47 States Have Weak or Nonexistent Consumer Data Privacy Laws

“It’s like the wild wild west,” Emily Mancini, communications director for New York State Sen. Kevin Thomas (D), says, “for businesses and consumers alike.”

A bold comparison, perhaps, but one that’s not altogether incorrect. No, we don’t travel by horseback anymore, but as more and more of our lives migrate online, competing regulations, laws, and legislative proposals make it clear that data privacy is, indeed, the new frontier.

But as new laws around the country give form to basic personal data privacy, it’s impossible not to notice just how many states and the federal government itself seem to be sitting out the game entirely.

>> Related Reading: Guide to Data Removal Services

Some lawmakers, like New York State’s Thomas, as well as lawmakers in California, Nevada, and Maine, have had success in crafting effective proposals and getting them through the legislative process, while just over half of all states do not currently have any meaningful proposals active in their lawmaking bodies.

Roughly 95% of Americans are now online, but in only three states have lawmakers managed to approve legislation that guarantees residents some degree of control over their personal data online and/or requires the private companies collecting that data to behave by a particular set of rules regarding the sanctity of that information.

And despite years of bipartisan calls for federal action, the U.S. remains one of the few developed nations without a comprehensive, blanket data protection law. While lawmakers have floated several proposals — including the American Privacy Rights Act (APRA), which gained traction in 2024 — none has crossed the finish line to become federal law.

In the absence of federal legislation, states have been stepping up. As of mid-2025, 20 states have enacted comprehensive consumer data privacy laws, though the strength and scope of those laws vary widely. California’s framework remains the gold standard, but most state laws still leave significant gaps in consumer protections.

Strong Data Privacy Requires These 15 Rights & Regulations

There is no single consensus as to the definition of comprehensive digital privacy, but there are several areas where privacy advocates generally agree. Here’s a look at the 15 most common provisions, some of which provide rights to consumers and some of which apply only to business practices:

• Right of access & information: Consumers should be informed of what information businesses or data collectors are gathering about them, and they should be able to access the information or categories of information as well as accessing names or categories of third parties who received the shared information.
• Right of rectification: Consumers should be able to request corrections to outdated or incorrect personal information.
• Right of deletion: Consumers should be able to request that personal information be deleted in certain conditions.
• Right to restriction of processing: Consumers should be able to restrict a company’s ability to access their personal information.
• Right to data portability: Consumers should be able to request their information be disclosed in a common file format.
• Right to opt-out of sale of personal data: Consumers should be able to choose not to have their personal information sold by the collector to a third party.
• Right against automated decision-making: Businesses should not make decisions about consumers based on an entirely automated process that has no human input.
• Right of action: Consumers should be able to seek civil damages from a business that violates privacy statutes.
• Age-based opt-in: Businesses must default to strict opt-in for sale of personal information for consumers under a certain age.
• Transparency requirements: Businesses must provide notice to consumers about their data practices and privacy programs.
• Data breach notification: Businesses must notify consumers or enforcement authorities in the event of privacy or security breach where people’s identities may be stolen.
• Risk assessment: Businesses must conduct formal risk assessments of their established security and privacy practices.
• Non-discrimination: Businesses are prohibited from treating a consumer differently if they exercise data privacy rights.
• Purpose & processing limitation: Businesses must collect and process consumer data only for a specific purpose.
• Fiduciary duty: Businesses must act in the best interest of the consumer.

It’s important to note that all states now have some form of data breach notifications in place, but the specific provisions of the laws vary, including exempting some businesses from the requirements as well as variations in enforcement.

Digital Privacy Legislation

Since our original analysis, the data privacy landscape has shifted considerably. At least 20 states have enacted comprehensive consumer data privacy laws, with more legislation advancing each session. Federal momentum has picked up — though a comprehensive national standard still doesn’t exist. No state yet covers all 15 critical areas we identified, and the patchwork nature of U.S. privacy law remains a real problem for everyday consumers.

>> Related Reading: Five Easy Opt-Outs to Protect Your Identity and Privacy

Those 20 states with comprehensive consumer data privacy laws include: California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, Rhode Island, and Florida. Additional states have bills advancing through their legislatures. Bipartisan support has been common in states where bills have actually crossed the finish line, with Republicans championing privacy measures in states like Texas and Indiana as well.

Still, a significant number of states lag behind — either relying on outdated breach notification statutes, stalled study committees, or no meaningful privacy framework at all. The gap between states like California (with its robust California Privacy Rights Act, or CPRA, enforced since July 1, 2023) and states with zero active comprehensive legislation remains stark.

