The enactment of the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act of 2018 (CCPA) started a domino effect for state privacy laws in the United States. Today more than 15 state-level privacy bills are moving through legislatures, and several have passed into law. Without an overarching federal privacy law in place, this patchwork of state privacy laws has created a complicated compliance environment for businesses and privacy professionals in the US.
With our US State Privacy Law Tracker, Ensighten offers businesses and consumers a simple way to get all the information you need about the patchwork of state privacy laws, and easily compare the rights and requirements introduced by the various laws. This document is updated frequently, so we encourage you to bookmark it for easy reference.
If you have any questions about the compliance or security of your website, contact our team of experts for a compliance and security evaluation.
California - California Privacy Rights Act (CPRA)
Status: Passed.
The California Privacy Rights Act of 2020 (CPRA) is a California privacy law that expands upon the California Consumer Privacy Act (CCPA) of 2018 with new rights (the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information), increased enforcement via a new enforcement agency, and an expanded opt-out link ("Do Not Sell or Share My Personal Information").
The CPRA takes effect on January 1, 2023. However, bills before the California legislature seek to extend certain exemptions in the law through 2026.
Scope:
The CPRA applies to any organization meeting at least one of the following three criteria:
- Annual gross revenue is more than $25 million. (This is worldwide revenue, not just revenue from California.)
- The organization buys, sells, or shares the personal information of 100,000 or more California consumers or households in a 12-month period.
- At least half of annual revenue is derived from selling or sharing the personal information of California consumers.
Right to Access: Yes
Data subjects have the right to know what personal information a business collects about them, and to request a copy of that data, to be provided in a format that is easily understandable by the average consumer, and structured in a commonly used, machine-readable format.
Right to Correction: Yes
The CPRA gives consumers a new right to correct inaccurate personal information maintained by businesses.
Right to Deletion: Yes
Data subjects have the right to request the deletion of any personal information a business has collected about them.
Right to Data Portability: Yes
The CPRA requires that personal information obtained from the consumer be provided, to the extent technically feasible, in a structured, commonly used, machine-readable format that can also be transmitted to another entity at the consumer's request without hindrance.
Right to Opt-Out of Data Sales: Yes
Data subjects have the right, at any time, to direct a business not to sell or share their personal information. Businesses must provide a clear and conspicuous "Do Not Sell or Share My Personal Information" link on their internet homepage.
Right to Consent: No
Right Against Automated Decision Making: Yes
The CPRA directs the issuance of regulations governing access and opt-out rights with respect to businesses' use of automated decision-making technology; the California Privacy Protection Agency assumes the Attorney General's rulemaking authority for this. Separately, consumers may direct a business to limit the use and disclosure of their sensitive personal information to what is necessary to perform the services or provide the goods requested.
Data Security Requirement: Yes
Under the CPRA, data collectors and processors have a duty to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information," or else they are subject to civil action from data subjects.
Privacy Notice Requirement: Yes
Data collectors and processors must inform data subjects on:
- The categories of personal information collected,
- The purposes for which the personal information is collected or used
- Whether or not collected information is sold or shared
- The categories of sensitive personal information collected (if applicable), and the purpose of said data collection.
- The length of time for which personal information will be retained.
Enforcement:
The CPRA establishes a dedicated agency, the California Privacy Protection Agency (CPPA), to enforce state privacy law, investigate violations, and assess administrative fines.
Businesses also lose the CCPA's 30-day cure period, which gave organizations time to remedy a violation before being fined. The opt-out right also expands from sales to "sharing" of personal information (disclosure to third parties for cross-context behavioral advertising); the CCPA's opt-out covered only sales. As under the CCPA, selling or sharing the personal information of consumers under 16 requires opt-in consent.
From a fine standpoint, the base penalties do not change between the CCPA and the CPRA: up to $2,500 per violation and up to $7,500 per intentional violation. The CPRA adds that each violation involving the personal information of a consumer the business has actual knowledge is under 16 is subject to the $7,500 penalty.
Colorado - Colorado Privacy Act (CPA)
Status: Passed.
The CPA became law on July 8th, 2021, and takes effect on July 1st, 2023. Two further changes follow on fixed dates: from July 1st, 2024, controllers must honor a "universal opt-out" mechanism for targeted advertising and data sales, and on January 1st, 2025, the 60-day cure period for fixing violations sunsets.
