![\"Data](\"https:\/\/clockify.me\/learn\/wp-content\/uploads\/2024\/12\/Data-privacy-laws-cover.jpg\")
<\/figure>\n<\/div>\n\n\n- \n
- Data privacy laws regulate how organizations and companies can collect personal information from their consumers. <\/li>\n\n\n\n
- There is no federal data privacy law in the United States yet.<\/li>\n\n\n\n
- The Fair Trade Commission is the main governing body that protects the rights of American consumers online. <\/li>\n\n\n\n
- Currently, there are 20 states in the US with data protection regulations.<\/li>\n\n\n\n
- One of the world’s most well-known data privacy policies is the EU\u2019s General Data Protection Regulation (GDPR).<\/li>\n<\/ul>\n\n\n\n
What is a data privacy law?<\/h2>\n\n\n\n
A data privacy law is a legal framework that protects consumers<\/strong> from unapproved access to their data while using the internet. These laws also regulate how websites gather information, and how they are allowed to use it.<\/p>\n\n\n\n
Every time you visit a website, you leave data behind, which websites later use for advertising and other purposes (e.g., enhancing user experience). Data privacy laws ensure that this data is well protected, and that users can safely browse the web without someone accessing their personal information by:<\/p>\n\n\n\n
- \n
- Defining which organizations must use data privacy laws,<\/li>\n\n\n\n
- Determining what type of data must be protected,<\/li>\n\n\n\n
- Defining how organizations can gather, store, and share data, <\/li>\n\n\n\n
- Granting individuals the rights to their data (in some states), and<\/li>\n\n\n\n
- Ensuring that organizations comply with legal standards.<\/li>\n<\/ul>\n\n\n\n
Data privacy laws can vary, and each state formulates its own rules. Yet, there are several key components that every data privacy legislation has::<\/p>\n\n\n\n
- \n
- Scope and applicability <\/strong>\u2014 defines what types of data have to be protected and which organizations have to comply with these rules,<\/li>\n\n\n\n
- User rights<\/strong> \u2014 determine what the users can do with their data. For example, users in some states are allowed to access, transfer, or delete their information,<\/li>\n\n\n\n
- Legal consent<\/strong> \u2014 before websites can gather data, the users must give their consent. This is also known as \u201ccookie consent,\u201d and there are rules on how websites need to do this accordingly, and<\/li>\n\n\n\n
- Transparency<\/strong> \u2014 websites must inform users how their data will be gathered and for what purposes they\u2019ll use it.<\/li>\n<\/ul>\n\n\n\n
Is there an official data privacy law in the US?<\/h2>\n\n\n\n
The US still has no official federal data privacy law<\/strong>. The main proposal for this type of law is the American Privacy Rights Act (APRA)<\/a>, which was introduced to Congress in 2024 but has yet to pass.<\/p>\n\n\n\n
Nonetheless, there are several laws worth mentioning when it comes to data privacy and protection online:<\/p>\n\n\n\n
- \n
- Children’s Online Privacy Protection Act (COPPA)<\/a> \u2014 regulates how children’s information is collected, <\/li>\n\n\n\n
- Health Insurance Portability and Accounting Act (HIPAA)<\/a> \u2014 is a federal rule that protects sensitive health information from disclosure,<\/li>\n\n\n\n
- Gramm Leach Bliley Act (GLBA)<\/a> \u2014 regulates how banks and financial institutions collect information,<\/li>\n\n\n\n
- Fair Credit Reporting Act (FCRA)<\/a> \u2014 regulates the collection of credit information, and<\/li>\n\n\n\n
- Family Educational Rights and Privacy Act (FERPA)<\/a> \u2014 protects student education records.<\/li>\n<\/ul>\n\n\n\n
What organization governs data privacy laws in the US?<\/h3>\n\n\n\n
