Data privacy laws by state

Your data travels even if you don't.
Written by Taylor Leamey, Contributing Writer on

[This article was first published in September 2020.]

The more connected we become, the more data we will continue to share. Think about how often you access the internet and input or view sensitive information. From accessing health care information to paying bills online to even tagging your location on social media, you're sharing information that can be collected.

According to a recent study, 47% of Americans were not sure they understood what was done with their personal information and 59% were confused by the privacy policy presented by companies. In a time when our lives are so heavily entwined with the internet, knowing what's done with the data you share is critical.

Why it matters

Landmark security breaches remind us how vulnerable our data is. Equifax, one of the top three credit reporting agencies, disclosed a data breach in September of 2017. Information like social security numbers, names, addresses, and driver's license numbers were compromised for 147 million people, along with 209,000 customer credit card numbers. Given the severity and importance of the information leaked, the Equifax breach is regarded as unprecedented in impact. The settlement reached with the Federal Trade Commission amounted to $425 million to be paid out to help people who were affected.

Facebook has experienced a series of security breaches, which has resulted in federal investigation. In 2019, the user data of 540 million Facebook users was exposed on Amazon's cloud computing services. It was revealed that Facebook partnered with more than 150 companies to share the personal information of the hundreds of millions of people who use the social media platform. Users were not aware of this exchange. In a focus group conducted by the Pew Research Center, people spoke negatively about the consequences of sharing data and cited that companies could have an ulterior motive for collecting their data.

Federal Laws

  • U.S. Privacy Act of 1974: This act established regulations on the collection, maintenance, use, and sharing of information. It requires that agencies obtain written consent from the individual before disclosing any of their information unless it is part of the 12 statutory exceptions. Under this act, individuals are also able to request amendments to their records.
  • Federal Trade Commission Act: This act gives the Federal Trade Commission the power to protect consumers from unfair or deceptive practices taken by companies and seek monetary compensation. They also have the right to enforce federal data and privacy protections.
  • Children's Online Privacy Protection Act (COPPA): COPPA prohibits the collection of data from anyone under the age of 13 without obtaining verifiable parental consent.
  • Video Privacy Protection Act (VPPA): VPPA bans the disclosure of personal information or data unless the customer is aware and consents. This act includes streaming services.

There is no single catch-all data privacy law. Instead, there is a mixture of federal and state laws that try to address the different aspects of data protection. The lack of federal laws on consumer privacy led individual states to pass their own laws protecting citizens. Even still, all-encompassing laws are not widely held. There is still a lot of ground that needs to be covered to ensure that American consumers are completely protected.

Types of Data Privacy Laws

Consumer privacy

Do you ever wonder why things like Facebook or Instagram are free? You pay in privacy. These types of online services are free of monetary charge because they collect your data in exchange for their hosted services. However, 38% of surveyed Americans said that they were confused by the information presented in a privacy policy.

As of January 2020, the California Consumer Privacy Act addresses that exact issue. This law puts pressure on companies to be transparent with their practices and gives residents the right to know what personal information has been collected, shared, or sold. Additionally, consumers have the right to delete personal information that's already been collected and the right to opt out of the sale of personal information. The idea of trading your personal information for a free service is better accepted when the consumer has control.

Children's online privacy

One of the only inclusive data privacy laws is concerned with children's online privacy. Children's Online Privacy Protection Act (COPPA) is a federal law that prohibits the collection of data from children who are under 13 years old. This means that parents have control over the information the companies can have and can request that any collected data be deleted.

In February 2019, TikTok paid $5.7 million to the FTC over concerns that the video app violated COPPA. The largest children's privacy civil penalty to date, TikTok was accused of illegally collecting personal information from children without parental consent. In addition to the substantial settlement, TikTok was required to update its practices and remove all videos that are made by children under the age of 13. TikTok is only one example, Google and YouTube have also been investigated by the FTC.


There are only a handful of states that have laws governing consumer privacy when it comes to e-readers. These laws prohibit entities from collecting or sharing information regarding the type of material being rented or bought using the e-reader. Within the states that have laws pertaining to e-readers, most have focused on information that can be gathered by public entities like libraries. However, efforts are being made to protect the privacy of the content people choose to read on their electronic devices. The Electronic Frontier Foundation took the time to comb through the popular e-book platforms' privacy policies to give you the answers you've been searching for.

Online services

Consumers are seeing changes when it comes to online services and privacy data. Companies are now more transparent when it comes to their efforts in collecting information about your browsing habits, whether in a good-faith effort to keep their consumer's trust or because of the laws that require it. Additionally, approximately 86% of internet users have taken steps to maintain their online privacy. Clearing cookies, using a virtual network, and encrypting their email are some of the actions taken. Still, 61% say that they still would like to do more to protect themselves.

