U.S. State Privacy Laws

With the U.S. federal government sticking to a sectoral approach to data protection laws and regulations, only addressing subsets and specific markets such as healthcare, education and financial institutions, U.S. states have led the way.

California was the first U.S. state—in 2018—with the passage of the California Consumer Privacy Act (“CCPA”). The CCPA was the first broad, omnibus data protection law in the U.S. following in the footsteps of Europe’s General Data Protection Regulation. States across the U.S. began to “kick the tires” on passing similar legislation. Since then the flood gates opened.

There are also less recent laws that similarly touch on data protection, like the existing Nevada Security and Privacy of Personal Information law enacted in 2005 and most recently amended in 2021. Nevada’s law focused on requiring website operators to have privacy notices in place, but was also the first U.S. state law to codify the concept of “selling” personal information and a right for consumers to opt-out of such selling. While not an omnibus, overarching law like California’s and the other U.S. states, it shows how data protection regulation has grown in the U.S.

There are now almost two dozen U.S. states with omnibus data protection laws in place. While they vary in scope and applicability—with Florida having the most narrow and Texas likely having the most broad applicability thresholds respectively—they all address similar concepts: (i) transparency and notice requirements; (ii) data minimization principles (using the least amount of data for specific purposes, for the least amount of time); (iii) data subject privacy rights; (iv) special protections for sensitive personal data; (v) data security principles; (vi) vendor due diligence and management; and (vii) data protection reviews and audits.

The above list is not exhaustive. But it provides an example of the different requirements comprehensive data protection laws set forth and what businesses must consider in order to stay compliant with the expanding arena of U.S. state data protection laws.

For a high-level synopsis of U.S. state data protection laws and key requirements, please see below.

*Updated August 16, 2024

  • California

    • January 1, 2023

    Colorado

    • July 1, 2023

    Connecticut

    • July 1, 2023

    Delaware

    • January 1, 2025

    Florida

    • July 1, 2024

    Indiana

    • January 1, 2026

    Iowa

    • January 1, 2025

    • Kentucky

    • January 1, 2026

    • Maryland

    • October 1, 2025

    Minnesota

    • July 31, 2025

    Montana

    • October 1, 2024

    • Nebraska

    • January 1, 2025

    • New Hampshire

    • January 1, 2025

    • New Jersey

    • January 16, 2025

    Nevada

    • 2005

    Oregon

    • July 1, 2024

    Rhode Island

    • January 1, 2026

    Tennessee

    • July 1, 2025

    Texas

    • July 1, 2024

    Utah

    • December 31, 2023

    Virginia

    • January 1, 2023

  • OVERVIEW

    State data protection laws will generally apply to businesses doing business in the specific state and that meet specific applicability thresholds. The applicability thresholds are generally tied to collecting a certain quantity of the state’s residents’ data or whether a business is selling personal data.

    Some states are narrower, such as Utah and Florida, which provide that a business must first meet a certain annual revenue threshold before it needs to consider whether the law applies.

    It’s important to note that California is the only state thus far that regulates employee and business-to-business personal data. All other states only regulate consumer personal data.

    California

    • Over $25 million in gross, worldwide annual revenue; OR

    • Annually processing 100,000 or more California residents’ personal data; OR

    • 50% of gross, worldwide annual revenue from selling personal data

    Colorado

    • Annually processing 100,000 or more Colorado consumers’ personal data; OR

    • Receiving any profit from selling personal data and processing at least 25,000 Colorado consumers’ personal data per year

    • Processing any amount of biometric data from Colorado consumers.

