The US privacy landscape has changed considerably in the last few years.   Significantly, at least a dozen US states have enacted comprehensive state privacy laws and a number of other significant, but more narrowly applicable, state privacy laws have been enacted. While it would be nearly impossible to cover all of the developments, this page highlights key developments in the past few years, in the areas of “omnibus” or comprehensive privacy laws, consumer health privacy laws, and minor privacy laws. 


The California Consumer Privacy Act (CCPA) of 2018 represented a first-of-its-kind privacy law in the United States. Since the CCPA took effect in 2020, more than ten states have passed “omnibus” or comprehensive state privacy laws, and the CCPA has been substantially amended with the adoption of the California Privacy Rights Act of 2020 (CPRA), approved as a ballot initiative (Proposition 24) by California voters in 2020.   

New State Privacy Laws Taking Effect in 2023

On January 1, 2023, the CPRA amendments to the CCPA took effect,[1] as did the Virginia Consumer Data Protection Act, followed by comprehensive privacy laws in Connecticut and Colorado, which took effect July 1, 2023.  On December 31, 2023, the Utah Consumer Privacy Act will come into force.

In addition, the Colorado Attorney General finalized the Colorado Privacy Act Regulations, which took effect July 1, 2023, and expand on the requirements of the Colorado Privacy Act.  The California Privacy Protection Agency also finalized its first set of CPRA-related amendments to the CCPA Regulations.  However, while these modifications were slated to take effect July 1, 2023, a ruling from California Superior Court has delayed enforcement of the amended regulations to March 29, 2024.  

State Privacy Laws Beyond 2023

Comprehensive privacy laws in several new states are set to take effect over the next few years.  You can find a table and timeline of enacted state comprehensive privacy laws and related regulations below.

StateBillLaw or RegulationPassed/ EnactedEffective Date
CaliforniaProposition 24California Privacy Rights Act of 2020, amending the California Consumer Privacy Act (CCPA)[2]

CPRA Amendments to CCPA Regulations
Nov. 2020Jan 1, 2023

March 29, 2024
VirginiaSB 1392Virginia Consumer Data Protection ActJan 1, 2023
ColoradoSB 190
Colorado Privacy Act
Colorado Privacy Act Regulations 
July 1, 2023

July 1, 2023
ConnecticutSB 6 (2022)
SB 3 (2023
Connecticut Data Privacy Act (CDPA)
Amendments to CDPA (pertaining to consumer health data and child data)
May 10, 2022

June 26, 2023
July 1, 2023

July 1, 2024 – July 1, 2025[3]

UtahSB 227 (2022)Utah Consumer Privacy ActMarch 24, 2022December 31, 2023
TennesseeTennessee Information Protection Act (new)​May 24, 2023July 1, 2024​
TexasHB 4 (2023Texas Privacy and Security Act (new)​June 15, 2023​July 1, 2024​
OregonSB 619 (2023)Oregon Consumer Privacy ActJuly 18, 2023July 1, 2024​
MontanaSB 384 (2023)Montana Consumer Data Privacy Act (new)​May 19, 2023​Oct. 1, 2024​
IowaSF 262Iowa Consumer Data Protection Act (new)​March 28, 2023Jan. 1, 2025​
DelawareHB 154 (2023)Delaware Personal Data Privacy ActPassed legislature June 30, 2023; awaiting signature of governor.January 1, 2025
IndianaSB 5 (2023Indiana Consumer Data Protection Act (new)​May 1, 2023​Jan. 1, 2026​
Last Updated: September 2023


In addition to so-called “omnibus” or comprehensive state privacy laws, a number of states have passed significant privacy laws that introduce significant new requirements and restrictions but apply more narrowly.  In particular, state privacy laws focused on consumer health data and minor’s online data have been passed in several state and introduced as proposed legislation in many other states.

Highlights of key laws are summarized below.


Washington My Health My Data


Nevada S.B. 370 


Florida SB 262 and Digital Bill of Rights


California Age-Appropriate Design Code


[2] Note the amended law is still referred to as the California Consumer Privacy Act or CCPA.