US privacy legislations overview

Disclaimer: Please note that this table does not provide exhaustive guidance on the individual legislations and their application. For further information, we recommend consulting the links to the official texts of the legislations listed below.

  • Legislations already in force (highlighted in green)          
  • Legislations adopted but not in force (highlighted in yellow)          
  • Bills expected to be passed in the next five years (no highlight)

US privacy cheatsheet – Comparison table

Questions
Nevada
California
Colorado
Virginia
Iowa
Maryland
Illinois
Minnesota
Alabama
Connecticut
Oklahoma
Washington
New York
Massachusetts
Utah
Arizona
Kentucky
Date of entry into force

1 Oct 2019

1 Jan 2020

1 Jul 2023

1 Jul 2023

1 Jan 2024

N/A

1 Jul 2022

31 Jul 2022

1 Oct 2022

1 Jul 2023

1 Jan 2023

N/A

N/A

N/A

31 Dec 2023

N/A

N/A

Does it apply to me?

It applies to you if you fall into the category of either Data collector or Operator, whether you’re based in the State of Nevada or not. The law applies to businesses/entities that operate online and those that do not.

The law applies to you if you’re a Business (whether based in California or not) that targets Californian residents.

Read more about what a business is under the CCPA here

The law applies to you if you’re a legal entity that does business in Colorado or produces commercial products or services that intentionally target Colorado residents and:

  • controls or processes personal data of at least 100K consumers per year, or
  • controls or processes the personal data of at least 25,000 consumers and derives revenue (or receives a discount on the price of goods or services) from the sale of personal data.

The law applies to you if you’re a person that does business in Virginia or who targets Virginia residents and:

  • controls or processes personal data of at least 100K consumers per year, or
  • controls or processes personal data of at least 25K consumers and with over 50% of the gross revenue coming from the sale of personal data.

The law applies to you if you’re a Business (whether based in Maryland or not) that targets Maryland’s residents.

The law applies to you if you’re a Business (whether based in Illinois or not) that targets Illinois’ residents.

The law applies to you if you’re a legal entity that conducts business in Minnesota or produces products or services that are targeted to residents of Minnesota and that meets one or more of the following:

  • during a calendar year, controls or processes personal data of 100,000 consumers or more; or
  • derives over 25% of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.

The law applies to you if you’re a Business (whether based in Alabama or not) that targets Alabama’s residents.

The law applies to you if you’re a Business (whether based in Connecticut or not) that targets Connecticut residents and that:

  • during a calendar year, controls or processes personal data of not less than 100,000 consumers; or
  • controls or processes personal data of not less than 25,000 consumers and derives more than 50% of its gross revenue from the sale of personal data.

The law applies to you if you’re a business that

  • does business in Oklahoma;
  • collects consumers’ personal information or has the information collected alone or in conjunction with others; and
  • determines the purpose for and means of processing consumers’ personal information.

The law applies to you if you’re a covered entity, defined as a non-governmental entity (person or legal entity) conducting business in the State that processes personal information and:

  • has earned or received $10,000,000 or more of annual revenue through 300 or more transactions; or
  • processes and/or maintains the captured personal information of 1,000 or more unique individuals during the course of a calendar year.

The law applies to you if you’re a legal entity that conducts business in New York state or produces products or services that are intentionally targeted to residents of New York state.

The law applies to you if you’re a controller or processor that conducts business in Massachusetts AND a controller or processor not established in Massachusetts where its processing activities are related to:

  • the offering of goods or services that are targeted to individuals; or
  • the monitoring of behavior of individuals where such behavior takes place in the Commonwealth.

The law applies to any controller or processor who conducts business in Utah or produces a product or service that is targeted to residents of Utah, has annual revenue of $25,000,000 minimum, and satisfies one or more of the following:

  • during a calendar year, controls or processes personal data of 100,000 or more consumers; or
  • derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

The law applies to legal entities with an annual gross revenue of at least $25,000,000 that conduct business in Arizona or produce products or services that are intentionally targeted to residents of Arizona and that meet one or more of the following:

  • control or process data of at least 100,000 consumers;
  • derive over 35% of gross revenue from the sale of personal information and process or control personal information of at least 25,000 consumers.

