State Data Privacy Laws
Stay informed about your privacy rights with our comprehensive guide to state data privacy laws. This page provides a complete overview of the current data protection regulations across U.S. states, helping you understand how your personal information is safeguarded.
Whenever you engage in an online activity, organizations collect information about you. Consumers expect businesses to care for their data and safeguard it from bad actors. Data privacy laws exist to set standards on what an organization can and can’t do with the information it collects. They also provide a means for consumers to hold businesses accountable for failing to safely secure their data after a data breach.
In New York and nationwide, data privacy laws aim to protect consumers and their personal information from being accessed by unauthorized third parties. Data breaches can cause significant damage to victims’ lives, and identity theft is a real threat. Privacy laws in New York aim to prevent data breaches and give residents the information and access they need to protect themselves after a breach occurs.
In today’s world, major data breaches are a frequent occurrence, and Pennsylvania residents aren’t immune. These breaches can target your Social Security number, bank accounts, and even your genetic information.
Maryland’s data privacy laws are designed to protect residents from the misuse and unauthorized exposure of their personal information. With new legislation like the Maryland Online Data Privacy Act of 2024, businesses operating in the state must follow strict requirements for collecting, storing, and sharing consumer data. If you’re one of the many state residents who’ve gotten a notice regarding a data breach recently, you may be rightly worried about your data and concerned about your next step.
If an individual or business of any size steals or misuses your private data, your legal recourse might depend on the jurisdiction. Texas has become one of the most proactive states in protecting consumer privacy. From mandatory breach notifications to limits on how companies collect and use your data, Texas state law gives you clear protections and options to file a claim and pursue justice after a data breach.
Whether you are shopping online, scheduling an appointment, or just browsing a website, your personal details may be gathered and stored, sometimes without your full knowledge. Some data is anonymous, but other information like Social Security numbers, contact details, or purchase histories can be used to identify or harm you after a data breach.
In the United States, federal and state data privacy laws aim to protect consumers’ personal information from data breaches, which can lead to identity theft, fraud, extortion, and other crimes. State laws, like Illinois’ data privacy laws, carry much of this burden, as there is no comprehensive federal data breach response law. At Class Action U, our mission is to simplify the process of taking legal action after a data breach, connecting victims with our legal partners to join ongoing class actions or file individual lawsuits for the damages they’ve suffered after a breach.
Data breaches can be devastating for affected individuals and their families. Breaches are not only a violation of privacy but also an exposure to potential identity theft, extortion, and other harmful practices. Because of this, California has several laws in place to protect consumers and give them legal avenues for recourse in the event of a breach.
Florida’s data privacy laws protect consumers’ personal information, such as social security numbers and banking information, from unauthorized access. When data breaches occur, these laws also dictate how businesses or organizations must respond and notify consumers of the breach. Additionally, the law allows victims of data breaches to take legal action and recover damages for financial and emotional harm.
Indiana’s Consumer Data Protection Act, effective January 2026, grants consumers rights to access, correct, delete, and opt out of the sale of personal data. It also mandates breach notifications, offering protection against fraud and identity theft.
Missouri lacks a comprehensive data privacy law but has breach notification requirements under the Identity Theft Protection Act. Consumers may pursue compensation through class actions if their data is compromised.
Michigan has no comprehensive data privacy law but mandates breach notifications under federal and state laws. Victims can pursue legal action or class actions for compensation after data breaches.
Wisconsin requires data breach notifications within 45 days under state law. While lacking a broad privacy law, consumers can still seek compensation through class actions for breaches involving personal data.
Data privacy laws in New Jersey are designed to protect residents when companies collect, store, or share personal information. As more businesses rely on digital systems, the risk of data breaches, identity theft, and unauthorized access continues to grow. Several state laws shape New Jersey’s privacy policy laws.
North Carolina privacy laws help protect residents’ personal information in certain contexts, especially after data breaches and in the handling of specific categories of data. However, North Carolina does not currently have a comprehensive consumer privacy law that gives residents broad rights to access, delete, correct, or opt out of the sale or processing of personal data.
Virginia’s privacy laws help regulate how certain businesses collect, use, and share residents’ personal data. These laws are intended to increase transparency and give consumers more control over their information. If your personal information was exposed in a data breach, you may have legal options depending on the facts of your situation and the laws that apply.
Massachusetts takes a detailed approach to privacy and data protection, with a strong, security-focused framework. Victims of privacy violations in Massachusetts have the right to file a civil lawsuit. At Class Action U, our team of dedicated partners has handled numerous data privacy lawsuits.
