection Act (KCDPA)

Covered by Termly
Legislative Process In Force
Effective Date January 1, 2026
Pending Update
Territorial Scope
  • Applicable to persons that conduct business in Kentucky or produce products or services that are targeted to residents of Kentucky
Organizational Exemptions
  • City, state agency, or any political subdivision of the state
  • Financial institutions and affiliates, or data subject to GLBA
  • Any covered entity or business associate governed by HIPAA
  • Any nonprofit organization
  • Any institution of higher education
  • Certain insurance fraud-related organizations
  • Small telephone utility, a Tier III CMRS provider, or a municipally owned utility that does not sell or share personal data with any third-party processor
Threshold During a calendar year:

  • Controls or processes personal data of at least 100,000 consumers.

OR

  • Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
  • Right to Portability
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person.
Personal Information Does Not Include
  • Personal data does not include de-identified data or publicly available information.
Definition of Publicly Available Information
  • “Publicly available information” means information that lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience
Sensitive Information “Sensitive data” means a category of personal data that includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means a natural person who is a resident of the Commonwealth of Kentucky acting only in an individual context.
  • Consumer does not include a natural person acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party.
Sell Does Not Include When Sale of personal data does not include:

  • (a) The disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  • (b) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • (c) The disclosure or transfer of personal data to an affiliate of the controller;
  • (d) The disclosure of information that the consumer:
    • 1. Intentionally made available to the general public via a channel of mass media; and
    • 2. Did not restrict to a specific audience; or
  • (e) The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets

Kentucky’s Partial Privacy Laws

Kentucky has a few laws in place that provide partial privacy protections to residents of the state, including the following:

Law Description
Chapter 365, Part 365.732 of the Kentucky Revised Statutes Describes the data breach notification requirements in the state.
The Genetic Information Privacy Act Entered into action on June 1, 2022, and gives consumers control over how their genetic materials are collected, used, and disclosed by external entities.
The Insurance Data Security Act Requires insurance carriers to provide protection for consumer data and conduct a risk assessment, among other requirements.

Kentucky’s Inactive Privacy Bills

Bill Description
House Bill 301 Introduced on February 15, 2023, this bill would create consumer rights relating to personal data, including access, deletion, and portability. It died in the House Small Business & Information Technology Committee on February 17, 2023.
Senate Bill 15 Introduced on January 3, 2023, this bill would establish consumer rights over the processing of their data and require controllers to follow through on such requests. It died after being returned to the Committee on Committees (H) on March 16, 2023.

Louisiana’s Introduced Privacy Bills

Bill Description
Louisiana Consumer Privacy Act (Senate Bill 199) Lawmakers introduced this bill to establish the Louisiana Consumer Privacy Act on March 31, 2023. It would develop relative protections for the data of residents of the state. It was referred to the Committee on Commerce, Consumer Protection, and International Affairs on April 10, 2023.

Louisiana’s Partial Privacy Laws

Louisiana is protected by a data breach notification law:

Law Description
Data Security Breach Notification Act Applies to anyone who owns data from Louisiana residents and requires them to notify individuals if their information is accessed without authorization.

Maine’s Introduced Privacy Bills

Bill Description
Data Privacy and Protection Act (House Legislative Document 1977) Introduced on May 23, 2023, this bill outlines requirements for controllers, data brokers, and small businesses regarding the processing of personal data of Maine residents. It was referred to the Committee on Judiciary on July 26, 2023.
Maine Consumer Privacy Act (Senate Legislative Document 1973) Introduced on May 18, 2023, this bill describes guidelines for data controllers regarding the processing of personal information of Maine residents. It was referred to the Committee on Judiciary on July 26, 2023.

Maine’s Partial Privacy Laws

Maine has some partial privacy regulations in place, including the following:

Law Description
Data Breach Act The state’s data breach notification law and applies to anyone who stores categories of personal data. Entities must notify state regulators and, if necessary, the individuals impacted by the breach.
An Act to Protect the Privacy of Online Customer Information Went into effect in 2020 and applies to internet service providers. Internet service providers must make efforts to protect customers’ personal information and obtain consent to use their data in certain situations.

Maryland Online Data Protection Act (MODPA)

Covered by Termly
Legislative Process In Force
Effective Date October 1, 2025
Pending Update
Territorial Scope
  • Applicable to a person that conducts business in Maryland or provides products or services that are targeted to residents of Maryland
Organizational Exemptions
  • A regulatory, administrative, advisory, executive, appointive, legislative, judicial body or instrumentality of the state including a board, bureau, commission, or unit of the state or any political subdivision of the state
  • Nonprofit controller that processes or shares personal data solely for the purposes of assisting: (1) Law enforcement agencies in investigating criminal or fraudulent acts relating to insurance or (2) First responders in responding to catastrophic events
  • National securities association that is registered under § 15 of the Federal Securities Exchange Act of 1934 or a registered futures association designated in accordance with § 17 of the Federal Commodity Exchange Act
  • Financial institution, an affiliate of a financial institution, or data that is subject to Title V of the Federal Gramm-Leach-Bliley Act and regulations adopted under that Act
Threshold During the preceding calendar year did any of the following:

  • Controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction,

OR

  • Controlled or processed the personal data of at least 10,000 consumers and derived over 20% of gross revenue from the sale of personal data.
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Obtain a List of Categories of Third Partes to which the controller disclosed the consumer’s personal data
  • Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer
  • Right to Portability
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of
  • Sale of personal data
  • Profiling in furtherance of solely automated decisions that produces a legal or similarly significant effect
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Division.
Personal Information
  • “Personal data” means any information that is linked or can be reasonably linked to an identified or identifiable consumer.
Personal Information Does Not Include
  • “Personal data” does not include de-identified data or publicly available information.
Definition of Publicly Available Information “Publicly available information” means information that a person:

  • (I) Lawfully obtains from a record of a governmental entity;
  • (II) Reasonably believes a consumer or widely distributed media have lawfully made available to the general public; or
  • (III) If the conumser has not restricted the information to a specific audience, obtains from a person to whom the consumer disclosed the information.
Sensitive Information “Sensitive data” means personal data that includes data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Consumer health data
  • Sex life
  • Sexual orientation
  • Status as transgender or nonbinary
  • National origin
  • Citizenship or immigration status
  • Genetic or biometric data
  • Personal data of a consumer that the controller knows or has reason to know is a child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means an individual who is a resident of Maryland.
  • “Consumer” does not include:
    • (I) An individual acting in a commercial or employment context
    • (II) An individual acting as an employee, an owner, a director, an officer, or a contractor of a company, a partnership, a sole proprietorship, a nonprofit organization, or a governmental unit whose communications or transactions with a controller occur only within the context of the individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or governmental unit.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the exchange of personal data by a controller, a processor, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration.

Maryland’s Partial Privacy Laws

Maryland has partial privacy regulations codified in the Commercial Law of the Code of Maryland, including all of the following:

Law Description
Section 14–350 of the Maryland Code, called the Personal Information Protection Act Describes the data breach notification laws in the state, imposing obligations on businesses that collect personal information and experience a breach. It was amended in 2022.
Medical Records Statute of the Maryland Code Requires all medical information to remain confidential and gives individuals a right to private action.

Massachusetts’ Introduced Privacy Bills

These bills were all introduced on February 16, 2023:

Bill Description
Massachusetts Data Privacy Protection Act (HD 2281 and its companion bill, SD 745) These two companion bills were introduced on January 19, 2023, and describe requirements for data brokers, small businesses, and covered entities regarding the processing of personal data of Massachusetts consumers. The bills were referred to the Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity in February 2023.
Massachusetts Information Privacy and Security Act (HD 3263 and its companion bill, SD 1971) These two companion bills were introduced on January 20, 2023, and outline obligations for controllers who process personal information from Massachusetts residents. Both were referred to the Committee on Advanced Information Technology, the Internet, and Cybersecurity on November 2, 2023.
Internet Bill of Rights (HD 3245) Introduced on January 20, 2023, this bill aims to establish a bill of rights regarding how personal data is processed and used by covered entities and describes obligations for preventing and responding to data breaches. It was referred to the Joint Committee on the Judiciary in November 2023.

Massachusetts’ Partial Privacy Laws

Massachusetts has several other privacy-related regulations, including:

Law Description
Data Breach Notification Law Required entities to notify the Office of Consumer Affairs and Business Regulation and the Office of Attorney General if they believe or have reason to believe a cyber breach has occurred.
Safeguards Regulation Sets forth all requirements for protecting the personal data of residents.
Consumer Protection Law Prohibits unfair or deceptive practices.
Data Disposal Law Outlines requirements for disposing of personal data of Massachusetts residents

Minnesota Consumer Data Privacy Act (MCDPA)

Covered by Termly Pending
Legislative Process In Force
Effective Date July 31, 2025
Pending Update
Territorial Scope
  • Applicable to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota
Organizational Exemptions
  • A government entity
  • Nonprofit organizations established to detect and prevent insurance fraud
  • A federally recognized Indian tribe
  • Certain kinds of banks, credit unions, or insurance companies
  • Small businesses as defined by the US Small Business Administration regulations
  • Air carriers under the Airline Deregulation Act
  • Protected health information governed by HIPAA, financial data regulated by the GLBA, consumer credit-reporting data, and data covered by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Education Rights and Privacy Act, the Farm Credit Act, and the Minnesota Insurance Fair Information Reporting Act
  • Data for the purposes of job applications or employment, data necessary to administer benefits, as well as data processed or maintained for emergency contact purposes
Threshold During a calendar year:

  • Controls or processes the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

  • Derives over 25% of gross revenue from the sale of personal data and processes or controls personal data of at least 25,000 consumers
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Obtain a List of Specific Third Partes to which the controller disclosed the consumer’s personal data
  • Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer
  • Right to Question the Results of a Controller’s Profiling, to be informed of the reason that the profiling resulted in the decision, and to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future, to review the consumer’s personal data used in the profiling, and to have the data corrected and the profiling decision reevaluated based upon the corrected data.
  • Right to Portability
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling in furtherance of automated decisions that produces a legal or similarly significant effect
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 45 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person.
Personal Information Does Not Include
  • “Personal data” does not include deidentified data or publicly available information.
Definition of Publicly Available Information “Publicly available information” means information that:

  • (1) is lawfully made available from federal, state, or local government records or widely distributed media, or
  • (2) a controller has a reasonable basis to believe has lawfully been made available to the general public
Sensitive Information “Sensitive data” means personal data that includes data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data
  • Personal data of a known child
  • Specific geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means a natural person who is a Minnesota resident acting only in an individual or household context.
  • “Consumer” does not include a natural person acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale,” “sell,” or “sold” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When “Sale” does not include the following:

  • (1) the disclosure of personal data to a processor who processes the personal data on behalf of the controller;
  • (2) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • (3) the disclosure or transfer of personal data to an affiliate of the controller;
  • (4) the disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience;
  • (5) the disclosure or transfer of personal data to a third party as an asset that is part of a completed or proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets; or
  • (6) the exchange of personal data between the producer of a good or service and authorized agents of the producer who sell and service the goods and services, to enable the cooperative provisioning of goods and services by both the producer and the producer’s agents.

Minnesota’s Partial Privacy Laws

There are a few partial privacy regulations that exist in the Minnesota Statutes, including the following:

Law Description
Chapter 325M, Internet Privacy Outlines when disclosure of personal information on the Internet is prohibited, when it’s required, and describes the guidelines for permissions and authorizations with respect to Internet Service Providers (ISPs).
Chapter 325E, Section 61, the Breach Notification Law Describes guidelines for notifying individuals if their data was compromised in a breach and the responsibilities of the covered entity.
Chapter 325E, Section 64, Plastic Card Security Act Describes breach notification requirements in relation to financial institutions.
Chapter 325E, Section 59, Use of Social Security Numbers Prohibits entities from requiring consumers to share social security numbers over the internet without proper protections in place.
Chapter 626A, Section 02, Intersection and Disclosure of Communications Prevents entities from intercepting certain forms of communication through wire, electronic, or other means.
Chapter 609, Section 527, Identity Theft Describes the penalties if someone transfers or uses another person’s data or identity for nefarious purposes.
Chapter 13, the Minnesota Government Data Practices Act (MGDPA) Describes the requirements for government entities to collect and use personal information.

Minnesota’s Introduced Privacy Bills

Bill Description
Senate File 950 & companion bill House File 1892 These companion bills were introduced on January 30, 2023, and would require consent from consumers before collecting their personal information. These bills are in recess with the Senate Commerce and Consumer Protection Committee.
Senate File 2915 & companion bill House File 2309 These companion bills were introduced on March 15, 2023, and would place obligations on certain businesses regarding their data collection and processing activities and grant rights to state residents. These bills currently are in recess with the Senate Commerce and Consumer Protection Committee.
House File 1367 Introduced on February 6, 2023, this bill would give various rights to consumers over their data and outlines transparency obligations for businesses, creating a private right of action. It’s currently in recess with the House Commerce Finance & Policy Committee.

Mississippi’s Partial Privacy Laws

The Mississippi Annotated Code 1972 provides some privacy-related protections for consumers, like:

Law Description
Section 97-45-33 Bans the impersonation of another person through the Internet for the purpose of harming, intimidating, or defrauding them.
Section 97-45-5(1)(b) Prevents using another person’s numbers, codes, passwords, or other means of access to a computer without their consent.
Section 75-24-29(3) Describes data breach notification requirements and guidelines and other protections for residents.

Missouri’s Introduced Privacy Bills

Bill Description
House Bill 667 Introduced on January 5, 2023, this bill would amend the Personal Privacy Protection Act and prevent public agencies from requiring individuals to provide personal information or compelling them to release their information under specific circumstances.

Missouri’s Partial Privacy Laws

Missouri has a privacy-related data breach notification law:

Law Description
Notice to Consumer for Breach of Security It’s been in effect since August 28, 2009, and states that you must disclose to individuals if there’s any unauthorized access to their personal information maintained in a computerized format. You must notify the Attorney General if the breach involved more than 1,000 consumers.

Nebraska Data Privacy Act (NDPA)

Covered by Termly Pending
Legislative Process In Force
Effective Date January 1, 2025
Pending Update
Territorial Scope
  • Applicable to persons that conduct business in Nebraska or produce products or services that are consumed by Nebraska residents
Organizational Exemptions
  • State agency or political subdivision of this state
  • Nonprofit organization
  • Institution of higher education
  • National securities association that is registered under the Securities Exchange Act of 1934
  • Financial institution, affiliate of a financial institution, or data subject to Title V of the GLBA
  • Covered entity or business associate governed by the privacy, security, and breach notification rules of regulations of HIPAA
  • Electric supplier
  • Natural gas public utility
  • Natural gas utility owned or operated by a city or metropolitan utilities district
Threshold
  • Processes or engages in the sale of personal data

AND

  • Is not a small business as determined under the federal Small Business Act
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, and profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Right to Portability
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with the online mechanism through which to contact the Attorney General.
Personal Information
  • “Personal data” means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, and includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.
Personal Information Does Not Include
  • The term does not include deidentified data or publicly available information.
Definition of Publicly Available Information
  • “Publicly available information” means information that is lawfully made available through government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
Sensitive Information “Sensitive data” means a category of personal data, and includes personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data that is processed for the purpose of uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means an individual who is a resident of this state acting only in an individual or household context.
  • Consumer does not include an individual acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When Sale of personal data does not include:

  • (i) the disclosure of personal data to a processor that processes the personal data on behalf of the controller
  • (ii) the disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer
  • (iii) the disclosure or transfer of personal data to an affiliate of the controller
  • (iv) the disclosure of information that the consumer:
    • (A) Intentionally made available to the public through a mass media channel; and
    • (B) Did not restrict to a specific audience
  • (v) the disclosure or transfer of personal data to a third party as an asset in which the third party assumes control of all or part of the controller’s assets that is part of a proposed or actual:
    • (A) Merger;
    • (B) Acquisition;
    • (C) Bankruptcy; or
    • (D) Other Transaction

Nebraska’s Partial Privacy Laws

Nebraska has a few partial privacy regulations in place, including the following:

Law Description
Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Describes all data breach notification requirements for the state.
Mental Health Practice Act Prohibits mental health practitioners from disclosing information about their patients unless they obtain consent or are required by law.
Workplace Privacy Act Prohibits employers from accessing an employee’s personal accounts, with some exceptions.