When it comes to enforcing data privacy laws, the main governing body in the US is the Federal Trade Commission (FTC)<\/a>. The FTC is there to protect consumers in all aspects of commerce, and its primary statute is the Federal Trade Commission Act<\/a>, allowing the Commission to:<\/p>\n\n\n\n
- \n
- Stop unfair competition methods and unfair trade practices,<\/li>\n\n\n\n
- Pursue financial redress for violations of consumer rights,<\/li>\n\n\n\n
- Define acts and practices that are deceptive and establish rules to prevent them,<\/li>\n\n\n\n
- Collect information and investigate organizations, businesses, practices, and management of entities in trade, and<\/li>\n\n\n\n
- Report and suggest legislation to Congress and the public.<\/li>\n<\/ol>\n\n\n\n
A good example of how the FTC handles data privacy infringements is when they accused Google of violating user privacy<\/a> upon launching its social media platform, Google Buzz, back in 2010. This resulted in a settlement that prohibited Google from repeating any violation of this kind and required them to implement a comprehensive privacy program for the next 20 years.<\/p>\n\n\n\n
\ud83c\udf93 To learn more about the Federal Trade Commission visit their website \u2014 What the FTC does?<\/a><\/p>\n\n\n\n
What US states have data privacy laws?<\/h2>\n\n\n\n
In recent years, more and more states are adopting data privacy laws. This is due to the lack of a federal law governing privacy protection. Currently, there are 20 states with data privacy laws in the US<\/strong>. <\/p>\n\n\n\n
Let\u2019s look at each of them in more detail.<\/p>\n\n\n
\n![\"States](\"https:\/\/clockify.me\/learn\/wp-content\/uploads\/2024\/12\/States-with-data-privacy-laws-in-the-US.jpg\")
States with data privacy laws<\/figcaption><\/figure>\n<\/div>\n\n\n 1. California Privacy Rights Act (CPRA)<\/h3>\n\n\n\n
Status<\/strong>: Effective since January 1, 2023.<\/p>\n\n\n\n
Official legislation<\/strong>: California Privacy Rights Act<\/a><\/p>\n\n\n\n
The CPRA is one of the largest data privacy laws out there and is an amendment to the California Consumer Privacy Act (CCPA)<\/a>. The law grants Californian citizens the rights to:<\/p>\n\n\n\n
- \n
- Disallow entities from collecting their data,<\/li>\n\n\n\n
- Access and correct data,<\/li>\n\n\n\n
- Delete data, and<\/li>\n\n\n\n
- Prohibit entities from sharing data.<\/li>\n<\/ul>\n\n\n\n
In addition to enhanced consumer protection, the law also sets responsibilities for entities that collect personal information, such as asking users for consent.<\/p>\n\n\n\n
The governing body for the CPRA is the California Privacy Protection Agency (CPPA)<\/a>, which can hold hearings and impose fines for potential violations.<\/p>\n\n\n\n
\ud83c\udf93 To learn more about employment laws in California, visit our website \u2014 California Labor Laws Guide<\/a><\/p>\n\n\n\n
2. Colorado Privacy Act (CPA)<\/h3>\n\n\n\n
Status<\/strong>: Effective since July 1, 2023.<\/p>\n\n\n\n
Official legislation<\/strong>: Colorado Privacy Act<\/a><\/p>\n\n\n\n
The CPA is a part of Colorado\u2019s Consumer Protection Act<\/a> and is enforced and implemented by the Colorado Attorney General. This law grants Colorado consumers the following rights:<\/p>\n\n\n\n
- \n
- To access, delete, and correct personal information, and<\/li>\n\n\n\n
- To reject the use of their data for advertising purposes or other types of profiling.<\/li>\n<\/ul>\n\n\n\n
Covered entities that collect personal information must protect data, acquire consent, and inform Colorado citizens on how their data is collected and used. The CPA applies to organizations that:<\/p>\n\n\n\n
- \n
- Gather information from 100,000 consumers, and <\/li>\n\n\n\n
- Gather information from 25,000 consumers and generate revenue from it.<\/li>\n<\/ul>\n\n\n\n
3. Connecticut Data Privacy Act (CTDPA)<\/h3>\n\n\n\n
