Under newly implemented regulations of the California Consumer Privacy Act (CCPA), California now requires a formal risk assessment “before initiating any processing activity” of certain (sensitive) sorts. The regulation explicitly contemplates that businesses will complete risk assessments now, in 2026.

Eventually, such risk assessments – including those completed this year – must be signed by an executive and submitted to the California regulator under penalty of perjury.

Continue Reading New CCPA Risk Assessment Requirements Now In Effect

As in Indiana and Kentucky, the start of 2026 brought into effect Rhode Island’s comprehensive consumer privacy law, the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA). This statute is not simply a replica of what has come before it.

While much of its terminology and mechanics will feel familiar to organizations already operating under multiple state privacy regimes, it also includes elements such as general applicability thresholds at the lower end of the typical range and broad privacy notice requirements. The similarities and distinctions make RIDTPPA easy to place within the broader U.S. privacy landscape, while also presenting a few compliance gray areas that merit closer attention.

Continue Reading Rhode Island’s New Privacy Law: An Overview and Highlighted Differences

As we begin 2026, Kentucky has officially enacted the Kentucky Consumer Data Protection Act (KCDPA), a comprehensive privacy statute that took effect on January 1, 2026. As with Indiana, the KCDPA is modeled on the now‑familiar Virginia‑style framework. The KCDPA establishes consumer data rights, imposes governance obligations on businesses, and grants exclusive enforcement authority to the Kentucky Attorney General.

Continue Reading Kentucky Consumer Data Protection Act: Key Takeaways for the New Bluegrass Statute

Indiana has joined the growing list of states with a comprehensive consumer privacy statute, codified at Indiana Code 24‑15 and effective January 1, 2026.

The law follows the “Virginia model,” but introduces several nuances that will matter for organizations doing business in, or targeting residents of, Indiana.

Continue Reading HOO- HOO- HOO- HOOSIERS Brace for Indiana Consumer Data Protection Act

President Trump’s Dec. 11 Executive Order, “Ensuring a National Policy Framework for Artificial Intelligence” (the “order”), targets what the administration views as burdensome and fragmented state AI regulation in favor of a single national framework.

Although the order does not overturn any existing or proposed state AI law, it directs federal agencies to challenge certain state AI laws, condition federal funding on compliance with the order, and propose federal preemption legislation.

Continue Reading President Trump Signs Executive Order to Limit State AI Regulation

On July 1, 2025, the Virginia Consumer Data Protection Act (VCDPA) amendments took effect, implementing several changes to the existing privacy law, including adding new protections to reinforce consumers’ sexual and reproductive health information. While other consumer health data laws exist, such as Washington’s My Health My Data Act (MHMDA), which generally protects a broad category of “consumer health data,” the VCDPA amendments take a narrower approach and focus only on reproductive and sexual health information. Here is what you need to know.

Continue Reading Virginia is for Lovers (of Privacy): VCDPA Amendments Merge Components of Consumer Data Health Laws to Better Protect Reproductive and Sexual Health Information

What does it take for a data breach plaintiff to have standing to sue in Illinois? More than a mere increased risk of harm, said the Illinois Supreme Court in a case where Taft represented the defendant, a large multi-specialty group medical practice.

This post highlights the importance of a thorough post-data breach investigation.

Continue Reading Taft Wins First Data Breach Class Action to Reach Illinois Supreme Court: Key Takeaways

In late October 2024, Ohio Senate Bill 29 (“SB 29”)[1] took effect. This new law regulates educational records and student data privacy throughout the state, specifically relating to student-issued devices (e.g., laptops, tablets, software). What makes SB 29 unique is that it extends beyond schools and school districts and impacts third-party technology providers that work with these entities. Taft anticipates greater emphasis on compliance with this new law ahead of the 2025-2026 school year. Here is what you need to know about the Ohio student data privacy law.

Continue Reading School is in Session: Ohio’s New Student Data Privacy Law Impacts More than Students

On Aug. 2, 2024, Illinois Governor J.B. Pritzker signed SB 2979 into law, bringing significant reform to the state’s Biometric Information Privacy Act (BIPA). The much-anticipated BIPA amendment took effect immediately and will provide welcome relief to businesses.

The amendment allows written releases to be executed by electronic signature and drastically limits the damages an “aggrieved person” accrues in BIPA litigation. By ending the per-scan violation, the amendment directly responds to the Illinois Supreme Court’s ruling in Cothron v. White Castle Systems, Inc.

Continue Reading New Legislation Promises Stronger Privacy Protections and Clearer Guidelines for Businesses

Believe it or not, we are now more than halfway through 2024. As of July 1st, we now have additional state privacy laws in effect in Florida (narrow applicability), Oregon, and Texas – with more on the way later this year and into 2025. We thought it would be a good time to provide a recap on the current privacy law landscape in the United States today.

Continue Reading Comprehensive State Privacy Laws – Halfway Through 2024 and Looking Ahead to 2025