Iubenda logo
Start generating

Documentation

Table of Contents

US privacy legislations overview

Disclaimer: Please note that this table does not provide exhaustive guidance on each single legislation and their application. For further information, we recommend consulting the link to the official texts of the legislations below.

This table is intended to present an overview of the state-level privacy legislations in the United States (“US”), that have been recently adopted or are expected to be passed in the near future.

The effective date of the bills that have not been passed yet and the content thereof may be subject to changes. The rights granted to users indicated in the table are identified through standard denominations. Although such denominations can overlap, the name attributed in each legislation, the content and the details relating to their exercise may differ.

As most of the US state-level privacy legislations have been broadly inspired by the California Consumer Privacy Act (“CCPA”), the table includes a column that identifies the specific elements of each legislation resembling the CCPA.

  • Legislations already in force (highlighted in green)          
  • Legislations adopted but not in force (highlighted in yellow)          
  • Bills expected to be passed in the next five years (no highlight)

US privacy cheatsheet – Comparison table

Questions
nevada-flagNevada
california-flagCalifornia
colorado-flagColorado
virginia-flagVirginia
iowa-flagIowa
maryland-flagMaryland
illinois-flagIllinois
minnesota-flagMinnesota
alabama-flagAlabama
connecticut-flagConnecticut
oklahoma-flagOklahoma
washington-flagWashington
newyork-flagNew York
massachussetts-flagMassachussetts
utah-flagUtah
arizona-flagArizona
kentucky-flagKentucky
Date of entry into force

2017
Subsequent amendments in 2019 and 2021, with latest version becoming effective on: 1 Oct 2021

1 Jan 2023

1 Jul 2023

1 Jan 2023

No comprehensive privacy legislation currently available

N/A

No comprehensive privacy legislation currently available

No comprehensive privacy legislation currently available

No comprehensive privacy legislation currently available

1 Jul 2023

No comprehensive privacy legislation currently available

No comprehensive privacy legislation currently available

No comprehensive privacy legislation currently available

No comprehensive privacy legislation currently available

31 Dec 2023

No comprehensive privacy legislation currently available

No comprehensive privacy legislation currently available

Does it apply to me?

It applies to you if you fall into the category of either Data collector, namely any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.

Operators and data brokers are also included.

The law applies to you if you’re Business (whether based in California or not) that targets Californian residents.

Read more about what a business is under the CCPA here.

The law applies to you if you’re a legal entity that does business in Colorado or produces commercial products or services that intentionally targets Colorado residents and

  • controls or processes personal data of at least 100K consumers per year, or
  • control or process the personal data of at least 25,000 consumers and derive revenue (or receive a discount on the price of goods or services) from the sale of personal data.

The law applies to you if you’re a person that does business in Virginia or who targets Virginia residents and:

  • controls or processes personal data of at least 100K consumers per year, or
  • controls or processes personal data of at least 25K consumers and with over 50% of the gross revenue coming from the sale of personal data.

The law applies to you if you’re a Business (whether based in Maryland or not) that targets Maryland’s residents.

The law applies to you if you’re a Business (whether based in Connecticut or not) that targets Connecticut residents and that:

  • during a calendar year, control or process personal data of not less than 100,000 consumers; or
  • control or process personal data of not less than 25,000 consumers and derive more than 50% of their gross revenue from the sale of personal data.

The law applies to any controller or processor who conducts business in Utah or produces a product or service that is targeted to residents of Utah, has annual revenue of $25,000,000 minimum, and satisfies one or more of the following:

  • during a calendar year, controls or processes personal data of 100,000 or more consumers; or
  • derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

Who does it protect?

Residents of Nevada

Consumers. Natural persons who reside in the state of California.

Consumers. An individual who is a Colorado resident acting only in an individual or household context.

Consumers. Natural persons who reside in the state of Virginia.

Consumers. An individual who is a resident of Maryland.

Consumers. A natural person who is a resident of Connecticut

Consumer. An individual who is a resident of the state acting in anindividual or household context.

Which kind of data does the law apply to?

Any unencrypted Personal information.

Personal information that could reasonably be linked with a particular consumer or household.

Personal data. Information that is linked or reasonably linkable to an identified or identifiable individual.

Personal data* that could be reasonably associated with a natural person.

*Does not include de-identified data or publicly available information.

Personal information that could reasonably be linked with a particular consumer or the consumer’s device.

Personal data* that could be reasonably associated with a natural person.

*Does not include de-identified data or publicly available information.