New cases and investigations, settlement deadlines, and news straight to your inbox.
Georgia Data Privacy Laws
Several states have enacted major data privacy laws, including California and Virginia. Georgia may follow with new legislation that imposes restrictions on data collection and gives consumers greater control over their data.
One law under consideration recently in the state is the Georgia Privacy Protection Act. Its provisions include:
- Limitations on the collection and resale of consumer data
- Rights for consumers to decline collection of their personal data
- Penalties for organizations that fail to protect consumer data
The prospective law failed to pass the Georgia General Assembly’s 2025-2026 legislative session. However, it may be reintroduced next year.
New York State Data Privacy Laws
Data privacy laws are crucial to protect the identities, finances, and personal information of consumers across New York. The state takes a proactive stance on data protection to minimize the impact of data breaches on residents and businesses alike. Because there is no comprehensive federal law governing data privacy, many individual states, including New York, have established their own privacy laws to safeguard consumer data.
As of 2025, New York’s two main data privacy laws include the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) and the New York Personal Privacy Protection Law (PPPL). However, several other data privacy laws with more comprehensive protections are pending in the state legislature.
Pennsylvania Data Privacy Laws
Pennsylvania law currently requires businesses to have a detailed information security plan and provide prompt notifications for data breaches.
The Pennsylvania General Assembly is currently considering a privacy bill that would impose additional requirements on businesses and grant consumers greater rights over their data once it is collected.
Maryland Data Privacy Laws
Maryland’s data privacy laws require organizations to take steps to protect personal data and promptly notify consumers in the event of a breach. A new state law coming into force in 2025 and 2026 will place additional requirements on businesses and provide consumers with more rights regarding their data.
Texas State Data Privacy Laws
Texas has enacted several strong privacy laws that require businesses to protect consumer data and notify affected individuals if a data breach occurs. If your personal or sensitive information is compromised, these laws may give you the right to take legal action or join a class action lawsuit.
Ohio Data Privacy Laws
Several Ohio regulations protect consumers from the misuse of their sensitive data. These laws place strict requirements on how entities use your data and their responsibilities if a data breach occurs.
Illinois State Data Privacy Laws
In Illinois, three key laws protect residents’ personal information from unauthorized access and give consumers the right to take legal action if their information is not properly protected. State law protects several types of personal data, including traditional identifiers like Social Security numbers and driver’s license information, as well as other personal information like financial data, biometric data, and health information. Illinois’ three main data privacy laws include:
- The Illinois Personal Information Protection Act (PIPA)
- The Illinois Biometric Information Privacy Act (BIPA)
- The Illinois Insurance Data Security Law
California State Data Privacy Laws
California law requires businesses and government agencies to notify all California residents whose unencrypted personal information was acquired by an unauthorized person. The three main laws that protect consumer privacy in California are the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the California Data Breach Notification Law.
Florida State Data Privacy Laws
Under Florida law, businesses, government agencies, and third-party organizations must take reasonable steps to protect and secure consumers’ data if it contains personal information. Additionally, the law requires these entities to notify the government of any security breach affecting more than 500 people statewide within 30 days of discovering the breach. Businesses and organizations that experience data breaches must also provide notice within 30 days to affected individuals whose personal information was accessed. Violations of these laws qualify as unfair or deceptive trade practices.
Indiana Data Privacy Laws
The Indiana Consumer Data Protection Act (INCDPA), effective January 1, 2026, grants Indiana residents control over their personal data. It includes rights to access, correct, delete, and opt out of the sale of their data. Businesses must provide clear privacy notices and protect data from breaches. The law applies to businesses handling personal data of 100,000+ consumers or 25,000+ consumers if over 50% of their revenue comes from data sales. Sensitive data such as health, biometric, and geolocation info is given stronger protection. In case of a breach, businesses must notify affected individuals promptly. Indiana residents can take steps like credit monitoring or pursuing legal action if their data is compromised.
Missouri Data Privacy Laws
Missouri lacks a comprehensive consumer data privacy law but has several laws that offer privacy protections, especially in the event of a data breach. Key laws include the Missouri Data Breach Notification Law, which requires businesses to notify affected consumers of breaches involving personal information like Social Security numbers or medical data. The Missouri Social Security Number Protection Law restricts the public use and display of Social Security numbers, while the Missouri Student Data Privacy Law mandates breach notifications to parents if student data is compromised. The Insurance Data Security Act, effective January 2026, sets standards for insurance companies’ cybersecurity. While Missouri’s laws offer some protections, they are less comprehensive than those in states like California and Illinois. After a breach, Missouri consumers can take steps like credit monitoring and pursue compensation through lawsuits or class actions.
