Last review date: 29 December 2023
☒ omnibus – all personal data. A number of states have enacted omnibus statutes, including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. Certain laws are already in effect (California, Colorado, Connecticut, Virginia, Utah), while each of the other states will be effective in a staggered way in 2024-2026. All states have data breach notification laws, but the definition of personal data varies.
☒ sector-specific – Most federal privacy and cybersecurity laws are sector specific, including laws protecting medical, banking/finance, and children's data. Certain state privacy laws specific to consumer health data have been enacted (e.g., California, Connecticut, Nevada, Washington). California and Connecticut's laws are already operative and the Nevada and Washington laws will become fully operative in 2024. States have also enacted privacy laws governing a variety of sectors, including biometric information, children and teenagers' data, credit data and other types of data.
☐ constitutional
Last review date: 29 December 2023
Key federal data privacy include:
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN SPAM Act)
- Children's Online Privacy Protection Act (COPPA)
- Fair Credit Reporting Act (FCRA)
- Section 5 of the Federal Trade Commission Act (FTC Act)
- Telemarketing Sales Rule (TSR)
- Telephone Consumer Protection Act (TCPA)
Key state data privacy laws include:
- California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)
- California Online Privacy Protection Act (CalOPPA)
- California Age-Appropriate Design Code Act (CalAADCA), which is currently subject to a constitutional challenge
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Delaware
- Indiana
- Iowa
- Montana
- Nevada Senate Bill 370
- Oregon
- Tennessee
- Texas
- Utah Consumer Privacy Act (UCPA)
- Virginia Consumer Data Protection Act (VCDPA)
- Washington My Health My Data Act (MHMDA)
- New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies (NYDFS CR)
- State laws establishing data protection and breach notification requirements; most of these laws focus on the protection of Social Security Numbers, individual identification numbers, financial account numbers, health/medical data, and other sensitive personal data
Last review date: 29 December 2023
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Federal Information Security Management Act (FISMA)
- Cybersecurity and Infrastructure Security Agency Act (CISAA)
- New York State Department of Financial Services Cybersecurity Requirements (NYDFS) CR and New York SHIELD Act
- State data security and breach notification laws
Last review date: 29 December 2023
Yes. A number of states (i.e., Delaware, Indiana, Iowa, Montana, Tennessee and Texas) recently joined California in enacting consumer privacy laws that impose broad obligations on businesses to provide consumers with transparency and control of personal data. Other states are expected to enact similar legislation, and there has also been movement towards federal consumer privacy legislation. Most of these laws also impose security obligations on businesses. The NY DFS has also proposed amendments to its cybersecurity regulations for covered financial services companies. The states of Nevada and Washington have enacted broad and prescriptive consumer health privacy laws that become operative in 2024 and that include signed authorization requirements for regulated entities that "sell" consumer health data. A number of states, including Arkansas, California, Connecticut, Florida, Louisiana, Ohio, Texas and Utah have also recently enacted children's privacy and protection laws, some of which are currently being challenged on constitutional grounds.