These Are the 13 States With Comprehensive Consumer Privacy Protection Laws

In order to show internet users personalized content and ads, gather analytics, and keep records of online searches, companies rely on technologies such as cookies and pixels implanted on smartphones, tablets, and computers. They collect personal data and track internet users' digital footprint through browsers, online sites, and apps.

Social networks and e-commerce stores are some of the main sources for users to give out information voluntarily. Such information is one of the market's most valuable commodities, even though most internet users are unaware of where their information goes and how it is used.

According to the Federal Trade Commission, a website or app can use first-party tracking to harvest the user's information directly. When it allows other companies to do so, it's referred to as third-party tracking—which Google is phasing out. Both instances sometimes carry unforeseeable risks that can lead to upsetting events or even illegal activities.

Public awareness about the need for digital privacy has consistently increased over the past two decades. The matter took center stage when Facebook was accused of a major data breach, compromising the information of over 87 million users. The 2018 case, known as the Cambridge Analytica scandal, prompted lawsuits and the first (but not last) of Mark Zuckerberg's congressional hearings, looking to hold tech giant Meta accountable for digital intrusion and its consequences.

Companies are now constraining the leak of sensitive information by installing filters that let users know the potential uses of their information.

Any means of online data tracking and privacy protection rights remained in legal limbo in the U.S. until 2003, when California passed the first bill addressing the issue. Since then, the state legislature has amended its consumer privacy protection law twice—the most recent taking effect on Jan. 1, 2023.

As of March 2024, 13 states have comprehensive privacy protection bills in effect, while 20 others have proposals in the approval process. The legislation covers two categories: consumer rights and business obligations.

Users' rights to access, correct, delete, opt out, and transfer information enables them to control data collection through online sites or social networks. Obligations of businesses center around age and transparency requirements, risk assessment, protection against discrimination, and data usage application and intent.

Drata compiled a breakdown of the 13 states that have passed consumer privacy protection laws using information collected by the International Association of Privacy Professionals.

California

- California Consumer Privacy Rights Act - Effective beginning Jan. 1, 2023

Covers the following: - Right to access - Right to correct - Right to delete - Right to opt out of certain processing: For sensitive data - Right to portability - Right to opt out of sales - Right against automated decision-making - Private right of action - Opt-in default (requirement age): 16 - Notice/transparency requirement - Risk assessments - Prohibition on discrimination (exercising rights) - Purpose/processing limitation

Colorado

- Colorado Privacy Act - Effective beginning July 1, 2023

Covers the following: - Right to access - Right to correct - Right to delete - Right to opt out of certain processing: For profiling/targeted advertising purposes - Right to portability - Right to opt out of sales - Right against automated decision-making: Certain decision making - Opt-in default (requirement age): 13 for sensitive data - Notice/transparency requirement - Risk assessments - Prohibition on discrimination (exercising rights) - Purpose/processing limitation

Connecticut

- Personal Data Privacy and Online Monitoring - Effective beginning July 1, 2023

Covers the following: - Right to access - Right to correct - Right to delete - Right to opt out of certain processing: For profiling/targeted advertising purposes - Right to portability - Right to opt out of sales - Right against automated decision-making: Certain decision making - Opt-in default (requirement age): 13 for sensitive data - Notice/transparency requirement - Risk assessments - Prohibition on discrimination (exercising rights) - Purpose/processing limitation

Utah

- Utah Consumer Privacy Act - Effective beginning Dec. 31, 2023

Covers the following: - Right to access - Right to delete - Right to opt out of certain processing: For profiling/targeted advertising purposes - Right to portability - Right to opt out of sales - Opt-in default (requirement age): 13 - Notice/transparency requirement - Prohibition on discrimination (exercising rights)

Virginia

- Consumer Data Protection Act - Effective beginning Jan. 1, 2023

Covers the following: - Right to access - Right to correct - Right to delete - Right to opt out of certain processing: For profiling/targeted advertising purposes - Right to portability - Right to opt out of sales - Right against automated decision-making: Certain decision making - Opt-in default (requirement age): 13 for sensitive data - Notice/transparency requirement - Risk assessments - Prohibition on discrimination (exercising rights) - Purpose/processing limitation