Information sharing by business

While businesses collecting and sharing your information is nothing new, recent changes require that companies inform you of what their intentions are when collecting that information. The reason why the company collects your data will vary, though generally companies use it to improve customer experience, assess their marketing strategy, or make money. The relationship around data privacy is a give and take between both consumers and data collectors. Businesses must be held accountable for the data privacy methods they have in place and be transparent about how they use the data they harvest. It's also imperative that consumers know their rights and ability to impact how companies collect and use their information.

Notice when recording phone calls

Generally, the biggest concern when recording phone calls is consent. Many states are one-party consent states, meaning that phone calls can be recorded as long as one person consents. But what is considered consent? Think about when you call a customer service line and hear the ever-identifiable "this call may be monitored or recorded…" message. When a caller continues with the call, many states take that as implied consent.

Eleven states require both parties to consent to the recording: California, Delaware, Florida, Illinois, Maryland, Montana, Nevada, New Hampshire, Pennsylvania, and Washington. Sometimes regardless of which law the state follows, there are exceptions to the rules. Which include: police recordings, court orders, and emergency services.

Breach notification laws

Every single state has a data breach notification law in place, although some states were slower than others to adopt one. Still, many states are actively amending their laws and expanding the definitions they hold. States like New Jersey, New York, and Oregon have broadened the scope of what is protected and established what regulations they impose on companies. Breach notification laws require that companies notify consumers of any data breaches involving personal or otherwise identifying information. Each law has a specified time frame in which action needs to be taken.

Data disposal

Data disposal laws are concerned with what happens to your information when the company no longer wants to store it. To prevent unauthorized access, both government and private agencies are required to destroy or make indecipherable information in consumer reports. The Federal Trade Commission has impressed a disposal rule that outlines what the rule applies to and what constitutes proper disposal. Proper disposal of consumer records should be a part of every company's security program.

Understandably, the mashup of federal and state laws can be hard to navigate. This table can help you break it down.

