Date of entry into force
Nevada: 2017. Subsequent amendments in 2019 and 2021, with the latest version effective on 1 Oct 2021.
California Privacy Rights Act (CPRA)
1 Jan 2023
The CPRA becomes effective on 1 Jan 2023. It expands on a few key elements of the CCPA and can be thought of as a more comprehensive iteration of that law.
Colorado Privacy Act
1 Jul 2023
Virginia Consumer Data Protection Act (VCDPA)
1 Jan 2023
Connecticut: An Act Concerning Personal Data Privacy and Online Monitoring
1 Jul 2023
Utah Consumer Privacy Act
31 Dec 2023
Maryland Online Consumer Personal Information Privacy Act
No comprehensive privacy legislation currently available
The bill died after passing third reading in the Senate, while pending reading in the House, because of an unfavorable report from the Economic Matters Committee. Maryland has enacted, and regularly updated and amended, the Personal Information Protection Act (PIPA), which is a sectoral rather than comprehensive privacy act, as it mainly focuses on data breaches.
A Bill for an Act relating to consumer data protection
No comprehensive privacy legislation currently available
The bill, pending first reading in the Senate, was deferred to the Judiciary Committee. It appears to be dead and no further information is available.
Consumer Privacy Act
No comprehensive privacy legislation currently available
The bill died during the 2021 legislative session and no further information is available. Illinois does not appear to have adopted a comprehensive privacy law to date.
Consumer Data Privacy Act
No comprehensive privacy legislation currently available
The bill did not complete the legislative procedure and there are no updates; it appears to have died after failing to pass the Minnesota House Commerce Finance and Policy Committee before the end of the legislative session. Minnesota does not appear to have adopted a comprehensive privacy law to date.
Consumer Privacy Act
No comprehensive privacy legislation currently available
The bill died after failing to pass the Alabama House Technology and Research Committee before the end of the legislative session on May 30, 2021; no further information is available.
The Oklahoma Computer Data Privacy Act
No comprehensive privacy legislation currently available
The bill, pending second reading in the Senate, was deferred to the Judiciary Committee and then to the Appropriations Committee. It appears to be dead and no further information is available.
People’s Privacy Act
No comprehensive privacy legislation currently available
The bill died because it was not passed before the end of the legislative session.
Privacy Act
No comprehensive privacy legislation currently available
The bill has been pending before the Assembly Consumer Affairs and Protection Committee since January 7, 2022. It appears to be inactive and no further information is available.
Massachusetts Information Privacy and Security Act
No comprehensive privacy legislation currently available
The bill was the subject of a study order and is currently pending before the House Rules Committee. No further information is available.
No comprehensive privacy legislation currently available
The bill did not complete the legislative procedure and appears to be dead.
No comprehensive privacy legislation currently available
The State of Kentucky does not appear to have passed a comprehensive privacy law to date.
No comprehensive privacy legislation currently available
The State of Maine appears to have enacted sectoral rather than comprehensive privacy acts. Bill LD 913, for example, originally intended to enact the Maine Data Collection Protection Act, was amended to regulate access to civil court records instead.
Does it apply to me?
Nevada: It applies to you if you are a data collector, an operator or a data broker.
Data collector. Means any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.
Operator. Means a person who:
owns or operates a website or online service for commercial purposes;
collects and maintains covered information from consumers who reside in Nevada and use or visit the website or online service; and
purposefully directs its activities towards Nevada, consummates some transaction with the State of Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada, or otherwise engages in any activity that constitutes a sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.
Data broker. Means a person whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in Nevada, from operators or other data brokers, and making sales of such covered information.
Third parties that process covered information on behalf of the owner of the website or online service are not included in the definition of operator.
California: The law applies to you if you are a legal entity doing business in California for profit that collects consumers’ personal information (or on whose behalf such information is collected), that alone or jointly with others determines the purposes and means of the processing of consumers’ personal information, and that meets one or more of the following:
annual gross revenues in excess of $25,000,000;
annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.
Joint ventures or partnerships in which each business holds at least a 40% interest are also covered, as are entities that control or are controlled by such a business and share common branding with it.
Colorado: The law applies to you if you are a legal entity that does business in Colorado or produces commercial products or services that are intentionally targeted at Colorado residents, and that:
controls or processes the personal data of at least 100,000 consumers per calendar year; or
controls or processes the personal data of at least 25,000 consumers and derives revenue (or receives a discount on the price of goods or services) from the sale of personal data.
Virginia: The law applies to you if you are a person that does business in Virginia or targets Virginia residents, and that:
controls or processes the personal data of at least 100,000 consumers per year; or
controls or processes the personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.
Connecticut: The law applies to you if you are a business (whether based in Connecticut or not) that targets Connecticut residents and that, during a calendar year:
controls or processes the personal data of not less than 100,000 consumers; or
controls or processes the personal data of not less than 25,000 consumers and derives more than 25% of its gross revenue from the sale of personal data.
Under the law, a “business” is defined as any for-profit entity that collects the personal information of an individual or consumer.
Utah: The law applies to any controller or processor that conducts business in Utah or produces a product or service targeted to residents of Utah, has annual revenue of at least $25,000,000, and satisfies one or more of the following:
during a calendar year, controls or processes the personal data of 100,000 or more consumers; or
derives over 50% of its gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.
Who does it protect?
Nevada: Residents of Nevada.
California: Consumers. Natural persons who reside in the state of California.
Colorado: Consumers. An individual who is a Colorado resident acting only in an individual or household context.
Virginia: Consumers. Natural persons who reside in the state of Virginia.
Connecticut: Consumers. A natural person who is a resident of Connecticut.
Utah: Consumer. An individual who is a resident of Utah acting in an individual or household context.
What rights does the law grant to users?
Nevada: Right to opt out of the sale of covered information.
Sale
Means the exchange of covered information for monetary consideration by an operator or data broker to another person. The term does not include:
the disclosure of covered information by an operator or data broker to a person who processes the covered information on behalf of the operator or data broker;
the disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer;
the disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator;
the disclosure of covered information by an operator or data broker to a person who is an affiliate of the operator or data broker; or
the disclosure or transfer of covered information by an operator or data broker to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator or data broker.
California:
Right to know and access
Right to delete personal information
Right to correct inaccurate personal information
Right to opt out of the sale or sharing of personal information
Right to limit the use and disclosure of sensitive personal information
Right to non-discrimination for the exercise of consumers’ privacy rights
Sale
Means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration. For purposes of this title, a business does not sell personal information when:
A consumer uses or directs the business to intentionally disclose personal information or intentionally interact with one or more third parties.
The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information or limited the use of the consumer’s sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sale of the consumer’s personal information or limited the use of the consumer’s sensitive personal information.
The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with this title. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with this title. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).
“Share”, “shared”, or “sharing”
Means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged. For purposes of this title, a business does not share personal information when:
A consumer uses or directs the business to intentionally disclose personal information or intentionally interact with one or more third parties.
The business uses or shares an identifier for a consumer who has opted out of the sharing of the consumer’s personal information or limited the use of the consumer’s sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sharing of the consumer’s personal information or limited the use of the consumer’s sensitive personal information.
The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with this title. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with this title. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code)
Targeted advertising
Cross-context behavioral advertising means the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.
Profiling
Means any form of automated processing of personal information, as further defined by regulations pursuant to paragraph (16) of subdivision (a) of Section 1798.185, to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Colorado:
Rights of access and data portability
Right to correction
Right to deletion
Right to opt out of processing for purposes of targeted advertising, profiling, or the sale of personal data
Right to appeal
Sale
“Sale”, “Sell” or “Sold” means the exchange of personal data for monetary or other valuable consideration by a controller to a third party. It does not include the following:
the disclosure of personal data to a processor that processes the personal data on behalf of a controller;
the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
the disclosure or transfer of personal data to an affiliate of the controller;
the disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets; or
the disclosure of personal data:
that a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party; or
intentionally made available by a consumer to the general public via a channel of mass media.
Targeted advertising
Means displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests.It does not include:
advertising to a consumer in response to the consumer’s request for information or feedback;
advertisements based on activities within a controller’s own websites or online applications;
advertisements based on the context of a consumer’s current search query, visit to a website, or online application; or
processing personal data solely for measuring or reporting advertising performance, reach, or frequency.
Profiling
Means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Virginia:
Rights of access and data portability
Right to erasure
Right to rectification
Right to opt out of processing for purposes of targeted advertising, profiling, or the sale of personal data
Sale
“Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party.
It does not include:
the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
the disclosure or transfer of personal data to an affiliate of the controller;
the disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience; or
the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
Targeted advertising
“Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests. It does not include:
advertisements based on activities within a controller’s own websites or online applications;
advertisements based on the context of a consumer’s current search query, visit to a website, or online application;
advertisements directed to a consumer in response to the consumer’s request for information or feedback; or
processing personal data processed solely for measuring or reporting advertising performance, reach, or frequency.
Profiling
Means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Connecticut:
Rights of access and data portability
Right to correction
Right to deletion
Right to opt out of processing for purposes of targeted advertising, profiling, or the sale of personal data
Right to appeal
Sale
“Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
It does not include:
the disclosure of personal data to a processor that processes the personal data on behalf of the controller,
the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer,
the disclosure or transfer of personal data to an affiliate of the controller,
the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party,
the disclosure of personal data that the consumer:
intentionally made available to the general public via a channel of mass media, and
did not restrict to a specific audience, or
the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller’s assets.
Targeted advertising
Means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer’s preferences or interests. It does not include:
advertisements based on activities within a controller’s own Internet web sites or online applications;
advertisements based on the context of a consumer’s current search query, visit to an Internet web site or online application;
advertisements directed to a consumer in response to the consumer’s request for information or feedback; or
processing personal data solely to measure or report advertising frequency, performance or reach.
Profiling
Means any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Utah:
Right of access
Right to erasure
Right to data portability
Right to opt out of the processing of the consumer’s personal data for purposes of targeted advertising or the sale of personal data
Sale
“Sale”, “sell”, or “sold” means the exchange of personal data for monetary consideration by a controller to a third party.
It does not include:
a controller’s disclosure of personal data to a processor who processes the personal data on behalf of the controller;
a controller’s disclosure of personal data to an affiliate of the controller;
considering the context in which the consumer provided the personal data to the controller, a controller’s disclosure of personal data to a third party if the purpose is consistent with a consumer’s reasonable expectations;
the disclosure or transfer of personal data when a consumer directs a controller to:
disclose the personal data; or
interact with one or more third parties;
a consumer’s disclosure of personal data to a third party for the purpose of providing a product or service requested by the consumer or a parent or legal guardian of a child;
the disclosure of information that the consumer:
intentionally makes available to the general public via a channel of mass media; and
does not restrict to a specific audience; or
a controller’s transfer of personal data to a third party as an asset that is part of a proposed or actual merger, an acquisition, or a bankruptcy in which the third party assumes control of all or part of the controller’s assets.
Targeted advertising
means displaying an advertisement to a consumer where the advertisement is selected based on personal data obtained from the consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests. It does not include:
advertisements based on a consumer’s activities within a controller’s website or online application or any affiliated website or online application;
advertisements based on the context of a consumer’s current search query or visit to a website or online application;
advertisements directed to a consumer in response to the consumer’s request for information, a product, a service, or feedback; or
processing personal data solely to measure or report advertising:
Do I need to provide a privacy notice?
Nevada: YES
The following must be included in your privacy notice:
the categories of personal information that you collect through your online service and the third parties you may share the information with;
a description of the process (if any) for individual consumers to review and request changes to any of their information collected through your online service;
whether or not you sell consumers’ personal information;
a designated request address where consumers can submit a request asking you not to sell their personal information;
a description of your process for notifying consumers of changes to your privacy notice;
a statement on whether or not third parties may collect personal information about an individual consumer’s online activities over time and across different Internet websites or online services; and
the effective date of the notice.
California: YES
The following must be included in your privacy notice:
the categories of personal information, if any, that the business has sold to or shared with third parties in the preceding 12 months, an indication of the relevant third parties and the business or commercial purpose;
a statement regarding whether the business has actual knowledge that it sells or shares the personal information of consumers under 16 years of age;
the categories of personal information, if any, that the business has disclosed for a business purpose to third parties in the preceding 12 months, an indication of the relevant third parties and the business or commercial purpose;
a statement regarding whether or not the business uses or discloses sensitive personal information for purposes other than those specified;
any links to an online request form or portal for making a request to know about personal information collected, disclosed, or sold;
if the business uses or discloses sensitive personal information for reasons other than those specified, a statement informing consumers of their right to limit the use or disclosure of their sensitive personal information;
a general description of the process the business uses to verify a consumer request to know, delete and correct, when applicable, including any information the consumer must provide;
an explanation of how an opt-out preference signal will be processed for the consumer (i.e., whether the signal applies to the device, browser, consumer account and/or offline sales, and in what circumstances) and how the consumer can use an opt-out preference signal;
additional reporting requirements for businesses collecting large amounts of personal information, if applicable (refer to Section 7102 of the CPRA regulations for a comprehensive list of the additional reporting requirements and other related information).
Colorado: YES
The following must be included in your privacy notice:
the categories of personal data collected or processed by the controller or by a processor on behalf of the controller;
the purposes for which the categories of personal data are processed;
how consumers may exercise their rights;
how a consumer may appeal a controller’s action with regard to the consumer’s request;
the controller’s contact information;
the categories of personal data that the controller shares with third parties, if any; and
the categories of third parties, if any, with whom the controller shares personal data.
Virginia: YES
The following must be included in your privacy notice:
the categories of personal data processed by the controller;
the purpose for processing personal data;
how consumers may exercise their consumer rights;
how a consumer may appeal a controller’s decision with regard to the consumer’s request;
the categories of personal data that the controller shares with third parties (if any); and
the categories of third parties (if any) with whom the controller shares personal data.
Connecticut: YES
Information to be disclosed in the notice:
the categories of personal data processed by the controller;
the purpose for processing personal data;
how consumers may exercise their consumer rights (including how a consumer may appeal a controller’s decision with regard to the consumer’s request);
the categories of personal data that the controller shares with third parties (if any);
the categories of third parties (if any) with whom the controller shares personal data; and
one or more secure and reliable means for consumers to submit a request to exercise their consumer rights.
Utah: YES
The following information must be disclosed in the notice:
the categories of personal data processed by the controller;
the purposes for which the categories of personal data are processed;
how and where consumers may exercise a right, including how a consumer may appeal a controller’s action with regard to the consumer’s request to exercise a right;
the categories of personal data that the controller shares with third parties (if any);
the categories of third parties (if any) with whom the controller shares personal data; and
if personal data is sold to third parties or processed for targeted advertising, how the consumer may exercise the right to opt out.
Are trackers (e.g. cookies) regulated?
Nevada: NO
California: NO
Colorado: NO
Virginia: NO
Connecticut: NO
Utah: NO
Do I need to honor consumers’ opt-out preference signals? (e.g. GPC – Global Privacy Control )
Nevada: NO
California: YES
Under the CPRA, businesses must allow and process consumers’ opt-out preference signals.
An opt-out preference signal is a signal sent by a platform, technology, or mechanism on behalf of the consumer that communicates the consumer’s choice to opt out of the sale and sharing of personal information. The signal automatically opts consumers out of the sale and sharing of their personal information on every website they visit, without their having to make individual requests.
Colorado: YES
If you process personal data for targeted advertising or sale purposes, you are required to allow consumers to exercise their right to opt out of such processing through a user-selected universal opt-out mechanism.
This requirement becomes effective on July 1, 2024.
Even after a consumer has exercised their right to opt out through a universal opt-out mechanism, you may still offer the consumer the opportunity to consent to the processing of their personal data for purposes of targeted advertising or sale.
Virginia: NO
Connecticut: YES
No later than January 1, 2025, you are required to allow consumers to opt out of the processing of their personal data for targeted advertising or sale purposes through an opt-out preference signal. Such a signal may be sent by a platform, technology or mechanism and indicates the consumer’s intent to opt out of any such processing or sale.
Utah: NO
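What an opt-out preference signal looks like to a web application, as an added example that is not part of the original page: Global Privacy Control (GPC) is transmitted by the browser as the HTTP request header `Sec-GPC: 1`, and is exposed to page scripts as `navigator.globalPrivacyControl`. The JavaScript below detects the header on an incoming request (header names are case-insensitive, and only the exact value `1` is a signal), records the opt-out against a hypothetical consumer record so it survives later requests that lack the header, and decides whether the request’s personal data may be sold, shared or used for targeted advertising. The decision policy (a stored opt-out always wins; the signal is treated as an opt-out; an affirmative consent on record overrides the signal only when the caller says the applicable law allows that) and the record shape are assumptions chosen for illustration, not a quotation of any statute or regulation. The sample requests are constructed, not captured traffic.

```javascript
// Added example: detecting and honouring a Global Privacy Control (GPC)
// opt-out preference signal server-side. GPC travels as the request header
// "Sec-GPC: 1"; any other value, or a missing header, is not a signal.

// Case-insensitive header lookup that returns true only for a valid signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "sec-gpc") continue;
    // Some frameworks hand over repeated headers as arrays; use the first.
    const raw = Array.isArray(value) ? value[0] : value;
    return String(raw).trim() === "1";
  }
  return false;
}

// Persist the opt-out against the (hypothetical) consumer or device record,
// so that a later request from a client that does not send the header is
// still treated as opted out. Record shape is an assumption of this example:
//   { optedOut: boolean, affirmativeConsent: boolean }
function applyGpcSignal(headers, record) {
  const updated = { optedOut: false, affirmativeConsent: false, ...record };
  if (hasGpcSignal(headers)) updated.optedOut = true;
  return updated;
}

// Decide whether this request's personal data may be sold, shared or used for
// targeted advertising. `consentMayOverrideSignal` is an assumption standing
// in for the jurisdiction-specific rule on whether an explicit consent given
// by the consumer may override a universal opt-out mechanism.
function decideSaleOrTargeting(headers, record, { consentMayOverrideSignal = false } = {}) {
  const rec = { optedOut: false, affirmativeConsent: false, ...record };
  if (rec.optedOut) return { allowed: false, reason: "stored opt-out" };
  if (hasGpcSignal(headers)) {
    if (consentMayOverrideSignal && rec.affirmativeConsent) {
      return { allowed: true, reason: "affirmative consent overrides signal" };
    }
    return { allowed: false, reason: "gpc signal" };
  }
  return { allowed: true, reason: "no opt-out on record" };
}

// Constructed sample requests (not captured traffic). Node's http module
// lower-cases header names; other stacks may preserve the original casing.
const sampleRequests = [
  { name: "browser-with-gpc", headers: { "Sec-GPC": "1", "user-agent": "Mozilla/5.0" } },
  { name: "lowercased-by-node", headers: { "sec-gpc": "1" } },
  { name: "malformed-value", headers: { "Sec-GPC": "true" } },
  { name: "no-signal", headers: { "user-agent": "curl/8.0" } },
];

// Runs every sample request through the decision with an empty record.
function summarize() {
  return sampleRequests.map((r) => ({
    name: r.name,
    signal: hasGpcSignal(r.headers),
    allowed: decideSaleOrTargeting(r.headers, {}).allowed,
  }));
}

for (const row of summarize()) {
  console.log(`${row.name}: signal=${row.signal} saleOrTargetingAllowed=${row.allowed}`);
}
```

Two practical points the code makes explicit: the signal must be persisted (or re-evaluated on every request that touches sale, sharing or targeted-advertising logic), because only the browser profile that has GPC enabled sends the header; and values other than the literal `1` are not a signal, so a lenient check such as "header present" would both over- and under-count opt-outs depending on what intermediaries do to the header.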
Do I need to allow consumers to opt-out of the processing of personal data with regard to certain purposes?
Nevada: YES
A consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer.
California: YES
Consumers are granted the right to opt out of the sale or sharing of their personal information and to limit the use and disclosure of their sensitive personal information.
Colorado: YES
The Act grants consumers the right to opt out of the processing of personal data for the purpose of: targeted advertising; the sale of personal data; or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
Virginia: YES
The Act grants consumers the right to opt out of the processing of personal data for the purpose of: targeted advertising; the sale of personal data; or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Connecticut: YES
Consumers are granted the right to opt out of the processing of personal data for the purposes of: targeted advertising; the sale of personal data; or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Utah: YES
Consumers are granted the right to opt out of the processing of their personal data for the purposes of: targeted advertising; or the sale of personal data.
Do I need to obtain consumers’ prior consent (opt-in) before processing sensitive data?
Nevada: NO
California: NO
Colorado: YES
Controllers shall not process consumers’ sensitive data without first obtaining their consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child’s parent or lawful guardian.
Virginia: YES
Controllers shall not process sensitive data concerning a consumer without obtaining the consumer’s consent or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA.
Connecticut: YES
Controllers shall not process sensitive data concerning a consumer without obtaining the consumer’s consent or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA.
Utah: NO
Not applicable as such, because the processing of sensitive data follows an opt-out approach. However, a controller may not process sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out of the processing or, in the case of the processing of personal data concerning a known child, without processing the data in accordance with the federal Children’s Online Privacy Protection Act (COPPA).
What are the consequences in case of violation?
Nevada: Civil penalty or injunction. Civil penalties of up to $5,000 per violation.
California: Civil penalty of $2,500 per violation, or $7,500 if the violation is intentional or involves the personal information of a child.
Colorado: Civil penalty of not more than $20,000 per violation.
Virginia: Civil penalty of up to $7,500 for each violation.
Connecticut: Civil penalty of not more than $5,000 for each willful violation, plus the expenses incurred by the Attorney General in investigating and preparing the case, including attorney fees.
Utah: By initiating an action, the Attorney General may recover (i) actual damages to the consumer; and (ii) an amount not to exceed $7,500 for each violation.