State Privacy Laws

Subscribe to State Privacy Laws

Oregon has become one of the latest states to adopt a comprehensive data privacy law. The Oregon Consumer Privacy Act (“OCPA” or the “Act”) takes effect July 1, 2024, and mirrors its other U.S. privacy law counterparts, with a few unique distinctions. Here is what you need to know.

Scope. The OCPA applies to (i) any person or entity who conducts business in Oregon or provides products or services to residents in Oregon and (ii) during a calendar year, controls or processes:

  • The personal data of 100,000 or more consumers (other than personal data controlled or processed solely for the completion of a payment transaction) or
  • The personal data of 25,000 or more consumers while deriving 25 percent or more of annual revenue from selling personal data.


Continue Reading 12 Down, 38 to Go: Oregon Becomes One of the Latest States to Enact a Comprehensive Data Privacy Law

On June 30, 2023, California Superior Court Judge James P. Arguelles held that the California Privacy Protection Agency (the “Agency”) cannot enforce any violation for the Agency’s regulations issued on March 29, 2023, under the California Consumer Privacy Act (CCPA), as amended by the California Consumer Privacy Rights Act (CPRA) until March 29, 2024. This holding stems from a petition brought by the California Chamber of Commerce (the “Chamber”) against the Agency, arguing that based on a plain reading of the CPRA’s language, enforcement cannot begin until one year following issuance of the Agency’s regulations.

Although enforcement of the Agency’s regulations are delayed, the text of the CCPA, as well as regulations enacted prior to March 29, 2023, remain in effect and enforceable. The enforcement stay solely bars the Agency from enforcing its own issued regulations under the CPRA for one year after a particular regulation is finalized.

Continue Reading Not So Fast: California Superior Court Delays Enforcement of Certain CPRA Regulations

On May 19, 2023, Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (the “MTCDPA”) into law, becoming the ninth state to enact a comprehensive consumer privacy act. Montana joins California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia with legislation that protects their residents’ personal data.

The MTCDPA will go into effect on October 1, 2024. In preparation for MCTDPA to be signed into law, companies doing business in Montana should start thinking of ways to incorporate the law’s requirements into their existing privacy policies and procedures.

Continue Reading Montana Enacts Privacy Law

Last month, Washington Governor Jay Inslee signed the My Health My Data Act (“MHMDA” or the “Act”) into law. While the Act is not a comprehensive privacy law, it extends many protections to Washington residents (“consumers”) regarding certain personal information. The MHMDA’s unique features are unlike any privacy law we have seen in the last few years – making this law arguably the most impactful U.S. privacy legislation since the CCPA. Here is what you need to know.

Continue Reading What You Need to Know About Washington State’s New “My Health My Data” Act

On May 18, 2023, the Federal Trade Commission (the “FTC”) issued a policy statement on the use of biometric information under its regulatory powers in Section 5 of the FTC Act (the “Statement”). The Statement is the strongest message the FTC has ever issued regarding how certain uses of biometric technology may, depending on the circumstances, constitute unfair and deceptive trade practices under Section 5.

The Statement provides significant insight into the FTC’s shifting priorities and focus on the regulation of the use of biometric technology, a topic that so far has been regulated by state and local law – or not at all. Companies should take heed of the FTC’s guidance for purposes of understanding potential exposure not only at the federal and state regulatory level but also in the form of potential civil lawsuits under state unfair and deceptive trade practice statutes.

Continue Reading The FTC Expands Its Regulatory Watch Over the Use of Biometric Technology

On May 11, 2023, Tennessee Governor Bill Lee signed the Tennessee Information Protection Act (the “TIPA”) into law. Tennessee is now the eighth state to enact a comprehensive privacy law, joining California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia. The TIPA is set to go into effect on July 1, 2025.

Continue Reading State Number Eight: Tennessee Becomes Eighth State to Enact Privacy Law

On May 3, 2023, Utah’s Online Pornography Viewing Age Requirements Act (the “Act”) went into effect. The Act states that website operators must require internet users to prove they are eighteen years of age or older through a “digitized identification card” or third-party age-verification service when accessing websites containing “pornography or other materials harmful to minors.” In other words, to access adult websites in Utah, users must either upload their driver’s license (or other state-issued identification) or subject themselves to third-party age verification through tools such as biometric scanning. Simply clicking “I am 18 or older” is no longer sufficient with this legislation; an individual must now give personally identifiable information, including in some cases, a biometric face scan.

Continue Reading Porn, Privacy & Protecting Kids:  States Seek to Balance Individual Rights and Business Interests in New Online Age Verification Laws

This month, Indiana passed its own privacy bill, Senate Bill 5 (“SB 5”) for consumer data protection. SB 5 is now awaiting signature from Indiana Governor Eric Holcomb. Once signed into law, Indiana will be the seventh state in the nation to enact a comprehensive privacy law. With a later effective date of January 1, 2026, SB 5 maintains the status-quo and largely follows the six other states with privacy laws (California, Colorado, Connecticut, Iowa, Utah, and Virginia). Following is a high level overview of the key provisions of SB 5.

Continue Reading Up Next, the Crossroads of America: Indiana Positioned as 7th State to Join Privacy Party

Recently, the California Office of Administrative Law approved the California Privacy Protection Agency’s (CPPA) long-awaited final regulations (“Regulations”). While there are many rules businesses need to ensure they comply with, this article focuses on the CPPA’s enforcement action and the role the Agency will play in interacting with companies moving forward.

Continue Reading CPPA Final Regulations Are Here

As expected, another state has joined the privacy party. This month, Iowa positioned itself to become the sixth state in the nation to pass legislation establishing consumer data privacy protections. Iowa Senate File 262 (the “SF 262”) unanimously passed in the Iowa House and Senate and is now awaiting signature by Iowa Governor Kim Reynolds. When signed into law, SF 262 will become effective on January 1, 2025. The new SF 262 mirrors many of the protections and rights provided in the data privacy laws of the five other states (California, Colorado, Connecticut, Utah, and Virginia). Below are the key highlights that businesses should know about the bill.

Continue Reading Six down, 44 to go? Iowa Joins Privacy Party by Passing New Privacy Law