Data Privacy Laws — Comprehensive State Guide for 2025

The 21st century will be remembered as the time of the digital revolution, and you’ll probably agree that the Internet has changed the world forever.

Although it comes with many benefits, you should be aware that the Internet has exposed us to many issues that we didn’t have before — mainly concerning our privacy.

Companies make millions of dollars by accessing and using your personal data for advertising and other purposes. 

Although this seems scary when you hear it, you should know that countries worldwide are implementing strict laws to keep your data protected while browsing the Internet.

In this article, we will look at data privacy laws in the US and help you better understand your rights on the web.

Data privacy laws - cover
  • Data privacy laws regulate how organizations and companies can collect personal information from their consumers. 
  • There is no federal data privacy law in the United States yet.
  • The Fair Trade Commission is the main governing body that protects the rights of American consumers online. 
  • Currently, there are 20 states in the US with data protection regulations.
  • One of the world’s most well-known data privacy policies is the EU’s General Data Protection Regulation (GDPR).

What is a data privacy law?

A data privacy law is a legal framework that protects consumers from unapproved access to their data while using the internet. These laws also regulate how websites gather information, and how they are allowed to use it.

Every time you visit a website, you leave data behind, which websites later use for advertising and other purposes (e.g., enhancing user experience). Data privacy laws ensure that this data is well protected, and that users can safely browse the web without someone accessing their personal information by:

  • Defining which organizations must use data privacy laws,
  • Determining what type of data must be protected,
  • Defining how organizations can gather, store, and share data, 
  • Granting individuals the rights to their data (in some states), and
  • Ensuring that organizations comply with legal standards.

Data privacy laws can vary, and each state formulates its own rules. Yet, there are several key components that every data privacy legislation has::

  • Scope and applicability — defines what types of data have to be protected and which organizations have to comply with these rules,
  • User rights — determine what the users can do with their data. For example, users in some states are allowed to access, transfer, or delete their information,
  • Legal consent — before websites can gather data, the users must give their consent. This is also known as “cookie consent,” and there are rules on how websites need to do this accordingly, and
  • Transparency — websites must inform users how their data will be gathered and for what purposes they’ll use it.

Is there an official data privacy law in the US?

The US still has no official federal data privacy law. The main proposal for this type of law is the American Privacy Rights Act (APRA), which was introduced to Congress in 2024 but has yet to pass.

Nonetheless, there are several laws worth mentioning when it comes to data privacy and protection online::

What organization governs data privacy laws in the US?

When it comes to enforcing data privacy laws, the main governing body in the US is the Federal Trade Commission (FTC). The FTC is there to protect consumers in all aspects of commerce, and its primary statute is the Federal Trade Commission Act, allowing the Commission to:

  1. Stop unfair competition methods and unfair trade practices,
  2. Pursue financial redress for violations of consumer rights,
  3. Define acts and practices that are deceptive and establish rules to prevent them,
  4. Collect information and investigate organizations, businesses, practices, and management of entities in trade, and
  5. Report and suggest legislation to Congress and the public.

A good example of how the FTC handles data privacy infringements is when they accused Google of violating user privacy upon launching its social media platform, Google Buzz, back in 2010. This resulted in a settlement that prohibited Google from repeating any violation of this kind and required them to implement a comprehensive privacy program for the next 20 years.

🎓 To learn more about the Federal Trade Commission visit their website — What the FTC does?

What US states have data privacy laws?

In recent years, more and more states are adopting data privacy laws. This is due to the lack of a federal law governing privacy protection. Currently, there are 20 states with data privacy laws in the US

Let’s look at each of them in more detail.

States with data privacy laws in the US
States with data privacy laws

1. California Privacy Rights Act (CPRA)

Status: Effective since January 1, 2023.

Official legislation: California Privacy Rights Act

The CPRA is one of the largest data privacy laws out there and is an amendment to the California Consumer Privacy Act (CCPA). The law grants Californian citizens the rights to:

  • Disallow entities from collecting their data,
  • Access and correct data,
  • Delete data, and
  • Prohibit entities from sharing data.

