privacy laws

Navigating the Maze: An In-Depth Look at U.S. State Data Privacy Laws

The Maine Data Privacy and Protection Act (MDPPA) takes effect July 1, 2025, providing robust consumer rights and imposing stringent obligations on businesses handling personal data. This analysis explains key compliance requirements, regulatory scope, and practical implementation strategies.

Compliance Hub

Compliance Hub

26 min read
Navigating the Maze: An In-Depth Look at U.S. State Data Privacy Laws
Photo by NASA / Unsplash

The landscape of data privacy in the United States is rapidly evolving, moving beyond the scope of federal regulations like the Health Insurance Portability and Accountability Act (HIPAA) to encompass a growing number of state-specific laws. While resources exist to understand federal rules, navigating the complexities of individual state privacy laws presents a significant challenge for businesses striving to maintain compliance, prevent data breaches, and make informed decisions about data sharing. This article delves into the key aspects of these state regulations, drawing on expert surveys and recent legislative updates to provide a comprehensive overview for your compliance website.

The Rising Tide of State Privacy Legislation

Since the enactment of the California Consumer Privacy Act (CCPA) in 2018, states have increasingly taken the initiative to establish their own comprehensive consumer data privacy laws. This trend reflects a broader movement where states are acting as "laboratories of democracy," experimenting with different approaches to protect the personal information of their residents. Privacy professionals face the ongoing challenge of balancing compliance with the existing ensemble of effective laws while integrating newly enacted ones.

Defining the Scope: Personal Information and Covered Entities

Understanding the definitions and scope of state privacy laws is fundamental to compliance. While some states, particularly in the context of health information, align their definitions with HIPAA's definition of Protected Health Information (PHI), others have broader definitions of "personal information." For instance, California defines "Personal Information" as a person's first name (or initial) and last name in combination with sensitive data points like a Social Security number, driver’s license number, or financial account access information. Similarly, Colorado defines "Personal Information" to include a resident’s name plus their Social Security Number, driver’s license number, medical information, health insurance number, or other specified data. Virginia, while addressing health-related data, uses the term "medical information" with its own specific definition. Delaware's breach notification statute also includes a broad definition of "Personal information".

Global Privacy & Compliance Explorer
Interactive map for exploring global privacy regulations and compliance requirements. Navigate GDPR, CCPA, PIPEDA, and more.
Interactive Regulatory MapLovable

The applicability of these laws typically extends to persons that conduct business in the Commonwealth or produce products or services targeted to residents and meet certain thresholds related to the volume of personal data processed. For example, the Virginia Consumer Data Protection Act (CDPA) applies to entities that, during a calendar year, control or process personal data of at least 100,000 consumers, or control or process data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data. It's also important to note that many state laws include exemptions, such as for entities already subject to and compliant with HIPAA. Furthermore, some reports indicate specific carve-outs for financial institutions in certain state data privacy laws. Montana's recently enacted Montana Consumer Data Privacy Act (MCDPA), effective October 1, 2024, is a comprehensive privacy law that exempts protected health information under HIPAA but regulates a variety of "personal data" and "sensitive data".

Empowering Individuals: Consumer Rights Under State Laws

A cornerstone of these state privacy laws is the establishment of various consumer rights designed to provide individuals with greater control over their personal data. These rights often include:

  • The Right to Know/Access: Consumers have the right to confirm whether a controller is processing their personal data and to access that data.
  • The Right to Correct Inaccuracies: Individuals can request the correction of inaccurate personal data held by businesses.
  • The Right to Delete: Consumers generally have the right to request the deletion of personal data they have provided or that has been obtained about them. However, there can be exceptions to this right in certain circumstances. For example, New York's proposed privacy act (S3044) outlines specific scenarios where a controller is not required to comply with a deletion request, such as for accounting functions, processing refunds, product recalls, fulfilling warranty claims, or for public interest scientific research under specific conditions.
  • The Right to Data Portability: Consumers may have the right to obtain a copy of their personal data in a portable and readily usable format.
  • The Right to Opt-Out: This crucial right allows consumers to opt out of the processing of their personal data for specific purposes, including targeted advertising, the sale of personal data, and profiling. Recent reports suggest that many companies may be struggling to fully honor these opt-out requests, highlighting the need for robust mechanisms. New York's proposed bill (S3044) specifies conditions under which a controller may not sell personal data to third parties as part of loyalty programs if a consumer has exercised their opt-out rights, emphasizing clear disclosure and limited use by the third party.
  • Universal Opt-Out Mechanisms: Some states, like Colorado, are recognizing and implementing standards for Universal Opt-Out Mechanisms, aiming to simplify the process for consumers to express their privacy preferences across different platforms.
AI Security Risk Assessment Tool
Systematically evaluate security risks across your AI systems
AIRiskAssess.comAIRiskAssess Team