State-by-State Breakdown

To compare each of the states’ efforts to ensure consumer digital privacy, we analyzed the measures that have become law so far, those that are still pending (and the ones that failed) to classify states by how strong their data privacy rules are. It’s worth noting that the legislative process in each state is on a different time table, and these rankings may change as events warrant.

Our analysis slotted the states into five buckets:

• Very strong: Including all 15 data privacy protections and requirements — zero states
• Strong: At least 1 of the 15 protections and requirements have been signed into law — three states
• Pending: Active legislation includes at least one of the 15 protections and requirements but nothing formally adopted yet — 15 states
• Weak: No active legislation but recent measures have included at least one protection or requirement and task force launched or study order issued — seven states
• Very weak: No active or recent legislation including at least one protection or requirement — 26 states

Strong: California, Maine, Nevada

California

Protections: CCPA went into effect Jan. 1, 2020, including eight of 15 protections and requirements. The California Privacy Rights Act (CPRA), which significantly expanded the CCPA, took full effect January 1, 2023.

Because it’s the most robust of the three laws that have gone into effect, California’s CCPA is, by default, the most far-reaching digital privacy law in the U.S., but even it falls short in several areas, and it covers just more than half of the crucial protections the modern world requires.

While the law does provide important protections, not every aspect of it is positive, and many in the business community are reasonably concerned about the added burden the requirements will place on some commercial entities; the state estimates initial compliance costs could near $60 billion.

Aside from the impact on businesses, the bill also omits several provisions, as well as leaving enforcement up to the attorney general’s office, meaning that unless poor security measures within a business exposed your information, private individuals cannot sue businesses over breaches.

What the law includes:

Right of access & information

Right of rectification (added by CPRA)

Right of rectification

Right of deletion

Right to restriction of processing (added by CPRA)

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data

Right against automated decision-making (added by CPRA)

Right against automated decision-making

Right of action (security only)

Age-based opt-in (age 16)

Transparency requirements

Data breach notification

Risk assessment

Risk assessment (added by CPRA)

Non-discrimination

Purpose & processing limitation (added by CPRA)

Purpose & processing limitation

Fiduciary duty

Maine

Protections: An Act to Protect the Privacy of Online Consumer Information, scheduled took effect July 1, 2020, pending lawsuit from internet service providers, including four of 15 protections and requirements, applies only to ISPs.

Maine’s law had broad bipartisan support during the legislative process, and it was approved by the state senate unanimously. But it applies only to internet service providers and not other types of companies that collect consumer data.

The ISP lobbying organizations that initially filed suit — ACA Connects, CTIA, NCTA, and USTelecom — challenged the law in federal court, but the First Circuit Court of Appeals upheld Maine’s privacy law in June 2021, allowing it to remain in effect. The law continues to apply exclusively to ISPs operating in the state.

What the law includes:

Right of access & information

Right of rectification

Right of deletion

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data (law requires strict opt-in)

Right against automated decision-making

Right of action

Age-based opt-in

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

Nevada

Protections: SB220, which went into effect in October 2019, including three of 15 protections and requirements, applies only to website operators

Nevada’s relatively modest slate of consumer protections are quite narrow in scope and are more or less limited to a right to opt-out of having data sold. The law also applies only to website operators, so businesses that collect data offline are not impacted.

California’s law is broad in terms of what comprises “sale,” while Nevada’s rule is more focused and excludes things that aren’t literally the exchange of money for information, but critics contend that while the attorney general’s office will formally handle enforcement, the agency will rely on consumers to report noncompliance.

What the law includes:

Right of access & information

Right of rectification

Right of deletion

Right to restriction of processing

Right to data portability

Right to opt-out of sale of personal data

Right against automated decision-making

Right of action

Age-based opt-in

Transparency requirements

Data breach notification

Risk assessment

Non-discrimination

Purpose & processing limitation

Fiduciary duty

Pending or Recently Passed: Additional States

Arizona

Protections: Arizona enacted a consumer data privacy law in 2024, making it one of the latest states to join the growing wave of state-level privacy legislation. The law includes several key protections and requirements, with an effective date of January 1, 2026.

Arizona’s law follows the general framework seen in other state privacy laws, giving consumers the right to access, correct, delete, and opt out of the sale of their personal data. The law applies to businesses that control or process data of at least 100,000 consumers annually, or at least 25,000 consumers if the business derives over 50% of its gross revenue from selling personal data.

The law does not include a private right of action, meaning enforcement falls to the state attorney general. Businesses are given a 30-day cure period to fix violations before the AG can take action. Critics note that without a private right of action, consumers have limited recourse if their data is mishandled.