Nevada’s Partial Privacy Laws

Nevada does have a few partial privacy regulations.

Law Description
Senate Bill 260, An Act Relating to Internet Privacy and Other Purposes Gives rights to residents regarding the collection of their personal data by data brokers and entered into effect in October 2021.
Security and Privacy of Personal Information Nevada’s data breach notification law, which outlines all breach notification response times and requirements.

New Hampshire Privacy Act (NHPA)

Covered by Termly
Legislative Process In Force
Effective Date January 1, 2025
Pending Update
Territorial Scope
  • Applicable to persons that conduct business in New Hampshire or produce products or services that are targeted to New Hampshire residents
Organizational Exemptions
  • Body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state
  • Nonprofit organization
  • Institution of higher education
  • National securities association that is registered under the Securities Exchange Act of 1934
  • Financial institution or data subject to Title V of the GLBA
  • Covered entity or business associate as defined in the privacy regulations of HIPAA
Threshold During a one year period:

  • (a) Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

  • (b) Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25% of their gross revenue from the sale of personal data
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Right to Portability
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include
  • “Personal data” does not include de-identified data or publicly available information.
Definition of Publicly Available Information
  • “Publicly available information” means information that is lawfully made available through federal, state, municipal government records, or widely distributed media, and a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.
Sensitive Information “Sensitive data” means personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person
  • The personal information collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means an individual who is a resident of this state.
  • “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When “Sale of personal data” does not include:

  • (a) The disclosure of personal data to a processor that processes the personal data on behalf of the controller
  • (b) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer
  • (c) The disclosure or transfer of personal data to an affiliate of the controller
  • (d) The disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party
  • (e) The disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience
  • (f) The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller’s assets.

New Hampshire’s Introduced Privacy Bills

Bill Description
House Bill 314 Introduced on January 5, 2023, this bill outlines privacy expectations regarding New Hampshire consumers’ personal information. It’s currently in the House Judiciary Committee.

New Hampshire’s Partial Privacy Laws

New Hampshire has some privacy-related laws, including:

Law Description
New Hampshire Right To Privacy Act Describes data breach and cybersecurity guidelines for entities that have a license to collect personal information.
Student and Teacher Information Protection and Privacy Outlines restrictions on website operators used or marketed for K-12 school purposes, prohibiting targeted advertising and the sale of student data.
Regulation of Business Practices for Consumer Protection States that entities cannot engage in unfair or deceptive business practices, which can include using false or misleading privacy policies.

New Jersey Data Privacy Act (NJDPA)

Covered by Termly
Legislative Status In Force
Effective Date January 16, 2025
Pending Update
Territorial Scope
  • Applicable to persons that conduct business in New Jersey or produce products or services that are targeted to New Jersey residents
Organizational Exemptions
  • Some insurance institutions
  • Some secondary market institutions
  • Financial institution or an affiliate of a financial institution this is subject to the GLBA
  • Covered entity or business associate as defined in the privacy regulations of HIPAA
Threshold
  • Control or process the personal data of not less than 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction

OR

  • Control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Opt Out of Targeted Advertising, sale of personal information, or automated profiling
  • Right to Appeal
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling
  • Targeted advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 45 days.
  • The controller must provide the consumer with a means to contact the Division of Consumer Affairs in the Department of Law and Public Safety to submit a complaint.
Personal Information
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable person.
Personal Information Does Not Include
  • The term does not include deidentified data or publicly available information.
Definition of Publicly Available Information
  • “Publicly available information” means information that is lawfully made available from federal, State, or local government records, or widely-distributed media or information that a controller has a reasonable basis to believe a consumer has lawfully made available to the general public and has not restricted to a specific audience.
Sensitive Information “Sensitive data” means personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition, treatment, or diagnosis
  • Financial information which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • Status as transgender or non-binary
  • Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means an identified person who is a resident of this State acting only in an individual or household context.
  • “Consumer” shall not include a person acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale” means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When “Sale” shall not include:

  • The disclosure of personal data to a processor that processes the personal data on the controller’s behalf
  • The disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer
  • The disclosure or transfer of personal data to an affiliate of the controller
  • The disclosure of personal data that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience
  • The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

New Jersey’s Introduced Privacy Bills

Bill Description
New Jersey Disclosure and Accountability Transparency Act (NJ DATA) Assembly Bill 505 was originally introduced on January 11, 2022 and was referred to the Science, Innovation, and Technology Committee. An identical bill, Senate Bill 3714, was then introduced on March 13, 2023;

Together, they create the foundation for the New Jersey Disclosure and Accountability Transparency Act (NJ DATA), which now sits in the Senate Commerce Committee.

It describes requirements for disclosing and processing personally identifiable information and would establish an Office of Data Protection and Responsible Use in the Division of Consumer Affairs.

New Jersey’s Partial Privacy Laws

Other privacy-related laws that exist in New Jersey are:

Law Description
Identity Theft Protection Act Describes steps businesses must take to protect personal information collected from customers, employees, and individuals from identity theft and breaches.
Daniel Anderl Judicial Security and Privacy Act of 2020 Makes it illegal to disclose the home address of any active or retired judge, prosecutor, or law enforcement officer in the state, and excludes their address from the definition of ‘government record’.

New Mexico’s Partial Privacy Laws

There are a few privacy-related laws in place that appear in the New Mexico Statutes:

Law Description
New Mexico’s Privacy Protection Act (PPA) Can be found in Chapter 57, Article 12B and focuses on protecting social security numbers and states that businesses aren’t allowed to collect them as a requirement of a purchase.
Data Breach Notification Act Located in Chapter 57, Article 12C, provides a definition for personal information and outlines notification requirements following a data breach.
Chapter 14, Article 6 of the Statute Outlines laws protecting the confidentiality of medical records in the state, and specifics that they should never be made a matter of public record.
The Employee Privacy Act; found in Chapter 50, Article 11 of the Statutes Protects employees from limited levels of discrimination.

North Dakota’s Partial Privacy Laws

North Dakota is protected by some partial privacy-related regulations, including:

Law Description
Notice of Security Breach for Personal Information Outlines when an entity must inform impacted individuals about a data breach, and has been in place since 2005.
Legislative Management Study of Consumer Personal Data Disclosures Passed in 2019 so legislative management could study protections, enforcements, and remedies relating to consumer personal data and report its findings.

Ohio’s Partial Privacy Laws

Ohio is protected by some partial privacy protections, including:

Law Description
Private Disclosure of Security Breach of Computerized Personal Information Data Outlines how entities must respond to data breaches and inform impacted individuals.
Cybersecurity Safe Harbor Act Covers entities that create, maintain, and comply with cybersecurity programs as specified by the law.

Oklahoma Consumer Privacy Law

Covered by Termly
  • Coming soon
Legislative Process  Signed
Effective Date  January 1, 2027
Pending Update 
Territorial Scope 
  • Applicable to a controller or processor who conducts business in Oklahoma or produces a product or service targeted to Oklahoma residents
Organizational Exemptions 
  • A state agency or a political subdivision of this state, or a service provider processing data on behalf of a state agency or political subdivision of this state
  • A financial institution or data subject to Title V of the Gramm-Leach-Bliley Act
  • A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the US Department of Health and Human Services, established under HIPAA, and the Health Information Technology for Economic and Clinical Health Act
  • A nonprofit organization
  • An institution of higher education
Threshold  During a calendar year:

  • Controls or processes personal data of at least 100,000 consumers

OR

  • Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data
Consumer Rights 
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, and profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Right to Portability
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of: 
  • Sale of personal data
  • Profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests 
  • No later than 45 days with the possibility of a 45 day extension
Appeal Timeframe 
  • A controller shall inform the consumer in writing of any action taken or not taken in response to an appeal within 60 days.
  • The controller must provide the consumer with an online mechanism to contact the Attorney General.
Personal Information 
  • “Personal data” means any information including sensitive data that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.
Personal Information Does Not Include 
  • “Personal data” does not include deidentified data or publicly available information.
Definition of Publicly Available Information 
  • “Publicly available information” means information that is lawfully made available through government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
Sensitive Information  “Sensitive data” means a category of personal data. The term includes:

  • Personal data revealing racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data that is processed for the purpose of uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include  N/A
Definition of Consumer / Data Subject / Individual / Customer 
  • “Consumer” means an individual who is a resident of this state acting only in an individual or household context.The term does not include an individual acting in a commercial or employment context.
Definition of Disclose  N/A
Definition of Share  N/A
Definition of Sell 
  • “Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party.
Sell Does Not Include When The term does not include the:

  • (a) Disclosure of personal data to a processor that processes the personal data on the controller’s behalf,
  • (b) Disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer
  • (c) Disclosure or transfer of personal data to an affiliate of the controller
  • (d) Disclosure of information or personal data that the consumer: (1a) intentionally made available to the general public through a mass media channel, and (1b) did not restrict to a specific audience, or (2) directs the controller to disclose or intentionally uses the controller to interact with a third party
  • (e) Disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets

Oklahoma’s Partial Privacy Laws

Oklahoma is protected by partial privacy regulation regarding data breach notifications:

Law Description
Security Breach Notification Act Entities that collect computerized personal data are required to encrypt the information and inform residents if their data is involved in a breach.

Pennsylvania’s Introduced Privacy Bills

Bill Description
Pennsylvania Consumer Data Privacy Act (House Bill 1201) The Consumer Data Privacy Act — officially House Bill 1201 — was introduced on May 19th and was also referred to the Committee on Commerce. It provides similar duties for controllers and processors of personal information, outlines consumer privacy rights, and imposes specific penalties, but differs in scope and specifics from House Bill 708.
Consumer Data Protection Act (House Bill 708) Introduced on March 27, 2023, House Bill 708, also called the Consumer Data Protection Act, was referred to the House Commerce Committee. It describes consumer protections and data privacy rights, obligations for processors and controllers, and outlines penalties for violating portions of the act.

Pennsylvania’s Partial Privacy Laws

Pennsylvania is also protected by the following privacy-related provisions:

Law Description
Breach of Personal Information Notification Act of 2005 Describes requirements entities must follow if they believe the personal data they store was breached or victim to a cyber attack.
Pennsylvania Wiretapping and Electronic Surveillance Control Act Prohibits individuals from wiretapping or intentionally intercepting wire, electronic, and oral conversations.
Privacy of Social Security Numbers Law Makes it so social security numbers are subject to a right of confidentiality in the state.
Title 18, Chapter 41, Section 4106.1 of the Pennsylvania Statutes Prohibits making and distributing devices designed to read and store internal memory data on a chip or magnetic strip.
Title 42 of the Pennsylvania Statutes Recognizes a private right of action against the disemmenation of an intimate image.
Title 18, Chapter 75 of the Pennsylvania Statutes Criminalizes invasions or violations of a person’s privacy.

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

Covered by Termly
Legislative Process  In Force
Effective Date  January 1, 2026
Pending Update 
Territorial Scope 
  • Applicable to for-profit entities that conduct business in Rhode Island or produce products or services that are targeted to Rhode Island residents
Organizational Exemptions 
  • Body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state
  • Nonprofit organization
  • Institution of higher education
  • National securities association that is registered under the Securities Exchange Act of 1934
  • Financial institution or data subject to Title V of the Gramm-Leach-Bliley Act
  • Covered entity or business associate as defined in the privacy regulations of HIPAA
Threshold  During the preceding calendar year, controlled or processed:

  • The personal data of 35,000 or more consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

  • The personal data of 10,000 or more consumers and derived more than 20% of gross revenue from the sale of personal data
Consumer Rights 
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, and profiling in furtherance of solely automated decision that produce a legal or similarly significant effects
  • Right to Portability
  • Right to Non-Discrimination
  • Right to Opt-in for processing of sensitive data
Consumers have the Right to Opt-Out of: 
  • Sale of personal data
  • Profiling in furtherance of solely automated decisions that produce a legal or similarly significant effects
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests 
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe 
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information 
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include 
  • “Personal data” does not include deidentified data or publicly available information.
Definition of Publicly Available Information 
  • “Publicly available information” means information that is lawfully made available through federal, state or municipal government records or widely distributed media, or a controller has a reasonable basis to believe a customer has lawfully made available to the general public.
Sensitive Information  “Sensitive data” means personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • The processing of genetic or biometric data for the purpose of uniquely identifying an individual
  • The personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include  N/A
Definition of Consumer / Data Subject / Individual / Customer 
  • “Customer” means an individual residing in this state acting in an individual or household context.
  • “Customer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.
Definition of Disclose  N/A
Definition of Share  N/A
Definition of Sell 
  • “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When “Sale of personal data” does not include:

  • (i) The disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  • (ii) The disclosure of personal data to a third party for purposes of providing a product or service requested by the customer;
  • (iii) The disclosure or transfer of personal data to an affiliate of the controller;
  • (iv) The disclosure of personal data where the customer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party
  • (iv) The disclosure of personal data that the customer intentionally made available to the general public via a channel of mass media; and did not restrict to a specific audience; or
  • (v) The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

Rhode Island’s Partial Privacy Laws

Some privacy-related legislation does exist in Rhode Island, including the following:

Law Description
Identity Theft Protection Act of 2015 Outlines some protections for personal information regarding the disclosure of breaches of security systems and requires the implementation of risk-based security programs to prevent such cybercrimes.
Consumer Empowerment and Identity Theft Prevention Act of 2006 Also provides protections for consumers regarding data breaches, giving consumers the right to place a security freeze on their credit reports.

Rhode Island’s Introduced Privacy Bills

Rhode Island has a few privacy bills that are now inactive:

Bill Description
House Bill 5745 First introduced on February 21, 2023, this bill describes requirements for controllers over how they process and use personal data. It was recommended to be held for further study.
Senate Bill 754 First introduced on March 23, 2023, this bill outlines guidelines for businesses to transparently disclose how they collect and use personally identifiable information. It was recommended to be held for further study.
House Bill 6263 First introduced on April 4, 2023, this bill requires entities to better inform consumers about what kind of personally identifiable information they share with other businesses. It was recommended to be held for further study.
House Bill 5354 First introduced on February 3, 2023, this bill describes opt-in and opt-out requirements for consumers concerning the collection and processing of personal data. It was recommended to be held for further study.

South Carolina’s Partial Privacy Laws

South Carolina has a few privacy-related regulations, including the following:

Law Description
South Carolina Freedom of Information Act Creates broad rights for public records held by public bodies in the state.
Personal Financial Security Act Makes committing financial identity fraud or theft by using personal information unlawful and establishes the specific criminal violations.
Physicians Patient Records Act Describes ownership of a patient’s medical records and how to release them.
The Insurance Data Security Act Requires all covered entities to maintain a security program and establish investigation and notification frameworks following a data breach.

South Dakota’s Partial Privacy Laws

South Dakota has a data breach notification law:

Law Description
Chapter 40, Title 22 of the South Dakota Codified Laws States that any information holder must inform an individual following the discovery of a data breach of any personal information.

