top of page
Search
  • Anna Claire Trahan

A Guide to U.S. Consumer Privacy Laws

Updated: Jun 25



Since California first passed its 2018 consumer privacy laws, 20 other states since followed suit. Most states passed a “copy-cat” version of California’s Consumer Privacy Act of 2018. However, a few went rogue, changing the game on enforcement and applicability, and even increasing statutory penalties. For all businesses with an online presence, see below and pay special attention to Florida, Maryland, and Washington State as some states are permitting private citizens the right to sue violators directly.

 

California

Enforcement: Exclusively enforced by the state Attorney General.

Penalties: Consumers may seek an injunction and/or recover statutory damages not less than $100.00 and no greater than $750.00 per consumer per incident or actual damages, whichever is greater. The Attorney General may seek injunction and get civil penalties of up to $7,500.00 per intentional violation or $2,500.00 per unintentional violation.

Effective Date: Currently Effective.

 

Colorado

Enforcement: Attorney General and district attorneys concurrently responsible for enforcement.

Penalties: A violation is deemed a deceptive trade practice. Attorney General or district attorney must issue a notice of violation to the controlled if a cure is deemed possible.  

Effective Date: Currently effective.

Amendments: (Takes effect August 6, 2024) April 17, 2024, Colorado enacted HB1058 which amends the CPA and makes Colorado the first state to explicitly extend the protections of state comprehensive privacy law to neural data. Neural data is “information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems that can be processed by or with the assistance of a device.”

 

Connecticut

Enforcement: Exclusively enforced by the state Attorney General.

Penalties: Attorney General shall issue a notice of violation to the offending party and determine if a cure is possible or not. Failure to cure such violations within 60 days of receipt of the notification constitutes a violation of the unfair trade practices act.

Effective Date: Currently Effective.

 

Delaware

Enforcement: Exclusively enforced by the state Attorney General.

Penalties: Violation shall be deemed an unlawful practice under §2513 of Chapter 25 (Prohibited Trade Practices) of the title and a violation of Subchapter II of Chapter 25 (Consumer Fraud) of the title.  

Effective Date: January 1, 2025 

 

Florida

Enforcement: Exclusively enforced by the state Attorney General.

Penalties: Department may collect a civil penalty of up to $50,000.00 per violation of this section. Civil penalties may be tripled for any violation involving a Florida child when the online platform has actual knowledge that the child is under 18 years of age.

Effective Date: July 1, 2024

Interesting Elements: Only regulates companies that make more than $1 billion in gross annual revenues and derive more than half their revenue from online ads. Also allows consumers to opt out of collection of personal data collected through voice recognition or facial recognition.

 

Indiana

Enforcement: Exclusively enforced by the state Attorney General.

Penalties: Attorney General may initiate an action in the name of the state and may seek an injunction and a civil penalty not to exceed $7,500.00 for each violation and recover reasonable expenses incurred.

Effective Date: January 1, 2026

 

Iowa

Enforcement: Exclusively enforced by the state Attorney General.

Penalties:­­ Attorney General may investigate and seek injunctions and civil penalties up to $7,000.00 per violation. 

Effective Date: January 1, 2025

Interesting Elements: Does not grant consumers the right to delete or correct data collected by third parties.

 

Kentucky

Enforcement: Exclusively enforced by the state Attorney General.

Penalties: Damages up to $7,500.00 for each continued violation and Attorney General may additionally collect reasonable expenses incurred.

Effective date: January 1, 2026

 

Maryland

Enforcement: Exclusively enforced by the state Attorney General.

Penalties: Violations treated as an unfair, abusive, or deceptive trade practices and subject to the enforcements of title 13.

Effective Date: October 1, 2025

Interesting Elements: Permits a private right of action for consumers.

 

Minnesota

Enforcement: Exclusively enforced by the state Attorney General.

Penalties: Any data controller or processor that violates this chapter is subject to an injunction and liable for a civil penalty of not more than $7,500.00 for each violation and Attorney General may collect litigation expenses incurred.