Personal data. Information that is linked or reasonably linkable to an identified or identifiable individual.

What rights does the law grant to users?

The right to opt-out of the sale or sharing of their personal information.

  • Right to know and access
  • Right to delete personal information
  • Right to correct inaccurate personal information
  • Right to opt-out of the sale or sharing of personal information
  • Right to limit the use/disclosure of sensitive personal information
  • Right to non-discrimination for the exercise of consumers’ privacy rights

Read here for more info on CCPA consumer rights.

  • Rights of access and data portability
  • Right to correction
  • Right to deletion
  • Right to opt-out of processing for purposes of targeted advertising, profiling, or the sale of personal data.

  • Rights of access and data portability
  • Right to erasure
  • Right to rectification
  • Right to opt-out of processing for purposes of targeted advertising, profiling, or the sale of personal data.

  • Right of access
  • Right to erasure
  • Right to information portability
  • Right to opt out of the sale of personal information

  • Right to rectification
  • Right to erasure
  • Right to data portability
  • Right to opt-out of the processing of the personal data for purposes of
    • targeted advertising
    • the sale of personal data
    • profiling

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to data portability
  • Right to opt-out of the processing of the consumer’s personal data for purposes of:
    • targeted advertising
    • the sale of personal data
    • profiling

Do I need to provide a privacy notice?

YES

YES

YES

YES

YES

YES

YES

Are trackers (e.g. cookies) regulated?

NO

NO

NO

NO

NO

NO

NO

What are the consequences for violation of the law?

Civil penalty for violation or injunction. Civil penalties up to $5,000 per violation.

Fines of $2,500 per unintentional violation or $7,500 if the violation is intentional or involves the personal information of a child.

Fines of up to $500,000 in total for any related series of violations (not more than $2,000 per individual violation).

Penalty fines of up to $7,500 for each violation.

Amount not specified in the Bill.

Penalty fine of up to $7,500 for each violation, plus expenses incurred by the Advocate General in investigating and preparing the case, including attorney fees.

Not mentioned


Nevada

Entry into force 1 Oct 2019:
https://www.leg.state.nv.us/NRS/NRS-603A.html#NRS603ASec330

Amended version in force as of 1 Oct 2021:

California

California Privacy Rights Act
https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5

Virginia

Virginia Consumer Data Protection Act
https://lis.virginia.gov/cgi-bin/legp604.exe?212+sum+SB1392

Vermont

Vermont Consumer Protection in Data and Technology Act
https://legislature.vermont.gov/bill/status/2022/H.75

Florida

The Florida Information Protection Act (FIPA)
http://www.leg.state.fl.us/Statutes/index.cfm?App_mode=Display_Statute&URL=0500-0599/0501/Sections/0501.171.html

Maryland

Maryland Online Consumer Protection Act
http://mgaleg.maryland.gov/mgawebsite/Legislation/Details/SB0930?ys=2021RS

Illinois

Illinois Consumer Privacy Act
https://legiscan.com/IL/text/HB3910/id/2302440

Minnesota

Minnesota Consumer Data Privacy Act
https://www.revisor.mn.gov/bills/bill.php?b=House&f=HF1492&ssn=0&y=2021

Alabama

Alabama Consumer Privacy Act
http://alisondb.legislature.state.al.us/alison/searchableinstruments/2021RS/bills/HB216.htm

Connecticut

https://www.cga.ct.gov/asp/cgabillstatus/cgabillstatus.asp?selBillType=Bill&bill_num=SB00893&which_year=2021

Oklahoma

Oklahoma Computer Data Privacy Act
http://www.oklegislature.gov/BillInfo.aspx?Bill=hb2968&Session=2200

Washington

Washington People’s Privacy Act
https://app.leg.wa.gov/billsummary?BillNumber=1433&Year=2021&Initiative=false

New York

New York Privacy Act
https://www.nysenate.gov/legislation/bills/2021/A680

Massachusetts

Massachusetts Information Privacy Act
https://malegislature.gov/Bills/192/SD1726

Utah

Utah Consumer Privacy Act
https://le.utah.gov/~2021/bills/static/SB0200.html

Arizona

https://apps.azleg.gov/BillStatus/BillOverview/76066

Kentucky

https://apps.legislature.ky.gov/record/21rs/hb408.html

Are you or your users based in the US?

Figuring out how to be compliant with US legislations can be tricky. Make sure to check out this short guide:

👉 Marketer Operating on a Global Scale? Avoid this 1 Mistake