    Connecticut

    • Annually processing 100,000 or more Connecticut consumers’ personal data (excluding, personal data processed solely to complete a payment transaction); OR

    • 25% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Connecticut consumers’ personal data per year

    Delaware

    • Annually processing 35,000 Delaware consumers’ personal data (excluding, personal data processed solely to complete a payment transaction);

    • 20% of gross, worldwide annual revenue from selling personal data and processing at least 10,000 Delaware consumers’ personal data per year

    Florida

    • $1 billion in gross, worldwide annual revenue; AND

    • 50% of gross, worldwide annual revenue from the sale of advertisements online; including targeted advertising; OR

    • Operates a consumer-facing smart speaker and voice command service connected to cloud computing services that are hands-free

    Indiana

    • Annually processing 100,000 or more Indiana consumers’ personal data; OR

    • 50% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Indiana consumers’ personal data per year

    Iowa

    • Annually processing 100,000 or more Iowa consumers’ personal data; OR

    • 50% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Iowa consumers’ personal data per year

    • Kentucky

    • Annually processing 100,000 or more Kentucky consumers’ personal data; OR

    • 50% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Kentucky consumers’ personal data per year

    • Maryland

    • Annually processing 35,000 or more Maryland consumers’ personal data (excluding, personal data processed solely to complete a payment transaction); OR

    • 20% of gross, worldwide annual revenue from selling personal data and processing at least 10,000 Maryland consumers’ personal data per year

    Minnesota

    • Annually processing 100,000 or more Minnesota consumers’ personal data (excluding, personal data processed solely to complete a payment transaction); OR

    • 25% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Minnesota consumers’ personal data per year

    Montana

    • Annually processing 50,000 or more Montana consumers’ personal data (excluding, personal data processed solely to complete a payment transaction); OR

    • 25% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Montana consumers’ personal data per year

    • Nebraska

    • Conduct business in Nebraska; AND

    • Process or sell any amount of Nebraska consumers’ personal data; AND

    • Are not a small business as defined by Federal regulations

    • New Hampshire

    • Annually processing 35,000 or more New Hampshire consumers’ personal data (excluding, personal data processed solely to complete a payment transaction); OR

    • Over 25% of gross, worldwide annual revenue from selling personal data and processing at least 10,000 New Hampshire consumers’ personal data per year

    • New Jersey

    • Annually processing 100,000 or more New Jersey consumers’ personal data; OR

    • Receiving any profit from selling personal data and processing at least 25,000 New Jersey consumers’ personal data per year

    Nevada

    • Own or operate a website or online service for a commercial purpose; AND

    • Collecting or storing personal information from Nevada consumer visiting the website or online service; AND

    • Purposefully directing activity and doing business in the state

    Oregon

    • Annually processing 100,000 or more Oregon consumers’ personal data (excluding, personal data processed solely to complete a payment transaction); OR

    • 25% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Oregon consumers’ personal data per year

    Rhode Island*

    • Annually processing 35,000 or more Rhode Island consumers’ personal data (excluding, personal data processed solely to complete a payment transaction); OR

    • 20% of gross, worldwide annual revenue from selling personal data and processing at least 10,000 Rhode Island consumers’ personal data per year

    *privacy notice requirements apply to any business no matter the thresholds

    Tennessee

    • The business exceeds $25 million in annual revenue AND either

    • Annually processing 175,000 or more Tennessee consumers’ personal data; OR

    • 50% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Tennessee consumers’ personal data per year

    Texas

    • Conduct business in Texas; AND

    • Process or sell any amount of Texas consumers’ personal data; AND

    • Are not a small business as defined by Federal regulations

    Utah

    • $25 million in gross, worldwide annual revenue; AND

    • Annually processing 100,000 or more Utah consumers’ personal data; OR

    • 50% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Utah consumers’ personal data per year

    Virginia

    • Annually processing 100,000 or more Virginia consumers’ personal data; OR

    • 50% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Virginia consumers’ personal data per year

  • OVERVIEW

    Privacy notices and policies have become common place. All of the U.S. state data protection laws (1) generally require businesses adhere to a general principle of transparency; and (2) provide specific information to individuals via privacy notices.

    The U.S. state data protection laws still largely rely on the U.S. principle of notice and implied consent with regard to the collection and use of personal data (outside of some states that require consent for sensitive personal data).

    With the broadly applicable nature of some new privacy laws (Rhode Island and Texas), all businesses should be annually reviewing their website and consumer privacy notices.

  • OVERVIEW

    Privacy rights have proliferated with the advent of broad, data protection laws—both in foreign data protection laws and U.S. state data protection laws. The privacy rights are generally tied to furthering transparency requirements (e.g., rights to know, access, correct, delete, data portability) and to further give individuals control over their information (e.g., opt-out rights related to selling, targeted advertising, profiling, and sensitive data).

