State Privacy Laws

New state privacy laws are popping up everywhere. Keep track of them all with our interactive state privacy laws map. Click on the hot spots below.

 

 

Disclaimer: This is not a substitute for legal advice and may not be fully up-to-date.

MAINE

STATUS: Law

 

Maine has passed arguably one of the strictest internet privacy laws in the country. Signed in early June 2019 and due to go into effect in July 2020, the Act to Protect the Privacy of Online Customer Information will prohibit internet service providers (ISPs) from discriminating against or refusing to provide service to persons who want their data protected. Furthermore, the law would prohibit telecommunications companies from offering discounts or any other types of incentives to customers who do opt to share their data.

 

‹ BACK

MASSACHUSETTS

STATUS: Bill

 

This proposed law is similar to the CCPA in that it aims to provide the:

 

  • Right to request deletion of collected personal information
  • Right to request a copy of collected personal information
  • Right of notice at or before the point of collection of personal information that is collected and disclosure of purposes
  • Right to opt-out of personal information transfer
  • Ability to obtain reports of personal information up to twice per year
  • Inability of covered businesses to deny goods or services or charge different prices or rates to consumers exercising their opt-out right

 

Additionally, the right to opt out applies to any disclosure of personal information to third parties and contains a complete prohibition on the knowing disclosure of children’s (under the age of 18) personal information. This law would also provide a private right of action for consumers who have suffered a violation of this proposed law.

 

‹ BACK

RHODE ISLAND

STATUS: Bill

 

This proposed law would place more stringent requirements on the collection and retention of consumers’ personal information by a business. This law would apply to all businesses, no matter the location, that collect personal information from Rhode Island residents. Businesses would be required to inform consumers of the categories of information collected and for what purpose prior to the collecting of that information. This law would also grant consumers a private right of action against businesses who commit certain violations of this law.

 

‹ BACK

CONNECTICUT

STATUS: Task force substituted for comprehensive bill
 
Connecticut has a proposed law that would establish a task force focused on consumer privacy. This law would require businesses to disclose the proposed use of any personal information and would give consumers the right to discover what personal information businesses possess and the ability to opt out of the sale of their personal information. It would also create a cause of action and penalties for violations of such requirements.

 

‹ BACK

NEW JERSEY

STATUS: Bill
 
This proposed law would require commercial Internet websites and online services to notify customers of collection and disclosure of personally identifiable information and allows customers to opt out.

 

‹ BACK

NEW YORK

STATUS: Bill
 
This proposed law (S224) focuses on the transparency of the disclosure of personal information without granting the other significant consumer rights. A business is required to make the categories of personal information disclosed to third parties available to customers. This would apply to any person or entity that does business in New York. This proposed law also permits consumers or customers of a business to bring a civil action to recover penalties for violations of the bill. New York also has another proposed law, SB S8641,that adds a private right of action to security violations of S224.

 

‹ BACK

MARYLAND

STATUS: Bill
 
This proposed law requires certain businesses that collect personal information from consumers to provide notices to the consumer at or before the point of collection. It also authorizes a consumer to submit a certain request for information to a certain business that collects the consumer’s personal information and requires a certain business to comply with certain requests for information in a certain manner and within 45 days after receiving a verifiable consumer request.

 

‹ BACK

ILLINOIS

STATUS: Bill

 

Illinois’ proposed bill, the Data Transparency and Privacy Act (HB 3358), is similar to CCPA in that it includes consumer rights to receive notice and opt out of the sale of personal data. However, the bill exempted from the definition of “sale” the use of personal data for advertising; a significant difference.

 

The bill would also provide the right to the consumer to know the approximate number of third parties that received their personal information. Furthermore, the bill defines “de-identified data” to data that could not be used to infer information about consumers.

 

‹ BACK

NORTH DAKOTA

STATUS: Bill
 
This proposed law is a broad prohibition on the disclosure of personal information except with explicit consent.

