Overview of US Data Privacy Laws
The landscape of data privacy in the United States has evolved rapidly, driven by growing concerns over the collection, use, and sharing of personal information. In the absence of a unified federal privacy law, states have taken the lead, establishing comprehensive data privacy laws to protect their residents. About 20 states have now passed such laws, each tailored to local consumer protection needs. These laws grant individuals rights over their personal data, including access, correction, deletion, and data portability. In 2025, businesses must navigate these state-level privacy laws to remain compliant while respecting consumer rights.
The push for data privacy laws reflects rising consumer demands for more control over their personal data, especially sensitive information like genetic or biometric data, as well as data related to children. State laws address these concerns by providing individuals the right to opt-out of data sales, limit data collection, and even restrict how businesses use data for targeted advertising. As more laws come into effect, businesses face increasing obligations to implement data privacy safeguards and conduct assessments of their data practices.
The growing number of state-level data privacy laws
The United States is witnessing a significant surge in state-level data privacy laws, with about 20 states having enacted comprehensive data privacy legislation to date. These laws are designed to protect consumers' personal data, granting them rights to control their information and regulating how businesses handle this data. While the specifics of each law vary (applicability thresholds, which rights are granted, and whether a correction right exists), they all share a common goal: enhancing data privacy and security for residents. This trend reflects a broader movement towards more stringent data protection standards across the country, emphasizing the importance of safeguarding personal data in an increasingly digital world.
The increasing importance of compliance with data privacy laws
As the landscape of data privacy laws continues to expand, compliance is becoming more critical than ever for businesses. Non-compliance can lead to hefty fines, legal penalties, and significant reputational damage. Therefore, it is imperative for businesses to stay informed about the latest developments in data privacy legislation and take proactive steps to ensure compliance. This includes regularly reviewing and updating data protection policies, conducting thorough data protection assessments, and implementing robust security measures to protect personal data. By doing so, businesses can not only avoid legal repercussions but also build trust with their customers.
State Data Privacy Laws
California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA) is one of the most comprehensive data privacy frameworks in the United States. Operative since January 1, 2023, the CPRA amends and expands the California Consumer Privacy Act (CCPA) and grants California residents expansive rights over their personal information. Under the CPRA, businesses that collect personal information must provide transparency around their data practices and offer consumers the right to access, correct, and delete their data.
The CPRA requires businesses to establish robust data security measures, limit the use of sensitive data, and honor opt-out requests for targeted advertising and data sales. Additionally, the CPRA created the California Privacy Protection Agency (CPPA), an independent regulatory body dedicated to enforcing California's data privacy laws and providing oversight.
Virginia's Consumer Data Protection Act (CDPA)
Virginia's Consumer Data Protection Act (CDPA) went into effect on January 1, 2023, setting a precedent for state data privacy laws on the East Coast. This law provides Virginia residents with rights over their personal data, including access, correction, deletion, and the ability to opt out of the sale of personal data. The CDPA applies to organizations that control or process the personal data of at least 100,000 Virginia consumers in a calendar year, or that control or process the personal data of at least 25,000 Virginia consumers and derive more than 50% of their gross revenue from the sale of personal data.
The CDPA requires businesses to conduct Data Protection Assessments (DPAs) for higher-risk processing, such as targeted advertising, sale of personal data, profiling, and processing of sensitive data, weighing the benefits of the processing against the risks to consumers and documenting the safeguards applied. This law is particularly significant as it mirrors some of the requirements found in the EU's General Data Protection Regulation (GDPR).
Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA), effective July 1, 2023, gives Colorado residents the right to control their personal information and places specific obligations on businesses that process this data. Like the CDPA, the CPA allows individuals to access, delete, correct, and opt out of the sale of their personal data and targeted advertising.
The CPA includes provisions for processing sensitive data, such as biometric or genetic information, requiring businesses to obtain consent before handling such information. In addition to standard compliance practices, businesses in Colorado must provide clear notice about their data processing activities and enable universal opt-out mechanisms for consumers.
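The universal opt-out mechanism mentioned above is, in practice, a browser-sent signal. Colorado and California both recognize the Global Privacy Control (GPC) signal, which browsers transmit as the HTTP request header `Sec-GPC: 1`. The following is an added example, not code from the page or from any vendor named on it, showing how a web application can detect that signal, fold it into the sale/targeted-advertising decision, and use the result for the script blocking referred to in the conclusion. The request shape, the stored-preference values, and the script manifest are assumptions made for illustration.

```javascript
// Added example (not from the page). Honoring a universal opt-out signal.
// The Global Privacy Control (GPC) signal is sent by browsers as the request
// header "Sec-GPC: 1". The request/preference shapes and the script manifest
// below are assumptions for illustration only.

const OPT_IN = "opt_in";
const OPT_OUT = "opt_out";

// True only for a well-formed signal: header name matched case-insensitively,
// value exactly "1" after trimming. "0", "true" or an empty value are not an
// opt-out and must not be treated as one.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Decide whether this request may be used for sale of personal data or
// targeted advertising. storedPreference is the consumer's recorded choice:
// OPT_IN, OPT_OUT, or null when no choice has been recorded.
// Conservative rule used here: a GPC signal is honored as an opt-out even when
// an earlier opt-in is on file. Precedence details differ by state, so check
// the applicable regulations before relaxing this.
function decideTargetedProcessing(headers, storedPreference) {
  if (hasGpcSignal(headers)) {
    return { allowTargeting: false, reason: "universal opt-out signal (GPC)" };
  }
  if (storedPreference === OPT_OUT) {
    return { allowTargeting: false, reason: "stored opt-out" };
  }
  if (storedPreference === OPT_IN) {
    return { allowTargeting: true, reason: "stored opt-in" };
  }
  // No signal and no recorded choice. For non-sensitive data the state laws
  // discussed on this page are opt-out regimes, so processing is permitted
  // until the consumer opts out. Sensitive data and known minors need consent
  // and must not take this branch. The reason is kept for audit logging.
  return { allowTargeting: true, reason: "no opt-out on file" };
}

// Script blocking: only tags whose purpose is compatible with the decision are
// emitted into the page. Tags marked "necessary" always load.
function scriptsToLoad(manifest, decision) {
  return manifest
    .filter(
      (tag) =>
        tag.purpose === "necessary" ||
        (tag.purpose === "targeting" && decision.allowTargeting)
    )
    .map((tag) => tag.src);
}

// Constructed sample data for a stand-alone run (hypothetical URLs).
const SAMPLE_MANIFEST = [
  { src: "/js/app.js", purpose: "necessary" },
  { src: "https://ads.example/pixel.js", purpose: "targeting" },
  { src: "https://analytics.example/tag.js", purpose: "targeting" },
];

// A request carrying the GPC signal from a consumer who previously opted in:
// the signal wins, so only the necessary script is served.
function demo() {
  const headers = { "Sec-GPC": "1", "User-Agent": "example" };
  const decision = decideTargetedProcessing(headers, OPT_IN);
  return scriptsToLoad(SAMPLE_MANIFEST, decision);
}

console.log(demo());
```

Two details matter for a real deployment: the header check must be case-insensitive because proxies and frameworks normalize header names differently, and the decision (with its reason) should be logged per request so that the opt-out handling can be demonstrated in a data protection assessment or regulator inquiry.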
Tennessee Information Protection Act (TIPA)
The Tennessee Information Protection Act (TIPA) is set to go into effect on July 1, 2025. This law applies to businesses with annual revenue exceeding $25 million that control or process the personal information of at least 175,000 Tennessee consumers, or of at least 25,000 consumers where the business derives more than 50% of its gross revenue from the sale of personal information. TIPA provides Tennessee residents with rights similar to those in the CDPA and CPA, including access, correction, and deletion.
TIPA also addresses the sale of personal information, requiring businesses that sell it to disclose this in their privacy notice and to explain how consumers may opt out. The act treats children's data as sensitive information requiring consent, in line with other state privacy laws.
Other State Laws
Utah Consumer Privacy Act (UCPA)
The Utah Consumer Privacy Act (UCPA) was enacted to address the growing need for consumer privacy protections in Utah. This law, similar to others, grants Utah residents rights to their personal data, including access, deletion, and opting out of data sales. It requires businesses to inform consumers about data collection practices and mandates security protocols to protect personal information.
Texas Data Privacy and Security Act (TDPSA)
The Texas Data Privacy and Security Act (TDPSA) regulates the handling of sensitive data, including biometric and genetic information, by businesses operating in Texas. TDPSA requires businesses to implement data security measures and gives consumers the right to know how their data is being used and shared. The law also limits the sale of personal data, protecting Texas residents from unauthorized data sharing.
Connecticut Data Privacy Act (CTDPA)
The Connecticut Data Privacy Act (CTDPA) protects Connecticut residents by granting them rights over their personal data and imposing compliance requirements on businesses that process this information. Businesses must provide transparency around their data practices and implement measures to secure personal data, particularly sensitive information.
Nebraska Data Privacy Act (NDPA)
The Nebraska Data Privacy Act (NDPA) is designed to safeguard personal data by requiring businesses to adopt security protocols for data protection. It gives Nebraska residents rights to access, delete, and opt out of data sales, along with specific protections for children's data. The NDPA mandates strict compliance and transparency from businesses to ensure consumer privacy.
Oregon Consumer Privacy Act (OCPA)
The Oregon Consumer Privacy Act (OCPA) governs the processing of sensitive data and requires businesses to inform consumers about their data practices. The OCPA provides Oregon residents with rights over their data, including the ability to opt out of data sales and targeted advertising. Additionally, the OCPA includes provisions to protect biometric and genetic data, ensuring a higher level of privacy for Oregon residents.
Federal Data Privacy Laws
As of 2025, the United States still lacks a comprehensive federal data privacy law. Federal protection is sector-specific (for example HIPAA for health data, GLBA for financial data, and COPPA for children's data online), and the Federal Trade Commission (FTC) oversees consumer privacy more broadly through its authority over unfair and deceptive practices. No single law addresses data privacy on a national scale. The FTC continues to play a crucial role in protecting consumer data by bringing enforcement actions against businesses that violate consumer trust.
Key Provisions of Data Privacy Laws
Data minimization and purpose limitation
Data minimization and purpose limitation are fundamental principles embedded in data privacy laws. These provisions mandate that businesses collect and process only the minimum amount of personal data necessary to fulfill their specific purposes. This requires transparency about the data being collected, its intended use, and the parties with whom it will be shared. Additionally, businesses must ensure that they are not collecting or processing sensitive data unless it is absolutely essential. By adhering to these principles, businesses can reduce the risk of data breaches and enhance consumer trust.
Consumer rights and opt-out options
Data privacy laws empower consumers with a range of rights over their personal data. These rights include accessing their data, correcting inaccuracies, deleting their information, and opting out of data processing activities such as the sale of personal data, targeted advertising, or profiling. Businesses are required to provide clear and concise information about their data collection and processing practices. Most US state laws operate on an opt-out basis for ordinary personal data, but require affirmative consent before processing sensitive data. By respecting these rights, businesses can foster a more transparent and trustworthy relationship with their customers.
Protection of sensitive data
Sensitive data, such as information revealing race or ethnicity, religion, health, sexual orientation, citizenship or immigration status, precise geolocation, and genetic or biometric data, is subject to additional protections under data privacy laws. Businesses must obtain explicit consent to process sensitive data and are required to conduct and document data protection assessments. These assessments weigh the benefits of processing sensitive data against the potential risks to individuals. By implementing these safeguards, businesses can ensure that they are handling sensitive data responsibly and ethically, thereby protecting individuals' privacy and enhancing overall data security.
International Data Privacy Laws
The General Data Protection Regulation (GDPR), applicable in the European Union since May 2018, stands as a pivotal framework for data privacy and security on a global scale. The regulation protects the personal data of individuals in the EU regardless of their citizenship, and it applies not only to organizations established within the European Union but also to businesses outside the EU that offer goods or services to people in the EU or monitor their behaviour.
GDPR establishes rigorous rules governing the collection, processing, and sharing of personal data. Every processing activity needs a lawful basis, of which consent is one option alongside others such as contract performance and legitimate interests; where consent is relied on, it must be freely given, specific, informed, and unambiguous. Organizations must be transparent about how data will be used and must enable individuals to access, rectify, or erase their data on request. They must also implement appropriate technical and organizational security measures to protect personal data, and must report a personal data breach to the relevant supervisory authority within 72 hours of becoming aware of it where the breach is likely to result in a risk to individuals.
The repercussions for non-compliance with the GDPR are severe. Companies that violate the regulation can face fines of up to €20 million or 4% of their annual global turnover, whichever is higher. This stringent penalty structure underscores the regulation's far-reaching impact and reinforces its status as a benchmark for data protection standards worldwide. Furthermore, the principles outlined in the GDPR have influenced various data protection laws in different countries, reflecting its pivotal role in shaping global data privacy practices.
Evolving Data Privacy Landscape: New State Laws for 2025
In 2025, numerous new and revised data privacy laws will shape the regulatory landscape across the United States. These state laws introduce rigorous standards for consumer rights and data protection that businesses must navigate:
Delaware Personal Data Privacy Act (DPDPA) – Effective January 1, 2025, this law requires businesses to obtain consent for processing sensitive data and provides Delaware residents with rights to access, delete, and correct their personal information.
Iowa Consumer Data Privacy Law – Starting on January 1, 2025, Iowaβs law aligns closely with other state laws, giving consumers rights to their data and mandating transparency about data practices.
Minnesota Consumer Data Privacy Act – Effective July 31, 2025, this act grants rights such as data access and correction and emphasizes consumer consent for sensitive data processing.
Maryland Online Data Privacy Act – Set for October 1, 2025, Marylandβs law addresses data transparency and offers consumers control over their digital privacy.
Broader Compliance Requirements – These laws reflect trends toward comprehensive privacy standards, requiring companies to conduct Data Protection Assessments and enabling consumers to opt out of data sales and targeted advertising.
These state regulations illustrate the growing complexity of the US data privacy framework as states lead in crafting legislation to protect consumer data rights.
Conclusion
In 2025, US businesses must adhere to numerous state and international data privacy laws to protect consumer rights. Key regulations include the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and upcoming state laws in Delaware, Minnesota, and Maryland, each mandating strict standards for personal data collection, consumer consent, and sensitive data protection. These laws grant consumers rights to access, correct, and delete personal data, while businesses are expected to provide transparent notices, comply with data protection assessments, and ensure data processing meets rigorous security protocols.
With this regulatory landscape, it's essential for businesses, especially e-commerce sites like Shopify stores, to implement solutions that simplify compliance. Pandectes GDPR Compliance provides a comprehensive solution that helps stores meet GDPR, CCPA, and CPRA requirements by automating cookie consent, script blocking, and compliance tracking, ensuring alignment with all major data privacy laws across the US and Europe.