StateTitleType of Law
AlabamaSB318Data breach notification
AlaskaAlaska Stat. § 45.48.010Data breach notification
#rowspan#Alaska Stat. § 45.48.500Data disposal
ArizonaAriz. Rev. Stat. § 41-151.22e-reader
#rowspan#A.R.S. §§ 18-55Data breach notification
#rowspan#Ariz. Rev. Stat. § 44-7601Data disposal
ArkansasArk. Code §§ 4-110-105Data breach notification
#rowspan#Ark. Code §§ 4-110-104(b)Consumer data
#rowspan#Ark. Code §§ 4-110-104(a)Data disposal
CaliforniaCal. Civ. Code §§ 1798.100 et seq.Consumer data
#rowspan#Cal. Bus. & Prof. Code § 22948.20Consumer data
#rowspan#Cal. Civ. Code §§ 1798.81Data disposal
#rowspan#Calif. Bus. & Prof. Code §§ 22580-22582Children's online privacy
#rowspan#Cal. Ed. Code § 99122Online services and websites
#rowspan#Cal. Civ. Code §§ 1798.130(5), 1798.135(a)(2)(A)Online services and websites
#rowspan#Calif. Bus. & Prof. Code § 22575-22578 (CalOPPA)Online services and websites
#rowspan#Calif. Bus. & Prof. Code § 22575Online services and websites
#rowspan#Cal. Civ. Code §§ 1798.83 to .84Information sharing
ColoradoColo. Rev. Stat. § 6-1-716Data breach notification
#rowspan#Colo. Rev. Stat. § 6-1-713:Data disposal
ConnecticutConn. Gen. Stat. § 42-471Data disposal
#rowspan#Conn. Gen Stat. § 36a-701bData breach notification
DelawareDel. Code § 1204CChildren's online privacy
#rowspan#Del. Code tit. 6, § 1206Ce-reader
#rowspan#Del. Code Tit. 6 § 205CInformation sharing
#rowspan#Del. Code tit. 6 § 5002CData disposal
FloridaFla. Stat. §§ 501.171(3)-(6)Data breach notification
#rowspan#Fla. Stat. §§ 501.171(2)Consumer data
#rowspan#Fla. Stat. §§ 501.171(8)Data disposal
GeorgiaGa. Code §§ 10-1-910 et. seq.Data breach notification
#rowspan#Ga. Code §§ 10-15-2(b)Data disposal
HawaiiHaw. Rev. Stat. § 487N-2Data breach notification
#rowspan#Haw. Rev. Stat. §§ 487R-2Consumer data and data disposal
IdahoIdaho Code § 67-831 through § 67-833Data breach notification
Illinois20 ILCS § 450Consumer data
#rowspan#815 ILCS § 530/45Consumer data
#rowspan#815 ILCS §§ 530/1 to 530/25Data breach notification
#rowspan#815 ILCS § 530/30Data disposal
IndianaInd. Code §§ 4-1-11 et. seqData breach notification
#rowspan#Ind. Code §§ 24-4-14-8Data disposal
IowaIowa Code §§ 71.C.1 – 715C.2Data breach notification
KansasKan. Stat. § 50-7a01 et seq.Data breach notification
KentuckyKRS § 365.732 and KRS § 61.931 to 61.934Data breach notification
#rowspan#KRS § 365.725Data disposal
LouisianaLa. Rev. Stat. §§ 51:3071 et seq.Data breach notification
Maine35-A MRSA § 9301(active 7/1/20)Online services and websites
#rowspan#Me. Rev. Stat. tit. 10 § 1346 et seqData breach notification
MarylandMd. State Govt. Code § 10-624 (4)Information sharing
#rowspan#Md. State Govt. Code §§ 10-1303Data disposal
#rowspan#Md. Code Com. Law §§ 14-3504Data breach notification
MassachusettsMass. Gen. Laws § 93H-3Data breach notification
#rowspan#Mass. Gen. Laws § 93H-2Consumer data
#rowspan#Mass. Gen. Laws § 93I-2Data disposal
MichiganMich. Comp. Laws §§ 445.72Data breach notification
#rowspan#Mich. Comp. Laws §§ 445.72aData disposal
MinnesotaMinn. Stat. §§ 325M.01 to .09Online services and websites
#rowspan#Minn. Stat. §§ 325E.64Data breach notification
MississippiMiss. Code § 75-24-29Data breach notification
MissouriMo. Rev. Stat. §§ 182.815182.817e-reader
#rowspan#Mo. Rev. Stat. § 407.1500Data breach notification
MontanaMont. Code §§ 30-14-1701 et seqData breach notification
#rowspan#Mont. Code §§ 30-14-1703Data disposal
NebraskaNeb. Rev. Stat. §§ 87-801 et seq.Data breach notification
#rowspan#Neb. Stat. § 87-302(15)Inaccuracies in privacy policies
NevadaNRS § 603A.300Consumer data
#rowspan#NRS § 603A.340Information sharing
#rowspan#SB 220Online services and websites
#rowspan#NRS § 205.498Online services and websites
New HampshireN.H. Rev. Stat. §§ 359-CConsumer data, information sharing, data breach notification, data disposal
New JerseyN.J. Rev. Stat. §§ 56:8-163Data breach notification
#rowspan#N.J. Rev. Stat. §§ 56:8-162Data disposal
New Mexico2017 H.B. 15, Chap. 36, Section 6Data breach notification
#rowspan#2017 H.B. 15, Chap. 36, Section 3Data disposal
#rowspan#2017 H.B. 15, Chap. 36, Section 4Consumer data
New YorkS5575BConsumer data
#rowspan#N.Y. Gen. Bus. Law § 399-HData disposal
#rowspan#23 NYCRR 500Data breach notification
OregonORS § 646.607Information sharing
#rowspan#SB684Data breach notifications
North CarolinaN.C. Gen. Stat. § 75-65Data breach notifications
#rowspan#N.C. Gen. Stat. § 75-65Data disposal
North DakotaN.D. Cent. Code §§ 51-30-01 et seqData breach notifications
OhioOhio Rev. Code §§ 1347.12 and Ohio Rev. Code §§ 1349.19 et seqData breach notifications
Oklahoma24 OK Stat § 24-163 (2016)Data breach notifications
OregonOregon Rev. Stat. § 646A.604Data breach notifications
#rowspan#Oregon Rev. Stat. § 646A.622Data disposal
Pennsylvania18 Pa. C.S.A. § 4107(a)(10)Inaccuracies in privacy policies
#rowspan#73 P.S. §§201-1 – 201-9.2Consumer data
Rhode IslandR. I. Gen. Laws §§ 11-49.3-1 to .3-6Data breach notification
#rowspan#R. I. Gen. Laws § 6-52-2Data disposal
South CarolinaS.C. Code Ann. § 30-2-40 and S.C. Code Section 30-2-20Consumer data
#rowspan#S.C. Code SECTION 39-1-90Data breach notification
#rowspan#S.C. Code Section 37-2-190Data disposal
South DakotaSD SB62Data breach notification
TennesseeTenn. Code §§ 47-18-2107Consumer data
#rowspan#Tenn Code §§ 8-4-119Data breach notification
#rowspan#Tenn Code § 39-14-150(g)Data disposal
TexasTex. Bus. & Com. Code § 521.053Data breach notifications
#rowspan#Tex. Bus. & Com. Code § 521.052(a)Consumer data
#rowspan#Tex. Bus. & Com. Code § 521.052(b)Data disposal
UtahUtah Code §§ 13-37-201 to -203Information sharing
#rowspan#Utah Code § 13-44-201(1)(a)Consumer data
#rowspan#Utah Code § 13-44-202Data breach notifications
#rowspan#Utah Code § 13-44-201(1)(b)Data disposal
VermontNRS § 603A.300Consumer data
VirginiaVa. Code §§ 18.2-186.6.Data breach notifications
#rowspan#Va. Code § 59.1-442Information sharing
WashingtonWash. Rev. Code §§ 19.255.010Data breach notifications
#rowspan#Wash. Rev. Code §§ 19.215.030Data disposal
West VirginiaW.V. Code §§ 46A-2A-101Data breach notifications
WisconsinWis. Stat. § 134.98Data breach notifications
#rowspan#Wis. Stat. § 134.97Data disposal
WyomingWyo. Stat. §§ 40-12-501 et seq.Data breach notification
District of ColumbiaD.C. Code §§ 28-3851 et seq.Data breach notification
Puerto Rico10 L.P.R.A. § 4051Consumer data and data breach notification