The law applies to businesses defined as:
Entities organized or operated for commercial purposes that collect and maintain personal information from consumers who reside in Kentucky. Their activity is directed toward Kentucky and Kentucky residents, in line with the United States Constitution. Moreover, they have to satisfy one or more of the following:

  • annual gross revenues in excess of $25,000,000;
  • alone or in combination, annually buy, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices;
  • derive 50% or more of their annual revenues from selling consumers’ personal information.

Who does it protect?

Residents of Nevada

Consumers. Natural persons who reside in the state of California.

Consumers. An individual who is a Colorado resident acting only in an individual or household context.

Consumers. Natural persons who reside in the state of Virginia.

Consumers. An individual who is a resident of Maryland.

Consumers. Natural persons who reside in the state of Illinois.

Consumer. A natural person who is a Minnesota resident acting only in an individual or household context.

Consumers. An individual who is a resident of Alabama.

Consumers. A natural person who is a resident of Connecticut.

Consumers. A natural person who is a resident of Oklahoma.

Individuals. A natural person who is a Washington state resident.

Consumers. A natural person who is a New York resident.

Individual. A natural person who is a resident of Massachusetts.

Consumer. An individual who is a resident of the state acting in an individual or household context.

Consumer. A natural person who is a resident of Arizona acting only in an individual, noncommercial or household context.

Consumer. A person who seeks or acquires, by purchase or lease, any good, service, money, or credit for personal, family, or household purposes.

Which kind of data does the law apply to?

Any unencrypted Personal information.

Personal information that could reasonably be linked with a particular consumer or household.

Personal data. Information that is linked or reasonably linkable to an identified or identifiable individual.

Consumers. Natural persons who reside in the state of Virginia.

Personal information that could reasonably be linked with a particular consumer or the consumer’s device.

Personal information that could reasonably be linked with a particular consumer or household.

Personal data* that could be reasonably associated with a natural person.

*Does not include de-identified data or publicly available information.

Personal information that could reasonably be linked with a particular consumer or household.

Personal data* that could be reasonably associated with a natural person.

*Does not include de-identified data or publicly available information.

Personal data* that could be reasonably associated with a natural person.

*Does not include de-identified data or publicly available information.

Personal information that could reasonably be linked with a particular consumer or household or device if it can be used on its own or in combination with other information.

The Bill uses “Personal data,” meaning information relating to an identified or identifiable natural person. Personal data includes personal identifiers (name, gender identity, sexual orientation, physical characteristics or description, etc.), commercial information, information related to internet activity, geolocation data, etc.

Personal information that could reasonably be linked with a particular consumer or household or device if it can be used on its own or in combination with other information.

Personal data. Information that is linked or reasonably linkable to an identified or identifiable individual.

Personal data and personal information that could reasonably be linked to an identified or identifiable natural person. It includes sensitive data.

Personal data and personal information that could reasonably be linked to an identified or identifiable natural person. It includes sensitive data.

What rights does the law grant to users?

The right to opt-out of the sale or sharing of their personal information.

  • Rights of access and portability
  • Right to erasure
  • Right to rectification
  • Right to opt-out of the sale or sharing of personal information

Read here for more info on CCPA consumer rights.

  • Rights of access and data portability
  • Right to correction
  • Right to deletion
  • Right to opt-out of processing for purposes of targeted advertising, profiling, or the sale of personal data.

  • Rights of access and data portability
  • Right to erasure
  • Right to rectification
  • Right to opt-out of processing for purposes of targeted advertising, profiling, or the sale of personal data.

  • Right of access
  • Right to erasure
  • Right to information portability
  • Right to opt out of the sale of personal information

  • Right of access
  • Right to erasure
  • Right to information portability
  • Right to opt out of the sale of personal information

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to data portability
  • Right to opt out of the sale of personal information

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to data portability
  • Right to opt out of the sale of personal information
  • Right to opt in for minors (less than 18y of age)

  • Right to rectification
  • Right to erasure
  • Right to data portability
  • Right to opt-out of the processing of the personal data for purposes of
    • targeted advertising
    • the sale of personal data
    • profiling

  • Right of access
  • Right to erasure
  • Right to opt out of the sale of personal information

  • Right to know what personal information is processed
  • Right of access
  • Right to rectification

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to opt out of the sale of personal data

  • Right of access
  • Right to data portability
  • Right to rectification
  • Right to erasure
  • Right to opt out of the sale of personal information
  • Right to Limit Use and Disclosure of Sensitive Information

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to data portability
  • Right to opt-out of the processing of the consumer’s personal data for purposes of:
    • targeted advertising
    • the sale of personal data
    • profiling

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to object to the processing of personal data

Right to opt out of the sale of personal information

Do I need to provide a privacy notice?