Utah Consumer Privacy Act (UCPA)

Covered by Termly
Legislative Status In Force
Effective Date December 31, 2023
Pending Update
Territorial Scope
  • Any controller or processor who conducts business in Utah or produces a product or service that is targeted to consumers who are residents of Utah.
Organizational Exemptions
  • Government organizations
  • Third parties under contract with a government organization
  • Tribes
  • Higher education institutions
  • Non-profit organizations
  • Covered entities and business associates under HIPAA
  • Consumer reporting agencies
  • Air carriers
Threshold Any controller or processor who has annual revenue of $25,000,000 or more and satisfies one or more of the following thresholds:

  • Annually, controls or processes personal data of 100,000 or more consumers
  • Derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Delete
  • Right to Data Portability
  • Right to Opt Out of Processing of Personal information for purposes of Target Advertising or Sale of Personal information
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of:
  • Sale of personal dataTargeted Advertising (doesn’t include the data gathered from your website, form/ticket)
Timeframe to Respond to Data Subject Requests
  • 45 days with the possibility of a 45 day extension.
Appeal Timeframe N/A
Personal Information
  • Information that is linked or reasonably linkable to an identified individual or an identifiable individual.
Personal Information Does Not Include
  • “Personal data” does not include de-identified data, aggregated data, or publicly available information.
Definition of Publicly Available Information
  • Publicly available information” means information that a person (a) lawfully obtains from a record of a governmental entity (b) reasonably believes a consumer or widely distributed media has lawfully made available to the general public; or (c) if the consumer has not restricted the information to a specific audience, obtains from a person to whom the consumer disclosed the information.
Sensitive Information Sensitive data includes personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Sexual orientation
  • Citizenship or immigration status
  • Medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional
  • Genetic personal data
  • Biometric data, if the processing is for the purpose of identifying a specific individual
  • Specific geolocation data
Sensitive Information Does Not Include
  • “Sensitive data” does not include personal data that reveals an individual’s racial or ethnic origin when processed by a video communication service or certain medical data processed by licensed healthcare providers.
Definition of Consumer / Data Subject / Individual
  • An individual who is a resident of the state acting in an individual or household context.”Consumer” does not include an individual acting in an employment or commercial context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • The exchange of personal data for monetary consideration by a controller to a third party.
Sell Does Not Include When “Sale,” “sell,” or “sold” does not include:

  • (i) a controller’s disclosure of personal data to a processor who processes the personal data on behalf of the controller;
  • (ii) a controller’s disclosure of personal data to an affiliate of the controller
  • (iii) considering the context in which the consumer provided the personal data to the controller, a controller’s disclosure of personal data to a third party if the purpose is consistent with a consumer’s reasonable expectations
  • (iv) the disclosure or transfer of personal data when a consumer directs a controller to (A) disclose the personal data; or (B) interact with one or more third parties
  • (v) a consumer’s disclosure of personal data to a third party for the purpose of providing a product or service requested by the consumer or a parent or legal guardian of a child
  • (vi) the disclosure of information that the consumer (A) intentionally makes available to the general public via a channel of mass media; and (B) does not restrict to a specific audience
  • (vii) a controller’s transfer of personal data to a third party as an asset that is part of a proposed or actual merger, an acquisition, or a bankruptcy in which the third party assumes control of all or part of the controller’s assets

Utah’s Additional Privacy Laws

Utah also has a few additional privacy-related laws, including the following:

Law Description
Electronic Information Privacy Act Gives law enforcement agencies the right to obtain specific information from electronic devices for criminal investigative purposes without obtaining a search warrant.
Genetic Testing Privacy Act Prohibits employers and insurers from accessing and using genetic information about an individual and their blood relatives.
Genetic Information Privacy Act Requires genetic testing companies to obtain consumer consent before disclosing the data to an entity that offers health insurance, life insurance, or long-term care insurance, and to employers.
Utah E-Commerce Integrity Act Prohibits the copying of computer software on another computer knowingly if the software is used to collect personal information through deceptive means.
Utah Protection of Personal Information Act Requires the reasonable protection of personal information and outlines the notice requirements if a data breach occurs.

Vermont’s Introduced Privacy Bills

Bill Description
House Bill 121 Introduced on January 26, 2023, this bill describes guidelines relating to consumer privacy enhancements. It’s currently sitting in the House Committee on Commerce and Economic Development.

Vermont’s Partial Privacy Laws

Vermont is protected by other privacy-adjacent laws, including the following:

Law Description
Security Breach Notice Act Vermont’s data breach notification law states that data collectors must inform individuals if a security breach occurs and if their personal data has been compromised.
Document Safe Destruction Act Businesses are required to take reasonable steps to destroy personal data about consumers that they no longer need to retain.

Vermont’s Inactive Privacy Bills

Vermont has a few privacy bills that are now inactive:

Bill Description
Senate Bill 49 First read on January 1, 2023, currently sitting in the Senate Committee on Economic Development, Housing, and General Affairs. This bill describes requirements for protecting genetic confirmation privacy and consumer health.
House Bill 116 First read on January 26, 2023, currently sitting in the House Committee on General and Housing. This act relates to employment protections and standards.
House Bill 343 First read on February 22, 2023, currently sitting in the House Committee on Commerce and Economic Development. This act also describes details about protecting genetic data and consumer health information.
House Bill 159 First read on February 1, 2023, currently sitting in the House Committee on Commerce and Economic Development. This act describes privacy as it relates to broadband internet access services.
Senate Bill 129 First read on March 15, 2023, currently sitting in the Senate Committee on Economic Development, Housing, and General Affairs. This act describes provisions relating to protecting employees.

Washington’s Introduced Privacy Bills

Bill Description
House Bill 1616 Introduced on January 25, 2023, this bill grants rights to Washington consumers and outlines penalties for data controllers who breach those rights. It was referred to the Civil Rights & Judiciary Committee.
Senate Bill 5643 Introduced on January 31, 2023, this bill describes the People’s Privacy Act, granting rights to Washington residents regarding how their personal data gets collected, processed, and used. It was referred to the Environment, Energy, & Technology Committee.

Washington’s Partial Privacy Laws

Washington is protected by other privacy-adjacent laws, including the following:

Law Description
Data Breach Notification Law Entered into effect in 2020 and requires entities to notify affected individuals about a breach if it impacts more than 500 individuals.
House Bill 4607 Passed in 2022 and recognized January 28 as ‘digital privacy day’ to encourage Washington residents to take steps to protect their personal information.
The Privacy Act Recognizes a right to privacy for residents of the state.

Washington’s Inactive Privacy Bills

Washington has a few privacy bills that are now inactive:

Bill Description
Senate Bill 5062 Made it through to a third reading until it died during the 2022 Regular Session on February 24th.

Wisconsin’s Introduced Privacy Bills

Bill Description
Assembly Bill 466 Introduced on October 5, 2023, this bill establishes requirements for controllers and processors of personal data and gives rights to Wisconsin residents. On November 9, 2023, it was recommended for passage as amended by the Committee on Consumer Protection.

Wisconsin’s Partial Privacy Laws

Wisconsin is protected by a few privacy-related regulations, including the following:

Law Description
Wisconsin’s Data Breach Legislation Gives companies 45 days maximum to notify affected individuals when a data breach occurs.
Wisconsin’s Insurance Data Security Law Creates state standards for licensed insurance entities regarding data breaches specific to their industry.

Wyoming’s Partial Privacy Laws

Wyoming does have a few privacy-related laws that give partial protections to residents, including the following:

Law Description
Wyoming Genetic Data Privacy Act Gives consumers rights over their genetic information and outlines obligations for genetic testing companies, like posting a privacy policy.
Wyoming Consumer Protection Act Prevents businesses from taking unfair advantage of consumers in the state.
Wyoming Data Breach Notification Law Outlines guidelines and notification requirements entities must follow if a data breach occurs.

Alabama Alabama
Dedicated Data Privacy Laws (Signed)

arrow

Alaska Alaska
Partial Privacy Laws

arrow

Arizona Arizona
Partial Privacy Laws

arrow

Arkansas Arkansas
Partial Privacy Laws

arrow

California California
Data Privacy Laws in Force

arrow

Colorado Colorado
Data Privacy Law in Force

arrow

Connecticut Connecticut
Data Privacy Law in Force

arrow

Delaware Delaware
Signed Data Privacy Law

arrow

Florida Florida
Data Privacy Laws in Force

arrow

Georgia Georgia
Partial Privacy Laws

arrow

Hawaii Hawaii
Introduced Data Privacy Law

arrow

Idaho Idaho
Partial Privacy Laws

arrow

Illinois Illinois
Partial Privacy Laws

arrow

Indiana Indiana
Data Privacy Laws in Force

arrow

Iowa Iowa
Signed Data Privacy Law

arrow

Kansas Kansas
Partial Privacy Laws

arrow

Kentucky Kentucky
Data Privacy Laws in Force

arrow

Louisiana Louisiana
Introduced Data Privacy Law

arrow

Maine Maine
Introduced Data Privacy Law

arrow

Maryland Maryland
Data Privacy Laws in Force

arrow

Massachusetts Massachusetts
Introduced Data Privacy Law

arrow

Michigan Michigan
Partial Privacy Laws

arrow

Minnesota Minnesota
Data Privacy Laws in Force

arrow

Mississippi Mississippi
Partial Privacy Laws

arrow

Missouri Missouri
Introduced Data Privacy Law

arrow

Montana Montana
Signed Data Privacy Law

arrow

Nebraska Nebraska
Dedicated Data Privacy Laws (Signed)

arrow

Nevada Nevada
Partial Privacy Laws

arrow

New Hampshire New Hampshire
Signed Data Privacy Law

arrow

New Jersey New Jersey
Data Privacy Laws in Force

arrow

New Mexico New Mexico
Partial Privacy Laws

arrow

New York New York
Introduced Data Privacy Law

arrow

North Carolina North Carolina
Introduced Data Privacy Law

arrow

North Dakota North Dakota
Partial Privacy Laws

arrow

Ohio Ohio
Partial Privacy Laws

arrow

Oklahoma Oklahoma
Dedicated Data Privacy Laws (Signed)

arrow

Oregon Oregon
Data Privacy Laws in Force

arrow

Pennsylvania Pennsylvania
Introduced Data Privacy Law

arrow

Rhode Island Rhode Island
Data Privacy Laws in Force

arrow

South Carolina South Carolina
Partial Privacy Laws

arrow

South Dakota South Dakota
Partial Privacy Laws

arrow

Tennessee Tennessee
Data Privacy Laws in Force

arrow

Texas Texas
Data Privacy Laws in Force

arrow

Utah Utah
Signed Data Privacy Law

arrow

Vermont Vermont
Introduced Data Privacy Law

arrow

Virginia Virginia
Data Privacy Laws in Force

arrow

Washington Washington
Introduced Data Privacy Law

arrow

West Virginia West Virginia
Introduced Data Privacy Law

arrow

Wisconsin Wisconsin
Introduced Data Privacy Law

arrow

Wyoming Wyoming
Partial Privacy Laws

arrow

Washington D.C. Washington D.C.
Partial Privacy Laws

arrow

Alabama Personal Data Protection Act

Covered by Termly
  • Coming soon
Legislative Process  Signed
Effective Date  May 1, 2027
Pending Update 
Territorial Scope 
  • Persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state
Organizational Exemptions 
  • A political subdivision of the state
  • Any board, authority, district, or public corporation organized to manage local services and infrastructure
  • A two-year or four-year institution of higher education, including affiliates of a two-year or four-year institution of higher education
  • National securities associations
  • A financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with Title V of the GLBA
  • HIPAA covered entities
  • A business with fewer than 500 employees, provided the business does not engage in the sale of personal data
  • A nonprofit entity with less than 100 employees, provided the entity does not engage in the sale of personal data
  • Any entity involved in the securities industry, including broker-dealers
  • Licensed money transmitters
  • Any trade association explicitly authorized to receive documents or evidence
  • A political action committee, political party, or principal campaign committee, or any political organization
  • A business entity that sells data primarily to a political action committee, political party, or principal campaign committee, or any political organization
  • An electric provider that is subject to the requirements or reliability standards of the North American Electric Reliability Corporation
Threshold  During a calendar year:

  • Control or process the personal data of more than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transactionOR
  • Derive more than 25% of gross revenue from the sale of personal data, regardless of the number of consumers whose data the person controls or processes”
Consumer Rights 
  • Right to Know if a controller, or a processor or third party acting on a controller’s behalf, is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, and profiling in futherance of solely automated significant decisions concerning the consumer
  • Right to Portability
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of: 
  • Targeted Advertising
  • Sale of personal data
  • Profiling in furtherance of solely automated significant decisions concerning the consumer
Timeframe to Respond to Data Subject Requests 
  • Within 45 days with the possibility of a 45 day extension.
Appeal Timeframe 
  • N/A
Personal Information 
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include 
  • “Personal data” does not include deidentified data or publicly available information.
Definition of Publicly Available Information 
  • “Publicly available information” means either of the following:
  • A.) Information that is lawfully made available through federal, state, or local government records or widely distributed media.
  • B.) Information that a controller has a reasonable basis to believe a consumer has lawfully made available to the public.
Sensitive Information  “Sensitive data” means personal data that includes data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data for the purpose of uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data
  • Specific geolocation data (GPS)
Sensitive Information Does Not Include  N/A
Definition of Consumer / Data Subject / Individual / Customer 
  • “Consumer” means an individual who is a resident of this state.
  • The term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.
Definition of Disclose  N/A
Definition of Share  N/A
Definition of Sell 
  • “Sale of personal data” means the exchange of personal data for monetary consideration by a controller to a third party, or for other valuable consideration by a controller to a third party where the controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data.
Sell Does Not Include When The term does not include any of the following:

  • a. The disclosure of personal data to a processor that processes the personal data on behalf of the controller.
  • b. The disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer.
  • c. The disclosure or transfer of personal data to an affiliate of the controller.
  • d. The disclosure of personal data in which the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party.
  • e. The disclosure of personal data that the consumer intentionally made available to the public via a channel of mass media and did not restrict to a specific audience.
  • f. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
  • g. The disclosure or transfer of personal data to a third party for the purposes of providing analytics services.
  • h. The disclosure or transfer of personal data to a third party for the purposes of providing marketing services solely to the controller.

Alabama’s Partial Privacy Laws

Alabama residents are protected by other pieces of data privacy-related legislation, including the following:

Law Effective Since Description
Alabama Data Breach Notification Act of 2018 June 1, 2018 If an entity believes sensitive personal information was accessed without authorization and may cause harm, the entity must notify affected individuals as soon as possible and no later than 45 days.

Alabama was the 50th state to enact this type of breach notification law.
Alabama Insurance Data Security Law May 1, 2019 Covered entities licensed by the Alabama Department of Insurance must develop, implement, and maintain an information security program regarding the scope of its activities and the sensitivity of the non-public information in its possession, custody, or control.
Alabama Right of Publicity Act 2019 Officially Article 39 of the Alabama Code, this act explains what rights individuals have to remain out of the public eye while living and for 55 years after their passing.

Alaska’s Partial Privacy Laws

Alaska has a privacy-related law that protects residents of the state if a cyber breach occurs:

Law Effective Since Description
Alaska’s Personal Information Protection Act July 1, 2009 It requires businesses to “expeditiously” notify users of a data breach concerning personal information, mandates that personal data must be disposed of after it’s been used for its intended purposes, and gives the ability to place a security freeze on consumer credit reports.

Arizona’s Partial Privacy Laws

Arizona has passed a data breach notification law:

Law Effective Since Description
Arizona Revised Statutes, Title 18. Information Technology. Chapter 4. Article 5. Section 18-552 2006, Last amended: March 29, 2022 Entities must notify anyone impacted by a data breach within 45 of determining the breach occurred, and follow clear guidelines for disposing of the data once the purpose for collecting it has been achieved.

