Published: Dezember 19, 2024 
- Data privacy laws regulate how organizations and companies can collect personal information from their consumers.
- There is no federal data privacy law in the United States yet.
- The Fair Trade Commission is the main governing body that protects the rights of American consumers online.
- Currently, there are 20 states in the US with data protection regulations.
- One of the world’s most well-known data privacy policies is the EU’s General Data Protection Regulation (GDPR).
What is a data privacy law?
- Defining which organizations must use data privacy laws,
- Determining what type of data must be protected,
- Defining how organizations can gather, store, and share data,
- Granting individuals the rights to their data (in some states), and
- Ensuring that organizations comply with legal standards.
- Scope and applicability — defines what types of data have to be protected and which organizations have to comply with these rules,
- User rights — determine what the users can do with their data. For example, users in some states are allowed to access, transfer, or delete their information,
- Legal consent — before websites can gather data, the users must give their consent. This is also known as “cookie consent,” and there are rules on how websites need to do this accordingly, and
- Transparency — websites must inform users how their data will be gathered and for what purposes they’ll use it.
Is there an official data privacy law in the US?
- Children’s Online Privacy Protection Act (COPPA) — regulates how children’s information is collected,
- Health Insurance Portability and Accounting Act (HIPAA) — is a federal rule that protects sensitive health information from disclosure,
- Gramm Leach Bliley Act (GLBA) — regulates how banks and financial institutions collect information,
- Fair Credit Reporting Act (FCRA) — regulates the collection of credit information, and
- Family Educational Rights and Privacy Act (FERPA) — protects student education records.
What organization governs data privacy laws in the US?
- Stop unfair competition methods and unfair trade practices,
- Pursue financial redress for violations of consumer rights,
- Define acts and practices that are deceptive and establish rules to prevent them,
- Collect information and investigate organizations, businesses, practices, and management of entities in trade, and
- Report and suggest legislation to Congress and the public.
What US states have data privacy laws?
1. California Privacy Rights Act (CPRA)
- Disallow entities from collecting their data,
- Access and correct data,
- Delete data, and
- Prohibit entities from sharing data.
2. Colorado Privacy Act (CPA)
- To access, delete, and correct personal information, and
- To reject the use of their data for advertising purposes or other types of profiling.
- Gather information from 100,000 consumers, and
- Gather information from 25,000 consumers and generate revenue from it.
3. Connecticut Data Privacy Act (CTDPA)
- The right to access, correct, or delete their data,
- The right to acquire a copy of their personal information, and
- The right to reject the processing of their data for advertising or similar purposes.
- Organizations or individuals that gather the data of at least 100,000 consumers, or
- Organizations or individuals that gather the data of at least 25,000 consumers, but generate 25% of their revenue from selling that data.
4. Delaware Personal Data Privacy Act (DPDPA)
- The right to allow or disallow entities to collect personal data,
- The right to correct or delete personal data,
- The right to acquire copies of their personal information,
- The right to acquire a list of third-party entities that have access to their data, and
- The right to reject the use of their data for advertising or other similar purposes.
- Organizations or individuals that gather information from more at least 35,000 consumers in Delaware, or
- Organizations or individuals that gather information from at least 10,000 consumers in Delaware and generate at least 20% of revenue from selling it.
5. Indiana Consumer Data Protection Act (INCDPA)
- The right to access, correct, or delete personal data,
- The right to acquire a copy of the data, and
- The right to reject the processing of their data for advertising or similar purposes.
- Organizations or individuals that gather the data from at least 100,000 Indiana residents, or
- Organizations or individuals that gather the data from 25,000 Indiana residents and earn at least 50% of their revenue by selling it.
6. Iowa Consumer Data Protection Act (ICDPA)
- The right to confirm data processing,
- The right to access, correct, or delete personal data,
- The right to acquire a copy of the data, and
- The right to reject the selling of their data.
- Organizations or individuals that gather the data from at least 100,000 Indiana residents, or
- Organizations or individuals that gather the data from 25,000 Indiana residents and earn at least 50% of their revenue by selling it.
7. Kentucky Consumer Data Protection Act (KCDPA)
- The right to access, correct, or delete personal data,
- The right to acquire a copy of the data, and
- The right to reject the processing of their data for advertising or similar purposes.
- Organizations or individuals that gather the data from at least 100,000 Indiana residents, or
- Organizations or individuals that gather the data from 25,000 Kentucky residents and earn at least 50% of their revenue by selling it.
8. Maryland Online Data Privacy Act (MDODPA)
- The right to access, correct, or delete personal data,
- The right to acquire a copy of the data,
- The right to reject the processing of their data for advertising or similar purposes,
- The right to get a list of all third parties with access to the data, and
- The right to revoke their consent.
- Organizations or individuals that gather the data from at least 35,000 Maryland residents, or
- Organizations or individuals that gather the data from 10,000 Maryland residents and earn at least 20% of their revenue by selling it.