    California

    • Right to know or access a consumer's personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to limit the processing of sensitive personal data to what is necessary

    • Right to not be discriminated against for exercising the above rights

    Colorado

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to appeal

    Connecticut

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to appeal

    Delaware

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to obtain a list of specific third parties receiving personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to appeal

    Florida

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to opt-out of the collection and processing of sensitive personal data

    • Right to opt-out of collection or personal data through the operation of voice recognition or facial recognition features

    • Right to appeal

    Indiana

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to appeal

    Iowa

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to appeal

    • Kentucky

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to appeal

    • Maryland

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to appeal

    Minnesota

    • Right to access their personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to be informed about automated profiling decisions and be re-evaluated

    • Right to receive a list of specific third parties that personal data was disclosed to

    • Right to appeal

    Montana

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to appeal

    • Nebraska

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to appeal

    • New Hampshire

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to appeal

    • New Jersey

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to appeal

    • Nevada

    • Right to opt-out of the selling their personal data

    • If a business has a pre-existing process, a right for consumers to review and request changes to their personal information collected through the website or online services

    Oregon

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to request a list of specific third parties receiving personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to appeal

    Rhode Island

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to appeal

    Tennessee

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to appeal

    Texas

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to appeal

    Utah

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to limit the processing of sensitive personal data to what is necessary

    Virginia

    • Right to confirm whether a business is processing a consumer’s personal data

    • Right to access their personal data

    • Right to correct their personal data

    • Right to have their personal data deleted

    • Right to receive a copy of their personal data (data portability)

    • Right to opt-out of the sale of personal data

    • Right to opt-out of cross-contextual behavioral targeted advertising

    • Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

    • Right to appeal

  • The vast majority of the U.S. state data protection laws include a requirement that businesses not discriminate against a consumer for their exercise of a data privacy right. This includes not charging an individual more for the same products merely because they exercise a right to delete, for example.

    This implicates loyalty programs and consumer financial incentives. Such programs are still permitted in most cases, but need to have robust notices that meet specific requirements set forth in the applicable U.S. state data protection laws.

  • OVERVIEW

    “Sensitive” personal data can generally be understood to be that information, which if mishandled, has increased risk of causing harm to an individual (e.g., Social Security #'s, race, ethnicity, sexual orientation, religion, citizenship and immigration, health data, genetic and biometric information, precise geolocation information)

    U.S. states have diverged on whether to require businesses to obtain prior consent for collecting and processing sensitive personal data, or to provide a right to opt-out of collecting and processing sensitive personal data after the fact.

    Most have landing on requiring prior consent.

    California

    • Requires ability to limit

    • Categories of sensitive personal data: (i) government identifications (e.g., Social Security Numbers, Driver License or Passport Numbers, etc.); (ii) financial account or card numbers, or log-in information in combination with requires security codes, passwords or credentials; (iv) race, ethnicity, or religion; (v) personal data concerning an individual’s health; (vi) sexual orientation; (vii) union membership; (viii) genetic or biometric data processed with the purpose of identifying an individual; (ix) the contents of an individual’s mails, email, or text messages unless the business was the intended recipient; and (x) a person’s precise geolocation (within a radius of 1,850 feet).

    Colorado

    • Requires opt-in consent

    • Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

    Connecticut

    • Requires opt-in consent

    • Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); (vii) biological and neural data; and (viii) a person’s precise geolocation (within a radius of 1,750 feet).

    Delaware

    • Requires opt-in consent

    • Categories of sensitive personal data: Categories of sensitive personal data: (i) race, ethnicity, national origin, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation, or transgender or non-binary status; (iv) status as a victim of a crime; (v) citizenship or immigration status; (vi) genetic or biometric data; (vii) the personal information of a child (younger than 13); and (viii) a person’s precise geolocation (within a radius of 1,750 feet).