Status<\/strong>: Effective since July 1, 2023.<\/p>\n\n\n\n
The CTDPA grants Connecticut residents the same rights as the other similar laws, which include:<\/p>\n\n\n\n
- \n
- The right to access, correct, or delete their data, <\/li>\n\n\n\n
- The right to acquire a copy of their personal information, and<\/li>\n\n\n\n
- The right to reject the processing of their data for advertising or similar purposes.<\/li>\n<\/ul>\n\n\n\n
This law applies to the following entities:<\/p>\n\n\n\n
- \n
- Organizations or individuals that gather the data of at least 100,000 consumers, or <\/li>\n\n\n\n
- Organizations or individuals that gather the data of at least 25,000 consumers, but generate 25% of their revenue from selling that data.<\/li>\n<\/ul>\n\n\n\n
4. Delaware Personal Data Privacy Act (DPDPA)<\/h3>\n\n\n\n
Status<\/strong>: It will take effect on January 1, 2025.<\/p>\n\n\n\n
Official legislation<\/strong>: Delaware Personal Data Privacy Act<\/a><\/p>\n\n\n\n
The DPDPA is modeled after other data privacy legislations, and it will grant Delaware citizens the following consumer rights:<\/p>\n\n\n\n
- \n
- The right to allow or disallow entities to collect personal data,<\/li>\n\n\n\n
- The right to correct or delete personal data,<\/li>\n\n\n\n
- The right to acquire copies of their personal information,<\/li>\n\n\n\n
- The right to acquire a list of third-party entities that have access to their data, and<\/li>\n\n\n\n
- The right to reject the use of their data for advertising or other similar purposes.<\/li>\n<\/ul>\n\n\n\n
The law will apply to the following entities:<\/p>\n\n\n\n
- \n
- Organizations or individuals that gather information from more at least 35,000 consumers in Delaware, or<\/li>\n\n\n\n
- Organizations or individuals that gather information from at least 10,000 consumers in Delaware and generate at least 20% of revenue from selling it. <\/li>\n<\/ul>\n\n\n\n
The Department of Justice<\/a> enforces this law, which can impose fines of up to $10,000 per violation.<\/p>\n\n\n\n
5. Indiana Consumer Data Protection Act (INCDPA)<\/h3>\n\n\n\n
Status<\/strong>: It will take effect on January 1, 2026.<\/p>\n\n\n\n
Official legislation<\/strong>: Indiana Consumer Data Protection Act<\/a><\/p>\n\n\n\n
The INCDPA will grant Indiana residents the following rights concerning their data privacy and protection:<\/p>\n\n\n\n
- \n
- The right to access, correct, or delete personal data,<\/li>\n\n\n\n
- The right to acquire a copy of the data, and<\/li>\n\n\n\n
- The right to reject the processing of their data for advertising or similar purposes.<\/li>\n<\/ul>\n\n\n\n
This law will apply to the following entities:<\/p>\n\n\n\n
- \n
- Organizations or individuals that gather the data from at least 100,000 Indiana residents, or<\/li>\n\n\n\n
- Organizations or individuals that gather the data from 25,000 Indiana residents and earn at least 50% of their revenue by selling it.<\/li>\n<\/ul>\n\n\n\n
The attorney general will enforce data privacy law in Indiana and may impose sanctions of up to $7,500 per violation. The law predicts a cure period of 30 days before penalties.<\/p>\n\n\n\n
6. Iowa Consumer Data Protection Act (ICDPA)<\/h3>\n\n\n\n
Status<\/strong>: It will take effect on January 1, 2025.<\/p>\n\n\n\n
Official legislation<\/strong>: Iowa Consumer Data Protection Act<\/a><\/p>\n\n\n\n
The ICDPA will grant Iowa residents the same rights:<\/p>\n\n\n\n
- \n
- The right to confirm data processing,<\/li>\n\n\n\n
- The right to access, correct, or delete personal data,<\/li>\n\n\n\n
- The right to acquire a copy of the data, and<\/li>\n\n\n\n
- The right to reject the selling of their data.<\/li>\n<\/ul>\n\n\n\n
This law will apply to the following entities:<\/p>\n\n\n\n
- \n
