What is State Privacy Laws?

The United States has no comprehensive federal privacy law. Instead, individual states are creating their own — resulting in a patchwork of protections that varies dramatically depending on where you live.

Major State Privacy Laws

California (CCPA/CPRA) — Strongest

• Effective: 2020 (CCPA), 2023 (CPRA amendments)
• Rights: Access, delete, opt-out of sale, correct, limit use of sensitive data
• Enforcement: California Privacy Protection Agency (dedicated enforcement body)
• Global Privacy Control: Legally binding opt-out signal in California
• Private right of action: Consumers can sue for data breaches
• Covers: Businesses with $25M+ revenue, or handling 100K+ consumers' data

Virginia (VCDPA)

• Effective: 2023
• Rights: Access, delete, correct, opt-out of targeted advertising, profiling
• Enforcement: Attorney General only (no private right of action)
• Notable: First state to ban geofence warrants

Colorado (CPA)

• Effective: 2023
• Rights: Similar to Virginia, plus universal opt-out mechanism
• Notable: Recognizes Global Privacy Control as valid opt-out

Connecticut (CTDPA)

• Effective: 2023
• Rights: Access, delete, correct, opt-out of sale and targeted advertising

Additional States (2024-2026)

Texas, Oregon, Montana, Indiana, Iowa, Tennessee, Florida, Delaware, New Hampshire, New Jersey, Nebraska, Maryland, Minnesota, and others have passed or are considering privacy legislation.

Your Rights (In Most State Laws)

Right	Description
Right to know	What personal data a company has about you
Right to delete	Request deletion of your personal data
Right to correct	Fix inaccurate personal data
Right to opt out	Stop sale of your data or targeted advertising
Right to portability	Get your data in a usable format
Right to non-discrimination	Companies can't penalize you for exercising rights

How to Exercise Your Rights

1. Determine which laws apply to you — Based on your state of residence
2. Find the company's privacy request page — Usually linked from their privacy policy
3. Submit a verified request — Companies may require identity verification
4. Wait 45 days — Most laws give companies 45 days to respond
5. Escalate if needed — File complaints with your state's Attorney General
6. Use Global Privacy Control — Install in your browser to automatically signal opt-out preferences

The Problem with Patchwork

• Inconsistent protections: A Californian has much stronger rights than a Mississippian
• Compliance burden: Businesses must navigate dozens of different laws
• Enforcement varies: Some states actively enforce; others are passive
• No federal floor: Without a federal law, some states may never act
• Preemption risk: A weak federal law could override stronger state protections

What You Can Do

1. Know your state's law — Check if your state has comprehensive privacy legislation
2. Exercise your rights — Use them regularly; it pressures companies to build better privacy practices
3. Use Global Privacy Control — Recognized in California and Colorado, signal growing
4. Support strong state legislation if your state doesn't have a privacy law yet
5. Be cautious about weak federal proposals that could preempt stronger state laws