Quick Tips to Protect Data at Home

Possible security breaches and companies collecting your information are only one facet of data safety. Your data is also susceptible to being stolen or compromised by hackers. Thankfully, there are some things you can do at home to combat them. You don't need advanced tech skills or world-class equipment; these are things you can do on your home computer.

Security software

Installing security software on your computer is one of the first steps you should take. Security software keeps your computer healthy and your information safe from attacks or computer viruses. Make sure you stay up to date with any updates of your software. It's easy to close out the persistent pop-up box that reminds you to update, but don't ignore it! Security software is especially important if you are regularly connected to public WiFi networks. While most in-home routers are encrypted, there is no way to know if the internet you are connecting to is safe.

Use a password manager

Using the same password for everything leaves you vulnerable to potentially giving someone access to all of your information. But remembering a gaggle of passwords is no easy feat. Using a password manager is an easy way to ease the burden. Password managers are designed to generate long and complicated passwords that are less likely to be compromised. Your passwords are encrypted and can only be accessed through the master password you create. Depending on the password manager, it may offer an automatic fill feature that kicks in when you go to a page you have a saved password for.

Backup your data

If your information is lost, compromised, or stolen, backing up your data is a way to make sure all of your hard work and cherished memories are not lost. When you back up your data, you're making a copy that is not stored on your computer. Whether you use a local storage option or the cloud, the point is to make your files unavailable to anyone else except you.

Data encryption

Data encryption is an essential way to keep your personal information safe. It works by taking readable text from an email or document and scrambling it into an unreadable cipher text. Encrypting your data will secure it not only on your computer, but also when it is transmitted over the internet. For the information to revert to its original form, both the sender and recipient have to have the encryption key.

What to do After a Data Breach

So you've heard on the news or received an email that there has been a breach and your data may have been affected. A security breach does not automatically mean someone is going to steal your identity. Before you panic, use these steps to help you through the process.

1. Confirm if you were affected by the security breach

Beware of scammers attempting to coax more information out of you with fake emails. If you receive an email that a breach has occurred, contact the company directly to confirm. Do not reply to the email.

2. Find out what information was compromised

What you do after a security breach may vary slightly depending on the type of company that was breached. You should tailor your response to the circumstances and to what information was stolen. If you find that you are the victim of the security breach, don't pass up the company's offer to help.

3. Change your passwords

The next important step to take is to address your security. Update your login information and security questions for all of your sensitive accounts – not just the ones affected by the breach. Take this time to enact two-factor authentication into your login process to add another layer of security to your accounts.

4. Contact a credit reporting bureau to report

To make sure you aren't the victim of identity theft, call any of the major credit reporting bureaus and have them file a fraud alert on your name. This alert makes it harder for someone to open new accounts under your name and lasts for one year. Additionally, you may also consider putting a credit freeze on your report, which will restrict access to your credit report. Bear in mind this will require you to manually lock and unlock your credit report when filing for new lines of credit, like a rewards card or a house.

5. Monitor all accounts closely

Finally, after you've changed your passwords and placed a fraud alert in your name, the last thing to do is closely monitor your account for any suspicious activity. A fraud alert and credit freeze will make it harder for thieves to open new accounts, though it does not guarantee safety to the accounts they may already have access to.

Editorial standards


What the Securing Open Source Software Act does and what it misses
open source handwritten with related word cloud

What the Securing Open Source Software Act does and what it misses

How to limit Spotlight search to improve privacy in MacOS
Dark Mode on Mac

How to limit Spotlight search to improve privacy in MacOS

How to lock active incognito tabs on Android Chrome for more privacy
The Chrome flags window in Android.

How to lock active incognito tabs on Android Chrome for more privacy