- Organizations or individuals that gather the data from at least 100,000 Indiana residents, or<\/li>\n\n\n\n
- Organizations or individuals that gather the data from 25,000 Indiana residents and earn at least 50% of their revenue by selling it.<\/li>\n<\/ul>\n\n\n\n
The attorney general will enforce data privacy law in Iowa and may impose sanctions of up to $7,500 per violation. The law predicts a cure period of 90 days before penalties.<\/p>\n\n\n\n
7. Kentucky Consumer Data Protection Act (KCDPA)<\/h3>\n\n\n\n
Status<\/strong>: Will take effect on January 1, 2025.<\/p>\n\n\n\n
Official legislation<\/strong>: Kentucky Consumer Data Protection Act<\/a><\/p>\n\n\n\n
The KCDPA will grant Kentucky residents the following rights concerning their data privacy and protection:<\/p>\n\n\n\n
- \n
- The right to access, correct, or delete personal data,<\/li>\n\n\n\n
- The right to acquire a copy of the data, and<\/li>\n\n\n\n
- The right to reject the processing of their data for advertising or similar purposes.<\/li>\n<\/ul>\n\n\n\n
This law will apply to the following entities:<\/p>\n\n\n\n
- \n
- Organizations or individuals that gather the data from at least 100,000 Indiana residents, or<\/li>\n\n\n\n
- Organizations or individuals that gather the data from 25,000 Kentucky residents and earn at least 50% of their revenue by selling it.<\/li>\n<\/ul>\n\n\n\n
The attorney general will enforce data privacy law in Kentucky and may impose sanctions of up to $7,500 per violation. The law predicts a cure period of 90 days before penalties.<\/p>\n\n\n\n
8. Maryland Online Data Privacy Act (MDODPA)<\/h3>\n\n\n\n
Status<\/strong>: It will take effect on October 1, 2025.<\/p>\n\n\n\n
Official legislation<\/strong>: Maryland Online Data Privacy Act<\/a><\/p>\n\n\n\n
The MDODPA is known as a more strict data privacy law as it requires organizations to take additional measures to protect consumers, such as allowing consumers not to accept the processing of their personal data.<\/p>\n\n\n\n
This law grants Maryland residents the following rights:<\/p>\n\n\n\n
- \n
- The right to access, correct, or delete personal data,<\/li>\n\n\n\n
- The right to acquire a copy of the data, <\/li>\n\n\n\n
- The right to reject the processing of their data for advertising or similar purposes,<\/li>\n\n\n\n
- The right to get a list of all third parties with access to the data, and<\/li>\n\n\n\n
- The right to revoke their consent.<\/li>\n<\/ul>\n\n\n\n
This law will apply to the following entities:<\/p>\n\n\n\n
- \n
- Organizations or individuals that gather the data from at least 35,000 Maryland residents, or<\/li>\n\n\n\n
- Organizations or individuals that gather the data from 10,000 Maryland residents and earn at least 20% of their revenue by selling it.<\/li>\n<\/ul>\n\n\n\n
Maryland’s Consumer Protection Division will enforce data privacy law in Maryland and may impose fines from $10,000 to $25,000 depending on the violation.<\/p>\n\n\n\n
9. Minnesota Consumer Data Privacy Act (MCDPA)<\/h3>\n\n\n\n
Status<\/strong>: Will take effect on July 31, 2025.<\/p>\n\n\n\n
Official legislation<\/strong>: Minnesota Consumer Data Privacy Act<\/a><\/p>\n\n\n\n
The MCDPA grants Minnesota residents the following rights:<\/p>\n\n\n\n
- \n
- The right to access, correct, or delete personal data,<\/li>\n\n\n\n
- The right to acquire a copy of the data, <\/li>\n\n\n\n
- The right to reject the processing of their data for advertising or similar purposes, and<\/li>\n\n\n\n
- The right to review and understand how data is being profiled. <\/li>\n<\/ul>\n\n\n\n
This law will apply to the following entities:<\/p>\n\n\n\n
- \n
- Organizations or individuals that gather the data from at least 100,000 Minnesota residents, or<\/li>\n\n\n\n
- Organizations or individuals that gather the data from 25,000 Minnesota residents and earn at least 25% of their revenue by selling it.<\/li>\n<\/ul>\n\n\n\n
