Data Privacy Laws by State: A Complete US Guide
The United States takes a patchwork approach to data privacy. With no comprehensive federal privacy law, protection depends on where you live, what sector your data falls under, and which companies handle it. Twenty states have enacted their own comprehensive consumer privacy laws, while all 50 states require businesses to notify consumers after a data breach. This guide covers every state.
The US Data Privacy Landscape
Unlike the European Union, which adopted a single regulation (the GDPR) covering all member states, the United States has no equivalent omnibus privacy statute. Instead, American data privacy operates on two tracks: federal laws that regulate specific industries, and state laws that fill the gaps with varying levels of ambition.
The federal track includes HIPAA for healthcare data, GLBA for financial data, COPPA for children under 13, and the FTC Act for unfair or deceptive data practices. These laws are powerful within their scope but leave vast categories of personal data unregulated at the federal level.
The state track has accelerated dramatically since California enacted the CCPA in 2018. As of 2026, twenty states have comprehensive privacy laws in effect, covering consumer rights like the ability to access, delete, and opt out of the sale of personal data. The remaining 30 states rely primarily on data breach notification laws and consumer protection statutes to address privacy concerns.
States With Comprehensive Privacy Laws
These 20 states have enacted omnibus consumer data privacy laws granting residents specific rights over their personal data. Click any state for the full guide including statute citations, consumer rights, penalties, and compliance requirements.
| State | Law | Effective |
|---|---|---|
| California | CCPA/CPRA | 2020 |
| Virginia | VCDPA | 2023 |
| Colorado | CPA | 2023 |
| Connecticut | CTDPA | 2023 |
| Utah | UCPA | 2023 |
| Oregon | OCPA | 2024 |
| Montana | MCDPA | 2024 |
| Texas | TDPSA | 2024 |
| Florida | FDBR | 2024 |
| Delaware | DPDPA | 2025 |
| Iowa | ICDPA | 2025 |
| Nebraska | NDPA | 2025 |
| New Hampshire | NHPA | 2025 |
| New Jersey | NJDPA | 2025 |
| Tennessee | TIPA | 2025 |
| Minnesota | MCDPA | 2025 |
| Maryland | MODPA | 2025 |
| Indiana | INCDPA | 2026 |
| Kentucky | KCDPA | 2026 |
| Rhode Island | RIDTPPA | 2026 |
Federal Privacy Framework
While there is no comprehensive federal data privacy law, several sector-specific statutes provide strong protections within their domains.
| Law | Protects | Enforced By |
|---|---|---|
| HIPAA | Health data | HHS OCR |
| GLBA | Financial data | FTC, banking regulators |
| COPPA | Children under 13 | FTC |
| FERPA | Education records | Dept. of Education |
| FTC Act Sec. 5 | Unfair/deceptive practices | FTC |
| FCRA | Credit reports | CFPB, FTC |
| ECPA/SCA | Electronic communications | DOJ |
| TCPA | Telemarketing, robocalls | FCC |
The American Privacy Rights Act (APRA) was the most recent attempt at a comprehensive federal privacy law. It passed a House subcommittee in May 2024 but was never brought to a full committee vote. The bill expired when the 118th Congress adjourned and has not been reintroduced in the 119th Congress.
Data Breach Notification Laws
All 50 states and the District of Columbia require businesses to notify individuals when their personal information is compromised in a data breach. Alabama was the last state to enact a breach notification law in 2018. While every state has one, the specific requirements vary significantly.
Notification timelines range from 30 days (California, Colorado, New York, and Florida) to 45 days (North Carolina, Ohio) to no specific deadline at all (many states use "without unreasonable delay" or "most expedient time possible"). Iowa gives businesses the longest cure period at 90 days. Most states require attorney general notification when breaches exceed a threshold, typically 250 to 1,000 affected residents.
Penalties for failing to notify range from minimal in some states to substantial in others. Texas can impose $100 to $250,000 per breach plus $50,000 per day for delayed notification. Florida assesses $1,000 per day for the first 30 days, escalating to $50,000 per 30-day period, with a $500,000 cap. Massachusetts allows private treble-damages suits under Chapter 93A.