Arkansas’s Partial Privacy Laws

Arizona is protected by a data breach notification law:

Law Effective Since Description
Arkansas Personal Information Protection Act August 2019 This law requires entities to destroy personal information once their purpose for using it is complete. It also requires those entities to provide adequate safeguards to keep the information safe, and to disclose certain security breaches.

California Consumer Privacy Act (CCPA)

Covered by Termly
Legislative Status In Force
Effective Date January 1, 2020
Pending Update
Territorial Scope
  • For-profit businesses that collect personal information from California residents, determines the purposes in California.
Organizational Exemptions
  • Pubic sector organizations in CaliforniaNon-profit organizations
Threshold
  • Gross annual revenue of over $25 million

OR

  • Buying, receiving, or selling the personal information of 50,000 or more California residents, households, or devices annually

OR

  • Deriving 50% or more of their annual revenue from selling California residents’ personal information.
Consumer Rights
  • Right to Know what personal information is collected
  • Right to Know if personal information is shared or sold and to whom
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Opt Out of Share or Sale
  • Right to Non-Discrimination
  • Right to Limit Use and Disclosure of Sensitive Personal Information
  • Right to No Retaliation for Following Opt Out or Exercise of Other Rights
Consumers have the Right to Opt-Out of:
  • Sale of personal information
Timeframe to Respond to Data Subject Requests
  • 45 days with the possibility of a 45 day extension.
Appeal Timeframe N/A
Personal Information
  • Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Personal Information Does Not Include
  • Does not include publicly available information.
  • Does not include consumer information that is de-identified or aggregate consumer information.
Definition of Publicly Available Information
  • “Publicly available” means information that is lawfully made available from federal, state, or local government records.
  • “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.
Sensitive Information N/A
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • A natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations . . ., however identified, including by any unique identifier.
  • A California resident is any individual who is:
    • In the state of California for other than a temporary or transitory purpose or
    • Domiciled in the state of California and is outside of the state for a temporary or transitory purpose
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
Sell Does Not Include When A business does not sell personal information when:

  • A consumer uses or directs the business to intentionally (i) Disclose personal information (ii) Interact with one or more third parties.
  • The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information or limited the use of the consumer’s sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sale of the consumer’s personal information or limited the use of the consumer’s sensitive personal information.
  • The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business.

California Privacy Rights Act (CPRA)

Covered by Termly
Legislative Status In Force
Effective Date January 1, 2023
Pending Update
Territorial Scope
  • For-profit businesses that collect personal information from California residents, determines the purposes in California.
Organizational Exemptions
  • Pubic sector organizations in CaliforniaNon-profit organizations
Threshold
  • Gross annual revenue of over $25 million

OR

  • Buying, selling, or sharing the personal information of 100,000 or more California residents or households annually

OR

  • Deriving 50% or more of their annual revenue from selling or sharing California residents’ personal information.
Consumer Rights
  • Right to Know what personal information is collected, shared, or sold
  • Right to Know to whom personal information is shared or sold to
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Opt Out of Share or Sale
  • Right to Non-Discrimination
  • Right to Limit Use and Disclosure of Sensitive Personal Information
  • Right to No Retaliation Following Opt Out or Exercise of Other Rights
Consumers have the Right to Opt-Out of:
  • Sale of personal information
  • Sharing of personal information for behavioral advertising
  • Consumers can also limit the use and disclosure of their sensitive personal information
Timeframe to Respond to Data Subject Requests
  • Same as CCPA
Appeal Timeframe N/A
Personal Information
  • Same as CCPA
Personal Information Does Not Include
  • Same as CCPA
Definition of Publicly Available Information
  • Same as CCPA
Sensitive Information Sensitive data means personal data that includes data revealing:

  • Social security, driver’s license, passport, state ID card numbers
  • Account log-in
  • Financial account combined with any required security or access code, password, or credentials allowing access to an account
  • Debit card or credit card number combined with any required security or access code, password, or credentials
  • A consumer’s exact geolocation
  • Racial origin, religious beliefs, or union membership
  • A consumer’s mail, email, or text message content unless the information was intentionally sent to the business
  • Genetic data
  • Biometric data
  • Health data
  • Sexual orientation data
Sensitive Information Does Not Include
  • Sensitive personal information that is “publicly available” shall not be considered sensitive personal information.
Definition of Consumer / Data Subject / Individual
  • Same as CCPA
Definition of Disclose N/A
Definition of Share
  • Sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
Definition of Sell
  • Same as CCPA
Sell Does Not Include When
  • Same as CCPA

California Online Privacy Protection Act (CalOPPA)

Covered by Termly
Legislative Status In Force
Effective Date July 4, 2004
Pending Update
Territorial Scope
  • An operator of a commercial website or online service that collects personally identifiable information through the internet about individual consumers residing in California who use or visit its commercial website or online service.
Organizational Exemptions
  • Any third party that operates, hosts, or manages, but does not own, a website or online service on the owner’s behalf or by processing information on behalf of the owner
Threshold N/A
Consumer Rights
  • Right to Know what personal information is collected
  • Right to Correct
Consumers have the Right to Opt-Out of:
  • Tracking by websites
Timeframe to Respond to Data Subject Requests N/A
Appeal Timeframe N/A
Personal Information
  • Individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form.
Personal Information Does Not Include N/A
Definition of Publicly Available Information N/A
Sensitive Information N/A
Sensitive Information Does Not Include
Definition of Consumer / Data Subject / Individual
  • Any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell N/A
Sell Does Not Include When N/A

California’s Additional Privacy Laws

California is also protected by the following privacy-related laws:

Law Description
Shine the Light Law Outlines requirements for entities who share personal data with third parties who will use the information for direct marketing purposes.
California Invasion of Privacy Act (CIPA) Provides protections for individuals using landline or mobile telephones.
Confidentiality of Medical Information Act (CMIA) Outlines requirements for the confidentiality of medical records and information.
Patient Access to Health Records Act (PAHRA) Describes consumer rights over accessing their health and medical records.
California Financial Information Privacy Act (CALFIPA) Outlines restrictions and bans regarding selling or sharing financial consumer data without obtaining consent.
California Labor Code Outlines protections and requirements regarding employee data.
Privacy Rights for California Minors in the Digital World Act (Eraser Law) Protects the data of known minors in California, allowing them the right to “be forgotten.”

Colorado Privacy Act (CPA)

Covered by Termly
Legislative Status In Force
Effective Date July 1, 2023
Pending Update
Territorial Scope
  • Any data controller that conducts business in Colorado or data controllers that produce or deliver commercial products or services intentionally targeted to residents of Colorado.
Organizational Exemptions
  • Airlines
  • Public utilities
  • Organizations that process data for Colorado Health Insurance laws
  • State government organizations
  • Consumer reporting agencies
  • Higher education institutions
Threshold
  • Processing or controlling the personal data of at least 100,000 consumers annually

OR

  • Processing or controlling the personal data of 25,000 consumers or more and deriving revenue or receive discount on the price of goods or services from the sale of personal data.
Consumer Rights
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Opt Out of Targeted Advertising, Profiling via a Universal Opt Out Mechanism, or Sale of Personal information
  • Right to Appeal
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 45 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • Information that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include
  • “Personal data” does not include de-identified data or publicly available information.
Definition of Publicly Available Information
  • “Publicly available information” means information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.
Sensitive Information Sensitive data includes personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sex life or sexual orientation
  • Citizenship status
  • Genetic or biometric data
  • Personal data from a known child
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • An individual who is a Colorado resident acting only in an individual or household context.
  • “Consumer” does not include and individual acting in a commerical or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • The exchange of personal data for monetary or other valuable consideration by a controller to a third party.
Sell Does Not Include When “Sale,” “sell,” or “sold” does not inlude the following:

  • (I) The disclosure of personal data to a processor that processes the personal data on behalf of a controller
  • (II) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer
  • (III) The disclosure or transfer of personal data to an affiliate of the controller
  • (IV) The disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets
  • (V) The disclosure of personal data (a) that a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party or (b) intentionally made available by a consumer to the general public via a channel of mass media.

Colorado’s Additional Privacy Laws

Colorado is also protected by the following privacy-related laws:

Law Description
Colorado Consumer Protection Act (CCPA) This applies to businesses that collect personal information and outlines guidelines regarding data breach notifications and the implementation of necessary protections.
Colorado’s Spam Reduction Act This law makes sending certain spam emails a deceptive trade practice.

Connecticut Data Privacy Act (CTDPA)

Covered by Termly
Legislative Status In Force
Effective Date July 1, 2023
Pending Update
Territorial Scope
  • Persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state
Organizational Exemptions
  • Connecticut state agencies
  • Non-profit organizations
  • Higher education institutions
  • Certain national securities associations
  • Financial institutions subject to GLBA
  • “Covered entities” or “business associates” as defined under HIPAA
Threshold
  • Controlled or processed the personal data of 35,000 or more consumers annually, excluding personal data controlled or processed
    solely for the purpose of completing a payment transaction

    OR

  • Control or process consumers’ sensitive data, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

    OR

  • Offer consumers’ personal data for sale in trade or commerce
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Opt Out of Targeted Advertising, Sale of Personal information, or Automated Profiling
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • Information that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include
  • “Personal data” does not include de-identified data or publicly available information.
Definition of Publicly Available Information “Publicly available information” means information that:

  • (A) is lawfully made available through federal, state or municipal government records or widely distributed media, and
  • (B) a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.
Sensitive Information Sensitive data means personal data that includes data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data for the purpose of uniquely identifying an individual
  • Personal data from a known child
  • Specific geolocation data (GPS)
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • An individual who is a resident of Connecticut
  • “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • The exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When “Sale of personal data” does not include:

  • (A) the disclosure of personal data to a processor that processes the personal data on behalf of the controller
  • (B) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer,
  • (C) the disclosure or transfer of personal data to an affiliate of the controller
  • (D) the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses Substitute Senate Bill No. 6 Public Act No. 22-15 6 of 27 the controller to interact with a third party
  • (E) the disclosure of personal data that the consumer (i) intentionally made available to the general public via a channel of mass media, and (ii) did not restrict to a specific audience
  • (F) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller’s assets

Connecticut’s Additional Privacy Laws

Connecticut is also protected by several privacy-related laws, including the following:

Law Description
Data Breach Notification Law; found in Chapter 669 of the General Statutes of Connecticut States that anyone collecting personal information must disclose a security breach to the Office of the Attorney General and say which residents were impacted.
Protection of Social Security Numbers and Personal Information; found in Chapter 743dd of the Statutes It prevents publicly displaying another person’s social security number or requiring it as a way to access an internet website, among other restrictions.
Employee Regulation; found in Chapter 5576 of the Statutes Describes notification requirements for businesses that track or monitor their employees.

Delaware Personal Data Privacy Act

Covered by Termly
Legislative Status Signed
Effective Date January 1, 2025
Pending Update
Territorial Scope
  • Persons that conduct business in the Delaware or persons that produce products or services that are targeted to residents of the Delaware
Organizational Exemptions
  • Delaware state agenciesNon-profit organizations dedicated exclusively to preventing and addressing insurance crime
  • Certain national securities associations
  • Financial institutions subject to GLBA
Threshold
  • During the preceding calendar year:Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

  • Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal informationRight to Access
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Obtain a List of Categories of Third Partes to which the controller disclosed the personal information
  • Right to Opt Out of Targeted Advertising, Sale of Personal information, or Automated Profiling
  • Right to Appeal
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.The controller must provide the consumer with a means to refer his or her concerns to the Departement of Justice.
Personal Information
  • Information that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include
  • “Personal data” does not include de-identified data or publicly available information.
Definition of Publicly Available Information “Publicly available information” means any of the following:

  • a. Information that is lawfully made available through federal, state, or local government records.
  • b. Information that a controller has a reasonable basis to believe that the consumer has lawfully made available to the general public through widely distributed media.
Sensitive Information “Sensitive data” means personal data that includes any of the following data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis (including pregnancy)
  • Sex life, sexual orientation, status as transgender or nonbinary
  • Citizenship or immigration status
  • Genetic or biometric data
  • Personal data of a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means an individual who is a resident of this State.
  • “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or government agency.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • The exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When “Sale of personal data” does not include any of the following:

  • a. The disclosure of personal data to a processor that processes the personal data on behalf of the controller where limited to the purpose of such processing.
  • b. The disclosure of personal data to a third party for purposes of providing a product or service affirmatively requested by the consumer.
  • c. The disclosure or transfer of personal data to an affiliate of the controller.
  • d. The disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party.
  • e. The disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience.
  • f. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller’s assets, or a proposed merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller’s assets.

Delaware’s Additional Privacy Laws

Delaware is also protected by a few privacy-related laws, which include the following:

Law Description
Delaware Online Privacy Protection Act (DOPPA) Describes guidelines for websites or online and cloud computing services directed at children.
Student Data Privacy Protection Act (SDPPA) Provides protection for student personal data in the state.
Title 6 of the Delaware Code The data breach notification law and requires entities to notify residents if their data is part of a possible breach within 60 days of the incident.

Florida Digital Bill of Rights (FDBR)

Covered by Termly
Legislative Status In Force
Effective Date July 1, 2024
Pending Update
Territorial Scope
  • Persons that conduct business in Florida or produce products or services that are targeted to residents of Florida
Organizational Exemptions
  • State agency or a political subdivision of the state
  • Financial institution or data subject to Title V of the GLBA
  • Covered entity or business associate governed by the HIPAA
  • Non-profit organization
  • Postsecondary education institution
Threshold Makes in excess of $1 billion in global gross annual revenues AND satisfies at least one of the following:

  • Derives 50% or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online
  • Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation
  • Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of a decision that produces a legal or similarly significant effect, the collection of sensitive data (including precise geolocation data), the processing of sensitive data, or the collection of personal data collected through the operation of a voice recognition or facial recognition feature
  • Right to Portability
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Targeted Advertising
  • Collection of sensitive data (including precise geolocation data) or the processing of sensitive data
  • Collection of personal data collected through the operation of a voice recognition or facial recognition feature
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 15 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
Personal Information
  • Information that is linked or reasonably linkable to an identified or identifiable child, including biometric information and unique identifiers to the child.
Personal Information Does Not Include
  • The term does not include de-identified data or publicly available information.
Definition of Publicly Available Information
  • Information lawfully made available through government records, or information that a business has a reasonable basis for believing is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
Sensitive Information Sensitive data means a category of personal data which includes any of the following:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data processed for the purpose of uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means an individual who is a resident of or is domiciled in this state acting only in an individual or household context.
  • The term does not include an individual acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When The term does not include any of the following:

  • (a) The disclosure of personal data to a processor who processes the personal data on the controller’s behalf.
  • (b) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer.
  • (c) The disclosure of information that the consumer:
    • 1. Intentionally made available to the general public through a mass media channel; and
    • 2. Did not restrict to a specific audience.
  • (d) The disclosure or transfer of personal data to a third party as an asset that is part of a merger or an acquisition.

Florida’s Additional Privacy Laws

Additionally, Florida has data breach notification requirements:

Law Description
Chapter 501, Title 33 of the Florida Statutes Entities must notify the Department of Legal Affairs if a breach occurs impacting 500 or more consumers

Georgia’s Partial Privacy Laws

Georgia has some partial privacy-related legislation in place.

Law Description
Personal Identity Protection Act (PIPA) Requires anyone storing personal data to notify individuals if a data breach occurs.
Georgia Open Records Act Part of the Georgia Code, makes all public records available to the public and can be copied by any person.
Student Data Privacy, Accessibility, and Transparency Act (SDPAT) Outlines restrictions for accessing and processing student data in the state.

Georgia’s Inactive Privacy Bills

Georgia has a few privacy bills that are now inactive:

Bill Description
Georgia Data Privacy Act (House Bill 798) Introduced on March 23, 2023, this Georgia bill — officially House Bill 798 — outlined opt-out rights for state residents but died after its second reading.