The attorney general will enforce data privacy law in Minnesota and may impose fines of up to $7,500 per violation. However, the attorney general must issue a warning letter first and provide a way to cure the breach.<\/p>\n\n\n\n
10. Montana Consumer Data Privacy Act (MTCDPA)<\/h3>\n\n\n\n
Status<\/strong>: Effective since October 1, 2024.<\/p>\n\n\n\n
Official legislation<\/strong>: Montana Consumer Data Privacy Act<\/a><\/p>\n\n\n\n
Under the MTCDPA, consumers have the right to:<\/p>\n\n\n\n
- \n
- Access, correct, or delete personal data,<\/li>\n\n\n\n
- Acquire a copy of the data, and<\/li>\n\n\n\n
- Reject the processing of their data for advertising or similar purposes.<\/li>\n<\/ul>\n\n\n\n
The law applies to the following entities:<\/p>\n\n\n\n
- \n
- Organizations or individuals that gather the data from at least 50,000 Montana residents, or<\/li>\n\n\n\n
- Organizations or individuals that gather the data from 25,000 Montana residents and earn at least 25% of their revenue by selling it.<\/li>\n<\/ul>\n\n\n\n
The attorney general will enforce data privacy law in Montana, but there are no specific fines for violations. The cure period for violations is 60 days.<\/p>\n\n\n\n
11. Nebraska Data Privacy Act (NDPA)<\/h3>\n\n\n\n
Status<\/strong>: It will take effect on January 1, 2025.<\/p>\n\n\n\n
Official legislation<\/strong>: Nebraska Data Privacy Act<\/a><\/p>\n\n\n\n
Under the NDPA, residents in Nebraska will have the following rights:<\/p>\n\n\n\n
- \n
- The right to access, correct, or delete personal data,<\/li>\n\n\n\n
- The right to acquire a copy of the data, and<\/li>\n\n\n\n
- The right to reject the processing of their data for advertising or similar purposes.<\/li>\n<\/ul>\n\n\n\n
The Nebraska data privacy law will apply to individuals or organizations (excluding small businesses) that collect personal and sensitive data from consumers. However, there is no revenue or volume requirement as in most other states.<\/p>\n\n\n\n
The attorney general will enforce data privacy law in Nebraska and impose fines of up to $7,500 per violation. The attorney general must first inform the subject of the breach and give them a 30-day cure period. After curing the violation, the subject must provide a written statement declaring they won\u2019t repeat it.<\/p>\n\n\n\n
12. New Hampshire Privacy Act (NHPA)<\/h3>\n\n\n\n
Status<\/strong>: It will take effect on January 1, 2025.<\/p>\n\n\n\n
Official legislation<\/strong>: New Hampshire Privacy Act<\/a><\/p>\n\n\n\n
Under the NHPA, residents in New Hampshire will have the following rights:<\/p>\n\n\n\n
- \n
- The right to access, correct, or delete personal data,<\/li>\n\n\n\n
- The right to acquire a copy of the data, and<\/li>\n\n\n\n
- The right to reject the processing of their data for advertising or similar purposes.<\/li>\n<\/ul>\n\n\n\n
The law will apply to the following entities:<\/p>\n\n\n\n
- \n
- Organizations or individuals that gather the data from at least 35,000 New Hampshire residents, or<\/li>\n\n\n\n
- Organizations or individuals that gather the data from 10,000 New Hampshire residents and earn at least 25% of their revenue by selling it.<\/li>\n<\/ul>\n\n\n\n
The attorney general will enforce New Hampshire data privacy law and may impose fines of up to $10,000 per violation. If the violation is on purpose, the attorney general may seek criminal penalties of up to $100,000 per violation.<\/p>\n\n\n\n
13. New Jersey Data Privacy Act (NJDPA)<\/h3>\n\n\n\n
Status<\/strong>: It will take effect on January 15, 2025.<\/p>\n\n\n\n
Official legislation<\/strong>: New Jersey Data Privacy Act<\/a><\/p>\n\n\n\n
Under NJDPA, residents of New Jersey will have the following rights:<\/p>\n\n\n\n
- \n
