
US State Comprehensive Privacy Laws Report

This report analyzes similarities and differences between enacted U.S. state comprehensive privacy laws.


Published: October 2024





Comprehensive US state privacy legislation in 2024

Since the enactment of the California Consumer Privacy Act in 2018, comprehensive U.S. state privacy legislation has become more robust and dynamic with each passing year. Within the U.S. — where states act as the proverbial "laboratories of democracy" — the experimentation in privacy continues unabated.

Understandably, balancing compliance with the existing ensemble of effective comprehensive privacy laws with the integration of newly enacted ones is an ongoing challenge for privacy professionals. This report — as a complement to the IAPP US State Privacy Legislation Tracker — analyzes the scope, applicability, exemptions, consumer rights, business obligations, rulemaking activities, enforcement duties and key definitions for each of the 19 laws that have been passed to date. It sketches the contours of the nationwide portrait of privacy regulation that has emerged, while highlighting the idiosyncrasies of each state law that constitutes the U.S. privacy regime patchwork. Overall, this report aims to keep privacy pros informed about all the comprehensive privacy bills that have become law, the rights they offer to consumers and the obligations they require from regulated entities.

[Figure: The growth of US state privacy legislation, showing the number of bills considered and the number of bills enacted.]

This report analyzes similarities and differences between the 19 enacted comprehensive U.S. state privacy laws. So far, the U.S. has seen at least two primary approaches to comprehensive privacy lawmaking taken by state legislatures. While California crafted its own approach, the other states initially based their laws on a version of the yet-to-pass Washington Privacy Act, which was introduced in 2019. Against the WPA-inspired crowd, California remains an outlier in several important respects. It is the only state requiring notice at collection. With the CPRA amending the CCPA, California is now the only state that gives consumers the right to limit the use and disclosure of sensitive personal information. Also, unlike the other states, California has a dedicated privacy agency, the California Privacy Protection Agency.

With the passage of each new comprehensive state privacy law, the definitions, scopes and enforceability of the laws on the books undergo iterative changes. Recent amendments to existing legislation, such as the CCPA, Virginia Consumer Data Privacy Act and Colorado Privacy Act, further accent lawmakers' differing approaches to privacy during successive legislative sessions. This report thus aims to demystify this evolution and provide clarity around the scope, rights and requirements of all currently effective comprehensive U.S. state privacy laws.

Comprehensive US State Privacy Laws

Note: This report is limited to comprehensive U.S. state privacy laws enacted as of June 2024. Further information on our methodology can be found here. The IAPP US State Privacy Legislation Tracker, maintained with an identical scope in mind, lists any U.S. state privacy law proposed or passed since this report was published.

Key takeaways

Scope

Each U.S. state privacy law has a unique scope of applicability, based on a variety of thresholds related to an entity's jurisdiction, revenue, volume of personal data processing and revenue from the sale of personal data.

Exemptions

Each of the 19 state privacy laws excludes from its scope various entities — such as government agencies, nonprofits and institutions of higher education — as well as entities already subject to federal, sectoral privacy legislation.

Consumer rights

Each U.S. state comprehensive privacy law establishes various consumer rights, from the rights to access, correct and delete their data held by companies to the right to opt out of processing for targeted or cross-contextual behavioral advertising, sale of personal data and profiling.

Business obligations

In addition to granting a series of rights to consumers, U.S. state privacy laws impose a series of obligations on entities that fall within their scope. In general, these obligations revolve around privacy notices, data minimization and purpose limitation of data collection and processing, sensitive personal information, data protection assessments, and universal opt-out mechanisms.

Sensitive information

Each U.S. state privacy law recognizes some types of information as sensitive and deserving of heightened legal protection. Companies that collect and process any of the defined categories of sensitive personal information must comply with heightened requirements to protect it from misuse, loss or abuse.

Rulemaking

Four states — Colorado, California, New Jersey and New Hampshire — give rulemaking authority to a state agency.

Enforcement

Privacy-related enforcement and compliance activities have also picked up across the states in 2024. Indeed, this year has seen the largest privacy-related fine in any state to date with the Texas attorney general's settlement with Meta for USD1.4 billion due to allegations of unauthorized capture of biometric data.

Snapshots of US state comprehensive privacy laws

The full report contains a snapshot profile of each U.S. state comprehensive privacy law, providing analysis on applicability thresholds, key definitions, exemptions, consumer rights and sensitive information. A sample snapshot profile for Minnesota's comprehensive privacy law can be viewed here.