9. Minnesota Consumer Data Privacy Act (MCDPA)
- The right to access, correct, or delete personal data,
- The right to acquire a copy of the data,
- The right to reject the processing of their data for advertising or similar purposes, and
- The right to review and understand how data is being profiled.
- Organizations or individuals that gather the data from at least 100,000 Minnesota residents, or
- Organizations or individuals that gather the data from 25,000 Minnesota residents and earn at least 25% of their revenue by selling it.
10. Montana Consumer Data Privacy Act (MTCDPA)
- Access, correct, or delete personal data,
- Acquire a copy of the data, and
- Reject the processing of their data for advertising or similar purposes.
- Organizations or individuals that gather the data from at least 50,000 Montana residents, or
- Organizations or individuals that gather the data from 25,000 Montana residents and earn at least 25% of their revenue by selling it.
11. Nebraska Data Privacy Act (NDPA)
- The right to access, correct, or delete personal data,
- The right to acquire a copy of the data, and
- The right to reject the processing of their data for advertising or similar purposes.
12. New Hampshire Privacy Act (NHPA)
- The right to access, correct, or delete personal data,
- The right to acquire a copy of the data, and
- The right to reject the processing of their data for advertising or similar purposes.
- Organizations or individuals that gather the data from at least 35,000 New Hampshire residents, or
- Organizations or individuals that gather the data from 10,000 New Hampshire residents and earn at least 25% of their revenue by selling it.
13. New Jersey Data Privacy Act (NJDPA)
- The right to access, correct, or delete personal data,
- The right to acquire a copy of the data, and
- The right to reject the processing of their data for advertising or similar purposes.
- Organizations or individuals that gather the data from at least 100,000 New Jersey residents, or
- Organizations or individuals that gather the data from 25,000 New Jersey residents and earn revenue by selling it (no amount is specified).
14. Oregon Consumer Privacy Act (OCPA)
- Users have the right to get a list of all third-party entities that handle their data,
- Users can opt-out from letting entities sell their information for advertising or other purposes,
- Users can ask for a copy of the personal data that businesses have about them,
- Users can know what information an organization has about them,
- Users can edit inaccurate data, and
- Users can delete personal or sensitive information a business has about them.
- Organizations or individuals that gather data from at least 100,000 Oregon residents, or
- Organizations or individuals that gather data from at least 25,000 Oregon residents and earn a minimum of 25% of their revenue by selling it.
15. Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
- Organizations or individuals that gather data from at least 35,000 Rhode Island residents, or
- Organizations or individuals that gather data from at least 10,000 Rhode Island residents and earn a minimum of 20% of their revenue by selling it.
16. Tennessee Information Protection Act (TIPA)
- The right to access, correct, or delete personal data,
- The right to acquire a copy of the data, and
- The right to reject the processing of their data for advertising or similar purposes.
- Gather data from at least 175,000 Tennessee residents, or
- Gather data from at least 25,000 Oregon residents and earn a minimum of 50% of their revenue by selling it.
17. Texas Data Privacy and Security Act (TDPSA)
- The right to access, correct, or delete personal data,
- The right to acquire a copy of the data, and
- The right to reject the processing of their data for advertising or similar purposes.
18. Utah Consumer Privacy Act (UCPA)
- The right to access, correct, or delete personal data,
- The right to acquire a copy of the data, and
- The right to reject the processing of their data for advertising or similar purposes.
- Gather data from at least 100,000 Utah residents, or
- Gather data from at least 25,000 Utah residents and earn a minimum of 50% of their revenue by selling it.
19. Virginia’s Consumer Data Protection Act (VCDPA)
- The right to access, correct, or delete personal data,
- The right to acquire a copy of the data, and
- The right to reject the processing of their data for advertising or similar purposes.
- Organizations or individuals that gather the data from at least 100,000 Virginia residents, or
- Organizations or individuals that gather the data from 25,000 Virginia residents and earn at least 50% of their revenue by selling it.
20. Florida Digital Bill of Rights (FDBR)
- The right to access, correct, or delete personal data,
- The right to acquire a copy of the data, and
- The right to reject the processing of their data for advertising or similar purposes.
- At least 50% of their revenue comes from digital platforms,
- Use an app with more than 250,000 applications, and
- Have a smart speaker that is connected to the cloud.
What are the data privacy laws in Europe?
1. General Data Protection Regulation (GDPR)
- Lawfulness, fairness, and transparency — all processed data must be fair, transparent, and compliant with the law,
- Purpose — data can only be gathered for legitimate purposes specified to the user,
- Minimization — the amount of data gathered must be minimal for the required purpose,
- Accuracy — all data must be accurate,
- Storage limitation — data can be stored only for the amount of time necessary for the purpose,
- Integrity & confidentiality — all processing must ensure security, integrity, and privacy (e.g., encryption), and
- Accountability — every organization that processes data is accountable for demonstrating compliance with the GDPR rules.