Scope:
The CPA applies to any organization that meets the criteria for both location and the number of data subjects:
- The organization does business in Colorado or produces products or services that are targeted at Colorado residents. (Colorado residents must be among the intended audience; Colorado need not be the sole or primary market.)
- The organization controls or processes the data of at least 100,000 Colorado consumers in a year. This falls to 25,000 if the organization makes any money (or gets any discounts) from selling personal data.
Right to Access: Yes
A consumer has the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer's personal data.
Right to Correction: Yes
Consumers have the right to correct inaccuracies in their personal data, taking into account the nature of the personal data, and the purposes of the processing.
Right to Deletion: Yes
A consumer has the right to delete personal data concerning the consumer.
Right to Data Portability: Yes
When exercising their right of access, consumers have the right to obtain the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity.
Right to Opt-Out of Data Sales: Yes*
A consumer has the right to opt-out of the processing of personal data concerning the consumer for the purposes of:
- Targeted advertising
- The sale of personal data
- Profiling for decision-making
*Controllers are not required to honor a universal opt-out mechanism until July 1st, 2024.
Right to Consent: No
Right Against Automated Decision-Making: Yes
A consumer has the right to opt-out of the processing of personal data concerning the consumer for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects.
Data Security Requirement: Yes
A controller must take reasonable measures to secure personal data from unauthorized access during both storage and use. A controller also may not conduct processing that presents a heightened risk of harm to a consumer without first conducting and documenting a data protection assessment of each such processing activity.
Privacy Notice Requirement: Yes
A controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice outlining the categories of personal data collected, the purposes of the processing, what categories are shared with third parties, and more.
Enforcement:
The CPA can be enforced by either the Attorney General of Colorado, or by the state's District Attorneys.
District of Columbia - Uniform Personal Data Protection Act (Bill 24-0451)
Status: In committee.
The Uniform Personal Data Protection Act of 2021 (Bill 24-0451) was introduced on October 18th, 2021. The bill has since been referred to the Committee on Judiciary and Public Safety.
Scope:
The Uniform Personal Data Protection Act (UPDPA) would apply to any data controller or processor that conducts business or provides products or services in the District of Columbia and either (a) maintains personal data about more than 50,000 data subjects who are residents of DC, excluding data subjects whose data is collected or maintained solely to complete a payment transaction, or (b) earns more than 50 percent of its gross annual revenue during a calendar year from maintaining personal data as a controller or processor.
Right to Access: Yes
The UPDPA would give data subjects the right to receive a copy of their personal data.
Right to Correction: Yes
The UPDPA would give data subjects the right to have any errors in their personal data corrected.
Right to Deletion: No
Right to Data Portability: No
Right to Opt-Out of Data Sales: No
Right to Consent: No
Right Against Automated Decision Making: No
Data Security Requirement: Yes
The UPDPA would require "reasonable data-security measures, including appropriate administrative, technical, and physical safeguards to prevent unauthorized access" to personal data. Data controllers and processors would also be required to regularly conduct and maintain data-privacy and security-risk assessments that evaluate privacy and security risks to personal data and track efforts to mitigate those risks.
Privacy Notice Requirement: Yes
The UPDPA would require controllers to "adopt and comply with a reasonably clear and accessible privacy policy."
Enforcement:
The UPDPA would be enforced by the attorney general of the District of Columbia.
Florida - Consumer Data Privacy (HB 9)
Status: In legislation
The Florida House Judiciary Committee passed an amended version of HB 9 on February 23, 2022. On February 25, 2022, lawmakers filed thirteen amendments.
Scope:
HB 9 would apply to any entity that buys, sells, or shares the personal information of Florida consumers.
Right to Access: Yes
Consumers would have the right to request a copy of the personal information that controllers process about them.
Right to Deletion: Yes
Consumers would have the right to have their personal information deleted.
Right to Correction: Yes
A consumer has the right to request that a controller correct inaccurate personal information it maintains about the consumer.
Right to Data Portability: Yes
Following a request for access, personal information must be made available in a readily useable format.
Right to Opt-Out of Data Sales: Yes
Consumers would have the right to opt out of the sale or sharing of their personal information to third parties.
