China Data Protection Laws 2025 Update
Regarding the non-profit exemption, Maryland’s law only exempts non-profit controllers that process personal data solely for the purposes of assisting (i) law enforcement investigating criminal or fraudulent insurance acts, or (ii) first responders for catastrophic events. Other non-profits may fall within scope of the law, but further guidance is necessary. Connecticut, Maryland, Nevada and Washington have enacted consumer health data privacy laws, with additional laws pending in other states. The laws require covered entities like health apps to develop more robust data privacy policies and require additional consent before disclosing some health data, according to law firm Hunton Andrews Kurth. Data privacy laws passed by the states are designed primarily to protect consumers, the data subjects from whom businesses and other organizations collect personal data.
Even before a possible sale goes through, Prince, the law professor, said she wonders how many people know what data 23andMe already shares and with whom. For example, the company has given over anonymized data to the pharmaceutical giant GSK for years to help it develop new drugs. “Often, if there’s so much personal data that a group has, it’s maybe in a hospital setting or a research setting and can be governed by more meaningful safeguards,” said Suzanne Bernstein, counsel at the nonprofit Electronic Privacy Information Center. Pairing regulator fine data with Shufti’s onboarding analytics reveals how policy priorities are reshaping market behaviour, fraud typologies, and compliance lead times. Before we dive into what’s new, let’s briefly recap the pillars of China’s fast‑evolving data‑governance regime and why each statute and its 2025 refinements matters for multinationals that collect, store, or simply touch Chinese personal information today.
It applies to entities that conduct business in New Jersey or create products or services targeting New Jersey residents, and includes provisions on consumer rights and opt-out options, as well as controller and processor security requirements. The Indiana Consumer Data Protection Act, which goes into effect Jan. 1, 2026, outlines consumer rights and requirements for data protection, including data access, correction and deletion, and the ability to opt out of targeted advertising. Over the past decade, dozens of laws, regulations, statutes and other guidance have been issued on data protection and privacy by the U.S. federal government, states and local municipalities, and international governments and legislative bodies. Passed in 2018 and known as the strictest data privacy law in the country, the CCPA applies to a business that collects personal information about consumers and outlines specific rights consumers have. The CCPA was updated with a second act—the California Privacy Rights Act—which was passed in 2020 and took effect in 2023. This extended the rights of consumers to include the right to correct inaccurate data a business collected about them and the right to limit the use and disclosure of sensitive data.
Step 3: Tighten Up Security In A Practical, “Small Business-Friendly” Way
Texas CUBI and Washington HB 1493 also have standalone biometric laws but are enforced only by the attorney general. Many comprehensive state privacy laws classify biometric data as “sensitive data” requiring opt-in consent. The federal track includes HIPAA for healthcare data, GLBA for financial data, COPPA for children under 13, and the FTC Act for unfair or deceptive data practices. These laws are powerful within their scope but leave vast categories of personal data unregulated at the federal level. Our Master of Legal Studies (MLS) in Cybersecurity empowers non-lawyers with the essential legal, risk management, and technical expertise to protect private and public sector organizations. You’ll learn to identify, assess, and mitigate cyber risks—ultimately developing cybersecurity strategies that safeguard business operations and sensitive data and position you as a critical asset in today’s digital world.
- This means that the jurisdiction in which a company is incorporated may influence data sovereignty, but only in light of the specific factual circumstances involved.
- Peru’s amended law imposes even stricter mandatory data breach notification requirements, requiring notifications within 48 hours, along with enhanced security obligations for covered entities that process personal data.
- Smith Anderson’s Data Privacy team has extensive experience guiding businesses through complex privacy and security compliance challenges.
Mitigating Heightened Risk for Businesses Nationwide
Given the importance of data privacy and protection, expect more states to officially enact data privacy laws, most likely built on the foundation laid by California and other states that have been at the forefront of consumer protection. A notable trend to consider is that businesses operating in multiple states will encounter increased challenges in complying with each state’s privacy laws. It provides consumer rights and describes business data protection assessments and security measures. Signed into law in 2023, the Iowa Consumer Data Protection Act went into effect Jan. 1, 2025. While no national legislation exists, many U.S. states have enacted their own data privacy laws, including California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah and Virginia. In addition, more than half of U.S. states have proposed or passed some form of targeted legislation citing the use of AI in political campaigns, schooling, crime data, sexual offenses and deepfakes.
Which states have comprehensive data privacy laws?