Effective Date: July 31, 2025

Interesting Elements: Does not exempt non-profit organizations, unless they are established to detect and prevent fraudulent acts in connection with insurance.

 

Montana

Enforcement: Exclusively enforced by the state Attorney General.

Penalties: If the court finds that a person is willfully using or has willfully used a method, act, or practice declared unlawful by 30-14-103, the department, upon petition to the court, may recover on behalf of the state a civil fine of not more than $10,000.00 for each violation.

Effective Date: Currently Effective.

 

Nebraska

Enforcement: Exclusively enforced by the state Attorney General.

Penalties: a person found in violation following the cure period or who breaches the written statement provided by the Attorney General is liable for a civil penalty in an amount not to exceed $7,500.00 for each violation.

Effective Date: January 1, 2025             

 

New Hampshire

Enforcement: Exclusively enforced by the state Attorney General.

Penalties: Violation constitutes an unfair method of competition or any unfair or deceptive act or practice in the conduct of any trade or commerce within this state under RSA 358-A:2 and shall be enforced by the Attorney General.

Effective Date: January 1, 2025

 

New Jersey

Enforcement: Exclusively enforced by the state Attorney General.

Penalties: Non-compliance will constitute a violation of the New Jersey Consumer Fraud Act.

Effective Date: January 15, 2025

 

Oregon

Enforcement: Exclusively enforced by the state Attorney General.

Penalties: Attorney General may bring an action to seek a civil penalty of not more than $7,500.00 for each violation or to enjoin a violation or obtain other equitable relief.

Effective Date: July 1, 2024 

Interesting Elements: Contains additional exclusions for certain businesses not commonly seen in other states.

 

Tennessee

Enforcement: Exclusively enforced by the state Attorney General.

Penalties: ­­­Civil penalties up to $15,000.00 for each violation. Appropriate relief may be awarded to each identified consumer affected by a violation, regardless of whether actual damages were suffered. If the court finds the controller or processor willfully or knowingly violated this part, then the court may award treble damages. Attorney General may additionally recover reasonable expenses incurred. 

Effective date: July 1, 2025 

 

Texas

Enforcement: Exclusively enforced by the state Attorney General.

Penalties: Civil penalty in an amount not to exceed $7,500.00 for each violation. Attorney General may bring an action to recover a civil penalty, restrain or enjoin the person from violating this chapter, or recover the civil penalty and seek injunctive relief. Attorney General may additionally recover reasonable expenses incurred and attorney’s fees.

Effective Date: Currently Effective

 

Utah

Utah Consumer Privacy Act §13-61-101 to §13-61-404

Enforcement: Exclusively enforced by the state Attorney General.

Penalties: Attorney General may recover actual damages to the consumer; and for each violation, an amount not to exceed $7,500.00. 

Effective Date: Currently Effective.

 


Virginia

Enforcement: Exclusively enforced by the state Attorney General.

Penalties: If the controller or processor continues to violate or breaches an express written statement, the Attorney General may initiate an action and seek an injunction to restrain any violations and civil penalties up to $7,500.00 for each violation. The Attorney General may also recover reasonable expenses incurred during investigating and preparing the case and attorney fees. 

Effective Date: Currently Effective.

 

Washington

Enforcement: Attorney General is authorized to enforce this act. Private right of action is also granted for unfair or deceptive acts in trade or commerce and unfair methods of competition.

Penalties: A violation of this act may result in damages of up to $7,500.00 per violation as well as additional damages, capped at $25,000.00.  

Effective Date: Currently Effective

Interesting Elements: Applies to any entity, including non-profits, that conduct business in Washington or provides products and services to consumers in Washington and, alone or jointly with others, determined the purpose and means of collecting, processing, sharing, or selling consumer health data. Applies to any entity doing business in the state involved in health data collection.

 

 

35 views0 comments

Recent Posts

See All

Comments


Post: Blog2_Post
bottom of page