    Florida

    • Requires opt-in consent and ability to opt-out

    • Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 18); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

    Indiana

    • Requires opt-in consent

    • Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

    Iowa

    • Requires ability to opt-out

    • Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

    • Kentucky

    • Requires opt-in consent

    • Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

    • Maryland

    • Requires opt-in consent

    • Categories of sensitive personal data: Categories of sensitive personal data: (i) race, ethnicity, national origin, or religion; (ii) consumer health data; (iii) sexual orientation, or transgender or non-binary status; (iv) citizenship or immigration status; (v) genetic or biometric data; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

    Minnesota

    • Requires opt-in consent

    • Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a three decimal degrees of latitude and longitude).

    Montana

    • Requires opt-in consent

    • Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

    • Nebraska

    Requires opt-in consent

    • Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

    • New Hampshire

    • Requires opt-in consent

    • Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

    New Jersey

    • Requires opt-in consent

    • Categories of sensitive personal data: (i) race, ethnicity, national origin, or religion; (ii) mental or physical health data; (iii) sexual orientation, or transgender or non-binary status; (iv) financial information, which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account; (v) citizenship or immigration status; (vi) genetic or biometric data processed with the purpose of identifying an individual; (vii) the personal information of a child (younger than 13); and (viii) a person’s precise geolocation (within a radius of 1,750 feet).

    • Nevada

    • N/A

    Oregon

    • Requires opt-in consent

    • Categories of sensitive personal data: (i) race, ethnicity, national origin, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation, or transgender or non-binary status; (iv) status as a victim of a crime; (v) citizenship or immigration status; (vi) genetic or biometric data processed with the purpose of identifying an individual; (vii) the personal information of a child (younger than 13); and (viii) a person’s precise geolocation (within a radius of 1,750 feet).

    Rhode Island

    • Requires opt-in consent

    • Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

    Tennessee

    • Requires opt-in consent

    • Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

    Texas

    • Requires opt-in consent

    • Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexuality; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

    Utah

    • Requires ability to opt-out

    • Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

    Virginia

    • Requires opt-in consent

    • Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

  • OVERVIEW

    All of the U.S. state data protections require some form of audit or review if a business’s processing of personal data is or could be considered “high risk”. However, practically, in order to determine if a business’s processing of personal data falls within the high risk category, there must be on-going regular reviews in place by default.

    California

    Annual cybersecurity audit required if a business’s processing of personal data presents significant risk to security. Businesses must consider (i) the size and complexity of the business; and (ii) the nature and scope of the personal data processing (e.g., type of data, quantity of data, etc.).

    • Must submit an annual risk assessment to the California Privacy Protection Agency if a business’s processing of personal data presents significant risk to security.

    Colorado

    • Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

    • The data protection assessment must be made available to applicable regulators upon request.

    Connecticut

    • Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

    • The data protection assessment must be made available to applicable regulators upon request.

    Delaware

    • Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

    • The data protection assessment must be made available to applicable regulators upon request.

    Florida

    • Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

    • The data protection assessment must be made available to applicable regulators upon request.

    Indiana

    • Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

    • The data protection assessment must be made available to applicable regulators upon request.

    Iowa

    • None

    • Kentucky

    • Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

    • The data protection assessment must be made available to applicable regulators upon request.

    • Maryland

    • Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

    • The data protection assessment must be made available to applicable regulators upon request.

    Minnesota

    • Must maintain documented policies and procedures that includes (1) Data Protection Office (or equivalent) name and contact information; and (2) a description of the business's privacy policies (inclusive of similar information required in a business's public-facing privacy notice) and security policies.

    • Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

    • The data protection assessment must also reference and describe the policies required under the first bullet point.

    • The data protection assessment must be made available to applicable regulators upon request.

    Montana

    • Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

    • The data protection assessment must be made available to applicable regulators upon request.

    • Nebraska

    • Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

    • The data protection assessment must be made available to applicable regulators upon request.

    • New Hampshire

    • Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

    • The data protection assessment must be made available to applicable regulators upon request.

    • New Jersey

    • Prohibited from processing personal data in a manner that presents a heightened risk of harm to the consumer without first conducting a data protection assessment. Heightened risk includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

    • The data protection assessment must be made available to applicable regulators upon request.

    • Nevada

    • None

    Oregon

    • Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

    • The data protection assessment must be made available to applicable regulators upon request.