Delaware

- Delaware Personal Data Privacy Act - Effective beginning Jan. 1, 2025

Covers the following: - Right to access - Right to correct - Right to delete - Right to opt out of certain processing: For profiling/targeted advertising purposes - Right to portability - Right to opt out of sales - Right against automated decision-making - Opt-in default (requirement age): 17 - Notice/transparency requirement - Risk assessments - Prohibition on discrimination (exercising rights) - Purpose/processing limitation

Indiana

- Indiana Consumer Data Protection Act - Effective beginning Jan. 1, 2026

Covers the following: - Right to access - Right to correct - Right to delete - Right to opt out of certain processing: For profiling/targeted advertising purposes - Right to portability - Right to opt out of sales - Right against automated decision-making: Certain decision making - Notice/transparency requirement - Risk assessments - Prohibition on discrimination (exercising rights) - Purpose/processing limitation

THE FASTEST PATH TO SOC 2 COMPLIANCE

With a team of experts and step-by-step instructions, achieving SOC 2 compliance has never been easier.

Iowa

- Iowa Consumer Data Protection Act - Effective beginning Jan. 1, 2025

Covers the following: - Right to access - Right to delete - Right to portability - Right to opt out of sales - Opt-in default (requirement age): 13 for sensitive data - Notice/transparency requirement - Prohibition on discrimination (exercising rights) - Purpose/processing limitation

Montana

- Montana Consumer Data Privacy Act - Effective beginning Oct. 1, 2024

Covers the following: - Right to access - Right to correct - Right to delete - Right to opt out of certain processing: For profiling/targeted advertising purposes - Right to portability - Right to opt out of sales - Right against automated decision-making: Certain decision making - Opt-in default (requirement age): 13 for sensitive data - Notice/transparency requirement - Risk assessments - Prohibition on discrimination (exercising rights) - Purpose/processing limitation

New Jersey

- Senate Bill 332 - Effective beginning Jan. 15, 2025

Covers the following: - Right to access - Right to correct - Right to delete - Right to opt out of certain processing: For profiling/targeted advertising purposes - Right to portability - Right to opt out of sales - Right against automated decision-making: Certain decision making - Opt-in default (requirement age): 13 for sensitive data - Notice/transparency requirement - Risk assessments - Prohibition on discrimination (exercising rights) - Purpose/processing limitation

Oregon

- Oregon Consumer Privacy Act - Effective beginning July 1, 2024

Covers the following: - Right to access - Right to correct - Right to delete - Right to opt out of certain processing: For profiling/targeted advertising purposes - Right to portability - Right to opt out of sales - Right against automated decision-making: Certain decision making - Opt-in default (requirement age): 13 for sensitive data - Notice/transparency requirement - Risk assessments - Prohibition on discrimination (exercising rights) - Purpose/processing limitation

Tennessee

- Tennessee Information Protection Act - Effective beginning July 1, 2025

Covers the following: - Right to access - Right to correct - Right to delete - Right to opt out of certain processing: For profiling/targeted advertising purposes - Right to portability - Right to opt out of sales - Right against automated decision-making: Certain decision making - Opt-in default (requirement age): 13 for sensitive data - Notice/transparency requirement - Risk assessments - Prohibition on discrimination (exercising rights) - Purpose/processing limitation

REDUCE GDPR COMPLEXITY

Mitigate business risk and reduce complexity with a complete GDPR control library and a team of experts.

Texas

- Texas Data Privacy and Security Act - Effective beginning July 1, 2024

Covers the following: - Right to access - Right to correct - Right to delete - Right to opt out of certain processing: For profiling/targeted advertising purposes - Right to portability - Right to opt out of sales - Right against automated decision-making: Certain decision making - Opt-in default (requirement age): 13 for sensitive data - Notice/transparency requirement - Risk assessments - Prohibition on discrimination (exercising rights) - Purpose/processing limitation