- The right to access, correct, or delete personal data,<\/li>\n\n\n\n
- The right to acquire a copy of the data, and<\/li>\n\n\n\n
- The right to reject the processing of their data for advertising or similar purposes.<\/li>\n<\/ul>\n\n\n\n
The law will apply to the following entities:<\/p>\n\n\n\n
- \n
- Organizations or individuals that gather the data from at least 100,000 New Jersey residents, or<\/li>\n\n\n\n
- Organizations or individuals that gather the data from 25,000 New Jersey residents and earn revenue by selling it (no amount is specified).<\/li>\n<\/ul>\n\n\n\n
The attorney general will enforce New Jersey data privacy law and may impose fines of up to $2,500 for the first violation, up to $5,000 for the second violation, up to $10,000 for the third violation, and up to $20,000 for the fourth and every consecutive violation.<\/p>\n\n\n\n
\ud83c\udf93 To learn more about employment laws in New Jersey, visit our website \u2014 New Jersey Labor Laws Guide<\/a><\/p>\n\n\n\n
14. Oregon Consumer Privacy Act (OCPA)<\/h3>\n\n\n\n
Status<\/strong>: Effective since July 1, 2024.<\/p>\n\n\n\n
Official legislation<\/strong>: Oregon Consumer Privacy Act<\/a><\/p>\n\n\n\n
Under OCPA, residents of Oregon have several rights. The law explains this easily by using the phrase LOCKED<\/strong>, which includes the following:<\/p>\n\n\n\n
- \n
- Users have the right to get a list<\/strong> of all third-party entities that handle their data,<\/li>\n\n\n\n
- Users can opt-out<\/strong> from letting entities sell their information for advertising or other purposes, <\/li>\n\n\n\n
- Users can ask for a copy<\/strong> of the personal data that businesses have about them,<\/li>\n\n\n\n
- Users can know<\/strong> what information an organization has about them,<\/li>\n\n\n\n
- Users can edit<\/strong> inaccurate data, and<\/li>\n\n\n\n
- Users can delete<\/strong> personal or sensitive information a business has about them.<\/li>\n<\/ul>\n\n\n\n
This law applies to the following entities:<\/p>\n\n\n\n
- \n
- Organizations or individuals that gather data from at least 100,000 Oregon residents, or<\/li>\n\n\n\n
- Organizations or individuals that gather data from at least 25,000 Oregon residents and earn a minimum of 25% of their revenue by selling it.<\/li>\n<\/ul>\n\n\n\n
The attorney general will enforce Oregon data privacy law and may impose fines of up to $7,500 per violation. There is a 30-day cure period for the breach.<\/p>\n\n\n\n
15. Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)<\/h3>\n\n\n\n
Status<\/strong>: It will take effect on January 1, 2026.<\/p>\n\n\n\n
Official legislation<\/strong>: Rhode Island Data Transparency and Privacy Protection Act<\/a><\/p>\n\n\n\n
Under RIDTPPA, residents of Rhode Island have the right to know how their personal information is collected and for what it is used. In addition, before collecting information, users must give consent to entities that gather it. However, companies aren\u2019t required to create an opt-out mechanism.<\/p>\n\n\n\n
This law applies to the following entities:<\/p>\n\n\n\n
- \n
- Organizations or individuals that gather data from at least 35,000 Rhode Island residents, or<\/li>\n\n\n\n
- Organizations or individuals that gather data from at least 10,000 Rhode Island residents and earn a minimum of 20% of their revenue by selling it.<\/li>\n<\/ul>\n\n\n\n
The attorney general will enforce Rhode Island data privacy law and may impose fines from $100 to $500 per violation. There is no cure period for the breach.<\/p>\n\n\n\n
16. Tennessee Information Protection Act (TIPA)<\/h3>\n\n\n\n
Status<\/strong>: It will take effect on July 1, 2025.<\/p>\n\n\n\n
Official legislation<\/strong>: Tennessee Information Protection Act<\/a><\/p>\n\n\n\n
Under TIPA, residents of Tennessee will have the following rights:<\/p>\n\n\n\n