Right to Consent: No
Right Against Automated Decision-Making: No
Data Security Requirement: Yes
Controllers must implement and maintain reasonable security procedures and practices appropriate to the nature of personal information.
Privacy Notice Requirement: Yes
Controllers must maintain an up-to-date online privacy policy available from their home page.
Enforcement:
Enforcement of HB 9 would be carried out by the Florida Department of Legal Affairs. In certain circumstances, HB 9 would also provide for a private right of action.
Indiana - Consumer Privacy (HB 1261)
Status: In legislation.
The Indiana Senate passed SB 358 on February 1, 2022. On February 17, 2022, the bill passed committee and was sent to the floor of the House, where it will require two majority votes to pass.
Scope:
SB 358 would apply to any business or organization that:
- Conducts business in Indiana or provides goods or services marketed to Indiana residents, and
- Controls or processes the personal data of either of the following:
  - At least 100,000 consumers during a calendar year, or
  - At least 25,000 consumers during a calendar year, while deriving more than 50% of gross revenue from the sale of personal data.
Right to Access: Yes
SB 358 would give data subjects the right to access their personal data.
Right to Correction: Yes*
A business that receives a verifiable consumer request to correct inaccurate personal information shall use commercially reasonable efforts to correct the inaccurate personal information as directed by the consumer.
*"Commercially reasonable" is not defined.
Right to Deletion: Yes
SB 358 would give data subjects the right to delete their personal data.
Right to Data Portability: No
Right to Opt-Out of Data Sales: Yes
SB 358 would give data subjects the right to opt out of the sharing or sale of their personal data.
Right to Consent: No
Right Against Automated Decision Making: No
Data Security Requirement: No*
*SB 358 does not explicitly state requirements for data security, but it does reference obligations regarding maintaining the security and integrity of personal data.
Privacy Notice Requirement: No
Enforcement:
The bill would be enforced by the Indiana division of Consumer Protection.
Iowa - HSB 674, HF 2506
Status: Introduced. The Iowa House Information Technology Committee voted 15-0 to advance HSB 674 to a full House vote.
Iowa's House Study Bill 674 (renumbered HF 2506 on 2/23/22) is a data privacy bill introduced in February 2022. The proposed law would establish data subject rights and an opt-out for personal data sales. If passed, the law would take effect on Jan. 1, 2024.
Right to Access: Yes
Consumers have the right to confirm whether a controller is processing their personal data and to access such personal data.
Right to Correction: Yes
Consumers have the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.
Right to Deletion: Yes
Consumers have the right to delete personal data provided or obtained about the consumer.
Right to Data Portability: Yes
Consumers have the right to obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format so that the consumer may transmit the data to another controller without hindrance.
Right to Opt-Out of Data Sales: Yes
Consumers have the right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling.
Right to Consent: No
Right Against Automated Decision-Making: Yes
Consumers have the right to opt out of the processing of personal data for the purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Data Security Requirement: Yes
Controllers must adopt and implement reasonable administrative, technical, and physical data security practices to protect the integrity, confidentiality, and accessibility of personal data. Controllers may not process sensitive data without the consumer's consent.
Privacy Notice Requirement: Yes
Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal information collected, the purposes for data processing, categories shared with third parties, and more.
Enforcement:
The law would be enforced by the Iowa attorney general.
Massachusetts - The Massachusetts Information Privacy and Security Act (H. 142, S.2687)
Status: In legislation.
H. 142 advanced to house legislation on February 2nd, 2022. The bill is now filed under S.2687 (the Massachusetts Information Privacy and Security Act). On February 14, 2022, the bill was referred to the Senate Ways and Means Committee.
Scope:
The law would apply to any entity that conducts business in the Commonwealth of Massachusetts, processes personal information by itself or by contracting with a data processor, and either has earned or received $10 million or more in annual revenue through 300 or more transactions, or processes or maintains the personal information of 10,000 or more unique individuals during the course of a calendar year.
Right to Access: Yes
Individuals have the right to access all their personal information that was processed by the covered entity or a data processor; and access all the information pertaining to the collection and processing of their personal information, including:
- Where or from whom the information was obtained.
- The types of third parties to which the processor has disclosed or will disclose personal information
- The categories of information processed
- The purpose of processing
- The retention period of collected information
Right to Correction: Yes
Individuals have the right to correct inaccurate personal information.
