Which US states have data privacy laws?

Asked by: Rahul Borer  |  Last update: April 30, 2026

The U.S. has a growing patchwork of state data privacy laws. About 20 states, including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), and Texas (TDPSA), have comprehensive laws giving consumers rights to access, delete, and opt out of data selling/sharing, while other states (e.g., Florida, Oregon, New Hampshire, New Jersey) also have laws in effect or coming soon. The result is a complex compliance environment for businesses operating nationwide. These laws generally require transparency through privacy notices and vary in scope, thresholds, and specific consumer rights, though many build on the CCPA's foundation, focusing on personal data, targeted advertising, and sensitive data protections.

How many US states have data privacy laws?

Currently, there are 20 states – including California, Virginia, and Colorado, among others – that have comprehensive data privacy laws in place.

What state privacy laws are going into effect in 2025?

In 2025 alone, comprehensive laws became enforceable in Delaware, Iowa, Minnesota, Nebraska, New Hampshire, New Jersey, Tennessee, and Maryland.

What are the data privacy laws in the United States?

Some of the main federal laws that provide for data protection include the Health Insurance Portability and Accountability Act (medical records), the Family Educational Rights and Privacy Act (educational records), the Fair Credit Reporting Act (consumer reporting data), and the Federal Information Security Management ...

What state has the toughest consumer protection laws?

These are the states that offer the strongest UDAP protection in the country.

  • Hawaii. Hawaii is named by the NCLC as one of the states with a particularly strong collection of UDAP laws. ...
  • Massachusetts. ...
  • Connecticut. ...
  • Vermont. ...
  • Illinois.


Which US state passed the most stringent consumer data privacy measures in 2018?

California Consumer Privacy Act (CCPA): The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them, and the CCPA regulations provide guidance on how to implement the law.

Do all 50 states have data breach laws?

All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private businesses, and in most states, governmental entities as well, to notify individuals of security breaches of information involving personally identifiable information.

What are the 7 data protections?

The 7 core data protection principles, primarily from GDPR, are: Lawfulness, Fairness, and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitation; Integrity and Confidentiality (Security); and Accountability, guiding organizations to process personal data ethically, legally, and securely by being open, limiting data collection, keeping it accurate, not keeping it longer than needed, securing it, and being able to prove compliance.
 

What is the toughest data privacy law in the world?

The EU general data protection regulation (GDPR) is the strongest privacy and security law in the world. This regulation updated and modernised the principles of the 1995 data protection directive. It was adopted in 2016 and entered into application on 25 May 2018.

Why is everyone updating their privacy policy in September 2025?

These new rules clarify when special categories of personal data may be processed without consent, including for insurance purposes in the public interest and to protect children from emotional or physical harm.

What state has the most strict laws?

According to the State RegData Definitive Edition, the most heavily regulated states in America in 2022 were: California – 403,774. New York – 298,804. New Jersey – 286,933.

Is Texas a right to delete state?

Consumer Rights and Requests

These rights provide consumers with a right to access, correct, delete, and obtain a copy of their personal data, and to opt out of the selling of personal data and/or sharing of personal data for targeted advertising.

What are the four states of privacy?

While different models exist, four commonly cited types of privacy include Information Privacy (control over personal data), Bodily Privacy (control over one's physical self), Territorial Privacy (control over physical space), and Communication Privacy (control over messages and interactions). Another framework categorizes them as Intrusion upon Seclusion, Public Disclosure of Private Facts, False Light Publicity, and Appropriation of name/likeness, focusing on legal invasions.
 

What are the 8 rules of the data protection Act?

Lawfulness, fairness, and transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality; and Accountability. These principles are found right at the outset of the GDPR, and inform and permeate all other provisions of that legislation.

What are the 4 types of data privacy?

The document outlines four types of privacy: physical privacy, which protects against physical harm; territorial privacy, which involves setting boundaries to control access to a locality; communication privacy, which maintains the security of personal data during exchanges; and informational privacy, which focuses on ...

What are the golden rules of data protection?

This module introduces the six fundamental principles of personal data protection: purpose, accuracy, transparency, minimization, security and retention period.

What are the 4 A's of data security?

The adoption of the 4A Data Security Governance framework—comprising Access, Authorization, Authentication, and Audit—serves as a cornerstone in enabling secure, scalable, and role-based access to enterprise data assets.

How can I protect my personal data?

Follow this advice to protect the personal information on your devices and in your online accounts.

  1. Keep Your Software Up to Date.
  2. Secure Your Home Wi-Fi Network.
  3. Protect Your Online Accounts with Strong Passwords and Two-Factor Authentication.
  4. Protect Yourself from Attempts To Steal Your Information.

Why is my iPhone saying my password appeared in a data leak?

An iPhone data leak password alert means a password in your iCloud Keychain was found in a list of credentials stolen from a third-party website or app during a breach. It doesn't mean your iPhone was hacked; rather, the password you used on that compromised service is now vulnerable. Change it immediately on that site and on any others using the same password to prevent hackers from using it to access your accounts via techniques like credential stuffing.
 

Can I sue a company if my data is breached?

You can't sue just because your email got leaked. But when a company's negligence causes measurable harm, it crosses into personal injury territory. You may have a case if you experience: Identity theft or credit fraud linked directly to the breach.

What is the largest data breach in history?

10 Most Impactful Data Breaches Ever

  1. Yahoo – 3,000,000,000 records lost. ...
  2. National Public Data – 2,900,000,000 records lost. ...
  3. River City Media – 1,370,000,000 records lost. ...
  4. Aadhaar – 1,100,000,000 records lost. ...
  5. Indian Council of Medical Research (ICMR) – 815,000,000 records lost. ...
  6. Spambot – 711,000,000 records lost.

What has replaced the data protection Act?

Parts of the UK GDPR have been changed and replaced by the Data (Use and Access) Act 2025. Find out what this means for your legal practice and what you need to do to stay compliant. The Data (Use and Access) Act 2025 (DUAA) amends the: UK General Data Protection Regulation (UK GDPR)

What are the 7 principles of data privacy?

The principles are: Lawfulness, Fairness, and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitations; Integrity and Confidentiality; and Accountability.

Can individuals opt out of their personal data being in the US?

Under state privacy laws, data subjects must have the option to opt out of sale, sharing, targeted advertising, profiling, automated decision-making, or other use of their personal data, depending on the specific data privacy law.