The number of regulations at the national, state, and local level designed to protect personally identifiable information (PII) has been growing over the past few years. And no wonder—with data breaches on the rise, it’s clear that malicious actors are poised to exploit businesses’ mistakes or carelessness regarding how they secure sensitive information.
While the U.S. does not have a national data privacy law, a growing number of states have enacted laws and regulations that govern how data is collected, stored, and processed. These are intended to:
In general, businesses should strive to meet these goals, regardless of which laws apply in their jurisdiction, to guard against financial and reputational damage related to poor data privacy practices. However, they should also stay abreast of applicable national, state, and local laws to ensure they are in legal compliance as well.
In recent years, two initiatives have been developed to address data privacy at the national level: the American Data Privacy and Protection Act, introduced in the 177th Congress and not yet voted on, and an executive order issued in February 2024 authorizing the U.S. Attorney General to prevent the large-scale transfer of sensitive U.S. data to countries of concern. Despite the lack of a single unifying data privacy law, there is a wealth of agencies that have authority over privacy issues, including the Federal Trade Commission, the Office of the Comptroller of the Currency, the Department of Health and Human Services, the Federal Communications Commission (FCC), the Securities and Exchange Commission (SEC), the Consumer Financial Protection Bureau (CFPB), and the Department of Commerce.
To date, at least 15 states have enacted data privacy laws:
State | Examples of privacy legislation |
---|---|
California | 1. California Consumer Privacy Act (CCPA): Allows residents to ask businesses to disclose the type of information they collect, why they’re collecting the information, and the source of that data 2. California Privacy Rights Act (CPRA): Gives residents the ability to prevent businesses from sharing their personal data, request that personal data inaccuracies be corrected, and prevent them from using sensitive PII, such as race and sexual preference 3. Several AI-related bills passed in 2024: Define AI and regulate the largest AI models, generative AI training data transparency, algorithmic discrimination, and deepfakes in election campaigns |
Colorado | 1. The Colorado Artificial Intelligence Act: Requires AI systems developers “to use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination in the high-risk system” 2. The Colorado Privacy Act: Gives consumers rights to manage their personal data and specifies how businesses must protect personal data |
Connecticut | The Connecticut Personal Data Privacy and Online Monitoring Act: Lays out consumer rights related to personal data, data privacy, and online monitoring |
Delaware | The Delaware Personal Data Privacy Act: Specifies consumer rights and requirements for the protection of personal data |
Florida | The Florida Digital Bill of Rights: Applies to entities generating more than $1 billion in gross revenue and at least 50% of their global annual revenues from the sale of online advertisements |
Indiana | The Indiana Consumer Data Protection Act (effective January 1, 2026): Outlines consumer rights and requirements for data protection |
Iowa | The Iowa Consumer Data Protection Act: Outlines consumer rights and requirements for data protection |
Montana | The Montana Consumer Data Privacy Act: Applies to entities conducting business in Montana or providing products or services to Montana residents that might use personal data |
New Hampshire | The New Hampshire Privacy Act: Applies to entities conducting business in New Hampshire or creating products or services targeting New Hampshire residents |
New Jersey | The New Jersey Data Protection Act: Applies to entities conducting business in New Jersey or creating products or services targeting New Jersey residents |
Oregon | The Oregon Consumer Privacy Act: Outlines consumer rights and rules for data protection |
Tennessee | The Tennessee Information Protection Act (effective July 1, 2025): Governs data protection and data breach reporting |
Texas | The Texas Data Privacy and Security Act: Outlines consumer rights and data protection requirements for businesses |
Utah | The Utah Consumer Privacy Act: Provides consumer rights and emphasizes data protection assessments and security measures |
Virginia | The Virginia Consumer Data Protection Act: Grants consumers rights to access, correct, delete, and post their personal data; mandates that businesses comply with data protection rules; and affects both government and nongovernment organizations that annually process specific quantities of personal data |
It is expected that similar legislation in other states will build on the foundation of consumer protection established in these states. Eventually, this may even lead to a broad-based national data privacy law. In the meantime, however, it will be up to businesses to monitor developments in the jurisdictions in which they do business to ensure accurate compliance.
If you’re uncertain whether your current IT practices are providing robust protection for the PII your business handles, or whether you are fully in compliance with all the data privacy laws that could apply to your business, Right Click can help. Our expert, 24/7 managed IT support services are designed to produce cost-effective, tailored solutions for your business needs. To find out more, contact us to schedule a consultation.