In addition to enhanced consumer protection, the law also sets responsibilities for entities that collect personal information, such as asking users for consent.

The governing body for the CPRA is the California Privacy Protection Agency (CPPA), which can hold hearings and impose fines for potential violations.

🎓 To learn more about employment laws in California, visit our website — California Labor Laws Guide

2. Colorado Privacy Act (CPA)

Status: Effective since July 1, 2023.

Official legislation: Colorado Privacy Act

The CPA is a part of Colorado’s Consumer Protection Act and is enforced and implemented by the Colorado Attorney General. This law grants Colorado consumers the following rights:

  • To access, delete, and correct personal information, and
  • To reject the use of their data for advertising purposes or other types of profiling.

Covered entities that collect personal information must protect data, acquire consent, and inform Colorado citizens on how their data is collected and used. The CPA applies to organizations that:

  • Gather information from 100,000 consumers, and 
  • Gather information from 25,000 consumers and generate revenue from it.

3. Connecticut Data Privacy Act (CTDPA)

Status: Effective since July 1, 2023.

Official legislation: Connecticut Data Privacy Act

The CDPA grants Connecticut residents the same rights as the other similar laws, which include:

  • The right to access, correct, or delete their data, 
  • The right to acquire a copy of their personal information, and
  • The right to reject the processing of their data for advertising or similar purposes.

This law applies to the following entities:

  • Organizations or individuals that gather the data of at least 100,000 consumers, or 
  • Organizations or individuals that gather the data of at least 25,000 consumers, but generate 25% of their revenue from selling that data.

4. Delaware Personal Data Privacy Act (DPDPA)

Status: It will take effect on January 1, 2025.

Official legislation: Delaware Personal Data Privacy Act

The DPDPA is modeled after other data privacy legislations, and it will grant Delaware citizens the following consumer rights:

  • The right to allow or disallow entities to collect personal data,
  • The right to correct or delete personal data,
  • The right to acquire copies of their personal information,
  • The right to acquire a list of third-party entities that have access to their data, and
  • The right to reject the use of their data for advertising or other similar purposes.

The law will apply to the following entities:

  • Organizations or individuals that gather information from more at least 35,000 consumers in Delaware, or
  • Organizations or individuals that gather information from at least 10,000 consumers in Delaware and generate at least 20% of revenue from selling it. 

The Department of Justice enforces this law, which can impose fines of up to $10,000 per violation.

5. Indiana Consumer Data Protection Act (INCDPA)

Status: It will take effect on January 1, 2026.

Official legislation: Indiana Consumer Data Protection Act

The INCDPA will grant Indiana residents the following rights concerning their data privacy and protection:

  • The right to access, correct, or delete personal data,
  • The right to acquire a copy of the data, and
  • The right to reject the processing of their data for advertising or similar purposes.

This law will apply to the following entities:

  • Organizations or individuals that gather the data from at least 100,000 Indiana residents, or
  • Organizations or individuals that gather the data from 25,000 Indiana residents and earn at least 50% of their revenue by selling it.

The attorney general will enforce data privacy law in Indiana and may impose sanctions of up to $7,500 per violation. The law predicts a cure period of 30 days before penalties.

6. Iowa Consumer Data Protection Act (ICDPA)

Status: It will take effect on January 1, 2025.

Official legislation: Iowa Consumer Data Protection Act

The ICDPA will grant Iowa residents the same rights:

  • The right to confirm data processing,
  • The right to access, correct, or delete personal data,
  • The right to acquire a copy of the data, and
  • The right to reject the selling of their data.

This law will apply to the following entities:

  • Organizations or individuals that gather the data from at least 100,000 Indiana residents, or
  • Organizations or individuals that gather the data from 25,000 Indiana residents and earn at least 50% of their revenue by selling it.