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

Not specified.

YES

Are trackers (e.g. cookies) regulated?

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

What are the consequences for violation of the law?

Civil penalty for violation or injunction.

Fines of $2,500 per unintentional violation or $7,500 if the violation is intentional or involves the personal information of a child.

Fines of up to $500,000 in total for any related series of violations (not more than $2,000 per individual violation).

Penalty fines of up to $7,500 for each violation.

Amount not specified in the Bill.

Penalty fines of:

  • $2,500 for each violation; or
  • $7,500 for each intentional violation.

Penalty fines up to $7,500 for each violation.

Penalties to be established in accordance with requirements disclosed in the Act.

Penalty fine of up to $7,500 for each violation, plus expenses incurred by the Advocate General in investigating and preparing the case, including attorney fees.

Penalty fines of:

  • $2,500 for each violation; or
  • $7,500 if the violation is intentional.

The law also grants affected consumers the right to sue the business.

Damages of $10,000 per violation or higher amount.

Penalty fines of up to $25,000 per violation or up to 4% of the annual revenue of the covered entity, data processor, or third party, whichever is greater.

Liability for damages and civil penalty.

Civil penalty of up to $10,000 for each violation.

Not mentioned

Penalty fines of:

  • $2,500 for each violation; or
  • $7,500 for each intentional violation.

Penalty fines of up to $5,000 for each violation.


Nevada

Entry into force 1 Oct 2019:
https://www.leg.state.nv.us/NRS/NRS-603A.html#NRS603ASec330

Amended version in force as of 1 Oct 2021:

California

California Privacy Rights Act
https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5

Virginia

Virginia Consumer Data Protection Act
https://lis.virginia.gov/cgi-bin/legp604.exe?212+sum+SB1392

Vermont

Vermont Consumer Protection in Data and Technology Act
https://legislature.vermont.gov/bill/status/2022/H.75

Florida

The Florida Information Protection Act (FIPA)
http://www.leg.state.fl.us/Statutes/index.cfm?App_mode=Display_Statute&URL=0500-0599/0501/Sections/0501.171.html

Maryland

Maryland Online Consumer Protection Act
http://mgaleg.maryland.gov/mgawebsite/Legislation/Details/SB0930?ys=2021RS

Illinois

Illinois Consumer Privacy Act
https://legiscan.com/IL/text/HB3910/id/2302440

Minnesota

Minnesota Consumer Data Privacy Act
https://www.revisor.mn.gov/bills/bill.php?b=House&f=HF1492&ssn=0&y=2021

Alabama

Alabama Consumer Privacy Act
http://alisondb.legislature.state.al.us/alison/searchableinstruments/2021RS/bills/HB216.htm

Connecticut

https://www.cga.ct.gov/asp/cgabillstatus/cgabillstatus.asp?selBillType=Bill&bill_num=SB00893&which_year=2021

Oklahoma

Oklahoma Computer Data Privacy Act
http://www.oklegislature.gov/BillInfo.aspx?Bill=hb2968&Session=2200

Washington

Washington People’s Privacy Act
https://app.leg.wa.gov/billsummary?BillNumber=1433&Year=2021&Initiative=false

New York

New York Privacy Act
https://www.nysenate.gov/legislation/bills/2021/A680

Massachusetts

Massachusetts Information Privacy Act
https://malegislature.gov/Bills/192/SD1726

Utah

Utah Consumer Privacy Act
https://le.utah.gov/~2021/bills/static/SB0200.html

Arizona

https://apps.azleg.gov/BillStatus/BillOverview/76066

Kentucky

https://apps.legislature.ky.gov/record/21rs/hb408.html