Right to Deletion: Yes
Individuals have the right to delete all their personal information stored by covered entities, provided that a covered entity that has collected personal information from an individual is not required to delete information to the extent it is exempt under this chapter from the requirement of consent.
Right to Data Portability: Yes
Individuals have the right to obtain their personal information processed by a covered entity in a structured, readily usable, portable, and machine-readable format; and transmit or cause the covered entity to transmit the personal information to another covered entity, where technically feasible.
Right to Opt-Out of Data Sales: Yes*
Individuals have the right to request that a covered entity stop collecting and processing their personal information at any time.
*The bill functions on an opt-in basis: individuals must consent before any processing, so withdrawing consent serves as the opt-out.
Right to Consent: Yes
Individuals have the right to consent before their personal information is collected and processed. Covered entities must obtain consent before collecting personal information for the purposes of processing an individual's information for the first time. Consent must be informed, unambiguous, and freely given.
Right Against Automated Decision Making: Yes*
Covered entities and data processors must process personal information and use automated decision systems discreetly and honestly, and only to the extent necessary for carrying out their purpose; and covered entities and data processors must be protective of personal information, loyal to the individuals whose personal information is processed, and honest about the risk of processing practices, including the use of automated decision systems.
*While not explicitly stated, the law functions on an opt-in basis, so individuals have the right to opt-out of automated decision-making by opting out of data processing writ large.
Data Security Requirement: Yes
Covered entities and data processors have a duty of care and must reasonably secure individual personal information from unauthorized access.
Privacy Policy Requirement: Yes
Individuals shall have the right to know what personal information a covered entity or a data processor will collect and process about the individual, including the categories and specific pieces of personal information the covered entity processes, before giving consent for the collection and processing of their personal information.
Enforcement:
The bill would form the Massachusetts Information Privacy Commission, which would have all the powers necessary or convenient to carry out and effectuate the purposes of the law. A private right of action would also be created: any individual alleging a violation would be able to bring a civil action in any court of competent jurisdiction.
Nevada - SB 260
Status: Passed.
Nevada's internet privacy law (Senate Bill 220 of 2019) took effect on October 1st, 2019. Senate Bill 260 of 2021 amended it, extending the opt-out obligation to data brokers, and took effect on October 1st, 2021.
Scope:
The law applies to operators of websites or online services that collect covered information from consumers in Nevada and, as amended by SB 260, to data brokers.
Right to Access: No
Right to Correction: No
Right to Deletion: No
Right to Data Portability: No
Right to Opt-Out of Data Sales: Yes
A consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer.
Right to Consent: No
Data Security Requirement: No
Privacy Notice Requirement: Yes
Operators must make available a notice that identifies the categories of covered information collected, the categories of third parties with which it may be shared, and the process by which a consumer may review and request changes to their covered information.
Enforcement:
The law is enforced by the Nevada Attorney General.
New Jersey - New Jersey Disclosure and Accountability Transparency Act (NJ DaTA, Bill A505)
Status: Reintroduced.
The New Jersey Disclosure and Accountability Transparency Act (NJ DaTA) was first introduced on February 25th, 2020, and was reintroduced on January 11th, 2022 for the 2022-23 session.
Scope:
DaTA applies to any person or legal entity that collects, maintains, and determines the purposes and means of processing personally identifiable information.
Right to Access: Yes
Controllers must provide consumers with information concerning the processing of their personally identifiable information (PII) in a concise, transparent, intelligible, and easily accessible form.
Right to Correction: Yes
Consumers have the right to request rectification to PII.
Right to Deletion: Yes
Consumers have the right to request the erasure of PII.
Right to Data Portability: Yes
Consumers have the right to the portability of PII.
Right to Opt-Out of Data Sales: Yes*
*Opt-out is not expressly addressed in the bill, but because DaTA is based on opt-in consent that may be withdrawn at any time, the right to opt out is inherent in the operation of consent under the bill.
Right to Consent: Yes
Affirmative opt-in consent is required to lawfully process personally identifiable information unless the processing is required for one of the following reasons:
- for the performance of a contract to which the consumer is a party.
- in compliance with a legal obligation
- to protect the vital interest of the consumer or another person
- for the performance of a task conducted in the public interest
Consumers have the right to withdraw consent at any time.