The attorney general will enforce data privacy law in Iowa and may impose sanctions of up to $7,500 per violation. The law predicts a cure period of 90 days before penalties.

7. Kentucky Consumer Data Protection Act (KCDPA)

Status: Will take effect on January 1, 2025.

Official legislation: Kentucky Consumer Data Protection Act

The KCDPA will grant Kentucky residents the following rights concerning their data privacy and protection:

  • The right to access, correct, or delete personal data,
  • The right to acquire a copy of the data, and
  • The right to reject the processing of their data for advertising or similar purposes.

This law will apply to the following entities:

  • Organizations or individuals that gather the data from at least 100,000 Indiana residents, or
  • Organizations or individuals that gather the data from 25,000 Kentucky residents and earn at least 50% of their revenue by selling it.

The attorney general will enforce data privacy law in Kentucky and may impose sanctions of up to $7,500 per violation. The law predicts a cure period of 90 days before penalties.

8. Maryland Online Data Privacy Act (MDODPA)

Status: It will take effect on October 1, 2025.

Official legislation: Maryland Online Data Privacy Act

The MODPA is known as a more strict data privacy law as it requires organizations to take additional measures to protect consumers, such as allowing consumers not to accept the processing of their personal data.

This law grants Maryland residents the following rights:

  • The right to access, correct, or delete personal data,
  • The right to acquire a copy of the data, 
  • The right to reject the processing of their data for advertising or similar purposes,
  • The right to get a list of all third parties with access to the data, and
  • The right to revoke their consent.

This law will apply to the following entities:

  • Organizations or individuals that gather the data from at least 35,000 Maryland residents, or
  • Organizations or individuals that gather the data from 10,000 Maryland residents and earn at least 20% of their revenue by selling it.

Maryland’s Consumer Protection Division will enforce data privacy law in Maryland and may impose fines from $10,000 to $25,000 depending on the violation.

9. Minnesota Consumer Data Privacy Act (MCDPA)

Status: Will take effect on July 31, 2025.

Official legislation: Minnesota Consumer Data Privacy Act

The MCDPA grants Minnesota residents the following rights:

  • The right to access, correct, or delete personal data,
  • The right to acquire a copy of the data, 
  • The right to reject the processing of their data for advertising or similar purposes, and
  • The right to review and understand how data is being profiled. 

This law will apply to the following entities:

  • Organizations or individuals that gather the data from at least 100,000 Minnesota residents, or
  • Organizations or individuals that gather the data from 25,000 Minnesota residents and earn at least 25% of their revenue by selling it.

The attorney general will enforce data privacy law in Minnesota and may impose fines of up to $7,500 per violation. However, the attorney general must issue a warning letter first and provide a way to cure the breach.

10. Montana Consumer Data Privacy Act (MTCDPA)

Status: Effective since October 1, 2024.

Official legislation: Montana Consumer Data Privacy Act

Under the MTCDPA, consumers have the right to:

  • Access, correct, or delete personal data,
  • Acquire a copy of the data, and
  • Reject the processing of their data for advertising or similar purposes.

The law applies to the following entities:

  • Organizations or individuals that gather the data from at least 50,000 Montana residents, or
  • Organizations or individuals that gather the data from 25,000 Montana residents and earn at least 25% of their revenue by selling it.

The attorney general will enforce data privacy law in Montana, but there are no specific fines for violations. The cure period for violations is 60 days.

11. Nebraska Data Privacy Act (NDPA)

Status: It will take effect on January 1, 2025.

Official legislation: Nebraska Data Privacy Act

Under the NDPA, residents in Nebraska will have the following rights:

  • The right to access, correct, or delete personal data,
  • The right to acquire a copy of the data, and
  • The right to reject the processing of their data for advertising or similar purposes.

The Nebraska data privacy law will apply to individuals or organizations (excluding small businesses) that collect personal and sensitive data from consumers. However, there is no revenue or volume requirement as in most other states.

