These are the 13 states with comprehensive consumer privacy protection laws
This story originally appeared on Drata and was produced and distributed in partnership with Stacker Studio.
These are the 13 states with comprehensive consumer privacy protection laws
In order to show internet users personalized content and ads, gather analytics, and keep records of online searches, companies rely on technologies such as cookies and pixels implanted on smartphones, tablets, and computers. They collect personal data and track internet users' digital footprint through browsers, online sites, and apps.
Social networks and e-commerce stores are some of the main sources for users to give out information voluntarily. Such information is one of the market's most valuable commodities, even though most internet users are unaware of where their information goes and how it is used.
According to the Federal Trade Commission, a website or app can use first-party tracking to harvest the user's information directly. When it allows other companies to do so, it's referred to as third-party tracking. Both instances sometimes carry unforeseeable risks that can lead to upsetting events or even illegal activities.
Public awareness about the need for digital privacy has consistently increased over the past two decades. The matter took center stage when Facebook was accused of a major data breach, compromising the information of over 87 million users. The 2018 case, known as the Cambridge Analytica scandal, prompted lawsuits and the first (but not last) of Mark Zuckerberg's congressional hearings, looking to hold tech giant Meta accountable for digital intrusion and its consequences.
Companies are now constraining the leak of sensitive information by installing filters that let users know the potential uses of their information.
Any means of online data tracking and privacy protection rights remained in legal limbo in the U.S. until 2003, when California passed the first bill addressing the issue. Since then, the state legislature has amended its consumer privacy protection law twice—the most recent taking effect on Jan. 1, 2023.
As of March 2024, 13 states have comprehensive privacy protection bills in effect, while 20 others have proposals in the approval process. The legislation covers two categories: consumer rights and business obligations. Users' rights to access, correct, delete, opt out, and transfer information enables them to control data collection through online sites or social networks. Obligations of businesses center around age and transparency requirements, risk assessment, protection against discrimination, and data usage application and intent.
Drata compiled a breakdown of the 13 states that have passed consumer privacy protection laws using information collected by the International Association of Privacy Professionals.
California
- California Consumer Privacy Rights Act
- Effective beginning Jan. 1, 2023
Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For sensitive data
- Right to portability
- Right to opt out of sales
- Right against automated decision-making
- Private right of action
- Opt-in default (requirement age): 16
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation
Colorado
- Colorado Privacy Act
- Effective beginning July 1, 2023
Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation
Connecticut
- Personal Data Privacy and Online Monitoring
- Effective beginning July 1, 2023
Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation
Utah
- Utah Consumer Privacy Act
- Effective beginning Dec. 31, 2023
Covers the following:
- Right to access
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Opt-in default (requirement age): 13
- Notice/transparency requirement
- Prohibition on discrimination (exercising rights)
Virginia
- Consumer Data Protection Act
- Effective beginning Jan. 1, 2023
Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation
Delaware
- Delaware Personal Data Privacy Act
- Effective beginning Jan. 1, 2025
Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making
- Opt-in default (requirement age): 17
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation
Indiana
- Indiana Consumer Data Protection Act
- Effective beginning Jan. 1, 2026
Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation
Iowa
- Iowa Consumer Data Protection Act
- Effective beginning Jan. 1, 2025
Covers the following:
- Right to access
- Right to delete
- Right to portability
- Right to opt out of sales
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation
Montana
- Montana Consumer Data Privacy Act
- Effective beginning Oct. 1, 2024
Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation
New Jersey
- Senate Bill 332
- Effective beginning Jan. 15, 2025
Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation
Oregon
- Oregon Consumer Privacy Act
- Effective beginning July 1, 2024
Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation
Tennessee
- Tennessee Information Protection Act
- Effective beginning July 1, 2025
Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation
Texas
- Texas Data Privacy and Security Act
- Effective beginning July 1, 2024
Covers the following:
- Right to access
- Right to correct
- Right to delete
- Right to opt out of certain processing: For profiling/targeted advertising purposes
- Right to portability
- Right to opt out of sales
- Right against automated decision-making: Certain decision making
- Opt-in default (requirement age): 13 for sensitive data
- Notice/transparency requirement
- Risk assessments
- Prohibition on discrimination (exercising rights)
- Purpose/processing limitation
Story editing by Shannon Luders-Manuel. Copy editing by Kristen Wegrzyn.