The US privacy landscape has changed considerably in the last few years. At least a dozen US states have enacted comprehensive state privacy laws, and a number of other significant, but more narrowly applicable, state privacy laws have also been enacted. While it would be nearly impossible to cover all of the developments, this page highlights key developments of the past few years in the areas of “omnibus” or comprehensive privacy laws, consumer health privacy laws, and minors’ privacy laws.
STATE COMPREHENSIVE PRIVACY LAWS
The California Consumer Privacy Act (CCPA) of 2018 represented a first-of-its-kind privacy law in the United States. Since the CCPA took effect in 2020, more than ten states have passed “omnibus” or comprehensive state privacy laws, and the CCPA has been substantially amended with the adoption of the California Privacy Rights Act of 2020 (CPRA), approved as a ballot initiative (Proposition 24) by California voters in 2020.
New State Privacy Laws Taking Effect in 2023
On January 1, 2023, the CPRA amendments to the CCPA took effect,[1] as did the Virginia Consumer Data Protection Act, followed by comprehensive privacy laws in Connecticut and Colorado, which took effect July 1, 2023. On December 31, 2023, the Utah Consumer Privacy Act will come into force.
In addition, the Colorado Attorney General finalized the Colorado Privacy Act Regulations, which took effect July 1, 2023, and expand on the requirements of the Colorado Privacy Act. The California Privacy Protection Agency also finalized its first set of CPRA-related amendments to the CCPA Regulations. However, while these modifications were slated to take effect July 1, 2023, a California Superior Court ruling has delayed enforcement of the amended regulations to March 29, 2024.
State Privacy Laws Beyond 2023
Comprehensive privacy laws in several new states are set to take effect over the next few years. You can find a table and timeline of enacted state comprehensive privacy laws and related regulations below.
State | Bill | Law or Regulation | Passed/Enacted | Effective Date |
---|---|---|---|---|
California | Proposition 24 | California Privacy Rights Act of 2020, amending the California Consumer Privacy Act (CCPA)[2]; CPRA Amendments to CCPA Regulations | Nov. 2020 | Jan. 1, 2023; March 29, 2024 |
Virginia | SB 1392 | Virginia Consumer Data Protection Act | | Jan. 1, 2023 |
Colorado | SB 190 (2022) | Colorado Privacy Act; Colorado Privacy Act Regulations | | July 1, 2023; July 1, 2023 |
Connecticut | SB 6 (2022); SB 3 (2023) | Connecticut Data Privacy Act (CDPA); Amendments to CDPA (pertaining to consumer health data and child data) | May 10, 2022; June 26, 2023 | July 1, 2023; July 1, 2024 – July 1, 2025[3] |
Utah | SB 227 (2022) | Utah Consumer Privacy Act | March 24, 2022 | Dec. 31, 2023 |
Tennessee | | Tennessee Information Protection Act (new) | May 24, 2023 | July 1, 2024 |
Texas | HB 4 (2023) | Texas Privacy and Security Act (new) | June 15, 2023 | July 1, 2024 |
Oregon | SB 619 (2023) | Oregon Consumer Privacy Act | July 18, 2023 | July 1, 2024 |
Montana | SB 384 (2023) | Montana Consumer Data Privacy Act (new) | May 19, 2023 | Oct. 1, 2024 |
Iowa | SF 262 | Iowa Consumer Data Protection Act (new) | March 28, 2023 | Jan. 1, 2025 |
Delaware | HB 154 (2023) | Delaware Personal Data Privacy Act | Passed legislature June 30, 2023; awaiting signature of governor. | Jan. 1, 2025 |
Indiana | SB 5 (2023) | Indiana Consumer Data Protection Act (new) | May 1, 2023 | Jan. 1, 2026 |
OTHER NOTABLE STATE PRIVACY LAWS
In addition to so-called “omnibus” or comprehensive state privacy laws, a number of states have passed privacy laws that apply more narrowly but introduce significant new requirements and restrictions. In particular, state privacy laws focused on consumer health data and minors’ online data have been passed in several states and introduced as proposed legislation in many other states.
Highlights of key laws are summarized below.
Washington
Washington My Health My Data
Nevada
Florida
Florida SB 262 and Digital Bill of Rights
California
California Age-Appropriate Design Code
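[1] Enforcement of the CPRA-related amendments to the CCPA Regulations, originally slated to take effect July 1, 2023, has been delayed to March 29, 2024, by a California Superior Court ruling.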
[2] Note the amended law is still referred to as the California Consumer Privacy Act or CCPA.
[3] INSERT EXPLANATION