Hawaii’s Introduced Privacy Bills

Hawaii has a few privacy bills that are now inactive:

Bill Description
Senate Bill 974 Introduced on January 20, 2023, this bill establishes regulations for controllers and processors regarding data processing and makes a new consumer privacy special fund. It was referred to the House Economic Development Committee on March 9, 2023.
House Bill 1497 & its companion bill, Senate Bill 1110 These two companion bills were introduced on January 20, 2023, and they outline a framework to regulate how controllers and processors access and use personal data, allowing for a private right of action. Both were referred to the House Consumer Protection & Commerce Committee on February 6, 2023.

Hawaii’s Partial Privacy Laws

Hawaii has a few privacy-related regulations:

Law Description
Security Breach of Personal Information; found in Chapter 487N of Hawaii’s Revised Statutes Requires notification of any data to be made without unreasonable delay.
Destruction of Personal Information Records; found in Chapter 487R of Hawaii’s Revised Statutes Requires entities conducting business in Hawaii who collect personal information to dispose of it and take measures to protect it from unauthorized access.
Uniform Employee and Student Online Privacy Protection Act Outlines restrictions on requesting students to give consent to accessing their personal accounts.

Idaho’s Partial Privacy Laws

Idaho does have a data breach notification law in place.

Law Description
Found in Title 28, Chapter  51 of the Idaho Statutes Describes notification requirements when a data breach occurs, and applies to individuals and businesses.

Illinois’ Partial Privacy Laws

Illinois has some partial privacy regulations that can be found in the Illinois Compiled Statutes, including the following:

Law Description
Chapter 815, Personal Information Protection Act Requires entities to notify individuals and/or the attorney general about data breaches.
Chapter 740, Biometric Information Privacy Act Prohibits entities from collecting biometric information from individuals unless they meet specific requirements.

Illinois Inactive Privacy Bills

Illinois has a privacy bill that is now inactive:

Bill Description
House Bill 3385 Titled the Illinois Data Privacy and Protection Act. It was introduced on February 17, 2023, and made it to the House Rules Committee in March before all movement stopped.

Indiana Consumer Data Protection Act (Indiana CDPA)

Covered by Termly
Legislative Status In Force
Effective Date January 1, 2026
Pending Update
Territorial Scope
  • Applies to a person that conducts business in Indiana or produces products or services that are targeted to consumers who are residents of Indiana.
Organizational Exemptions
  • State or government organizations.
  • Third parties under contract with a state or government organization, when acting on behalf of the entity.
  • Financial institutions and affiliates, or data subject to GLBA
  • Any covered entity or business associate governed by HIPAA.
  • Any nonprofit organization.
  • Any institution of higher education.
  • Any public utility or service company affiliated with a public utility.
Threshold During a calendar year:

  • Controls or processes personal data of at least 100,000 Indiana residents

OR

  • Controls or processes personal data of at least 25,000 Indiana residents and derives more than 50% of gross revenue from the sale of personal data.
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, profiling, or automated decision making
  • Right to Portability
  • Right to Non-Discrimination
  • Right to Opt-in for processing of sensitive data
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling
  • Targeted Advertising
  • Automated decision making
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 45 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • Personal data meansinformation that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include The term does not include:

  • (1) de-identified data;
  • (2) aggregate data; or
  • (3) publicly available information
Definition of Publicly Available Information “Publicly available information” means information:

  • (1) that is lawfully made available through federal, state, or local government records; or
  • (2) that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media; by the consumer to whom the information pertains; or by a person to whom the consumer has disclosed the information
Sensitive Information “Sensitive data” means personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis made by a healthcare provider
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual “Consumer” means an individual who:

  • (1) is a resident of Indiana; and
  • (2) is acting only for a personal, family, or household purpose

The term does not include an individual acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the exchange of personal data for monetary consideration by a controller to a third party.
Sell Does Not Include When The term does not include:

  • (1) the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  • (2) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer; or the parent of a child
  • (3) the disclosure or transfer of personal data to an affiliate of the controller;
  • (4) the disclosure of information that the consumer intentionally made available to the general public and did not restrict to a specific audience; or
  • (5) the disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy

Indiana’s Introduced Privacy Bills

Bill Description
House Bill 1554 Indiana lawmakers introduced House Bill 1554 on January 19, 2023. It will establish a new article concerning consumer data protection in the Indiana Code if it passes.

Indiana’s Additional Privacy Laws

Indiana has other pieces of data privacy-related legislation, including the following:

Law Description
Article 4.9; found in the Constitution of the State of Indiana Describes data breach notification requirements.

Iowa Consumer Data Protection Act (Iowa CDPA)

Covered by Termly
Legislative Status Signed
Effective Date January 1, 2025
Pending Update
Territorial Scope
  • Applicable to persons that conduct business in Iowa or produce products or services that are targeted to Iowa residents
Organizational Exemptions
  • State or government organizations.
  • Financial institutions and affiliates, or data subject to GLBA
  • Any covered entity or business associate governed by HIPAA.
  • Any nonprofit organization.
  • Any institution of higher education.
Threshold During a calendar year:

  • Controls or processes personal data of at least 100,000 consumers.

OR

  • Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Delete
  • Right to Opt Out sale of personal data
  • Right to Portability
Consumers have the Right to Opt-Out of:
  • Sale of personal data
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person.
Personal Information Does Not Include
  • “Personal data” does not include de-identified or aggregate data or publicly available information.
Definition of Publicly Available Information “Publicly available information” means information:

  • (1) that is lawfully made available through federal, state, or local government records; or
  • (2) that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media; by the consumer to whom the information pertains; or by a person to whom the consumer has disclosed the information;
Sensitive Information “Sensitive data” means personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis made by a healthcare provider
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual “Consumer” means an individual who:

  • (1) is a resident of Indiana; and
  • (2) is acting only for a personal,family, or householdpurpose.

The term does not include an individual acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the exchange of personal data for monetary consideration by a controller to a third party.
Sell Does Not Include When The term does not include:

  • (1) the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  • (2) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer; or the parent of a child
  • (3) the disclosure or transfer of personal data to an affiliate of the controller;
  • (4) the disclosure of information that the consumer intentionally made available to the general public and did not restrict to a specific audience; or
  • (5) the disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy

Iowa’s Additional Privacy Laws

Parts of the Iowa Code feature some privacy-related legislation, particularly in Title XVI:

Law Description
Personal Information Security Breach Protection Describes personal data breach notification requirements applicable whenever a breach occurs that impacts more than 500 individuals.

Kansas’ Partial Privacy Laws

There are partial privacy regulations in place in the Kansas Statutes, mostly located in Chapter 50, which focuses on consumer protections, including the following:

Law Description
The Data Breach Requirements Act Describes how entities must respond when a data breach occurs and outlines how to notify the appropriate parties.
Consumer Protection Act Protects consumers from entities committing deceptive or unconscionable practices.

Kentucky Consumer Data Protection Act (KCDPA)

Covered by Termly
Legislative Process In Force
Effective Date January 1, 2026
Pending Update
Territorial Scope
  • Applicable to persons that conduct business in Kentucky or produce products or services that are targeted to residents of Kentucky
Organizational Exemptions
  • City, state agency, or any political subdivision of the state
  • Financial institutions and affiliates, or data subject to GLBA
  • Any covered entity or business associate governed by HIPAA
  • Any nonprofit organization
  • Any institution of higher education
  • Certain insurance fraud-related organizations
  • Small telephone utility, a Tier III CMRS provider, or a municipally owned utility that does not sell or share personal data with any third-party processor
Threshold During a calendar year:

  • Controls or processes personal data of at least 100,000 consumers.

OR

  • Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
  • Right to Portability
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person.
Personal Information Does Not Include
  • Personal data does not include de-identified data or publicly available information.
Definition of Publicly Available Information
  • “Publicly available information” means information that lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience
Sensitive Information “Sensitive data” means a category of personal data that includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means a natural person who is a resident of the Commonwealth of Kentucky acting only in an individual context.
  • Consumer does not include a natural person acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party.
Sell Does Not Include When Sale of personal data does not include:

  • (a) The disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  • (b) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • (c) The disclosure or transfer of personal data to an affiliate of the controller;
  • (d) The disclosure of information that the consumer:
    • 1. Intentionally made available to the general public via a channel of mass media; and
    • 2. Did not restrict to a specific audience; or
  • (e) The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets

Kentucky’s Partial Privacy Laws

Kentucky has a few laws in place that provide partial privacy protections to residents of the state, including the following:

Law Description
Chapter 365, Part 365.732 of the Kentucky Revised Statutes Describes the data breach notification requirements in the state.
The Genetic Information Privacy Act Entered into action on June 1, 2022, and gives consumers control over how their genetic materials are collected, used, and disclosed by external entities.
The Insurance Data Security Act Requires insurance carriers to provide protection for consumer data and conduct a risk assessment, among other requirements.

Kentucky’s Inactive Privacy Bills

Bill Description
House Bill 301 Introduced on February 15, 2023, this bill would create consumer rights relating to personal data, including access, deletion, and portability. It died in the House Small Business & Information Technology Committee on February 17, 2023.
Senate Bill 15 Introduced on January 3, 2023, this bill would establish consumer rights over the processing of their data and require controllers to follow through on such requests. It died after being returned to the Committee on Committees (H) on March 16, 2023.

Louisiana’s Introduced Privacy Bills

Bill Description
Louisiana Consumer Privacy Act (Senate Bill 199) Lawmakers introduced this bill to establish the Louisiana Consumer Privacy Act on March 31, 2023. It would develop relative protections for the data of residents of the state. It was referred to the Committee on Commerce, Consumer Protection, and International Affairs on April 10, 2023.

Louisiana’s Partial Privacy Laws

Louisiana is protected by a data breach notification law:

Law Description
Data Security Breach Notification Act Applies to anyone who owns data from Louisiana residents and requires them to notify individuals if their information is accessed without authorization.

Maine’s Introduced Privacy Bills

Bill Description
Data Privacy and Protection Act (House Legislative Document 1977) Introduced on May 23, 2023, this bill outlines requirements for controllers, data brokers, and small businesses regarding the processing of personal data of Maine residents. It was referred to the Committee on Judiciary on July 26, 2023.
Maine Consumer Privacy Act (Senate Legislative Document 1973) Introduced on May 18, 2023, this bill describes guidelines for data controllers regarding the processing of personal information of Maine residents. It was referred to the Committee on Judiciary on July 26, 2023.

Maine’s Partial Privacy Laws

Maine has some partial privacy regulations in place, including the following:

Law Description
Data Breach Act The state’s data breach notification law and applies to anyone who stores categories of personal data. Entities must notify state regulators and, if necessary, the individuals impacted by the breach.
An Act to Protect the Privacy of Online Customer Information Went into effect in 2020 and applies to internet service providers. Internet service providers must make efforts to protect customers’ personal information and obtain consent to use their data in certain situations.

Maryland Online Data Protection Act (MODPA)

Covered by Termly
Legislative Process In Force
Effective Date October 1, 2025
Pending Update
Territorial Scope
  • Applicable to a person that conducts business in Maryland or provides products or services that are targeted to residents of Maryland
Organizational Exemptions
  • A regulatory, administrative, advisory, executive, appointive, legislative, judicial body or instrumentality of the state including a board, bureau, commission, or unit of the state or any political subdivision of the state
  • Nonprofit controller that processes or shares personal data solely for the purposes of assisting: (1) Law enforcement agencies in investigating criminal or fraudulent acts relating to insurance or (2) First responders in responding to catastrophic events
  • National securities association that is registered under § 15 of the Federal Securities Exchange Act of 1934 or a registered futures association designated in accordance with § 17 of the Federal Commodity Exchange Act
  • Financial institution, an affiliate of a financial institution, or data that is subject to Title V of the Federal Gramm-Leach-Bliley Act and regulations adopted under that Act
Threshold During the preceding calendar year did any of the following:

  • Controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction,

OR

  • Controlled or processed the personal data of at least 10,000 consumers and derived over 20% of gross revenue from the sale of personal data.
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Obtain a List of Categories of Third Partes to which the controller disclosed the consumer’s personal data
  • Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer
  • Right to Portability
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of
  • Sale of personal data
  • Profiling in furtherance of solely automated decisions that produces a legal or similarly significant effect
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Division.
Personal Information
  • “Personal data” means any information that is linked or can be reasonably linked to an identified or identifiable consumer.
Personal Information Does Not Include
  • “Personal data” does not include de-identified data or publicly available information.
Definition of Publicly Available Information “Publicly available information” means information that a person:

  • (I) Lawfully obtains from a record of a governmental entity;
  • (II) Reasonably believes a consumer or widely distributed media have lawfully made available to the general public; or
  • (III) If the conumser has not restricted the information to a specific audience, obtains from a person to whom the consumer disclosed the information.
Sensitive Information “Sensitive data” means personal data that includes data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Consumer health data
  • Sex life
  • Sexual orientation
  • Status as transgender or nonbinary
  • National origin
  • Citizenship or immigration status
  • Genetic or biometric data
  • Personal data of a consumer that the controller knows or has reason to know is a child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means an individual who is a resident of Maryland.
  • “Consumer” does not include:
    • (I) An individual acting in a commercial or employment context
    • (II) An individual acting as an employee, an owner, a director, an officer, or a contractor of a company, a partnership, a sole proprietorship, a nonprofit organization, or a governmental unit whose communications or transactions with a controller occur only within the context of the individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or governmental unit.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the exchange of personal data by a controller, a processor, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration.

Maryland’s Partial Privacy Laws

Maryland has partial privacy regulations codified in the Commercial Law of the Code of Maryland, including all of the following:

Law Description
Section 14–350 of the Maryland Code, called the Personal Information Protection Act Describes the data breach notification laws in the state, imposing obligations on businesses that collect personal information and experience a breach. It was amended in 2022.
Medical Records Statute of the Maryland Code Requires all medical information to remain confidential and gives individuals a right to private action.

Massachusetts’ Introduced Privacy Bills

These bills were all introduced on February 16, 2023:

Bill Description
Massachusetts Data Privacy Protection Act (HD 2281 and its companion bill, SD 745) These two companion bills were introduced on January 19, 2023, and describe requirements for data brokers, small businesses, and covered entities regarding the processing of personal data of Massachusetts consumers. The bills were referred to the Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity in February 2023.
Massachusetts Information Privacy and Security Act (HD 3263 and its companion bill, SD 1971) These two companion bills were introduced on January 20, 2023, and outline obligations for controllers who process personal information from Massachusetts residents. Both were referred to the Committee on Advanced Information Technology, the Internet, and Cybersecurity on November 2, 2023.
Internet Bill of Rights (HD 3245) Introduced on January 20, 2023, this bill aims to establish a bill of rights regarding how personal data is processed and used by covered entities and describes obligations for preventing and responding to data breaches. It was referred to the Joint Committee on the Judiciary in November 2023.

Massachusetts’ Partial Privacy Laws

Massachusetts has several other privacy-related regulations, including:

Law Description
Data Breach Notification Law Required entities to notify the Office of Consumer Affairs and Business Regulation and the Office of Attorney General if they believe or have reason to believe a cyber breach has occurred.
Safeguards Regulation Sets forth all requirements for protecting the personal data of residents.
Consumer Protection Law Prohibits unfair or deceptive practices.
Data Disposal Law Outlines requirements for disposing of personal data of Massachusetts residents

Michigan’s Partial Privacy Laws

Michigan has a few privacy-related regulations in place, including the following:

Law Description
Identity Theft Protection Act Requires entities to provide a notice to Michigan residents if their unencrypted information is accessed without authorization, or if their encrypted data was accessed without authorization by a person who has the encryption key.
Internet Privacy Protection Act Prevents employers and educational institutions from requiring access to an individual’s personal account or disclosing information about their accounts.