Right Against Automated Decision-Making: Yes
Consumers must be notified of any automated decision-making before giving consent, and consumers shall not be subject to a decision based solely on automated decision-making, including profiling, when that decision produces legal effects concerning the consumer or similarly significantly affects the consumer.
Data Security Requirement: Yes
PII must be processed in a manner that ensures appropriate security of the PII, including protection against unauthorized or unlawful processing, and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
Privacy Notice Requirement: Yes
Controllers must provide consumers with information concerning the processing of their personally identifiable information (PII) in a concise, transparent, intelligible and easily accessible form.
Enforcement:
DaTA would establish the Office of Data Protection and Responsible Use, which would be responsible for enforcement of the law. The office could levy fines of up to $10,000 for a first offense and $20,000 for each subsequent offense.
New York - New York Privacy Act (S 6701A)
Status: Reintroduced, in committee.
The New York Privacy Act (S 6701A) was reintroduced in early January 2022. On February 8th, 2022, the New York Senate Consumer Affairs Committee voted S 6701A out of committee. The bill was reported and committed to the Internet and Technology Committee.
Scope:
The New York Privacy Act would apply to persons that conduct business in the State of New York, or produce products or services that are targeted to residents of New York and satisfy one or more of the following thresholds:
- Have annual gross revenue of twenty-five million dollars or more.
- Control or process the personal data of at least 100,000 consumers.
- Control or process the personal data of 500,000 or more natural persons nationwide, and control or process the personal data of 10,000 or more consumers.
- Derive over 50% of gross revenue from the sale of personal data, and control or process the personal data of 25,000 or more consumers.
Right to Access: Yes
Individuals would have the right to access. Upon a consumer's request, data controllers must confirm whether or not they are processing the consumer's personal data, and provide access to any such personal data.
Right to Correction: Yes
Consumers have the right to request the correction of inaccurate personal data under the New York Privacy Act.
Right to Deletion: Yes
Individuals would have a right to delete personal data. Controllers must delete data within 45 days of a verified consumer request.
Right to Data Portability: Yes
Consumers have a right to portable data. Controllers must provide consumers with their personal data in a structured, commonly used, and machine-readable format, and transfer the data to another entity upon verified request.
Right to Opt-Out of Data Sales: Yes*
*The New York Privacy Act would require opt-in consent from individuals for the processing of their personal data.
Right to Consent: Yes
In most cases, controllers must obtain freely given, specific, informed, and unambiguous opt-in consent from a consumer in order to process their personal data. Consent may be withdrawn at any time.
Right Against Automated Decision-Making: Yes
The bill would provide individuals rights with respect to decision-making by automated means.
Data Security Requirements: Yes
Controllers must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the personal data of consumers.
Privacy Notice Requirement: Yes
Consumers have a right to notice under the law. Data controllers must make privacy notices publicly and persistently available in a conspicuous and readily accessible manner.
Enforcement:
The Attorney General would have the power to enforce the provisions of the bill, and consumers would have a private right of action in certain circumstances.
North Carolina - Consumer Data Privacy Act (SB 569)
Status: In committee.
SB 569 was introduced on April 6th, 2021, and carried over into the 2022 session.
Scope:
SB 569 would apply to persons that conduct business in the State of North Carolina, or produce products or services that are targeted to residents of North Carolina, and either:
- Control or process personal data of at least 100,000 consumers per calendar year, or
- Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
Right to Access: Yes
A consumer has the right to confirm whether or not a controller is processing the consumer's personal data and to access such personal data.
Right to Correction: Yes
Consumers have the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing.
Right to Deletion: Yes
The consumer has the right to delete personal data provided by or obtained about the consumer.
Right to Data Portability: Yes
The consumer has the right to obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
Right to Opt-Out of Data Sales: Yes
The consumer has the right to opt-out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Right to Consent: No
Right Against Automated Decision-Making: Yes
The consumer has the right to opt-out of the processing of the personal data for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Data Security Requirement: No
Privacy Notice Requirement: Yes
Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice.
Enforcement:
The Attorney General would enforce the bill. In addition, any person injured as a result of a violation would have a private right of action.
Ohio - Ohio Personal Privacy Act (HB 376)
Status: In committee.
The Ohio Personal Privacy Act (HB 376) was introduced on July 13, 2021. On February 22, 2022, the bill was re-referred to the Rules and Reference Committee.