Florida

Protections: Florida enacted the Florida Digital Bill of Rights (SB 262) in June 2023, with an effective date of July 1, 2024. Its scope is notably narrow compared to other state privacy laws.

Florida’s law provides consumers with rights to access, correct, delete, and opt out of the sale of personal data or its use for targeted advertising. However, the law has a significant limitation: it applies only to businesses with annual global revenues exceeding $1 billion, which excludes the vast majority of companies operating in the state.

This high revenue threshold has drawn sharp criticism from privacy advocates, who argue the law is tailored more to address a handful of major tech platforms than to deliver broad consumer protections. Enforcement authority rests with the Florida attorney general, and there is no private right of action.

Illinois

Protections: None adopted, multiple bills active, including one that covers 10 of 15 protections and requirements

A sweeping Senate bill in Illinois would include more protections than the CCPA, though it also is missing important provisions. The measure, SB 2330, was sponsored by Sen. Thomas Cullerton (D) and is currently in the senate’s judiciary committee.

Maryland

Protections: The Maryland Online Data Privacy Act (MODPA) was signed into law on May 19, 2024, making Maryland one of the stronger state-level privacy laws in the country.

Maryland’s Online Data Privacy Act goes further than many other state privacy laws by prohibiting businesses from collecting, processing, or sharing sensitive data beyond what is strictly necessary to provide a requested service — not just requiring opt-out options. The law covers data like health information, biometric data, and precise geolocation, and it takes effect on October 1, 2025.

Minnesota

Protections: The Minnesota Consumer Data Privacy Act (MCDPA) was signed into law on May 24, 2024, covering residents starting July 31, 2025.

Minnesota’s law is one of the more comprehensive state privacy laws to date, giving residents the right to access, correct, delete, and port their data. It also includes opt-out rights for targeted advertising and the sale of personal data. Notably, it requires businesses to conduct data protection assessments for high-risk processing activities.

Nebraska

Protections: The Nebraska Data Privacy Act (NDPA) was signed into law on April 17, 2024, and takes effect on January 1, 2025.

Nebraska’s privacy law gives residents rights to access, correct, delete, and obtain a copy of their personal data. It also includes opt-out rights for the sale of personal data, targeted advertising, and profiling. The state attorney general has exclusive enforcement authority.

New Hampshire

Protections: The New Hampshire Privacy Act (SB 255) was signed into law on March 6, 2024, and took effect on January 1, 2025.

New Hampshire’s law gives residents familiar rights: access, correction, deletion, and data portability. It also includes opt-out rights for targeted advertising and the sale of personal data. While it closely mirrors Virginia’s and Connecticut’s frameworks, it’s a meaningful step up for a state that previously had no comprehensive consumer data privacy protections.

New York

Protections: No comprehensive consumer data privacy law has been enacted yet, though New York remains one of the most active states in pursuing strong protections.

The New York Privacy Act (NYPA) has been reintroduced multiple times and continues to be one of the most ambitious proposals in the country — going further than California’s law in several areas, including treating data processors as fiduciaries for consumers. As of the 2023–2024 legislative session, the bill has not advanced out of committee, though advocacy for its passage remains active.

New York does have some narrower protections in place — including the SHIELD Act and the biometric privacy protections under New York City’s Local Law 3 — but residents are still waiting on comprehensive statewide privacy legislation that covers the full range of data rights.

Sen. Thomas is the primary sponsor of the NYPA, the more robust of the two proposals, and his spokesperson Mancini indicated that Thomas is determined to build on the strong protections introduced in California and Europe and that enacting new privacy laws will only become more challenging as time goes on.

“Right now is the time because it’s only going to get more difficult as we scale up the technology, so this legislation is coming at a crucial time,” Mancini said.

Thomas and other lawmakers are currently discussing the wording of amendments to the bill that will help ensure that it’s easy for consumers to take advantage of the protections and that businesses are able to comply, Mancini said: “It’s like the wild wild west, a new frontier for consumers and industry alike.”

Oklahoma

Protections: Oklahoma enacted the Oklahoma Computer Data Privacy Act (HB 1030) on May 29, 2024, making it one of the growing number of states with a comprehensive consumer data privacy law. The law takes effect July 1, 2025, and grants consumers rights including access, deletion, correction, and opt-out of data sales and targeted advertising.

Oklahoma’s law applies to entities conducting business in the state or targeting Oklahoma residents, with thresholds similar to other state privacy laws. It was signed by Governor Kevin Stitt and reflects the state’s shift toward stronger digital privacy protections.

