State Privacy Legislation

In the wake of the European Union's General Data Protection Regulation (GDPR), a growing number of states across the country are considering comprehensive privacy legislation of their own. Most of the proposals aim to give residents new rights to ownership over their data and establish new transparency requirements for entities that process personal data. Individuals would have the right to access, delete, correct, and move their data, or opt-out of data collection. Some of the proposed measures could impact data maintained by colleges and universities in these states.

Enacted Legislation

Proposed Legislation

Updates

Resources

Recent State Actions

Enacted Legislation

California Consumer Privacy Act and California Privacy Rights Act
The California Consumer Privacy Act (CCPA), enacted in 2018 and effective January 1, 2020, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The law protects the personal data of "residents" of California—either by living in California or temporarily outside the state—collected by any company that does business in California for profit. CCPA applies to any business that (1) has annual gross revenue of more than 25 million, (2) buys, receives, sells, or shares the personal information of 50,000+ "residents," or (3) derives more than 50 percent of their annual revenue from the sale of personal data. Personal data subject to the Health Insurance Portability and Accountability Act (HIPAA) and certain other laws are exempted from the CCPA, but data subject to the Family Educational Rights and Privacy Act (FERPA) are not included in those exemptions.
In November 2020, California voters approved Proposition 24, a ballot measure that creates the California Privacy Rights Act (CPRA). The CPRA modifies the CCPA, creating new and expanded rights for California residents and new compliance obligations for businesses. The CPRA applies to any for-profit entity that does business in California, collects and uses the personal information of Californians, and either (1) has annual gross revenues of at least $25 million in the preceding calendar year, (2) buys, sells, or shares the personal information of at least 100,000 California residents or households, or (3) derives at least 50 percent of its revenue from selling or sharing personal information. The CPRA takes effective on January 1, 2023, and enforcement begins on July 1, 2023.
Colorado Privacy Act
The Colorado Privacy Act (CPA), effective July 1, 2023, provides residents with a right to opt-out of processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling; and create rights of access, correction, deletion, and data portability; among other things. The law applies to legal entities that conduct business or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado, and either: (1) controls or processes personal data of 100,000 consumers during a calendar year or (2) derives revenue or receives a discount on the price of goods from the sale of personal data or processes or controls the personal data of 25,000 consumers or more. Personal data subject to FERPA, HIPAA, and certain other laws are exempted from the CPA.
Connecticut Personal Data Privacy and Online Monitoring Act
The Connecticut Personal Data Privacy and Online Monitoring Act contains substantially similar obligations and rights as the Colorado Privacy Act (CPA) and Virginia Consumer Data Protection Act (VCDPA). The bulk of the statute took effect July 1, 2023. The Connecticut Privacy Act provides status-based exemptions for institutions of higher education, as well as data-based exemptions for personal information regulated by the Family Educational Rights and Privacy Act (FERPA).
Delaware Personal Data Privacy Act
The Delaware Personal Data Privacy Act, slated to take effect on January 1, 2025, applies to businesses that control or process the personal data of either 35,000 or more consumers (excluding data for payment transactions) or 10,000 or more consumers while deriving 20 percent or more of their annual gross revenue from selling personal data. The act exempts data subject to federal regulations such as HIPAA (Health Insurance Portability and Accountability Act), the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act (FERPA).
Indiana Consumer Data Protection Act
The Indiana Consumer Data Protection Act (ICDPA), slated to take effect on January 1, 2026, hews closely to the laws in Virginia, Utah, and Iowa. The law applies to entities that do business in Indiana and process personal data of more than 100,000 Indiana consumers, or process personal data of 25,000 Indiana consumers while also deriving a significant percentage of income from the "sale" of personal data—50 percent. The ICDPA does not apply to institutions of higher education, government entities (including third parties while doing business with those entities), nonprofits, or public utilities.
Iowa Consumer Data Protection Act
The Iowa Consumer Data Protection Act, effective on January 1, 2025, applies to companies that (1) control or process data of at least 100,000 Iowa consumers, or (2) control or process data of at least 25,000 Iowa consumers and derive 50 percent of their revenue from the sale of personal data. Like other data privacy laws, the Iowa legislation assigns specific requirements to controllers of personal data and establishes rights for consumers, or data subjects. Such consumer rights include the right to data portability; to confirm whether a controller is processing data and to access that data; to delete data provided by the consumer; and to opt out of the sale of personal data, among other things. The law incorporates broad exemptions for various entities and data regulated under certain federal laws, including non-profits and higher education institutions, as well as personal data regulated by Family Educational Rights and Privacy Act (FERPA).
Montana Consumer Data Privacy Act
The Montana Consumer Data Privacy Act, effective on October 1, 2024, generally follows the models set forth by Virginia and Connecticut and expand privacy protections for state residents. The act includes broad exemptions for various entities and data regulated under certain federal laws, including non-profits and higher education institutions, as well as personal data regulated by Family Educational Rights and Privacy Act (FERPA).
Oregon Consumer Privacy Act
The Oregon Consumer Privacy Act, which will take effect on July 1, 2024, applies to businesses that control or process the personal data of either 100,000 or more consumers (excluding data for payment transactions) or 25,000 or more consumers while deriving 25 percent or more of their annual gross revenue from selling personal data. The act exempts data subject to federal regulations such as HIPAA (Health Insurance Portability and Accountability Act), the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act (FERPA).
Tennessee Information Protection Act
The Tennessee Information Protection Act, slated to take effect on July 1, 2025, generally follows the models set forth by Virginia and Connecticut and expand privacy protections for state residents. The act includes broad exemptions for various entities and data regulated under certain federal laws, including non-profits and higher education institutions, as well as personal data regulated by Family Educational Rights and Privacy Act (FERPA).
Texas Data Privacy and Security Act
The Texas Data Privacy and Security Act, slated to take effect on July 1, 2024, follows the framework of Virginia's state privacy bill, but does not include common monetary stipulations for applicability that other states adopted. Entities are required to comply with requirements if they meet the following standards: (a) conducts business in Texas or generates products or services consumed by Texas residents; (b) processes or engages in the sale of personal data; (c) does not identify as a small business as defined by the U.S. Small Business Administration. Similar to other state legislation, the act exempts institutions of higher education, as well as personal data regulated by FERPA.
Utah Consumer Privacy Act
The Utah Consumer Privacy Act, effective December 31, 2023, contains provisions similar to the Virginia Data Privacy Act (VCDPA), the Colorado Privacy Act (CPA), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA). It provides Utah residents with certain consumer protections, including the right to access, right of deletion, right to data portability, and right to opt-out. The law exempts information covered under the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA), among other things.
Virginia Consumer Data Protection Act
The Virginia Consumer Data Protection Act, enacted in March 2021 and effective January 1, 2023, gives residents new rights to ownership over their data and establishes new transparency requirements for entities that process personal data. The law applies to any entity that conducts business in Virginia or targets Virginia intentionally with products and/or services and that (1) either controls or processes personal data of 100,000+ consumers or (2) derives more than 50 percent of their annual revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 customers. Personal data subject to FERPA, HIPAA, and certain other laws are exempted from the Virginia Consumer Data Protection Act.