Scope:
The Ohio Personal Privacy Act applies to businesses that conduct business in the state of Ohio, or produce products or services targeted to consumers in Ohio, that satisfy one or more of the following criteria:
- Gross revenues in Ohio exceed $25 million.
- The business controls or processes the personal data of 100,000 or more consumers during a calendar year.
- During the calendar year, the business derives over 50% of its gross revenue from the sale of personal data, and processes or controls personal data of 25,000 or more consumers.
Right to Access: Yes
A consumer has a right to know the personal data that a business collects about them, such as by obtaining a privacy policy from the business.
Right to Correction: Yes
A consumer has a right to correct inaccuracies in the consumer's personal data that the consumer previously provided to the business.
Right to Deletion: Yes
A consumer will have the right to request that a business delete personal data that the business has collected from the consumer for commercial purposes and that the business maintains in an electronic format.
Right to Data Portability: Yes
A consumer may request a copy of their personal data electronically in a portable, and to the extent technically feasible, readily usable format.
Right to Opt-Out of Data Sales: Yes
A consumer has a right to opt out of the sale of personal data.
Right to Consent: No
Right Against Automated Decision-Making: No
Data Security Requirement: No
Privacy Policy Requirement: Yes
A consumer has a right to know the personal data that a business collects about that consumer, such as by obtaining a privacy policy from the business.
Enforcement:
The Attorney General of Ohio has exclusive authority to enforce HB 376.
Oklahoma - Computer Data Privacy Act (HB 2969)
Status: Reintroduced. HB 2969 for the Computer Data Privacy Act has been reintroduced and is due to be considered in the 2022 session.
Scope:
The Oklahoma Computer Data Privacy Act would apply to any business that does business in Oklahoma, collects consumers' personal information (or has others collect and process it on its behalf), and satisfies one or more of the following thresholds:
- Annual gross revenue exceeds $15 million.
- Buys, sells, or receives for commercial purposes the data of 50,000 or more consumers.
- Derives 25% or more of annual revenue from the sale of personal data.
Right to Access: Yes
Consumers have the right to request and receive a disclosure of personal information sold or received.
Right to Correction: Yes
Consumers have the right to have their personal information corrected.
Right to Deletion: Yes
Consumers have the right to request that a business delete any personal information retained by the business about the consumer.
Right to Data Portability: Yes
Consumers, after making a request to be informed of the personal information held about them, have a right to receive that information in an electronic, portable, and machine-readable format.
Right to Opt-Out of Data Sales: Yes
Any consumer whose data is collected has the right to opt out of personalized advertising, and the business shall have the duty to comply with the request promptly and free of charge.
Right to Consent: No
Right Against Automated Decision-Making: No
Data Security Requirement: Yes
Businesses or service providers must implement and maintain reasonable security procedures and practices, including administrative, physical, and technical safeguards, appropriate to the nature of the information and the purposes for which the personal information will be used.
Privacy Policy Requirement: Yes
Businesses must provide notice, in their terms and conditions, that personal information is being used and disclosed.
Enforcement:
The Oklahoma Attorney General is responsible for the enforcement of the bill. Violators would be liable for a civil penalty of up to $7,500 for each intentional violation and up to $2,500 for each unintentional violation.
Link to text.
Utah - Consumer Privacy Act (SB 227)
Status: Passed and signed into law.
On March 24, Gov. Spencer Cox, R-Utah, signed the Utah Consumer Privacy Act into law, making Utah the fourth state to enact comprehensive consumer privacy legislation. The law goes into effect Dec. 31, 2023.
Scope:
SB 227 applies to any data controller or processor who conducts business in the state of Utah, or produces a product or service targeted to consumers in Utah, and meets one or more of the following thresholds:
- Has an annual revenue of $25 million or more.
- Controls or processes the personal data of 25,000 or more consumers.
Right to Access: Yes
Consumers have the right to access personal data maintained by businesses.
Right to Correction: No
Right to Deletion: Yes
Consumers have the right to delete personal information retained by businesses.
Right to Data Portability: Yes
A consumer has the right to obtain a copy of the consumer's personal data in a format that is portable and readily useable, to the extent technically feasible.
Right to Opt-Out of Data Sales: Yes
A consumer has the right to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data.