- \n
- The right to access, correct, or delete personal data,<\/li>\n\n\n\n
- The right to acquire a copy of the data, and<\/li>\n\n\n\n
- The right to reject the processing of their data for advertising or similar purposes.<\/li>\n<\/ul>\n\n\n\n
This law applies to entities that exceed $25 million in revenue and either:<\/p>\n\n\n\n
- \n
- Gather data from at least 175,000 Tennessee residents, or<\/li>\n\n\n\n
- Gather data from at least 25,000 Oregon residents and earn a minimum of 50% of their revenue by selling it.<\/li>\n<\/ul>\n\n\n\n
The attorney general will enforce Tennessee data privacy law and may impose fines of up to $7,500 per violation, or in some cases the triple amount if the violation is wilful. There is a 60-day cure period for the breach.<\/p>\n\n\n\n
\ud83c\udf93 To learn more about employment laws in Tennessee, visit our website \u2014 Tennessee Labor Laws Guide<\/a><\/p>\n\n\n\n
17. Texas Data Privacy and Security Act (TDPSA)<\/h3>\n\n\n\n
Status<\/strong>: Enforceable since January 1, 2024, but businesses have a grace period until January 1, 2025, to comply with the law.<\/p>\n\n\n\n
Official legislation<\/strong>: Texas Data Privacy and Security Act<\/a><\/p>\n\n\n\n
Under TDPSA, users have the common data privacy laws used in most states, which include:<\/p>\n\n\n\n
- \n
- The right to access, correct, or delete personal data,<\/li>\n\n\n\n
- The right to acquire a copy of the data, and<\/li>\n\n\n\n
- The right to reject the processing of their data for advertising or similar purposes.<\/li>\n<\/ul>\n\n\n\n
This law doesn\u2019t have the standard eligibility requirements (revenue-based) used by other states. Instead, entities that are covered by this law are businesses that gather or sell data in Texas. <\/p>\n\n\n\n
The attorney general will enforce Texas data privacy law and may impose fines of up to $7,500 per violation. There is a 30-day cure period.<\/p>\n\n\n\n
18. Utah Consumer Privacy Act (UCPA)<\/h3>\n\n\n\n
Status<\/strong>: Effective since December 31, 2023.<\/p>\n\n\n\n
Official legislation<\/strong>: Utah Consumer Privacy Act<\/a><\/p>\n\n\n\n
The UCPA grants Utah residents the following rights:<\/p>\n\n\n\n
- \n
- The right to access, correct, or delete personal data,<\/li>\n\n\n\n
- The right to acquire a copy of the data, and<\/li>\n\n\n\n
- The right to reject the processing of their data for advertising or similar purposes.<\/li>\n<\/ul>\n\n\n\n
The law has similar eligibility requirements as TIPA and applies to entities that exceed $25 million in revenue and either:<\/p>\n\n\n\n
- \n
- Gather data from at least 100,000 Utah residents, or<\/li>\n\n\n\n
- Gather data from at least 25,000 Utah residents and earn a minimum of 50% of their revenue by selling it. <\/li>\n<\/ul>\n\n\n\n
The attorney general enforces Utah data privacy law and may impose fines of up to $7,500 per violation. There is a 30-day cure period.<\/p>\n\n\n\n
19. Virginia’s Consumer Data Protection Act (VCDPA)<\/h3>\n\n\n\n
Status<\/strong>: Effective since January 1, 2023.<\/p>\n\n\n\n
Official legislation<\/strong>: Virginia’s Consumer Data Protection Act<\/a><\/p>\n\n\n\n
Under VCDPA, the residents of Virginia have the usual data privacy rights, which include:<\/p>\n\n\n\n
- \n
- The right to access, correct, or delete personal data,<\/li>\n\n\n\n
- The right to acquire a copy of the data, and<\/li>\n\n\n\n
- The right to reject the processing of their data for advertising or similar purposes.<\/li>\n<\/ul>\n\n\n\n
The law applies to the following entities:<\/p>\n\n\n\n
- \n
- Organizations or individuals that gather the data from at least 100,000 Virginia residents, or<\/li>\n\n\n\n
- Organizations or individuals that gather the data from 25,000 Virginia residents and earn at least 50% of their revenue by selling it.<\/li>\n<\/ul>\n\n\n\n
