UPDATED: Sept. 24, 2019

Where data privacy is lawA running list of states with passed, pending or dead data privacy legislation

By Samantha Ann Schwartz

The European Union launched GDPR in 2018, immediately casting the U.S. to the also-ran position when it comes to protecting consumer data rights.

Since GDPR went into effect, only California has successfully passed a comprehensive data privacy law. Just 14 states formally introduced a data privacy law and if it were up to big tech, the fewer the states, the better.

Companies are holding out for a federal privacy law, and for good reason. A federal data privacy law would streamline compliance across the 50 states and its territories. It would also allow companies to lobby on Capitol Hill.

A successful data privacy law allows for adequate consumer protection without stifling industry innovations; compliant companies should be able to answer these questions:

  • How is consumer data collected and used?
  • How is the data stored?
  • What are a company's ethics in terms of data collection?
  • What is the process for copying or deleting data upon verifiable request from consumers?

Here, CIO Dive tracks the states pursuing data privacy laws. For each state, there is a brief description of the law's requirements, its status and a link to the original law.

CIO Dive will mark a bill as "passed" if it clears legislative hurdles without significant modifications that detract from its intent as comprehensive data privacy legislation.

Want to know when a new state data privacy law is passed? Sign up for our newsletter to get an updated version of this tracker when a law surfaces. Have a question or comment? Email us.

Data privacy laws

  • Passed: 2
  • Pending: 6
  • Dead: 6


  • Pending
  • Passed
  • Dead
Back to Top