The attorney general will enforce data privacy law in Nebraska and impose fines of up to $7,500 per violation. The attorney general must first inform the subject of the breach and give them a 30-day cure period. After curing the violation, the subject must provide a written statement declaring they won’t repeat it.

12. New Hampshire Privacy Act (NHPA)

Status: It will take effect on January 1, 2025.

Official legislation: New Hampshire Privacy Act

Under the NHPA, residents in New Hampshire will have the following rights:

  • The right to access, correct, or delete personal data,
  • The right to acquire a copy of the data, and
  • The right to reject the processing of their data for advertising or similar purposes.

The law will apply to the following entities:

  • Organizations or individuals that gather the data from at least 35,000 New Hampshire residents, or
  • Organizations or individuals that gather the data from 10,000 New Hampshire residents and earn at least 25% of their revenue by selling it.

The attorney general will enforce New Hampshire data privacy law and may impose fines of up to $10,000 per violation. If the violation is on purpose, the attorney general may seek criminal penalties of up to $100,000 per violation.

13. New Jersey Data Privacy Act (NJDPA)

Status: It will take effect on January 15, 2025.

Official legislation: New Jersey Data Privacy Act

Under NJDPA, residents of New Jersey will have the following rights:

  • The right to access, correct, or delete personal data,
  • The right to acquire a copy of the data, and
  • The right to reject the processing of their data for advertising or similar purposes.

The law will apply to the following entities:

  • Organizations or individuals that gather the data from at least 100,000 New Jersey residents, or
  • Organizations or individuals that gather the data from 25,000 New Jersey residents and earn revenue by selling it (no amount is specified).

The attorney general will enforce New Jersey data privacy law and may impose fines of up to $2,500 for the first violation, up to $5,000 for the second violation, up to $10,000 for the third violation, and up to $20,000 for the fourth and every consecutive violation.

🎓 To learn more about employment laws in New Jersey, visit our website — New Jersey Labor Laws Guide

14. Oregon Consumer Privacy Act (OCPA)

Status: Effective since July 1, 2024.

Official legislation: Oregon Consumer Privacy Act

Under OCPA, residents of Oregon have several rights. The law explains this easily by using the phrase LOCKED, which includes the following:

  • Users have the right to get a list of all third-party entities that handle their data,
  • Users can opt-out from letting entities sell their information for advertising or other purposes, 
  • Users can ask for a copy of the personal data that businesses have about them,
  • Users can know what information an organization has about them,
  • Users can edit inaccurate data, and
  • Users can delete personal or sensitive information a business has about them.

This law applies to the following entities:

  • Organizations or individuals that gather data from at least 100,000 Oregon residents, or
  • Organizations or individuals that gather data from at least 25,000 Oregon residents and earn a minimum of 25% of their revenue by selling it.

The attorney general will enforce Oregon data privacy law and may impose fines of up to $7,500 per violation. There is a 30-day cure period for the breach.

15. Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

Status: It will take effect on January 1, 2026.

Official legislation: Rhode Island Data Transparency and Privacy Protection Act

Under RIDTPPA, residents of Rhode Island have the right to know how their personal information is collected and for what it is used. In addition, before collecting information, users must give consent to entities that gather it. However, companies aren’t required to create an opt-out mechanism.

This law applies to the following entities:

  • Organizations or individuals that gather data from at least 35,000 Rhode Island residents, or
  • Organizations or individuals that gather data from at least 10,000 Rhode Island residents and earn a minimum of 20% of their revenue by selling it.

The attorney general will enforce Rhode Island data privacy law and may impose fines from $100 to $500 per violation. There is no cure period for the breach.

16. Tennessee Information Protection Act (TIPA)

Status: It will take effect on July 1, 2025.

Official legislation: Tennessee Information Protection Act

Under TIPA, residents of Tennessee will have the following rights:

  • The right to access, correct, or delete personal data,
  • The right to acquire a copy of the data, and
  • The right to reject the processing of their data for advertising or similar purposes.