The attorney general enforces Virginia data privacy law and may impose fines of up to $7,500 per violation. There is a 30-day cure period.<\/p>\n\n\n\n
20. Florida Digital Bill of Rights (FDBR)<\/h3>\n\n\n\n
Status<\/strong>: Effective since July 1, 2024.<\/p>\n\n\n\n
Official<\/strong> legislation<\/strong>: Florida Digital Bill of Rights<\/a><\/p>\n\n\n\n
Under FDBR, residents of Florida have the following online privacy rights: <\/p>\n\n\n\n
- \n
- The right to access, correct, or delete personal data,<\/li>\n\n\n\n
- The right to acquire a copy of the data, and<\/li>\n\n\n\n
- The right to reject the processing of their data for advertising or similar purposes.<\/li>\n<\/ul>\n\n\n\n
The law applies to the entities in Florida that earn at least $1 billion of annual revenue and:<\/p>\n\n\n\n
- \n
- At least 50% of their revenue comes from digital platforms,<\/li>\n\n\n\n
- Use an app with more than 250,000 applications, and<\/li>\n\n\n\n
- Have a smart speaker that is connected to the cloud.<\/li>\n<\/ul>\n\n\n\n
The attorney general enforces Florida data privacy law and may impose fines of up to $50,000 per violation. There is a 45-day cure period.<\/p>\n\n\n\n
\ud83c\udf93 To learn more about employment laws in Florida, visit our website \u2014 Florida Labor Laws Guide<\/a><\/p>\n\n\n\n
What are the data privacy laws in Europe?<\/h2>\n\n\n\n
Europe has several data privacy laws that are used to protect the right to privacy of its residents. The most popular among these laws is the General Data Protection Regulation (GDPR)<\/a>, one of the world’s most comprehensive data privacy laws. <\/p>\n\n\n\n
In addition to the GDPR, in recent years, Europe has enacted a few additional data privacy legislations, such as the Digital Markets Act (DMA)<\/a>. <\/p>\n\n\n\n
Let\u2019s look at these laws in more detail.<\/p>\n\n\n\n
1. General Data Protection Regulation (GDPR)<\/h3>\n\n\n\n
The General Data Protection Regulation (GDPR) is a very strict privacy and security law affecting countries worldwide. The European Union (EU) drafted this document and signed it into law in 2016, and it became effective on May 25, 2018.<\/p>\n\n\n\n
Every company that processes personal data or sells goods and services to EU residents must comply with the GDPR rules. The GDPR outlines 7 key protection and responsibility principles that include:<\/p>\n\n\n\n
- \n
- Lawfulness, fairness, and transparency<\/strong> \u2014 all processed data must be fair, transparent, and compliant with the law,<\/li>\n\n\n\n
- Purpose<\/strong> \u2014 data can only be gathered for legitimate purposes specified to the user,<\/li>\n\n\n\n
- Minimization <\/strong>\u2014 the amount of data gathered must be minimal for the required purpose,<\/li>\n\n\n\n
- Purpose<\/strong> \u2014 data can only be gathered for legitimate purposes specified to the user,<\/li>\n\n\n\n
- Lawfulness, fairness, and transparency<\/strong> \u2014 all processed data must be fair, transparent, and compliant with the law,<\/li>\n\n\n\n
- Users can opt-out<\/strong> from letting entities sell their information for advertising or other purposes, <\/li>\n\n\n\n
- Users have the right to get a list<\/strong> of all third-party entities that handle their data,<\/li>\n\n\n\n
- Health Insurance Portability and Accounting Act (HIPAA)<\/a> \u2014 is a federal rule that protects sensitive health information from disclosure,<\/li>\n\n\n\n
- User rights<\/strong> \u2014 determine what the users can do with their data. For example, users in some states are allowed to access, transfer, or delete their information,<\/li>\n\n\n\n
- Scope and applicability <\/strong>\u2014 defines what types of data have to be protected and which organizations have to comply with these rules,<\/li>\n\n\n\n