Minnesota Consumer Data Privacy Act (MCDPA)

Covered by Termly Pending
Legislative Process In Force
Effective Date July 31, 2025
Pending Update
Territorial Scope
  • Applicable to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota
Organizational Exemptions
  • A government entity
  • Nonprofit organizations established to detect and prevent insurance fraud
  • A federally recognized Indian tribe
  • Certain kinds of banks, credit unions, or insurance companies
  • Small businesses as defined by the US Small Business Administration regulations
  • Air carriers under the Airline Deregulation Act
  • Protected health information governed by HIPAA, financial data regulated by the GLBA, consumer credit-reporting data, and data covered by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Education Rights and Privacy Act, the Farm Credit Act, and the Minnesota Insurance Fair Information Reporting Act
  • Data for the purposes of job applications or employment, data necessary to administer benefits, as well as data processed or maintained for emergency contact purposes
Threshold During a calendar year:

  • Controls or processes the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

  • Derives over 25% of gross revenue from the sale of personal data and processes or controls personal data of at least 25,000 consumers
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Obtain a List of Specific Third Partes to which the controller disclosed the consumer’s personal data
  • Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer
  • Right to Question the Results of a Controller’s Profiling, to be informed of the reason that the profiling resulted in the decision, and to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future, to review the consumer’s personal data used in the profiling, and to have the data corrected and the profiling decision reevaluated based upon the corrected data.
  • Right to Portability
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling in furtherance of automated decisions that produces a legal or similarly significant effect
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 45 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person.
Personal Information Does Not Include
  • “Personal data” does not include deidentified data or publicly available information.
Definition of Publicly Available Information “Publicly available information” means information that:

  • (1) is lawfully made available from federal, state, or local government records or widely distributed media, or
  • (2) a controller has a reasonable basis to believe has lawfully been made available to the general public
Sensitive Information “Sensitive data” means personal data that includes data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data
  • Personal data of a known child
  • Specific geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means a natural person who is a Minnesota resident acting only in an individual or household context.
  • “Consumer” does not include a natural person acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale,” “sell,” or “sold” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When “Sale” does not include the following:

  • (1) the disclosure of personal data to a processor who processes the personal data on behalf of the controller;
  • (2) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • (3) the disclosure or transfer of personal data to an affiliate of the controller;
  • (4) the disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience;
  • (5) the disclosure or transfer of personal data to a third party as an asset that is part of a completed or proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets; or
  • (6) the exchange of personal data between the producer of a good or service and authorized agents of the producer who sell and service the goods and services, to enable the cooperative provisioning of goods and services by both the producer and the producer’s agents.

Minnesota’s Partial Privacy Laws

There are a few partial privacy regulations that exist in the Minnesota Statutes, including the following:

Law Description
Chapter 325M, Internet Privacy Outlines when disclosure of personal information on the Internet is prohibited, when it’s required, and describes the guidelines for permissions and authorizations with respect to Internet Service Providers (ISPs).
Chapter 325E, Section 61, the Breach Notification Law Describes guidelines for notifying individuals if their data was compromised in a breach and the responsibilities of the covered entity.
Chapter 325E, Section 64, Plastic Card Security Act Describes breach notification requirements in relation to financial institutions.
Chapter 325E, Section 59, Use of Social Security Numbers Prohibits entities from requiring consumers to share social security numbers over the internet without proper protections in place.
Chapter 626A, Section 02, Intersection and Disclosure of Communications Prevents entities from intercepting certain forms of communication through wire, electronic, or other means.
Chapter 609, Section 527, Identity Theft Describes the penalties if someone transfers or uses another person’s data or identity for nefarious purposes.
Chapter 13, the Minnesota Government Data Practices Act (MGDPA) Describes the requirements for government entities to collect and use personal information.

Minnesota’s Introduced Privacy Bills

Bill Description
Senate File 950 & companion bill House File 1892 These companion bills were introduced on January 30, 2023, and would require consent from consumers before collecting their personal information. These bills are in recess with the Senate Commerce and Consumer Protection Committee.
Senate File 2915 & companion bill House File 2309 These companion bills were introduced on March 15, 2023, and would place obligations on certain businesses regarding their data collection and processing activities and grant rights to state residents. These bills currently are in recess with the Senate Commerce and Consumer Protection Committee.
House File 1367 Introduced on February 6, 2023, this bill would give various rights to consumers over their data and outlines transparency obligations for businesses, creating a private right of action. It’s currently in recess with the House Commerce Finance & Policy Committee.

Mississippi’s Partial Privacy Laws

The Mississippi Annotated Code 1972 provides some privacy-related protections for consumers, like:

Law Description
Section 97-45-33 Bans the impersonation of another person through the Internet for the purpose of harming, intimidating, or defrauding them.
Section 97-45-5(1)(b) Prevents using another person’s numbers, codes, passwords, or other means of access to a computer without their consent.
Section 75-24-29(3) Describes data breach notification requirements and guidelines and other protections for residents.

Missouri’s Introduced Privacy Bills

Bill Description
House Bill 667 Introduced on January 5, 2023, this bill would amend the Personal Privacy Protection Act and prevent public agencies from requiring individuals to provide personal information or compelling them to release their information under specific circumstances.

Missouri’s Partial Privacy Laws

Missouri has a privacy-related data breach notification law:

Law Description
Notice to Consumer for Breach of Security It’s been in effect since August 28, 2009, and states that you must disclose to individuals if there’s any unauthorized access to their personal information maintained in a computerized format. You must notify the Attorney General if the breach involved more than 1,000 consumers.

Montana Consumer Data Privacy Act (MCDPA)

Covered by Termly
Legislative Status Signed
Effective Date October 1, 2024
New Amendments take effect October 1, 2025
Pending Update
Territorial Scope
  • Applicable to persons that conduct business in Montana or produce products or services that are targeted to Montana residents
Organizational Exemptions
  • Body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state
  • Nonprofit organization
  • Institution of higher education
  • National securities association that is registered under the Securities Exchange Act of 1934
  • Financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with the GLBA
  • Covered entity or business associate as defined in the privacy regulations of HIPAA
Threshold
  • Control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

  • Control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data

As of October 1, 2025, the scope will expand to:

  • Control or process the personal data of not less than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

  • Control or process the personal data of not less than 15,000 consumers and derive more than 25% of gross revenue from the sale of personal data
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of a decision that produces a legal or similarly significant effect, or automated decision making
  • Right to Portability
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Targeted Advertising
  • Automated decision making
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include
  • The term does not include deidentified data or publicly available information.
Definition of Publicly Available Information “Publicly available information” means information that:

  • (a) is lawfully made available through federal, state, or municipal government records or widely distributed media; or
  • (b) a controller has a reasonable basis to believe a consumer has lawfully made available to the public.
Sensitive Information “Sensitive data” means personal data that includes data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Information about a person’s sex life or sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data for the purpose of uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means an individual who is a resident of this state.
  • The term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When The term does not include:

  • (i) the disclosure of personal data to a processor that processes the personal data on behalf of the controller
  • (ii) the disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer
  • (iii) the disclosure or transfer of personal data to an affiliate of the controller
  • (iv) the disclosure of personal data in which the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party
  • (v) the disclosure of personal data that the consumer: (A) intentionally made available to the public via a channel of mass media; and (B) did not restrict to a specific audience
  • (vi) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

Montana’s Additional Privacy Laws

Montana has a few additional privacy-related laws, including:

Law Description
Montana Pupil Online Personal Information Protection Act Prevents entities from engaging in targeted advertising through K-12 online applications.
Senate Bill 419 Bans the use of the social media app TikTok in the state and goes into effect in January 2024.
Montana Code Annotated, Title 30, Chapter 14, Part 17 Outlines the data and computer security breach notification requirements for the state.

Nebraska Data Privacy Act (NDPA)

Covered by Termly Pending
Legislative Process In Force
Effective Date January 1, 2025
Pending Update
Territorial Scope
  • Applicable to persons that conduct business in Nebraska or produce products or services that are consumed by Nebraska residents
Organizational Exemptions
  • State agency or political subdivision of this state
  • Nonprofit organization
  • Institution of higher education
  • National securities association that is registered under the Securities Exchange Act of 1934
  • Financial institution, affiliate of a financial institution, or data subject to Title V of the GLBA
  • Covered entity or business associate governed by the privacy, security, and breach notification rules of regulations of HIPAA
  • Electric supplier
  • Natural gas public utility
  • Natural gas utility owned or operated by a city or metropolitan utilities district
Threshold
  • Processes or engages in the sale of personal data

AND

  • Is not a small business as determined under the federal Small Business Act
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, and profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Right to Portability
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with the online mechanism through which to contact the Attorney General.
Personal Information
  • “Personal data” means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, and includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.
Personal Information Does Not Include
  • The term does not include deidentified data or publicly available information.
Definition of Publicly Available Information
  • “Publicly available information” means information that is lawfully made available through government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
Sensitive Information “Sensitive data” means a category of personal data, and includes personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data that is processed for the purpose of uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means an individual who is a resident of this state acting only in an individual or household context.
  • Consumer does not include an individual acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When Sale of personal data does not include:

  • (i) the disclosure of personal data to a processor that processes the personal data on behalf of the controller
  • (ii) the disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer
  • (iii) the disclosure or transfer of personal data to an affiliate of the controller
  • (iv) the disclosure of information that the consumer:
    • (A) Intentionally made available to the public through a mass media channel; and
    • (B) Did not restrict to a specific audience
  • (v) the disclosure or transfer of personal data to a third party as an asset in which the third party assumes control of all or part of the controller’s assets that is part of a proposed or actual:
    • (A) Merger;
    • (B) Acquisition;
    • (C) Bankruptcy; or
    • (D) Other Transaction

Nebraska’s Partial Privacy Laws

Nebraska has a few partial privacy regulations in place, including the following:

Law Description
Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Describes all data breach notification requirements for the state.
Mental Health Practice Act Prohibits mental health practitioners from disclosing information about their patients unless they obtain consent or are required by law.
Workplace Privacy Act Prohibits employers from accessing an employee’s personal accounts, with some exceptions.

Nevada’s Partial Privacy Laws

Nevada does have a few partial privacy regulations.

Law Description
Senate Bill 260, An Act Relating to Internet Privacy and Other Purposes Gives rights to residents regarding the collection of their personal data by data brokers and entered into effect in October 2021.
Security and Privacy of Personal Information Nevada’s data breach notification law, which outlines all breach notification response times and requirements.

New Hampshire Privacy Act (NHPA)

Covered by Termly
Legislative Process In Force
Effective Date January 1, 2025
Pending Update
Territorial Scope
  • Applicable to persons that conduct business in New Hampshire or produce products or services that are targeted to New Hampshire residents
Organizational Exemptions
  • Body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state
  • Nonprofit organization
  • Institution of higher education
  • National securities association that is registered under the Securities Exchange Act of 1934
  • Financial institution or data subject to Title V of the GLBA
  • Covered entity or business associate as defined in the privacy regulations of HIPAA
Threshold During a one year period:

  • (a) Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

  • (b) Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25% of their gross revenue from the sale of personal data
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Right to Portability
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include
  • “Personal data” does not include de-identified data or publicly available information.
Definition of Publicly Available Information
  • “Publicly available information” means information that is lawfully made available through federal, state, municipal government records, or widely distributed media, and a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.
Sensitive Information “Sensitive data” means personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person
  • The personal information collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means an individual who is a resident of this state.
  • “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When “Sale of personal data” does not include:

  • (a) The disclosure of personal data to a processor that processes the personal data on behalf of the controller
  • (b) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer
  • (c) The disclosure or transfer of personal data to an affiliate of the controller
  • (d) The disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party
  • (e) The disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience
  • (f) The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller’s assets.

New Hampshire’s Introduced Privacy Bills

Bill Description
House Bill 314 Introduced on January 5, 2023, this bill outlines privacy expectations regarding New Hampshire consumers’ personal information. It’s currently in the House Judiciary Committee.

New Hampshire’s Partial Privacy Laws

New Hampshire has some privacy-related laws, including:

Law Description
New Hampshire Right To Privacy Act Describes data breach and cybersecurity guidelines for entities that have a license to collect personal information.
Student and Teacher Information Protection and Privacy Outlines restrictions on website operators used or marketed for K-12 school purposes, prohibiting targeted advertising and the sale of student data.
Regulation of Business Practices for Consumer Protection States that entities cannot engage in unfair or deceptive business practices, which can include using false or misleading privacy policies.

New Jersey Data Privacy Act (NJDPA)

Covered by Termly
Legislative Status In Force
Effective Date January 16, 2025
Pending Update
Territorial Scope
  • Applicable to persons that conduct business in New Jersey or produce products or services that are targeted to New Jersey residents
Organizational Exemptions
  • Some insurance institutions
  • Some secondary market institutions
  • Financial institution or an affiliate of a financial institution this is subject to the GLBA
  • Covered entity or business associate as defined in the privacy regulations of HIPAA
Threshold
  • Control or process the personal data of not less than 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction

OR

  • Control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Data Portability
  • Right to Opt Out of Targeted Advertising, sale of personal information, or automated profiling
  • Right to Appeal
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling
  • Targeted advertising
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 45 days.
  • The controller must provide the consumer with a means to contact the Division of Consumer Affairs in the Department of Law and Public Safety to submit a complaint.
Personal Information
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable person.
Personal Information Does Not Include
  • The term does not include deidentified data or publicly available information.
Definition of Publicly Available Information
  • “Publicly available information” means information that is lawfully made available from federal, State, or local government records, or widely-distributed media or information that a controller has a reasonable basis to believe a consumer has lawfully made available to the general public and has not restricted to a specific audience.
Sensitive Information “Sensitive data” means personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition, treatment, or diagnosis
  • Financial information which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • Status as transgender or non-binary
  • Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means an identified person who is a resident of this State acting only in an individual or household context.
  • “Consumer” shall not include a person acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale” means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When “Sale” shall not include:

  • The disclosure of personal data to a processor that processes the personal data on the controller’s behalf
  • The disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer
  • The disclosure or transfer of personal data to an affiliate of the controller
  • The disclosure of personal data that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience
  • The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

New Jersey’s Introduced Privacy Bills

Bill Description
New Jersey Disclosure and Accountability Transparency Act (NJ DATA) Assembly Bill 505 was originally introduced on January 11, 2022 and was referred to the Science, Innovation, and Technology Committee. An identical bill, Senate Bill 3714, was then introduced on March 13, 2023;

Together, they create the foundation for the New Jersey Disclosure and Accountability Transparency Act (NJ DATA), which now sits in the Senate Commerce Committee.

It describes requirements for disclosing and processing personally identifiable information and would establish an Office of Data Protection and Responsible Use in the Division of Consumer Affairs.

New Jersey’s Partial Privacy Laws

Other privacy-related laws that exist in New Jersey are:

Law Description
Identity Theft Protection Act Describes steps businesses must take to protect personal information collected from customers, employees, and individuals from identity theft and breaches.
Daniel Anderl Judicial Security and Privacy Act of 2020 Makes it illegal to disclose the home address of any active or retired judge, prosecutor, or law enforcement officer in the state, and excludes their address from the definition of ‘government record’.

New Mexico’s Partial Privacy Laws

There are a few privacy-related laws in place that appear in the New Mexico Statutes:

Law Description
New Mexico’s Privacy Protection Act (PPA) Can be found in Chapter 57, Article 12B and focuses on protecting social security numbers and states that businesses aren’t allowed to collect them as a requirement of a purchase.
Data Breach Notification Act Located in Chapter 57, Article 12C, provides a definition for personal information and outlines notification requirements following a data breach.
Chapter 14, Article 6 of the Statute Outlines laws protecting the confidentiality of medical records in the state, and specifics that they should never be made a matter of public record.
The Employee Privacy Act; found in Chapter 50, Article 11 of the Statutes Protects employees from limited levels of discrimination.