 

‹ BACK

TEXAS

STATUS: Task force substituted for comprehensive bill
 
Texas has two proposed privacy laws in the state legislature. One is the Texas Consumer Privacy Act (TXCPA) and the other is the Texas Privacy Protection Act (TXPPA). The TXCPA would provide Texas consumers with rights to know what information of theirs is being collected, distributed and sold. It would also allows them to opt out of sales and request the deletion of unneeded data. It would also require businesses to be transparent when consumers exercise their rights and provide notices of information privacy operations. TXPPA is more of a GDPR-style restriction-based bill that prohibits a business from collecting or processing information except under certain circumstances.

 

‹ BACK

NEW MEXICO

STATUS: Bill postponed indefinitely
 
This proposed law would establish that consumers have a right to request from a business the kind of information collected or sold by that business. In addition, businesses would also have to notify consumers about the information they’re collecting and allow people to opt out. Furthermore, if someone stole consumer information from that business the consumer would have the right to file a lawsuit and recover damages, in some circumstances. Should this law be passed, it would be called the Consumer Information Privacy Act.

 

‹ BACK

WASHINGTON

STATUS: Bill
 
This proposed law allows consumers the right to access their data and know where it has been sold. Consumers would also be able to correct inaccurate information, delete personal information, and object to its use in direct marketing.

 

‹ BACK

NEVADA

STATUS: Law
 
Nevada’s passed privacy law, SB 220, requires website services and online services operators to post a notice on their website regarding their privacy practices and provide consumers the ability to provide a designated request address – such as email, toll-free number or website – for receipt of opt-out requests by consumers. The operators must then respond to the opt-out request within 60 days of receipt.

 

‹ BACK

CALIFORNIA

STATUS: Law

 

The California Consumer Privacy Act gives California consumers new privacy rights including:

  • Right to know all data collected by a business about you.
  • Right to say no to the sale of your information
  • Right to sue companies who collected your data and then that data was stolen due to a data breach or because the company was careless or negligent about how it protected your data.
  • Right to delete data you have posted.
  • Right not to be discriminated against if you tell a company not to sell your personal information.
  • Right to be informed of what data will be collected about you prior to its collection or at the point in time of collection as well as to be informed of any changes to the collection of your data.
  • Mandated opt-in before sale of the information of children under the age of 16.
  • Right to know with what third parties your data is shared.
  • Right to know the sources from which your data was required.
  • Right to know the purpose for which you information as collected and will be used.
  • Right to statutory damages between $100 and $750 for certain data breaches.

 

‹ BACK

HAWAII

STATUS: Task force subsituted for comprehensive bill

 

This proposed law requires a business to:

  • Disclose the categories and specific pieces of identifying information collected about a consumer upon verifiable request from the consumer.
  • Disclose the identity of third parties to which the business has sold or transferred identifying information about a consumer upon verifiable request from the consumer.
  • Publicly disclose the categories of identifying information that collected from consumers and the purposes for collection.
  • Delete identifying information collected from a consumer upon verifiable request frm the consumer.

The law also authorizes consumers to opt out of the sale of identifying information by a business and prohibits a business from selling the identifying information of an individual under the age of sixteen years old unless authorized to do so. It also prohibits a business from discriminating against consumers who exercise their rights to request disclosures or deletions or to opt out.

 

‹ BACK

LOUISIANA

STATUS: Task force substituted for comprehensive bill

 

This bill requests the Southern University Law Center to establish a task force to study the effects of the sale of consumer personal information by internet access service providers, social media companies, search engines, websites, and other providers of online services.

‹ BACK

MINNESOTA

STATUS: Bill

 

Minnesota has proposed a privacy law that requires controllers to provide, correct or restrict personal data processing upon consumer request. Controllers would be required to provide privacy notice and document risk assessment and the attorney general would have enforcement authority.

‹ BACK

PENNSYLVANIA

STATUS: Bill

 

Pennsylvania’s proposed consumer privacy bill would include provisions such as:

  • comprehensive definition of personal information
  • protecting biometric information and geolocation data
  • protecting personally identifying information such as names, addresses, Social Security numbers, etc.
‹ BACK