Pennsylvania

Protections: None adopted, but active bill includes seven of 15 protections and restrictions

Pennsylvania has considered several consumer data privacy proposals over the years, though none have been signed into law as of this writing. Earlier versions of the legislation, including HB1049, were championed by Rep. Ed Neilson (D-Philadelphia), who emphasized a collaborative approach to getting the bill across the finish line.

“We have been working with multiple stakeholders attempting to get them on board so that we can move the issue forward. As a legislator, you realize that a good bill is negotiated not dictated, for it should never be my way or the highway.”

Neilson made clear that even if a given session ended without passage, he intended to keep reintroducing the measure — a pattern that reflects the broader challenge states face in moving comprehensive privacy legislation forward.

Rhode Island

Protections: Rhode Island enacted the Rhode Island Data Transparency and Privacy Protection Act (H 7787) on June 25, 2024. The law takes effect January 1, 2026, and establishes consumer rights, including data access, deletion, correction, portability, and opt-out of data sales and targeted advertising.

The law applies to entities that control or process personal data of at least 35,000 Rhode Island consumers, or that derive over 20 percent of gross revenue from the sale of personal data and process or control data of at least 10,000 consumers. The Rhode Island Attorney General is responsible for enforcement.

South Carolina

Protections: None adopted, but active bill includes nine of 15 protections and requirements but applies only to biometric information

A measure in the South Carolina House of Representatives provides broad protections but is narrow in its scope, including nine protections or requirements — but applying only to biometric information, such as fingerprints, iris scans, and DNA. Though it is limited in scope, the bill, proposed by Republican Bruce Bryant (Lake Wylie), among biometric privacy laws, it goes quite far.

The bill is pending in the house judiciary committee.

Virginia

Protections: None adopted, but bill continued to 2021 session includes nine of 15 protections and requirements

A bill that originated in the current session of the Virginia legislature will be held until the next session, according to a representative from the office of Democrat Mark D. Sickles (Fairfax), who introduced the measure.

While it isn’t exactly comprehensive, the Virginia Privacy Act, as it’s currently written, would be among the most expansive in the South.

Wisconsin

Protections: None adopted, trio of bills include four of 15 protections and requirements

A trio of bills comprises the Wisconsin Data Privacy Act, each covering a different area of privacy protections. Taken as a whole, the measures would provide some basic protections for consumers, though the measures still fall short in many ways.

It’s unclear what the prospects are for passage of any of the three separate measures.

Weak: 6 states

Connecticut, Hawaii, Louisiana, Massachusetts, North Dakota, Texas

Protections: None adopted and no active bills; task force substituted or study order issued in place of a comprehensive bill

A total of six states have launched data privacy task forces or issued orders for lawmakers and state officials to study the matter in detail. In all six cases, the study/task force orders were implemented in place of legislation.

Very weak: 26 states

Alabama, Alaska, Arkansas, Colorado, Delaware, Georgia, Idaho, Indiana, Iowa, Kansas, Kentucky, Michigan, Mississippi, Missouri, Montana, New Jersey, New Mexico, Ohio, Oregon, South Dakota, Tennessee, Utah, Vermont, Washington, West Virginia, Wyoming

Protections: Nothing adopted, no active bills, no formal task force or study

In more than half of the states, there is no active legislation and no task force or study order proclamations. Some of these states, like Mississippi and Washington, have seen bills be introduced in recent sessions but not survive the legislative process, while others, like Indiana, haven’t seen any relevant bills be proposed.

Conclusion

The need for consumer data protection has never been more urgent. Nearly every American is online in some capacity — whether for work, shopping, streaming, or social media — and the volume of personal data being collected and shared continues to grow. As of 2026, approximately 20 states have enacted comprehensive consumer data privacy laws, representing significant progress since this article was first published — though a federal privacy law has yet to be enacted, and many states still lack strong protections.

About This Research

Legislative research for this article covered the most recent session of each state’s legislature, which in some cases stretches back one or more years. As referenced, several states have had previous pending legislation that for one reason or another did not survive the legislative process. Every state allows the public to search for proposed legislation, read the text of it and track where it is in the process, and people who are concerned about their data privacy, even in states like California, would be well-advised to conduct their own research about the situation in their state.

We consulted several other sources to help formulate the basics of what should be considered comprehensive data privacy protections, the political and economic ramifications of these discussions, and other areas related to digital privacy. This includes the International Association of Privacy Professionals’ Westin Research Center, the National Council of State Legislatures, Recode, Varonis, Wired, and TechCrunch.