This law applies to entities that exceed $25 million in revenue and either:

  • Gather data from at least 175,000 Tennessee residents, or
  • Gather data from at least 25,000 Oregon residents and earn a minimum of 50% of their revenue by selling it.

The attorney general will enforce Tennessee data privacy law and may impose fines of up to $7,500 per violation, or in some cases the triple amount if the violation is wilful. There is a 60-day cure period for the breach.

🎓 To learn more about employment laws in Tennessee, visit our website — Tennessee Labor Laws Guide

17. Texas Data Privacy and Security Act (TDPSA)

Status: Enforceable since January 1, 2024, but businesses have a grace period until January 1, 2025, to comply with the law.

Official legislation: Texas Data Privacy and Security Act

Under TDPSA, users have the common data privacy laws used in most states, which include:

  • The right to access, correct, or delete personal data,
  • The right to acquire a copy of the data, and
  • The right to reject the processing of their data for advertising or similar purposes.

This law doesn’t have the standard eligibility requirements (revenue-based) used by other states. Instead, entities that are covered by this law are businesses that gather or sell data in Texas. 

The attorney general will enforce Texas data privacy law and may impose fines of up to $7,500 per violation. There is a 30-day cure period.

18. Utah Consumer Privacy Act (UCPA)

Status: Effective since December 31, 2023.

Official legislation: Utah Consumer Privacy Act

The UCPA grants Utah residents the following rights:

  • The right to access, correct, or delete personal data,
  • The right to acquire a copy of the data, and
  • The right to reject the processing of their data for advertising or similar purposes.

The law has similar eligibility requirements as TIPA and applies to entities that exceed $25 million in revenue and either:

  • Gather data from at least 100,000 Utah residents, or
  • Gather data from at least 25,000 Oregon residents and earn a minimum of 50% of their revenue by selling it. 

The attorney general enforces Utah data privacy law and may impose fines of up to $7,500 per violation. There is a 30-day cure period.

19. Virginia’s Consumer Data Protection Act (VCDPA)

Status: Effective since January 1, 2023.

Official legislation: Virginia’s Consumer Data Protection Act

Under VCDPA, the residents of Virginia have the usual data privacy rights, which include:

  • The right to access, correct, or delete personal data,
  • The right to acquire a copy of the data, and
  • The right to reject the processing of their data for advertising or similar purposes.

The law applies to the following entities:

  • Organizations or individuals that gather the data from at least 100,000 Virginia residents, or
  • Organizations or individuals that gather the data from 25,000 Virginia residents and earn at least 50% of their revenue by selling it.

The attorney general enforces Virginia data privacy law and may impose fines of up to $7,500 per violation. There is a 30-day cure period.

20. Florida Digital Bill of Rights (FDBR)

Status: Effective since July 1, 2024.

Official legislation: Florida Digital Bill of Rights

Under FDBR, residents of Florida have the following online privacy rights: 

  • The right to access, correct, or delete personal data,
  • The right to acquire a copy of the data, and
  • The right to reject the processing of their data for advertising or similar purposes.

The law applies to the entities in Florida that earn at least $1 billion of annual revenue and:

  • At least 50% of their revenue comes from digital platforms,
  • Use an app with more than 250,000 applications, and
  • Have a smart speaker that is connected to the cloud.

The attorney general enforces Florida data privacy law and may impose fines of up to $50,000 per violation. There is a 45-day cure period.

🎓 To learn more about employment laws in Florida, visit our website — Florida Labor Laws Guide

What are the data privacy laws in Europe?

Europe has several data privacy laws that are used to protect the right to privacy of its residents. The most popular among these laws is the General Data Protection Regulation (GDPR), one of the world’s most comprehensive data privacy laws. 

In addition to the GDPR, in recent years, Europe has enacted a few additional data privacy legislations, such as the Digital Markets Act (DMA)

Let’s look at these laws in more detail.

1. General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a very strict privacy and security law affecting countries worldwide. The European Union (EU) drafted this document and signed it into law in 2016, and it became effective on May 25, 2018.