Biometric Privacy Laws
Three states have standalone biometric privacy statutes. Illinois BIPA (740 ILCS 14) is the most consequential, providing a private right of action with damages of $1,000 per negligent violation and $5,000 per intentional violation. Major settlements include Facebook ($650 million), BNSF Railway ($228 million jury verdict), Google ($100 million), and TikTok ($92 million).
Texas CUBI (Bus. & Com. Code Ch. 503) carries penalties up to $25,000 per violation but is enforced only by the attorney general. The Texas AG secured a $1.4 billion settlement with Meta for biometric data violations in 2024. Washington HB 1493 covers biometric identifiers except facial geometry and is enforced under the Consumer Protection Act.
Beyond these standalone laws, most comprehensive state privacy statutes classify biometric data as "sensitive data" requiring opt-in consent before collection, including California, Colorado, Connecticut, Virginia, Oregon, Delaware, Maryland, and Minnesota.
Consumer Rights Under State Law
Comprehensive state privacy laws grant consumers a set of rights over their personal data. While the specifics vary, most states provide these core protections:
- Right to know/access: Request what personal data a business has collected about you. Available in all 20 comprehensive law states.
- Right to delete: Request that a business delete your personal data. Available in all 20 states, though some limit this to data you provided directly.
- Right to opt out of sale: Tell businesses not to sell your personal data or use it for targeted advertising. Available in all 20 states.
- Right to correct: Request that a business fix inaccurate personal data. Available in 18 states (not Iowa or Utah, though Utah adds this in 2026).
- Right to portability: Receive a copy of your data in a portable, machine-readable format. Available in all 20 states.
- Right to non-discrimination: Businesses cannot penalize you for exercising your privacy rights. Explicit in most states.
Minnesota stands out with the broadest consumer rights, including the right to question automated profiling decisions and obtain explanations of the reasoning behind them. Maryland has the strongest data minimization requirements, limiting what businesses can collect regardless of consumer consent. Rhode Island uniquely requires businesses to disclose not just current data recipients but potential future recipients as well.
Enforcement and Penalties
State data privacy laws are enforced almost exclusively by state attorneys general. California is the only state with a dedicated privacy enforcement agency (the California Privacy Protection Agency, or CPPA). No state provides a general private right of action for privacy violations; California is the only state whose comprehensive privacy law includes any private right of action, and that right is limited to data breach scenarios.
Penalties vary significantly. Texas has led enforcement with its $1.375 billion settlement with Google and $1.4 billion settlement with Meta in 2024. California's CPPA issued its largest fine of $1.35 million against Tractor Supply Company in October 2025. Connecticut secured the first CTDPA monetary penalty of $85,000 against TicketNetwork in July 2025.
Cure periods are another key distinction. Several states (New Jersey, Minnesota, Rhode Island) have no cure period, allowing enforcement immediately. Others maintain permanent cure periods (Virginia, Utah, Iowa, Kentucky, Indiana) that require the attorney general to give businesses time to fix violations before imposing penalties.
Find Your State
Select your state below for a detailed guide to its data privacy laws, including breach notification requirements, consumer rights, penalties, and relevant federal protections. States with comprehensive privacy laws are highlighted.
For data privacy laws outside the United States, see our World Data Privacy Laws guide covering GDPR, national data protection laws, and regulatory frameworks in 70+ countries.
This information is general legal information, not legal advice. Data privacy laws change frequently. Consult an attorney for advice specific to your situation.
Frequently Asked Questions
Which states have comprehensive data privacy laws?
As of 2026, twenty states have enacted comprehensive consumer data privacy laws: California, Virginia, Colorado, Connecticut, Utah, Oregon, Montana, Texas, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, and Florida. Each law varies in scope, consumer rights, and enforcement mechanisms. California, Virginia, Colorado, and Connecticut were the earliest adopters (2020 to 2023), while Indiana, Kentucky, and Rhode Island took effect on January 1, 2026.
What rights do consumers have under state data privacy laws?
