A woman using a laptop in a cafe.
Stacker Studio

These are the 13 states with comprehensive consumer privacy protection laws

Written by:
Data work by:
Emma Rubin
May 20, 2024
Canva

This story originally appeared on Drata and was produced and distributed in partnership with Stacker Studio.

These are the 13 states with comprehensive consumer privacy protection laws

In order to show internet users personalized content and ads, gather analytics, and keep records of online searches, companies rely on technologies such as cookies and pixels implanted on smartphones, tablets, and computers. They collect personal data and track internet users' digital footprint through browsers, online sites, and apps.

Social networks and e-commerce stores are some of the main sources for users to give out information voluntarily. Such information is one of the market's most valuable commodities, even though most internet users are unaware of where their information goes and how it is used.

According to the Federal Trade Commission, a website or app can use first-party tracking to harvest the user's information directly. When it allows other companies to do so, it's referred to as third-party tracking. Both instances sometimes carry unforeseeable risks that can lead to upsetting events or even illegal activities.

Public awareness about the need for digital privacy has consistently increased over the past two decades. The matter took center stage when Facebook was accused of a major data breach, compromising the information of over 87 million users. The 2018 case, known as the Cambridge Analytica scandal, prompted lawsuits and the first (but not last) of Mark Zuckerberg's congressional hearings, looking to hold tech giant Meta accountable for digital intrusion and its consequences.

Companies are now constraining the leak of sensitive information by installing filters that let users know the potential uses of their information.

Any means of online data tracking and privacy protection rights remained in legal limbo in the U.S. until 2003, when California passed the first bill addressing the issue. Since then, the state legislature has amended its consumer privacy protection law twice—the most recent taking effect on Jan. 1, 2023.

As of March 2024, 13 states have comprehensive privacy protection bills in effect, while 20 others have proposals in the approval process. The legislation covers two categories: consumer rights and business obligations. Users' rights to access, correct, delete, opt out, and transfer information enables them to control data collection through online sites or social networks. Obligations of businesses center around age and transparency requirements, risk assessment, protection against discrimination, and data usage application and intent.

Drata compiled a breakdown of the 13 states that have passed consumer privacy protection laws using information collected by the International Association of Privacy Professionals.

A busy street in Hollywood.
1 / 13
Canva

California

- California Consumer Privacy Rights Act
- Effective beginning Jan. 1, 2023

Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For sensitive data
- Right to portability
- Right to opt out of sales
- Right against automated decision-making
- Private right of action
- Opt-in default (requirement age): 16
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation

The Denver skyline.
2 / 13
Canva

Colorado

- Colorado Privacy Act
- Effective beginning July 1, 2023

Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation

The ornate historic Capitol building in Hartford with a gold dome on top.
3 / 13
Canva

Connecticut

- Personal Data Privacy and Online Monitoring
- Effective beginning July 1, 2023

Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation

Aerial view of the capitol building in Salt Lake City.
4 / 13
Canva

Utah

- Utah Consumer Privacy Act
- Effective beginning Dec. 31, 2023

Covers the following:
- Right to access
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Opt-in default (requirement age): 13
- Notice/transparency requirement
- Prohibition on discrimination (exercising rights)

Richmond in the evening.
5 / 13
Canva

Virginia

- Consumer Data Protection Act
- Effective beginning Jan. 1, 2023

Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation

The capitol building in Dover.
6 / 13
Canva

Delaware

- Delaware Personal Data Privacy Act
- Effective beginning Jan. 1, 2025

Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making
- Opt-in default (requirement age): 17
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation

Downtown Indianapolis.
7 / 13
Canva

Indiana

- Indiana Consumer Data Protection Act
- Effective beginning Jan. 1, 2026

Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation

The Des Moines skyline at sunset.
8 / 13
Canva

Iowa

- Iowa Consumer Data Protection Act
- Effective beginning Jan. 1, 2025

Covers the following:
- Right to access
- Right to delete
- Right to portability
- Right to opt out of sales
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation

An aerial view of Billings at sunset.
9 / 13
Canva

Montana

- Montana Consumer Data Privacy Act
- Effective beginning Oct. 1, 2024

Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation

An aerial view of the capitol building in Trenton with the Delaware River in the background.
10 / 13
Canva

New Jersey

- Senate Bill 332
- Effective beginning Jan. 15, 2025

Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation

The capitol building in Salem with blossoming cherry trees lining the lawn.
11 / 13
Canva

Oregon

- Oregon Consumer Privacy Act
- Effective beginning July 1, 2024

Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation

The Nashville skyline.
12 / 13
Canva

Tennessee

- Tennessee Information Protection Act
- Effective beginning July 1, 2025

Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation

The skyline in Austin with the capitol in the background.
13 / 13
Canva

Texas

- Texas Data Privacy and Security Act
- Effective beginning July 1, 2024

Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation

Story editing by Shannon Luders-Manuel. Copy editing by Kristen Wegrzyn.

Trending Now