Right to Consent: No
Right Against Automated Decision-Making: No
Data Security Requirement: Yes
Businesses that control and process consumers' personal data must safeguard that data.
Privacy Policy Requirement: Yes
Businesses that process and control consumers' personal data must provide clear information to consumers regarding how the personal data is used.
Enforcement:
The Attorney General of Utah has exclusive powers to enforce the law. Fines of up to $7,500 can be levied for each violation of the law.
Washington - Washington Privacy Act (SB 5062)
Status: Reintroduced.
SB 5062 for the Washington Privacy Act was reintroduced to the Washington State Senate on 10 January 2022.
Scope:
The Washington Privacy Act would apply to legal entities that conduct business in the state of Washington, or provide products or services targeted to residents of Washington, and meet one or more of the following thresholds:
- Control or process personal data of 100,000 or more consumers in a calendar year.
- Derive over 25% of gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers.
Right to Access: Yes
A consumer has the right to confirm whether or not a controller is processing personal data, and access the categories of data being processed.
Right to Correction: Yes
A consumer has the right to correct inaccurate personal data concerning the consumer.
Right to Deletion: Yes
A consumer has the right to delete personal data concerning the consumer.
Right to Data Portability: Yes
A consumer has the right to obtain personal data concerning the consumer in a portable and, to the extent technically feasible, readily usable format.
Right to Opt-Out of Data Sales: Yes
A consumer has the right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, and profiling.
Right to Consent: No
Right Against Automated Decision-Making: Yes
Consumers have the right to opt out of the processing of their personal data for purposes of profiling in furtherance of decisions that produce legal effects or similarly significant legal effects.
Data Security Requirement: Yes
Data controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Privacy Policy Requirement: Yes
Data controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice detailing certain information.
Enforcement:
The Washington Attorney General would have enforcement powers for violations.
West Virginia - HB 4454
Status: In committee.
West Virginia lawmakers introduced HB 4454. The bill was assigned to the House Judiciary Committee.
Scope: Not defined in the text of the bill at this time.
Right to Access: No
Right to Correction: No
Right to Deletion: No
Right to Data Portability: No
Right to Opt-Out of Data Sales: Yes
A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information. This right may be referred to as the right to opt-out of sale or sharing.
Right to Consent: No
Right Against Automated Decision-Making: No
Data Security Requirement: No
Privacy Policy Requirement: Yes
A business that sells consumers’ personal information to, or shares it with, third parties shall provide notice to consumers that this information may be sold or shared and that consumers have the “right to opt-out” of the sale or sharing of their personal information.
Enforcement:
The law would be enforced by the West Virginia Attorney General.
Disclaimer
This document is for informational purposes only and not for the purpose of providing legal advice. Ensighten does not guarantee compliance with applicable laws and regulations.
Wisconsin - AB 957
Status: In legislation.
The Wisconsin Assembly voted to pass Wisconsin's Data Privacy Act (Assembly Bill 957) on February 23 by a vote of 59 to 37; the bill now moves to the state's Senate. If passed, the law will go into effect on January 1, 2024.
Scope:
AB 957 applies to data controllers that, alone or with others, determine the purpose and means of processing personal data, and that either:
- Process the personal data of at least 100,000 consumers.
- Control or process the personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.
Right to Access: Yes
Consumers will have the right to confirm whether a controller is processing the consumer's personal data and to access the personal data.
Right to Correction: Yes
Consumers will have the right to correct inaccuracies in the consumer's personal data.
Right to Deletion: Yes
Consumers have the right to delete personal information retained by businesses.
Right to Data Portability: Yes
A consumer has the right to obtain a copy of the personal data that the consumer previously provided to the controller.
Right to Opt-Out of Data Sales: Yes
A consumer has the right to opt out of the processing of the consumer's personal data for targeted advertising, the sale of the consumer's personal data, and certain forms of automated processing of the consumer's personal data.
Right to Consent: No
Right Against Automated Decision-Making: No
Data Security Requirement: Yes
A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue.
Privacy Policy Requirement: Yes
Businesses that process and control consumers' personal data must provide clear information to consumers regarding how the personal data is used.
Enforcement:
The Attorney General of Wisconsin has exclusive powers to enforce the law. Fines of up to $7,500 can be levied for each violation of the law.