New York’s Introduced Privacy Bills

Bill Description
New York Data Protection Act (Assembly Bill 2587) Introduced on January 26, 2023, this bill would establish the New York Data Protection Act and require government entities to disclose specific personal information they collect about individuals. It’s currently in the Assembly Committee.
Assembly Bill 7423 Introduced on May 19, 2023, this bill would require companies to disclose how they de-identify personal data and place safeguards around the information. It’s currently in the Assembly Committee.
Senate Bill 365 Introduced on January 4, 2023, this bill would require companies to disclose their methods of de-identifying personal information, place safeguards around protecting the data, and allow consumers to know who their data is shared with. It’s currently in the Assembly of Consumer Affairs and Protection.
Senate Bill 5555 Introduced on March 8, 2023, this bill would establish the ‘It’s Your Data Act’ and provide protections and transparency in collecting, using, and retaining personal information. It’s currently in the Senate Codes Committee.
Senate Bill 2998 Introduced on January 26, 2023, this bill would establish the Online Consumer Protection Act and require advertising networks to post a clear notice on their homepage about their privacy policy and data collection and uses. It’s currently in the Senate Consumer Protection Committee.

New York’s Partial Privacy Laws

New York is protected by partial privacy-related regulations, including all of the following:

Law Description
Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Expands the type of personal information consumers must be notified about if subject to a data breach, and requires entities to implement stronger safeguards to keep data safe.
Senate Bill 2628 Requires private sector employers to provide notice to employees upon hiring about their electronic monitoring processes.

New York’s Inactive Privacy Bills

All of the following unique bills were introduced in 2023 but became inactive for various reasons:

Bill
Assembly Bill 6319 (American Data Privacy and Protection Act)
Senate Bill 3162 and its companion bill Assembly Bill 4374
Assembly Bill 3593
Assembly Bill 3308 and its companion bill Senate Bill 2277 (Digital Fairness Act)
Senate Bill 365 (New York Privacy Act)
Assembly Bill 2587 (New York State Protection Act)
Senate Bill 5555 (It’s Your Data Act)

North Carolina’s Introduced Privacy Bills

Bill Description
North Carolina Consumer Privacy Act (Senate Bill 525) Introduced on April 3, 2023, this bill would grant consumers the right to access and delete their personal data collected by controllers and give them opt-out rights for targeted advertising and the sale of their data. It passed its first reading and was sent to the Committee on Rules and Operations of the Senate.

North Carolina’s Partial Privacy Laws

North Carolina is protected by a privacy-related regulation shown below:

Law Description
Identity Theft Protection Act (ITPA) Imposes restrictions on collecting social security numbers with other personal information. It also describes data breach notification requirements.

North Dakota’s Partial Privacy Laws

North Dakota is protected by some partial privacy-related regulations, including:

Law Description
Notice of Security Breach for Personal Information Outlines when an entity must inform impacted individuals about a data breach, and has been in place since 2005.
Legislative Management Study of Consumer Personal Data Disclosures Passed in 2019 so legislative management could study protections, enforcements, and remedies relating to consumer personal data and report its findings.

Ohio’s Partial Privacy Laws

Ohio is protected by some partial privacy protections, including:

Law Description
Private Disclosure of Security Breach of Computerized Personal Information Data Outlines how entities must respond to data breaches and inform impacted individuals.
Cybersecurity Safe Harbor Act Covers entities that create, maintain, and comply with cybersecurity programs as specified by the law.

Oklahoma Consumer Privacy Law

Covered by Termly
  • Coming soon
Legislative Process  Signed
Effective Date  January 1, 2027
Pending Update 
Territorial Scope 
  • Applicable to a controller or processor who conducts business in Oklahoma or produces a product or service targeted to Oklahoma residents
Organizational Exemptions 
  • A state agency or a political subdivision of this state, or a service provider processing data on behalf of a state agency or political subdivision of this state
  • A financial institution or data subject to Title V of the Gramm-Leach-Bliley Act
  • A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the US Department of Health and Human Services, established under HIPAA, and the Health Information Technology for Economic and Clinical Health Act
  • A nonprofit organization
  • An institution of higher education
Threshold  During a calendar year:

  • Controls or processes personal data of at least 100,000 consumers

OR

  • Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data
Consumer Rights 
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, and profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Right to Portability
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of: 
  • Sale of personal data
  • Profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests 
  • No later than 45 days with the possibility of a 45 day extension
Appeal Timeframe 
  • A controller shall inform the consumer in writing of any action taken or not taken in response to an appeal within 60 days.
  • The controller must provide the consumer with an online mechanism to contact the Attorney General.
Personal Information 
  • “Personal data” means any information including sensitive data that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.
Personal Information Does Not Include 
  • “Personal data” does not include deidentified data or publicly available information.
Definition of Publicly Available Information 
  • “Publicly available information” means information that is lawfully made available through government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
Sensitive Information  “Sensitive data” means a category of personal data. The term includes:

  • Personal data revealing racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data that is processed for the purpose of uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include  N/A
Definition of Consumer / Data Subject / Individual / Customer 
  • “Consumer” means an individual who is a resident of this state acting only in an individual or household context.The term does not include an individual acting in a commercial or employment context.
Definition of Disclose  N/A
Definition of Share  N/A
Definition of Sell 
  • “Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party.
Sell Does Not Include When The term does not include the:

  • (a) Disclosure of personal data to a processor that processes the personal data on the controller’s behalf,
  • (b) Disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer
  • (c) Disclosure or transfer of personal data to an affiliate of the controller
  • (d) Disclosure of information or personal data that the consumer: (1a) intentionally made available to the general public through a mass media channel, and (1b) did not restrict to a specific audience, or (2) directs the controller to disclose or intentionally uses the controller to interact with a third party
  • (e) Disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets

Oklahoma’s Partial Privacy Laws

Oklahoma is protected by partial privacy regulation regarding data breach notifications:

Law Description
Security Breach Notification Act Entities that collect computerized personal data are required to encrypt the information and inform residents if their data is involved in a breach.

Oregon Consumer Privacy Act (OCPA)

Covered by Termly
Legislative Status In Force
Effective Date July 1, 2024
Pending Update
Territorial Scope
  • Applicable to persons that conduct business in Oregon or produce products or services that are targeted to Oregon residents
Organizational Exemptions
  • Body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state
  • Financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with the GLBA
  • An individual, firm, association, corporation, or other entity that is licensed in this state as an insurance company and transacts insurance business
  • Nonprofit organization
  • Institution of higher education
  • Covered entity or business associate as defined in the privacy regulations of HIPAA
Threshold During a calendar year, they control or process:

  • The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction

OR

  • The personal data of 25,000 or more consumers, while deriving 25% or more of the annual gross revenue from selling personal data
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of a decision that produces a legal or similarly significant effect, or automated decision making
  • Right to Portability
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling in furtherance of a decision that produces a legal or similarly significant effect
  • Targeted Advertising
  • Automated decision making
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include Does not include information that is:

  • (i) Publicly available information; or
  • (ii) De-identified or aggregate consumer information
Definition of Publicly Available Information
  • “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience
Sensitive Information “Sensitive data” means a category of personal information that includes personal information revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person
  • The personal information collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual “Consumer”:

  • (A) Means a natural person who is a resident of Tennessee acting only in a personal context; and
  • (B) Does not include a natural person acting in a commercial or employment context
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When Does not include:

  • (i) The disclosure of personal information to a processor that processes the personal information on behalf of the controller;
  • (ii) The disclosure of personal information to a third party for purposes of providing a product or service requested by the consumer;
  • (iii) The disclosure or transfer of personal information to an affiliate of the controller;
  • (iv) The disclosure of information that the consumer intentionally made available to the general public via a channel of mass media; and did not restrict to a specific audience; or
  • (v) The disclosure or transfer of personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

Oregon’s Additional Privacy Laws

There are a few other privacy-related laws in place protecting residents of Oregon, according to the Oregon Department of Justice, including the:

Law Description
Oregon Consumer Identity Theft Protection Act Is the data breach notification law in the state and gives residents tools and resources to protect themselves from identity theft and cybercrimes.
Oregon Student Information Protection Act Prohibits sharing student data gathered from educational websites and platforms for non-educational purposes.

Pennsylvania’s Introduced Privacy Bills

Bill Description
Pennsylvania Consumer Data Privacy Act (House Bill 1201) The Consumer Data Privacy Act — officially House Bill 1201 — was introduced on May 19th and was also referred to the Committee on Commerce. It provides similar duties for controllers and processors of personal information, outlines consumer privacy rights, and imposes specific penalties, but differs in scope and specifics from House Bill 708.
Consumer Data Protection Act (House Bill 708) Introduced on March 27, 2023, House Bill 708, also called the Consumer Data Protection Act, was referred to the House Commerce Committee. It describes consumer protections and data privacy rights, obligations for processors and controllers, and outlines penalties for violating portions of the act.

Pennsylvania’s Partial Privacy Laws

Pennsylvania is also protected by the following privacy-related provisions:

Law Description
Breach of Personal Information Notification Act of 2005 Describes requirements entities must follow if they believe the personal data they store was breached or victim to a cyber attack.
Pennsylvania Wiretapping and Electronic Surveillance Control Act Prohibits individuals from wiretapping or intentionally intercepting wire, electronic, and oral conversations.
Privacy of Social Security Numbers Law Makes it so social security numbers are subject to a right of confidentiality in the state.
Title 18, Chapter 41, Section 4106.1 of the Pennsylvania Statutes Prohibits making and distributing devices designed to read and store internal memory data on a chip or magnetic strip.
Title 42 of the Pennsylvania Statutes Recognizes a private right of action against the disemmenation of an intimate image.
Title 18, Chapter 75 of the Pennsylvania Statutes Criminalizes invasions or violations of a person’s privacy.

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

Covered by Termly
Legislative Process  In Force
Effective Date  January 1, 2026
Pending Update 
Territorial Scope 
  • Applicable to for-profit entities that conduct business in Rhode Island or produce products or services that are targeted to Rhode Island residents
Organizational Exemptions 
  • Body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state
  • Nonprofit organization
  • Institution of higher education
  • National securities association that is registered under the Securities Exchange Act of 1934
  • Financial institution or data subject to Title V of the Gramm-Leach-Bliley Act
  • Covered entity or business associate as defined in the privacy regulations of HIPAA
Threshold  During the preceding calendar year, controlled or processed:

  • The personal data of 35,000 or more consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

  • The personal data of 10,000 or more consumers and derived more than 20% of gross revenue from the sale of personal data
Consumer Rights 
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, and profiling in furtherance of solely automated decision that produce a legal or similarly significant effects
  • Right to Portability
  • Right to Non-Discrimination
  • Right to Opt-in for processing of sensitive data
Consumers have the Right to Opt-Out of: 
  • Sale of personal data
  • Profiling in furtherance of solely automated decisions that produce a legal or similarly significant effects
  • Targeted Advertising
Timeframe to Respond to Data Subject Requests 
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe 
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information 
  • “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.
Personal Information Does Not Include 
  • “Personal data” does not include deidentified data or publicly available information.
Definition of Publicly Available Information 
  • “Publicly available information” means information that is lawfully made available through federal, state or municipal government records or widely distributed media, or a controller has a reasonable basis to believe a customer has lawfully made available to the general public.
Sensitive Information  “Sensitive data” means personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • The processing of genetic or biometric data for the purpose of uniquely identifying an individual
  • The personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include  N/A
Definition of Consumer / Data Subject / Individual / Customer 
  • “Customer” means an individual residing in this state acting in an individual or household context.
  • “Customer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.
Definition of Disclose  N/A
Definition of Share  N/A
Definition of Sell 
  • “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When “Sale of personal data” does not include:

  • (i) The disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  • (ii) The disclosure of personal data to a third party for purposes of providing a product or service requested by the customer;
  • (iii) The disclosure or transfer of personal data to an affiliate of the controller;
  • (iv) The disclosure of personal data where the customer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party
  • (iv) The disclosure of personal data that the customer intentionally made available to the general public via a channel of mass media; and did not restrict to a specific audience; or
  • (v) The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

Rhode Island’s Partial Privacy Laws

Some privacy-related legislation does exist in Rhode Island, including the following:

Law Description
Identity Theft Protection Act of 2015 Outlines some protections for personal information regarding the disclosure of breaches of security systems and requires the implementation of risk-based security programs to prevent such cybercrimes.
Consumer Empowerment and Identity Theft Prevention Act of 2006 Also provides protections for consumers regarding data breaches, giving consumers the right to place a security freeze on their credit reports.

Rhode Island’s Introduced Privacy Bills

Rhode Island has a few privacy bills that are now inactive:

Bill Description
House Bill 5745 First introduced on February 21, 2023, this bill describes requirements for controllers over how they process and use personal data. It was recommended to be held for further study.
Senate Bill 754 First introduced on March 23, 2023, this bill outlines guidelines for businesses to transparently disclose how they collect and use personally identifiable information. It was recommended to be held for further study.
House Bill 6263 First introduced on April 4, 2023, this bill requires entities to better inform consumers about what kind of personally identifiable information they share with other businesses. It was recommended to be held for further study.
House Bill 5354 First introduced on February 3, 2023, this bill describes opt-in and opt-out requirements for consumers concerning the collection and processing of personal data. It was recommended to be held for further study.

South Carolina’s Partial Privacy Laws

South Carolina has a few privacy-related regulations, including the following:

Law Description
South Carolina Freedom of Information Act Creates broad rights for public records held by public bodies in the state.
Personal Financial Security Act Makes committing financial identity fraud or theft by using personal information unlawful and establishes the specific criminal violations.
Physicians Patient Records Act Describes ownership of a patient’s medical records and how to release them.
The Insurance Data Security Act Requires all covered entities to maintain a security program and establish investigation and notification frameworks following a data breach.

South Dakota’s Partial Privacy Laws

South Dakota has a data breach notification law:

Law Description
Chapter 40, Title 22 of the South Dakota Codified Laws States that any information holder must inform an individual following the discovery of a data breach of any personal information.

Tennessee Information Protection Act (TIPA)

Covered by Termly
Legislative Status In Force
Effective Date July 1, 2025
Pending Update
Territorial Scope
  • Applies to persons that conduct business in Tennessee producing products or services that target residents of Tennessee
Organizational Exemptions N/A
Threshold
  • Exceed $25,000,000 in revenue;

AND

  • Control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information;

OR

  • During a calendar year, control or process personal information of at least 175,000 consumers.
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, profiling, automated decision making
  • Right to Portability
  • Right to Non-Discrimination
  • Right to Opt-in for processing of sensitive data
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling
  • Targeted Advertising
  • Automated decision making
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 45 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • Means information that is linked or reasonably linkable to an identified or identifiable natural person
Personal Information Does Not Include Does not include information that is:

  • (i) Publicly available information; or
  • (ii) De-identified or aggregate consumer information
Definition of Publicly Available Information
  • “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience
Sensitive Information “Sensitive data” means a category of personal information that includes personal information revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person
  • The personal information collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual “Consumer”:

  • (A) Means a natural person who is a resident of Tennessee acting only in a personal context; and
  • (B) Does not include a natural person acting in a commercial or employment context
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • Means the exchange of personal information for valuablemonetary consideration by the controller to a third party
Sell Does Not Include When Does not include:

  • (i) The disclosure of personal information to a processor that processes the personal information on behalf of the controller;
  • (ii) The disclosure of personal information to a third party for purposes of providing a product or service requested by the consumer;
  • (iii) The disclosure or transfer of personal information to an affiliate of the controller;
  • (iv) The disclosure of information that the consumer intentionally made available to the general public via a channel of mass media; and did not restrict to a specific audience; or
  • (v) The disclosure or transfer of personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

Tennessee’s Additional Privacy Laws

Tennessee also has a few privacy-related laws in place, including:

Law Description
Tennessee Code Data Breach Requirements Outlines when and how entities must notify individuals whose data is compromised in a data breach.
Genetic Information Privacy Act Prevents insurance providers from requiring people who receive coverage to disclose genetic information about themselves or their families.

