Skip to main content

States That Have Adopted U.S. Consumer Data Privacy Laws Similar to GDPR  

Cybersecurity and privacy concepts to protect data. Lock icon and internet network security technology. Businessmen protecting personal data on tablets and virtual interfaces.

While the U.S. does not currently have a federal data privacy law similar to GDPR, over 10 states have started to establish their own comprehensive regulations that safeguard consumers from some of the costly risks associated with data gathering and misusage. 

If an organization operates or targets consumers within any of these states, they will need to adhere to the stringent provisions outlined within these ever-evolving laws. 

Below is a list of all the states that have adopted consumer data privacy laws similar to GDPR. This list will be continuously updated as more states make the shift. 

List of States That Have Adopted U.S. Consumer Data Privacy Laws Similar to GDPR: 

  • California: Effective date Jan. 1, 2023. Outlines privacy rights and requirements for collecting and selling personal information of California consumers. 
  • Virginia: Effective date Jan. 1, 2023. Outlines rights of Virginia consumers to receive access to data gathered by organizations and provides ability to request that personal information be deleted. Also requires organizations to conduct data protection assessments. 
  • Connecticut: Effective date July 1, 2023. Outlines additional privacy protections for children. 
  • Colorado: Effective date July 1, 2023. Outlines provisions for the right to access, the right to correction, the right to delete, the right to data portability and the right to opt out of data collection. 
  • Utah: Going into effect Dec. 31, 2023. Outlines protections for the collection, deletion and sale of consumer data. 
  • Oregon: Going into effect July 1, 2024. Outlines provisions for the right to request a copy of data, request deletion of data and the right to opt out of sales of personal data. 
  • Texas: Going into effect July 1, 2024. Outlines provisions for the right to request a copy of data, request deletion of data, the right to opt out of sales of personal data and the right to appeal refusal of any of these prior requests. Also outlines that controllers must practice data minimization and avoid secondary uses. 
  • Montana: Going into effect Oct. 1, 2024. Outlines a limitation of the gathering of consumer data to only what is adequate and reasonably necessary. Also requires organizations to implement data security initiatives. 
  • Iowa: Going into effect Jan. 1, 2025. Outlines right to receive notice if an organization is gathering consumer data, request access to the data, delete the data and opt out of data gathering initiatives. 
  • Tennessee: Going into effect July 1, 2025. Outlines a limitation of the gathering of consumer data to only what is adequate and reasonably necessary. Also requires organizations to implement data security initiatives. 
  • Indiana: Going into effect Jan 1., 2026. Outlines a limitation of the gathering of consumer data to only what is adequate and reasonably necessary. Also requires organizations to implement data security initiatives. 
IT Security & Compliance Consultants: What Do They Do & How Do They Help?

Final Thoughts on States That Have Adopted U.S. Consumer Data Privacy Laws Similar to GDPR  

While some of these laws have not yet been enacted, it’s essential for organizations to do everything in their power to properly prepare and avoid potential fines down the line.

Many of these laws outline requirements for organizations to not only provide information for data gathering and usage but also require them to implement and document data privacy initiatives. 

As such, it can be beneficial to onboard a trusted partner to help your organization adhere to these new laws without overloading your employees or distracting from overall goal setting and achievement. 

Bridgepoint Consulting has a team of experts ready to help you with: 

  • Understanding which data privacy laws your organization must adhere to. 
  • Developing and integrating data privacy initiatives and properly allocating resources to drive project success and efficiency. 
  • Conducting company-wide risk, IT and cybersecurity assessments to identify and correct issues before they arise. 
  • Implementing stronger internal controls that safeguard your organization and customers from threats. 

Insights By

John Patrick

IT Manager, Risk & Compliance

John is an IT risk and compliance manager with deep experience across a multitude of skill sets, including cybersecurity and data protection policies, procedures and best practices, IT audit, security, risk, and compliance.

Recent Insights

Need Data Privacy Support?

At Bridgepoint Consulting, our team understands the key issues and ongoing security risks you face and will develop an effective and secure environment to safeguard your organization today and prepare you for the challenges of tomorrow.

Contact us today or learn more about how we can help at the link below.

IT Security & Compliance