Michigan Data Privacy Laws
Michigan currently lacks a comprehensive data privacy law but requires businesses to follow federal regulations and state-specific laws like the Identity Theft Protection Act (ITPA), which mandates breach notifications. Michigan businesses must notify residents if their unencrypted personal data is compromised, unless the breach is deemed unlikely to cause harm. Proposed bills, such as Senate Bill 359, could introduce more consumer protections, including consent requirements for data collection and privacy notices. Victims of data breaches may pursue compensation through class action lawsuits or other legal avenues. In the event of a breach, Michigan consumers should verify the compromised data, use credit monitoring services, and explore legal options for compensation.
Wisconsin Data Privacy Laws
Wisconsin lacks a comprehensive data protection law but offers basic privacy protections through various state statutes and federal regulations. Businesses must notify consumers within 45 days of a data breach involving unencrypted personal information, such as Social Security numbers, financial details, and biometric data. Exceptions apply to sole proprietorships, federally regulated entities, and healthcare providers. While Wisconsin does not have a broad consumer privacy law, the Wisconsin Data Privacy Act, proposed in 2023, aimed to address consumer data rights but was not passed. Victims of data breaches can seek compensation through class action lawsuits or other legal avenues. Wisconsin consumers should take steps like credit monitoring, freezing their credit, and reviewing breach notices to protect themselves.
New Jersey Privacy Policy Laws
Several state data privacy laws govern how businesses collect, store, and disclose personal information. These laws require companies to implement security measures, limit unauthorized access, and notify consumers when a data breach occurs.
Key areas covered include:
- Data security practices that require businesses to secure consumer data
- Data breach notification requirements that require companies to inform affected consumers when their information is exposed
- Consumer protections related to identity theft and misuse of personal data
Understanding these laws can help consumers recognize when their personal information may be at risk and when legal action may be an option.
North Carolina Privacy Policy
North Carolina does not currently have a comprehensive consumer privacy law that gives residents broad rights to access, correct, delete, or opt out of the sale or processing of personal data, though legislation has been proposed as of early 2026. Instead, North Carolina law focuses mainly on specific protections, including restrictions on the use of Social Security numbers, secure disposal of certain personal information, and notification duties after a qualifying security breach. If a business violates the state’s breach-notification law and a consumer is injured as a result, remedies may be available under North Carolina law.
Virginia Privacy Policy Laws
The Virginia Consumer Data Protection Act (VCDPA) is a state privacy law that gives Virginia residents certain rights regarding their personal data and imposes obligations on covered businesses. In general, the law applies only to businesses that meet certain statutory thresholds.
The VCDPA grants Virginia residents several rights regarding their personal data, including the following:
- Right to Access: Consumers can confirm whether a business is processing their personal data and access that data.
- Right to Correct: Consumers can request correction of inaccuracies in their personal data, taking into account the nature of the data and the purposes of processing.
- Right to Delete: Consumers can request deletion of personal data provided by or obtained about them, subject to applicable exceptions.
- Right to Data Portability: Consumers can obtain a copy of personal data they previously provided to the business in a portable and, to the extent technically feasible, readily usable format.
- Right to Opt Out: Consumers can opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
Massachusetts Privacy Policy Laws
Under Massachusetts law, organizations that experience a qualifying breach involving personal information must comply with notice requirements.
- Notification to Affected Residents: Notice must be given as soon as practicable and without unreasonable delay, subject to the needs of law enforcement and measures necessary to determine the scope of the breach and restore the integrity of the system. Massachusetts law also places limits on the contents of the consumer notice.
- Notification to State Authorities (the Massachusetts Attorney General’s Office and the Massachusetts Office of Consumer Affairs and Business Regulation): A business may also be required to notify state regulators and provide information such as the nature of the breach, the number of Massachusetts residents affected, and the steps taken in response.
- California State Data Privacy Laws
- Florida State Data Privacy Laws
- Georgia State Data Privacy Laws
- Illinois State Data Privacy Laws
- Indiana Data Privacy Laws
- Maryland Data Privacy Laws
- Massachusetts Privacy Policy Laws
- Michigan Data Privacy Laws
- Missouri Data Privacy Laws
- New Jersey Privacy Policy Laws
- New York State Data Privacy Laws
- North Carolina Privacy Policy
- Ohio Data Privacy Laws
- Pennsylvania Data Privacy Laws
- Texas State Data Privacy Laws
- Virginia Privacy Policy Laws
- Wisconsin Data Privacy Laws