For businesses operating nationally, that patchwork means navigating multiple, sometimes conflicting, rules. The Nebraska Data Privacy Act, which went into effect on Jan. 1, 2025, addresses key aspects of data privacy and protection for businesses that do business in Nebraska or its residents, or process or sell personal data. The Colorado Privacy Act, in effect since 2023, grants consumers rights to manage their personal data and specifies how businesses must protect personal data. US privacy laws will continue to expand as states fill the gaps left by federal laws.
No Data Protection Assessment Requirement
When the CCPA was drafted, there were fewer models than when other U.S. state data privacy legislation was in progress. However, the EU’s GDPR was already in effect in 2018 when the CCPA was passed. The Gramm-Leach-Bliley Act (GLBA) applies to financial institutions, broadly defined. A financial institution, in this case, is not just a bank; it could be any company engaged in lending or financial services. GLBA’s Privacy Rule and Safeguards Rule require those entities to protect non-public personal information and issue annual privacy notices to consumers. The Federal Trade Commission (FTC) enforces many of these provisions and has increased penalties for violations.
Universal Consumer Rights
Pakistan’s main cybercrime law, the Prevention of Electronic Crimes Act 2016 (PECA), punishes identity theft and unauthorised data access, but it is not a full-fledged privacy statute. PECA’s Section 16, for example, bans obtaining or selling another’s “identity information” without consent, but the law contains few positive rights or detailed safeguards for everyday data handling. The bill would require data brokers to register in a database and includes a provision that would permit consumers to obtain a copy of their personal data in a format that is both portable and usable. The second half of 2024 welcomed new data privacy laws from Cameroon, Ethiopia, Malawi, the Republic of Moldova and the Vatican City. Other countries, such as Botswana, Chile, Malaysia, Monaco, Turkey, Peru and Vietnam, made notable amendments, replacements or implementing provisions to their data privacy laws. Many of these brought the countries’ data privacy frameworks into alignment with other international standards, such as the EU General Data Protection Regulation.
- Illinois BIPA is the most significant, providing a private right of action with damages of $1,000 to $5,000 per violation.
- The board rejected an offer she made earlier this month, according to a press release.
- A federal bill would have to resolve whether it would preempt state laws or include a private right of action, which would allow individuals and organizations to sue over violations, even in the absence of regulatory enforcement, Levine said.
- As part of this exercise, organizations should map data flows and identify service providers that may be subject to foreign legal regimes.
- Those laws typically let users request that the companies delete their data and require law enforcement agencies to get a warrant or subpoena to access genetic information, Prince said.
- The European Commission proposed the European Biotech Act, which includes targeted amendments affecting personal data processing in health biotechnology contexts.
The State Privacy Landscape Shifts from Legislation to Enforcement
The EU-US Data Privacy Framework governs the transfer of data between the US and the European Union. International data transfers must respect the rights of the data subject and protect private information, meeting both US and European data security laws. Each state privacy law contributes to a growing patchwork of state privacy laws, with varying scopes, enforcement mechanisms, and rights for individuals. Beyond these standalone laws, most comprehensive state privacy statutes classify biometric data as “sensitive data” requiring opt-in consent before collection, including California, Colorado, Connecticut, Virginia, Oregon, Delaware, Maryland, and Minnesota.
Can companies face criminal charges for violating any of the US state privacy laws?
Organizations that frame privacy as strategic rather than reactive will have the advantage when the next markup lands or the next deal requires a clean data story. This key should be used to encrypt all sensitive information sent to the Cyber Command Center. For communications requiring public key encryption, please make sure this key is in your key ring. “Everybody’s worried about what a new company can do with the data — and that is a concern — but frankly some of the things that people are worried about, 23andMe already can do or already does,” Prince said. Bernstein of the Electronic Privacy Information Center said any concerned 23andMe customers should delete their data, request that their saliva sample be destroyed and revoke any permissions they may have given to use their genetic information for research.
CFPB Notifies Court it Cannot Lawfully Draw Funds from the Federal Reserve
This count excludes sector-specific laws, like Washington’s My Health My Data Act, or those with limited applicability, such as Florida’s Digital Bill of Rights. The 140-page draft APRA details specific standards and processes regarding data privacy. The map tracks the status of statutes and bills that are enacted or in the legislative process. This tool tracks comprehensive US state privacy bills to help our members stay informed of the changing state privacy landscape. The tracker only includes bills intended to be comprehensive approaches to governing the use of personal information. A discussion draft of the American Privacy Rights Act (APRA) was released in April 2024.





