Every company that processes personal data or sells goods and services to EU residents must comply with the GDPR rules. The GDPR outlines 7 key protection and responsibility principles that include:

  1. Lawfulness, fairness, and transparency — all processed data must be fair, transparent, and compliant with the law,
  2. Purpose — data can only be gathered for legitimate purposes specified to the user,
  3. Minimization — the amount of data gathered must be minimal for the required purpose,
  4. Accuracy — all data must be accurate,
  5. Storage limitation — data can be stored only for the amount of time necessary for the purpose,
  6. Integrity & confidentiality —  all processing must ensure security, integrity, and privacy (e.g., encryption), and
  7. Accountability — every organization that processes data is accountable for demonstrating compliance with the GDPR rules.

When it comes to penalties, the GDPR fines are incredibly high. They can max out at €20 million or 4% of the company’s revenue. In addition, subjects have the right to seek compensation for damages. 

🎓 To learn more about the GDPR, visit their official website — What is GDPR, the EU’s new data protection law?

2. Digital Markets Act (DMA)

The Digital Markets Act (DMA) is a European law that covers the largest digital platforms, such as Facebook, Google, and Apple, in the EU. This law became effective in March 2024 and aims to prevent large companies from imposing unfair market conditions on their competitors.

Companies that fail to comply with the DMA can be fined up to 10% of their revenue and sometimes up to 20% if they repeat the violation.

3. European Union AI Act

With artificial intelligence becoming increasingly popular, the EU has approved the European Union AI Act, which will go into effect in late 2025 or 2026. This law will apply to all companies that develop AI systems and require them to respect ethical and fundamental rights when designing them.

4. Digital Services Act (DSA)

The Digital Services Act (DSA) sets clear rules protecting consumers and their online rights. The main purpose of this law is to prevent illegal and harmful online activities, such as spreading misinformation or posting prohibited content.

Frequently asked questions about data privacy laws

To make this guide as comprehensive as possible, we’ve included an FAQ section where we’ll answer the most common questions about this topic.

Do US companies need to comply with GDPR?

Yes, if a company operates on EU soil or has customers from the EU, it will have to respect GDPR rules.

What is the difference between GDPR and CCPA?

The main difference between the two is that GDPR applies to all companies that operate on EU soil, and the CCPA applies only to California residents.

How many states have data privacy laws?

Currently, there are 20 states in the US that have enacted data protection laws. Some of them are already effective, and some will become effective in 2025 or 2026.

Protect your company’s privacy with the CAKE.com bundle

With the rise of data privacy laws, companies must find ways to improve their security and keep their customer’s data safe.

For many, this can be pretty expensive.

Why, you ask? Well, you’ll need appropriate software that is secure.

That’s where CAKE.com can help you, as it offers 3 robust pieces of software that keep all your data safe.

With Clockify, you get a time tracking software you can use to track employee activities, send invoices, schedule shifts, and much more.

With Pumble, you get access to a modern team communication software that keeps all information your team shares safe and secure.

Last but not least, Plaky is your go-to project management software that lets you track tasks and projects within your team.

Oh, and did I mention that you can get all 3 of these tools for the amount you spend on your regular project management software? 

Conclusion/Disclaimer

We hope this data privacy laws guide will be helpful. Please pay attention to the links provided, which will lead you to the official government websites and other relevant information.

Please note that this guide was written in December 2024, so any changes in the laws that were included later may not be in this guide.

We strongly advise you to consult with the appropriate institutions or certified representatives before acting on legal matters.

Clockify isn’t responsible for any losses or risks incurred should this guide be used without further guidance from legal or tax advisors.

Free time tracker

Time tracking software used by millions. Clockify is a time tracker and timesheet app that lets you track work hours across projects.

FREE FOREVER • UNLIMITED USERS

Learn more Arrow Right Primary
Clockify time tracker
Watch demo (12:35)
Closing video