    Rhode Island

    • Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, or processing of sensitive personal data.

    • The data protection assessment must be made available to applicable regulators upon request.

    Tennessee

    • Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

    • The data protection assessment must be made available to applicable regulators upon request.

    Texas

    • Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

    • The data protection assessment must be made available to applicable regulators upon request.

    Utah

    • None

    Virginia

    • Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

    • The data protection assessment must be made available to applicable regulators upon request.

  • OVERVIEW

    All of the U.S. state data protection laws require businesses to adhere to the data protection principle of data minimization. The principle of data minimization requires a business to (1) collect the least amount of personal data; (2) for specified purposes (e.g., expressed in a privacy notice); (3) retained for the least amount of time; and (4) after such retention, securely destroy or delete such personal data.

    Data retention and destruction policies and procedures are therefore key aspects to maintaining adherence to the data minimization requirement.

  • OVERVIEW

    All of the U.S. state data protection laws include a right to consumers to opt-out of targeted advertising; however, it is specific to what is called “cross-contextual behavioral advertising.” This includes advertising based on an individuals activity across the Internet, but may exclude a business’s advertising that is solely based on an individuals activity on the business’s specific website.

    In some jurisdictions, the use of certain Ad Tech tools could also be considered as “sale” of information (see “Vendor Management” below for more information).

  • OVERVIEW

    Procurement and contracting have become a key aspect to a successful and compliant data protection program, and now, for adherence to U.S. state data protection laws. Where vendors or service providers are processing or accessing personal data on behalf of a business, the business must ensure specific contractual provisions are included in the written contract—often in the form of a data protection or processing agreement.

    If the specific contractual provisions are not in place, a business could be considered a “seller” of personal data, triggering additional requirements.

    California

    • Specific contractual provisions required in any and all engagements with a third party that have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

    Colorado

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

    Connecticut

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

    Florida

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

    Indiana

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data; however, Indiana more narrowly defines the concept of “sale” as disclosing personal data to a third party for just monetary consideration

    Iowa

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data; however, Iowa more narrowly defines the concept of “sale” as disclosing personal data to a third party for just monetary consideration

    • Kentucky

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data; however, Kentucky more narrowly defines the concept of “sale” as disclosing personal data to a third party for just monetary consideration

    • Maryland

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

    • Minnesota

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

    Montana

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

    • Nebraska

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

    • New Hampshire

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

    New Jersey

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data; however, New Jersey more narrowly defines the concept of “sale” as disclosing personal data to a third party for just monetary consideration

    • Nevada

    • Does not require contractual provisions in place with third parties

    • “Sale” defined narrowly to only include the exchange of personal information for monetary consideration.

    Oregon

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

    • Rhode Island

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

    Tennessee

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

    Texas

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

    Utah

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data; however, Utah more narrowly defines the concept of “sale” as disclosing personal data to a third party for just monetary consideration

    Virginia

    • Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

    • If proper contractual provisions are not in place, potentially considered a “sale” of personal data; however, Virginia more narrowly defines the concept of “sale” as disclosing personal data to a third party for just monetary consideration

  • California

    • Requires businesses to adhere to “opt-out preference signals” if selling or engaging in cross-contextual behavioral advertising is in-scope.

    Colorado

    • Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, (ii) cross-contextual behavioral advertising, or (iii) automated profiling.

    Connecticut

    • Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, (ii) cross-contextual behavioral advertising, or (iii) automated profiling.

    Delaware

    • Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, (ii) cross-contextual behavioral advertising, or (iii) automated profiling.

    Florida

    • Not applicable.

    Indiana

    • Not applicable.

    Iowa

    • Not applicable.

    • Kentucky

    • Not applicable.

    • Maryland

    • Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, or (ii) cross-contextual behavioral advertising.

    Minnesota

    • Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, or (ii) cross-contextual behavioral advertising.

    Montana

    • Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, (ii) cross-contextual behavioral advertising, or (iii) automated profiling.

    • Nebraska

    • Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, or (ii) cross-contextual behavioral advertising.

    • New Hampshire

    • Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, and (ii) targeted advertising

    New Jersey

    • Requires businesses to adhere to “universal opt-out mechanisms” if any of the following are in-scope: (i) selling, (ii) cross-contextual behavioral advertising, or (iii) automated profiling.

