Last review date: 29 December 2023
☒ omnibus – all personal data. A number of states have enacted omnibus statutes, including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. Certain laws are already in effect (California, Colorado, Connecticut, Virginia, Utah), while each of the other states will be effective in a staggered way in 2024-2026. All states have data breach notification laws, but the definition of personal data varies.
☒ sector-specific – Most federal privacy and cybersecurity laws are sector specific, including laws protecting medical, banking/finance, and children's data. Certain state privacy laws specific to consumer health data have been enacted (e.g., California, Connecticut, Nevada, Washington). California and Connecticut's laws are already operative and the Nevada and Washington laws will become fully operative in 2024. States have also enacted privacy laws governing a variety of sectors, including biometric information, children and teenagers' data, credit data and other types of data.
☐ constitutional
Last review date: 29 December 2023
Key federal data privacy include:
Key state data privacy laws include:
Last review date: 29 December 2023
Last review date: 29 December 2023
Yes. A number of states (i.e., Delaware, Indiana, Iowa, Montana, Tennessee and Texas) recently joined California in enacting consumer privacy laws that impose broad obligations on businesses to provide consumers with transparency and control of personal data. Other states are expected to enact similar legislation, and there has also been movement towards federal consumer privacy legislation. Most of these laws also impose security obligations on businesses. The NY DFS has also proposed amendments to its cybersecurity regulations for covered financial services companies. The states of Nevada and Washington have enacted broad and prescriptive consumer health privacy laws that become operative in 2024 and that include signed authorization requirements for regulated entities that "sell" consumer health data. A number of states, including Arkansas, California, Connecticut, Florida, Louisiana, Ohio, Texas and Utah have also recently enacted children's privacy and protection laws, some of which are currently being challenged on constitutional grounds.