Most comprehensive state privacy laws grant consumers five core rights: the right to know what personal data a business collects, the right to delete personal data, the right to opt out of the sale of personal data or targeted advertising, the right to correct inaccurate data, and the right to data portability (receiving a copy of your data in a usable format). Iowa is the narrowest, offering only access, deletion, portability, and opt-out of sale. Minnesota is the broadest, adding a right to question automated profiling decisions.
Is there a federal data privacy law in the United States?
No. The United States does not have a single, comprehensive federal data privacy law like the EU's GDPR. Instead, federal law addresses specific sectors: HIPAA covers health data, GLBA covers financial data, COPPA protects children under 13, FERPA governs education records, and the FTC Act prohibits unfair or deceptive data practices. The American Privacy Rights Act (APRA) was the most recent federal attempt, passing a House subcommittee in May 2024, but it expired without a full vote and has not been reintroduced.
What is a data breach notification law?
Data breach notification laws require businesses to notify affected individuals (and usually the state attorney general) when personal information like Social Security numbers, financial account data, or biometric identifiers is accessed by unauthorized parties. All 50 states plus the District of Columbia have enacted these laws. Notification timelines range from 30 days (California, Colorado, New York) to 60 days (Texas, Florida) to no specific deadline ("without unreasonable delay" in many states). Alabama was the last state to adopt a breach notification law, in 2018.
Can I sue a company for violating my data privacy in the United States?
In most states, no. Only California provides a private right of action under its data privacy law, and it is limited to data breach situations (not general privacy violations). The other 19 comprehensive state privacy laws are enforced exclusively by the state attorney general. However, Massachusetts allows treble damages under Chapter 93A for breach notification violations, and Illinois BIPA permits private lawsuits for biometric data misuse with statutory damages of $1,000 to $5,000 per violation.
Do data privacy laws apply to small businesses?
It depends on the state. Most comprehensive privacy laws set applicability thresholds based on the number of consumers whose data a business processes (commonly 100,000) or the share of revenue derived from selling data (usually 25% to 50%). Texas and Nebraska are notable exceptions that apply to all businesses except those meeting the SBA small business definition. Utah has the highest combined threshold, requiring both $25 million in revenue and 100,000 consumers. Every state's data breach notification law applies to businesses of all sizes.
What is the difference between CCPA and GDPR?
The California Consumer Privacy Act (CCPA/CPRA) and the EU's General Data Protection Regulation (GDPR) are both comprehensive privacy frameworks, but they differ in significant ways. GDPR requires a lawful basis for all data processing and applies to all organizations, while CCPA applies only to for-profit businesses meeting revenue or data volume thresholds. GDPR grants a broader right to erasure and requires Data Protection Officers, while CCPA uniquely provides an opt-out of the "sale" and "sharing" of personal information. GDPR penalties reach up to 4% of global revenue; CCPA penalties top out at roughly $7,988 per violation.
What are biometric privacy laws?
Biometric privacy laws specifically regulate the collection and use of biometric identifiers such as fingerprints, facial scans, iris scans, and voiceprints. Illinois BIPA is the most significant, providing a private right of action with damages of $1,000 to $5,000 per violation. Major settlements include Facebook ($650 million), BNSF Railway ($228 million jury verdict), and Google ($100 million). Texas CUBI and Washington HB 1493 also have standalone biometric laws but are enforced only by the attorney general. Many comprehensive state privacy laws classify biometric data as "sensitive data" requiring opt-in consent.
Sources and References
- California Consumer Privacy Act (Cal. Civ. Code 1798.100-1798.199.100) (leginfo.legislature.ca.gov)
- Virginia Consumer Data Protection Act (Va. Code 59.1-575 to 59.1-585) (law.lis.virginia.gov)
- Colorado Privacy Act (C.R.S. 6-1-1301 to 6-1-1313) (leg.colorado.gov)
- Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541) (statutes.capitol.texas.gov)
- HIPAA Privacy Rule (hhs.gov)
- FTC Act Section 5 (15 U.S.C. 45) (ftc.gov)
- COPPA Rule (16 CFR Part 312) (ftc.gov)
- Illinois Biometric Information Privacy Act (740 ILCS 14) (ilga.gov)
- NCSL Security Breach Notification Laws (ncsl.org)
- Maryland Online Data Privacy Act (SB 541) (mgaleg.maryland.gov)