Texas Data Privacy and Security Act (TDPSA)

Covered by Termly
Legislative Status In Force
Effective Date July 1, 2024
Pending Update
Territorial Scope Applies only to a person that:

  • (1) conducts business in Texas or produces a product or service consumed by residents of Texas
  • (2) processes or engages in the sale of personal data;

AND

  • (3) is not a small business as defined by the United States Small Business Administration, except to the extent that the small business is engaged in the sale of sensitive personal data
Organizational Exemptions
  • State agency or subdivision
  • Financial institutions and affiliates, or data subject to GLBA
  • Any covered entity or business associate governed by HIPAA
  • A nonprofit organization
  • An institution of higher education
Threshold
  • The SBA defines a small business as an independent business having fewer than 500 employees
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of targeted advertising, sale of personal data, profiling, automated decision making
  • Right to Portability
  • Right to Non-Discrimination
  • Right to Opt-in for processing of sensitive data
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling
  • Targeted Advertising
  • Automated decision making
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.
  • The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • Any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.
  • The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.
Personal Information Does Not Include
  • Does not include de-identified data or publicly available information.
Definition of Publicly Available Information
  • “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience
Sensitive Information “Sensitive data” means personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data that is processed for the purpose of uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • “Consumer” means an individual who is a resident of this state acting only in an individual or household context.
  • The term does not include an individual acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • Means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.
Sell Does Not Include When The term does not include:

  • (A) the disclosure of personal data to a processor that processes the personal data on the controller ’s behalf;
  • (B) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • (C) the disclosure or transfer of personal data to an affiliate of the controller;
  • (D) the disclosure of information that the consumer intentionally made available to the general public through a mass media channel; and did not restrict to a specific audience; or the disclosure or transfer of personal data to a third party as an asset that is part of a merger or acquisition.

Texas’ Introduced Privacy Bills

Bill Description
House Bill 1844 Introduced on February 3, 2023, this bill would impose a civil penalty on entities based on their collection, use, processing, and treatment of consumer personal data. It’s currently in the Business & Industry House Committee.

Texas’ Additional Privacy Laws

Texas has other laws that are adjacent to data privacy, including the following:

Law Description
Texas Identify Theft Enforcement and Protection Act Requires officers in different jurisdictions to write reports whenever a person falls victim to a data breach.
Texas Medical Records Privacy Act Protects sensitive health information and medical data from being released for marketing purposes without individual consent.

Utah Consumer Privacy Act (UCPA)

Covered by Termly
Legislative Status In Force
Effective Date December 31, 2023
Pending Update
Territorial Scope
  • Any controller or processor who conducts business in Utah or produces a product or service that is targeted to consumers who are residents of Utah.
Organizational Exemptions
  • Government organizations
  • Third parties under contract with a government organization
  • Tribes
  • Higher education institutions
  • Non-profit organizations
  • Covered entities and business associates under HIPAA
  • Consumer reporting agencies
  • Air carriers
Threshold Any controller or processor who has annual revenue of $25,000,000 or more and satisfies one or more of the following thresholds:

  • Annually, controls or processes personal data of 100,000 or more consumers
  • Derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Delete
  • Right to Data Portability
  • Right to Opt Out of Processing of Personal information for purposes of Target Advertising or Sale of Personal information
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of:
  • Sale of personal dataTargeted Advertising (doesn’t include the data gathered from your website, form/ticket)
Timeframe to Respond to Data Subject Requests
  • 45 days with the possibility of a 45 day extension.
Appeal Timeframe N/A
Personal Information
  • Information that is linked or reasonably linkable to an identified individual or an identifiable individual.
Personal Information Does Not Include
  • “Personal data” does not include de-identified data, aggregated data, or publicly available information.
Definition of Publicly Available Information
  • Publicly available information” means information that a person (a) lawfully obtains from a record of a governmental entity (b) reasonably believes a consumer or widely distributed media has lawfully made available to the general public; or (c) if the consumer has not restricted the information to a specific audience, obtains from a person to whom the consumer disclosed the information.
Sensitive Information Sensitive data includes personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Sexual orientation
  • Citizenship or immigration status
  • Medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional
  • Genetic personal data
  • Biometric data, if the processing is for the purpose of identifying a specific individual
  • Specific geolocation data
Sensitive Information Does Not Include
  • “Sensitive data” does not include personal data that reveals an individual’s racial or ethnic origin when processed by a video communication service or certain medical data processed by licensed healthcare providers.
Definition of Consumer / Data Subject / Individual
  • An individual who is a resident of the state acting in an individual or household context.”Consumer” does not include an individual acting in an employment or commercial context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • The exchange of personal data for monetary consideration by a controller to a third party.
Sell Does Not Include When “Sale,” “sell,” or “sold” does not include:

  • (i) a controller’s disclosure of personal data to a processor who processes the personal data on behalf of the controller;
  • (ii) a controller’s disclosure of personal data to an affiliate of the controller
  • (iii) considering the context in which the consumer provided the personal data to the controller, a controller’s disclosure of personal data to a third party if the purpose is consistent with a consumer’s reasonable expectations
  • (iv) the disclosure or transfer of personal data when a consumer directs a controller to (A) disclose the personal data; or (B) interact with one or more third parties
  • (v) a consumer’s disclosure of personal data to a third party for the purpose of providing a product or service requested by the consumer or a parent or legal guardian of a child
  • (vi) the disclosure of information that the consumer (A) intentionally makes available to the general public via a channel of mass media; and (B) does not restrict to a specific audience
  • (vii) a controller’s transfer of personal data to a third party as an asset that is part of a proposed or actual merger, an acquisition, or a bankruptcy in which the third party assumes control of all or part of the controller’s assets

Utah’s Additional Privacy Laws

Utah also has a few additional privacy-related laws, including the following:

Law Description
Electronic Information Privacy Act Gives law enforcement agencies the right to obtain specific information from electronic devices for criminal investigative purposes without obtaining a search warrant.
Genetic Testing Privacy Act Prohibits employers and insurers from accessing and using genetic information about an individual and their blood relatives.
Genetic Information Privacy Act Requires genetic testing companies to obtain consumer consent before disclosing the data to an entity that offers health insurance, life insurance, or long-term care insurance, and to employers.
Utah E-Commerce Integrity Act Prohibits the copying of computer software on another computer knowingly if the software is used to collect personal information through deceptive means.
Utah Protection of Personal Information Act Requires the reasonable protection of personal information and outlines the notice requirements if a data breach occurs.

Vermont’s Introduced Privacy Bills

Bill Description
House Bill 121 Introduced on January 26, 2023, this bill describes guidelines relating to consumer privacy enhancements. It’s currently sitting in the House Committee on Commerce and Economic Development.

Vermont’s Partial Privacy Laws

Vermont is protected by other privacy-adjacent laws, including the following:

Law Description
Security Breach Notice Act Vermont’s data breach notification law states that data collectors must inform individuals if a security breach occurs and if their personal data has been compromised.
Document Safe Destruction Act Businesses are required to take reasonable steps to destroy personal data about consumers that they no longer need to retain.

Vermont’s Inactive Privacy Bills

Vermont has a few privacy bills that are now inactive:

Bill Description
Senate Bill 49 First read on January 1, 2023, currently sitting in the Senate Committee on Economic Development, Housing, and General Affairs. This bill describes requirements for protecting genetic confirmation privacy and consumer health.
House Bill 116 First read on January 26, 2023, currently sitting in the House Committee on General and Housing. This act relates to employment protections and standards.
House Bill 343 First read on February 22, 2023, currently sitting in the House Committee on Commerce and Economic Development. This act also describes details about protecting genetic data and consumer health information.
House Bill 159 First read on February 1, 2023, currently sitting in the House Committee on Commerce and Economic Development. This act describes privacy as it relates to broadband internet access services.
Senate Bill 129 First read on March 15, 2023, currently sitting in the Senate Committee on Economic Development, Housing, and General Affairs. This act describes provisions relating to protecting employees.

Virginia Consumer Data Protection Act (VCDPA)

Covered by Termly
Legislative Status In Force
Effective Date January 1, 2023
Pending Update
Territorial Scope
  • Persons that do business in the Commonwealth of Virginia or persons who produce products or services that are targeted to residents of the Commonwealth of Virginia.
Organizational Exemptions
  • Public sector organizations in Virginia
  • Non-profit organizations
  • Higher education institutions
Threshold
  • Processing or controlling personal data of at least 100,000 consumers annually

OR

  • Processing or controlling the personal data of at least 25,000 consumers and deriving over 50% of gross revenue from selling that data.
Consumer Rights
  • Right to Know if a controller is processing the consumer’s personal information
  • Right to Access
  • Right to Correct
  • Right to Delete
  • Right to Opt Out of Targeted Advertising, Profiling, or Sale of Personal information
  • Right to Appeal
  • Right to Data Portability
  • Right to Non-Discrimination
Consumers have the Right to Opt-Out of:
  • Sale of personal data
  • Profiling
  • Targeted Advertising reasonable efforts
Timeframe to Respond to Data Subject Requests
  • Without undue delay and within 45 days with the possibility of a 45 day extension.
Appeal Timeframe
  • The controller must act on a consumer’s appeal within 60 days.The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.
Personal Information
  • Information that is linked or reasonably linkable to an identified individual or an identifiable individual.
Personal Information Does Not Include
  • “Personal data” does not include de-identified data or publicly available information.
Definition of Publicly Available Information
  • “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
Sensitive Information Sensitive data includes personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Immigration or citizenship standing
  • Genetic or biometric data
  • Personal data from a known child
  • Precise geolocation data
Sensitive Information Does Not Include N/A
Definition of Consumer / Data Subject / Individual
  • A natural person who is a resident of Virginia acting only in anindividual or household context.
  • “Consumer” does not include a natural person acting in a commercial or employment context.
Definition of Disclose N/A
Definition of Share N/A
Definition of Sell
  • The exchange of personal data for monetary consideration by the controller to a third party.
Sell Does Not Include When “Sale of personal data” does not include:

  • 1. The disclosure of personal data to a processor that processes the personal data on behalf of the controller
  • 2. The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer
  • 3. The disclosure or transfer of personal data to an affiliate of the controller
  • 4. The disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience
  • 5. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets

Virginia’s Additional Privacy Laws

Additionally, Virginia also passed the following privacy-related laws:

Law Description
Personal Information Privacy Act Restricts the sale of personal information, like social security numbers, by merchants.
Virginia’s Breach of Personal Information Notification Describes notification requirements whenever a breach occurs impacting Virginia residents.
Virginia Genetic Privacy Act Outlines provisions regarding the collection of genetic data.
Virginia Telephone Privacy Protection Act Prohibits solicitation calls after a person states they do not wish to receive the call.

Washington’s Introduced Privacy Bills

Bill Description
House Bill 1616 Introduced on January 25, 2023, this bill grants rights to Washington consumers and outlines penalties for data controllers who breach those rights. It was referred to the Civil Rights & Judiciary Committee.
Senate Bill 5643 Introduced on January 31, 2023, this bill describes the People’s Privacy Act, granting rights to Washington residents regarding how their personal data gets collected, processed, and used. It was referred to the Environment, Energy, & Technology Committee.

Washington’s Partial Privacy Laws

Washington is protected by other privacy-adjacent laws, including the following:

Law Description
Data Breach Notification Law Entered into effect in 2020 and requires entities to notify affected individuals about a breach if it impacts more than 500 individuals.
House Bill 4607 Passed in 2022 and recognized January 28 as ‘digital privacy day’ to encourage Washington residents to take steps to protect their personal information.
The Privacy Act Recognizes a right to privacy for residents of the state.

Washington’s Inactive Privacy Bills

Washington has a few privacy bills that are now inactive:

Bill Description
Senate Bill 5062 Made it through to a third reading until it died during the 2022 Regular Session on February 24th.

West Virginia’s Introduced Privacy Bills

Bill Description
House Bill 3453 Introduced on February 14, 2023, this bill would establish consumer rights regarding their data privacy and create a private cause of action. It was passed to the House Technology and Infrastructure Committee.
House Bill 3498 Introduced on February 14, 2023, this bill would amend the Code of West Virginia by adding an article relating to consumer data protection. It was passed to the House Finance Committee.

West Virginia’s Partial Privacy Laws

West Virginia is protected by a few privacy-related laws worth noting, including the following:

Law Description
Article 2A of Chapter 46A of the West Virginia Code Dictates data breach and breach of security notifications for West Virginia residents.
West Virginia Health Care Records Law Requires healthcare providers to give patients a copy of their medical records upon request.
Article 5H of Chapter 21 of the West Virginia Code Restricts employers from forcing employees to share certain information about their personal social media accounts.
Electronic Mail Protection Act Prevents the transmission of unauthorized electronic messages with the intention to deceive or defraud a resident of the state.
Student Data, Transparency, and Accountability Act Restricts the transfer and disclosure of student records and protects student personal data.

Wisconsin’s Introduced Privacy Bills

Bill Description
Assembly Bill 466 Introduced on October 5, 2023, this bill establishes requirements for controllers and processors of personal data and gives rights to Wisconsin residents. On November 9, 2023, it was recommended for passage as amended by the Committee on Consumer Protection.

Wisconsin’s Partial Privacy Laws

Wisconsin is protected by a few privacy-related regulations, including the following:

Law Description
Wisconsin’s Data Breach Legislation Gives companies 45 days maximum to notify affected individuals when a data breach occurs.
Wisconsin’s Insurance Data Security Law Creates state standards for licensed insurance entities regarding data breaches specific to their industry.

Wyoming’s Partial Privacy Laws

Wyoming does have a few privacy-related laws that give partial protections to residents, including the following:

Law Description
Wyoming Genetic Data Privacy Act Gives consumers rights over their genetic information and outlines obligations for genetic testing companies, like posting a privacy policy.
Wyoming Consumer Protection Act Prevents businesses from taking unfair advantage of consumers in the state.
Wyoming Data Breach Notification Law Outlines guidelines and notification requirements entities must follow if a data breach occurs.

Washington D.C.’s Partial Privacy Laws

The Nation’s capital does have some partial privacy regulations in place, which include the following:

Law Description
Security Breach Protection Amendment Act of 2020 Amended the Breach Notification Law by expanding definitions concerning business data breaches and specifying the contents required in the notification sent to individuals.
Consumer Protection Procedures Act Is in place to provide protection to consumers from unfair, deceitful business practices.

US Privacy Laws FAQ

Does Termly cover US data privacy laws?

How often is the US state privacy legislation tracker updated?

What are US data privacy laws?

How many US states have privacy laws?

Which US states have data privacy laws?

Why do individual US states have their own data privacy laws?

How do US state data privacy laws differ from federal data privacy laws?

Which US states have the strictest data privacy laws?

Do businesses need to comply with the data privacy laws of every US state?

What are the penalties for non-compliance with US state data privacy laws?

How do US state privacy laws compare to the GDPR?

What rights do individuals typically have under US state data privacy laws?

How can businesses stay compliant with evolving US data privacy laws?

Are there any efforts to create a unified US national privacy law?

How do US state privacy laws address data breaches?

Where can I find more information about my state’s data privacy law?

Termly Bolt
Termly Helps You Comply With US Data Protection Laws
Sign Me Up! Learn More

Termly allows our users to focus more on their business instead of spending countless hours figuring out data privacy compliance. – Raffaele, Head of Marketing & Partnerships @ Termly