Proposed Legislation

Lawmakers in numerous states have unveiled legislative proposals to regulate personal consumer data privacy. Other states are likely to follow suit. View a comparison of state comprehensive privacy laws developed by the International Association of Privacy Professionals (IAPP) Westin Research Center.

Updates

Sourced from AACRAO Transcript. Member login required.

Oregon and Delaware Enact State Privacy Legislation

Sep 12, 2023

The moves expand the U.S. state privacy framework to include a total of 13 states with their own privacy laws.
Oregon and Texas Pass Comprehensive State Privacy Bills

Jun 29, 2023

The passage of these bills continues a strikingly active year for comprehensive state privacy legislation.
Tennessee Enacts State Privacy Bill

May 18, 2023

New law exempts higher education institutions and data regulated by FERPA. Separately, the Florida House advances similar legislation, but with extremely narrow applicability.
Montana and Tennessee Pass State Privacy Laws

May 4, 2023

The passage of these bills continues a notably busy year for state privacy legislation.
Indiana Poised to Enact State Privacy Legislation

Apr 20, 2023

State lawmakers approve comprehensive data privacy legislation.

Issues

Resources

The International Association of Privacy Professionals created a State Comprehensive Privacy Law Comparison Map as a resource to stay abreast of the changing state-privacy landscape. Although many of the bills included in the table will fail to become law, comparing the key provisions in each bill can be helpful in understanding how privacy is developing in the United States.

State Privacy Legislation

Recent State Actions

Enacted Legislation

Proposed Legislation

Updates

Sourced from AACRAO Transcript. Member login required.

Oregon and Delaware Enact State Privacy Legislation

Sep 12, 2023

Oregon and Texas Pass Comprehensive State Privacy Bills

Jun 29, 2023

Tennessee Enacts State Privacy Bill

May 18, 2023

Montana and Tennessee Pass State Privacy Laws

May 4, 2023

Indiana Poised to Enact State Privacy Legislation

Apr 20, 2023

Issues

Resources

AACRAO

Medium

JD Supra

IAPP

IAPP

Termageddon

AACRAO