Resource Center / Reports and Surveys / US State Comprehensive Privacy Laws Report

US State Comprehensive Privacy Laws Report

Overview

This report analyzes similarities and differences between enacted U.S. state comprehensive privacy laws. The full version of the report, available only to IAPP members, can be accessed here.

Published: October 2024

Contributor:

Müge Fazlioglu

Comprehensive US state privacy legislation in 2024

Since the enactment of the California Consumer Privacy Act in 2018, comprehensive U.S. state privacy legislation has become more robust and dynamic with each passing year. Within the U.S. — where states act as the proverbial "laboratories of democracy" — the experimentation in privacy continues unabated.

Understandably, balancing compliance with the existing ensemble of effective comprehensive privacy laws with the integration of newly enacted ones is an ongoing challenge for privacy professionals. This report — as a complement to the IAPP US State Privacy Legislation Tracker — analyzes the scope, applicability, exemptions, consumer rights, business obligations, rulemaking activities, enforcement duties and key definitions for each of the 19 laws that have been passed to date. It sketches the contours of the nationwide portrait of privacy regulation that has emerged, while highlighting the idiosyncrasies of each state law that constitutes the U.S. privacy regime patchwork. Overall, this report aims to keep privacy pros informed about all the comprehensive privacy bills that have become law, the rights they offer to consumers and the obligations they require from regulated entities.

The growth of US state privacy legislation

Number of bills considered

Number of bills enacted

In recent years, the number of comprehensive U.S. state privacy bills introduced — and laws passed — has steadily increased. In 2018, two bills were introduced, with one becoming law in California. In 2019, 15 bills were introduced throughout the U.S., although none passed. Of the 24 bills introduced in 2020, one was enacted, this time in the form of an update to the CCPA: the California Privacy Rights Act. In 2021, two of 29 introduced bills were enacted in Virginia and Colorado. In 2022, two of 59 introduced bills became laws in Utah and Connecticut. In 2023, seven of 54 introduced bills became laws in Delaware, Indiana, Iowa, Montana, Oregon, Tennessee and Texas. Currently 41 bills are active in 2024, including some holdover legislation from 2023, resulting in the enactment of 7 new laws this year in New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota and Rhode Island.

Birds of a feather?

This report analyzes similarities and differences between the 19 enacted comprehensive U.S. state privacy laws. So far, the U.S. has seen at least two primary approaches to comprehensive privacy lawmaking taken by state legislatures. While California crafted its own approach, the other states initially based their laws on a version of the yet-to-pass Washington Privacy Act, which was introduced in 2019. Against the WPA-inspired crowd, California remains an outlier in several important respects. It is the only state requiring notice at collection. With the CPRA amending the CCPA, California is now the only state that gives consumers the right to limit the use and disclosure of sensitive personal information. Also, unlike the other states, California has a dedicated privacy agency, the California Privacy Protection Agency.

With the passage of each new comprehensive state privacy law, the definitions, scopes and enforceability of the laws on the books undergo iterative changes. Recent amendments to existing legislation, such as the CCPA, Virginia Consumer Data Privacy Act and Colorado Privacy Act, further accent lawmakers' differing approaches to privacy during successive legislative sessions. This report thus aims to demystify this evolution and provide clarity around the scope, rights and requirements of all currently effective comprehensive U.S. state privacy laws.

Comprehensive US State Privacy Laws

Note: This report is limited to comprehensive U.S. state privacy laws enacted as of June 2024. Further information on our methodology can be found here. The IAPP US State Privacy Legislation Tracker, maintained with an identical scope in mind, lists any U.S. state privacy law proposed or passed since this report was published.

What's in the full report?

The full report consists of the following sections:

Snapshots of state privacy laws

The full report contains a snapshot profile of each U.S. state comprehensive privacy law, providing analysis on applicability thresholds, key definitions, exemptions, consumer rights and sensitive information. A sample snapshot profile for Minnesota's comprehensive privacy law can be viewed here.

Additional resources