    • Nevada

    • Not applicable.

    Montana

    • Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, (ii) cross-contextual behavioral advertising, or (iii) automated profiling.

    Oregon

    • Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, (ii) cross-contextual behavioral advertising, or (iii) automated profiling.

    Rhode Island

    • Not applicable.

    Tennessee

    • Not applicable.

    Texas

    • Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, (ii) cross-contextual behavioral advertising, or (iii) automated profiling.

    Utah

    • Not applicable.

    Virginia

    • Not applicable.

  • OVERVIEW

    All of the U.S. state data protection laws give all or the vast majority of the enforcement power to specific state regulators. In California, a specific privacy agency was created, while in the other states, the state Attorney Generals are the lead enforcers and regulators. California is the only state that allows even a limited private right of action (tied to violations leading to a personal data breach).

    California

    • Limited private right of action for personal data breaches caused by failure to meet security requirements.

    • 30 day cure period

    • California Privacy Protection Agency is the lead regulator

    • No cure period

    Colorado

    • No private right of action

    • State AG is the lead regulator

    • 60 day cure period (only if the AG thinks it can be cured)

    • No cure periods beginning Jan. 1, 2025

    Connecticut

    • No private right of action

    • State AG is the lead regulator

    • 60 day cure period (only if the AG thinks it can be cured)

    • Cure periods only granted in AG’s discretion beginning Jan. 1, 2025

    • Delaware

    • No private right of action

    • State AG is the lead regulator

    • 60 day cure period (only if the AG thinks it can be cured)

    • Cure periods only granted in AG’s discretion beginning Jan. 1, 2026

    Florida

    • No private right of action

    • State AG is the lead regulator

    • 45 day cure period only granted in the AG’s discretion

    • No cure period for violations involving personal data about a child (under 18 years old)

    Indiana

    • No private right of action

    • State AG is the lead regulator

    • 30 day cure period

    Iowa

    • No private right of action

    • State AG is the lead regulator

    • 90 day cure period

    • Kentucky

    • No private right of action

    • State AG is the lead regulator

    • 30 day cure period

    • Maryland

    • No private right of action

    • State AG is the lead regulator

    • 60 day cure period (only if the AG thinks it can be cured)

    • No cure periods beginning April 1, 2027

    Minnesota

    • No private right of action

    • State AG is the lead regulator

    • 30 day cure period

    • No cure periods beginning Jan. 31, 2026

    Montana

    • No private right of action

    • State AG is the lead regulator

    • 60 day cure period

    • No cure period beginning April 1, 2026

    • Nebraska

    • No private right of action

    • State AG is the lead regulator

    • 30 day cure period

    • New Hampshire

    • No private right of action

    • State AG is the lead regulator

    • 60 day cure period (only if the AG thinks it can be cured)

    • No cure periods after Dec. 31, 2025

    New Jersey

    • No private right of action

    • State AG is the lead enforcer

    • 30 day cure period

    Nevada

    • No private right of action

    • State AG is the lead regulator

    • 30 day cure period for first violation

    Oregon

    • No private right of action

    • State AG is the lead regulator

    • 30 day cure period (only if the AG thinks it can be cured)

    Rhode Island

    • No private right of action

    • State AG is the lead regulator

    • No cure period

    Tennessee

    • No private right of action

    • State AG is the lead regulator

    • 60 day cure period

    • Tennessee Safe Harbor

    • Businesses may have an affirmative defense to any violation of the Tennessee data protection law where their privacy program complies with the National Institute of Standards and Technology (“NIST”) privacy framework titled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0” or such successor or updated framework as might be promulgated by NIST from time to time.

    Texas

    • No private right of action

    • State AG is the lead regulator

    • 30 day cure period

    Utah

    • No private right of action

    • State AG is the lead regulator

    • 30 day cure period

    Virginia

    • No private right of action

    • State AG is the lead regulator

    • 30 day cure period

The Benesch Data Protection Team is composed of attorneys from the firm’s Intellectual Property, Healthcare, Labor & Employment, and Litigation Practice Groups.