Last review date: 31 December 2024

☒  omnibus – all personal data.

A number of states have enacted omnibus statutes, including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. Certain laws are already in effect (California, Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, Oregon, Texas, Utah, and Virginia), while the laws of the other states will be effective in a staggered way in 2025-2026. All states have data breach notification laws, but the definition of personal data varies.

☒  sector-specific 

Most federal privacy and cybersecurity laws are sector-specific, including laws protecting medical, banking/finance, and children's data. Certain state privacy laws specific to consumer health data have been enacted (e.g., California, Connecticut, Nevada, and Washington). States have also enacted privacy laws governing a variety of sectors, including biometric information, children’s and teenagers' data, credit data and other types of data.

Last review date: 31 December 2024

Key federal data privacy include:

• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN SPAM Act)
• Children's Online Privacy Protection Act (COPPA)
• Fair Credit Reporting Act (FCRA)
• Section 5 of the Federal Trade Commission Act (FTC Act)
• Telemarketing Sales Rule (TSR)
• Telephone Consumer Protection Act (TCPA)

Key state data privacy laws include:

• California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)
• California Online Privacy Protection Act (CalOPPA)
• California Age-Appropriate Design Code Act (CalAADCA), which is currently subject to a constitutional challenge
• Colorado Privacy Act (CPA)
• Colorado Artificial Intelligence Act (CAIA)
• Connecticut Data Privacy Act (CTDPA)
• Delaware Personal Data Privacy Act (DPDPA)
• Indiana Consumer Data Protection Act (INCDPA)
• Iowa Consumer Data Protection Act (IACDPA)
• Kentucky Consumer Data Protection Act (Kentucky CDPA)
• Maryland Age-Appropriate Design Code Act
• Maryland Online Data Privacy Act
• Minnesota Consumer Data Privacy Act (MCDPA)
• Montana Consumer Data Privacy Act (MTCDPA)
• Nebraska Data Privacy Act (NDPA)
• Nevada Consumer Health Privacy Act (Nevada Senate Bill 370)
• New Hampshire Consumer Privacy Law (New Hampshire Senate Bill 255)
• New Jersey Data Privacy Law (NJDPA)
• Oregon Consumer Privacy Act (OCPA)
• Rhode Island Data Transparency and Privacy Protect Act
• Tennessee Information Protect Act (TIPA)
• Texas Data Privacy and Security Act
• Utah Consumer Privacy Act (UCPA)
• Virginia Consumer Data Protection Act (VCDPA)
• Washington My Health My Data Act (MHMDA)
• New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies (NYDFS CR)
• State laws establishing data protection and breach notification requirements; most of these laws focus on the protection of Social Security Numbers, individual identification numbers, financial account numbers, health/medical data, and other sensitive personal data

Last review date: 31 December 2024

• Section 5 of the Federal Trade Commission Act (FTC Act)
• FTC Health Breach Notification Rule (HBNR)
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Federal Information Security Management Act (FISMA)
• Securities and Exchange Commission (SEC) Cybersecurity Rules
• Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)
• Defense Federal Acquisition Regulation Supplement (DFARS) - Safeguarding Covered Defense Information and Cyber Incident Reporting
• Cybersecurity and Infrastructure Security Agency Act (CISAA)
• New York State Department of Financial Services Cybersecurity Requirements (NYDFS) CR and New York SHIELD Act
• Payment Card Industry Data Security Standard (PCI DSS)
• State data security and breach notification laws

Last review date: 31 December 2024

• Section 5 of the Federal Trade Commission Act (FTC Act)
• Prohibits unfair or deceptive practices, including misuse of non-personal data
• Computer Fraud and Abuse Act (CFAA)
• Regulates unauthorized access/misuse of non-personal computer data and systems
• Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)
• Cybersecurity Information Sharing Act (CISA)
• Facilitates sharing of cyber threat indicators between government and private entities
• Defend Trade Secrets Act (DTSA)
• Protects misappropriation of trade secrets by providing for federal civil remedies
• Export Administration Regulations (EAR)
• Controls the export of commercial, dual-use, and some non-personal technical data for national security
• International Traffic in Arms Regulation (ITAR)
• Regulates the export of defense-related articles, services, and technical non-personal data for military purposes

Last review date: 31 December 2024

Yes. A number of states (i.e., Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia) have joined California in enacting consumer privacy laws that impose broad obligations on businesses to provide consumers with transparency and control of personal data. More states are expected to enact similar legislation. There has also been a movement towards federal consumer privacy legislation (such as the proposal of the "American Privacy Rights Act of 2024"). Most of these laws also impose security obligations on businesses. The NY DFS has outlined cybersecurity regulations for covered financial services companies. Nevada and Washington have enacted broad and prescriptive consumer health privacy laws that include signed authorization requirements for regulated entities that "sell" consumer health data. A number of states, including Arkansas, California, Connecticut, Florida, Louisiana, Texas, and Utah have also recently enacted children's privacy and protection laws, some of which are currently being challenged on constitutional grounds. Colorado has enacted a comprehensive law relating to the development and deployment of certain artificial intelligence systems. The California Privacy Protection Agency (CPPA) is concurrently considering a regulatory framework for automated decision-making technologies. Additional changes to privacy and cybersecurity enforcement are anticipated under the incoming administration.