Businesses must establish clear procedures for consumers to exercise these rights and respond to their requests within specified timeframes. For instance, data controllers in Colorado and under New York's proposed law are generally required to respond within 45 days of receiving a request, with the possibility of a one-time extension if reasonably necessary, provided the consumer is informed of the delay. If a request is denied, the controller must provide a written justification for the denial. Authentication of the consumer's identity may also be required before fulfilling a request.

State privacy laws impose several key obligations on businesses that handle personal data. These include:

  • Implementing Comprehensive Privacy Policies: Businesses are required to maintain and provide clear and easily accessible privacy policies that inform consumers about their data collection, use, and sharing practices, as well as their rights. Minnesota has a unique requirement to include data retention policies in privacy notices, while Maryland mandates third-party notices if data is used or shared inconsistently with the original disclosures.
  • Establishing Procedures for Responding to Consumer Requests: As mentioned earlier, businesses must have processes in place to receive, verify, and respond to consumer rights requests within the legally mandated timeframes.
  • Maintaining Reasonable Data Security: Organizations are expected to implement and maintain reasonable security measures to protect the confidentiality, integrity, and availability of personal data. New York's SHIELD Act, for example, outlines requirements for safeguards for confidential information.
  • Executing Data Processing Agreements: When engaging third-party service providers or "processors" to process personal data on their behalf, controllers are typically required to enter into written contracts that clearly outline the instructions for processing data, the nature and purpose of processing, the types of data involved, the duration of processing, and the rights and obligations of both parties. These contracts must also include stipulations that processors ensure confidentiality, implement adequate security measures, process data only as instructed, not combine data received from different controllers, assist with consumer rights requests, and allow for audits by the controller.
  • Conducting Data Protection Assessments: Some state laws may require businesses to conduct data protection assessments for processing activities that pose a heightened risk to consumers.
  • Obtaining Consent for Sensitive Data: Many state laws require businesses to obtain explicit opt-in consent before processing sensitive categories of personal data.
CISO Marketplace

Safeguarding Data: Breach Notification Requirements

State laws also mandate specific procedures for notifying individuals and relevant authorities in the event of a data breach involving personal information. The definition of "personal information" that triggers these notification requirements can vary. Generally, notification must be made in the most expedient time possible and without unreasonable delay. For example, Alabama requires reporting to affected individuals as soon as possible and notification to the Attorney General within 45 days if more than 1,000 individuals are affected. California has detailed requirements for the content of security breach notifications. Delaware's law applies to entities that own, license, or maintain computerized data containing personal information of Delaware residents. Importantly, a "good faith acquisition" of personal information by an employee for legitimate business purposes is often not considered a breach, provided there is no further unauthorized disclosure. Florida mandates that business associates who experience a breach of health records must notify the covered entity within 10 days.

Enforcing the Rules: Penalties and Oversight

Enforcement of state data privacy laws is typically the responsibility of the state Attorneys General. These authorities can issue notices of violation and initiate legal actions to address non-compliance. For instance, Connecticut's Attorney General's Office has been actively issuing "cure notices" to companies for potential violations of the Connecticut Data Privacy Act (CTDPA). Colorado's Attorney General announced the launch of CPA enforcement in July 2023. New York's proposed bill (S3044) empowers the Attorney General to bring actions to enjoin violations, obtain restitution and disgorgement of profits, and impose civil penalties of up to $20,000 per violation, with each instance of unlawful processing counting as a separate violation, and unlawful processing of data for multiple consumers counting as a separate violation for each consumer. Alabama imposes penalties of up to $5,000 per day for violating notification provisions, and Maine can levy penalties up to $5,000 for intentional violations, with higher penalties for repeated offenses by practitioners and facilities. While some laws, like North Carolina's, do not provide a private right of action for individuals unless they have suffered injury as a result of the violation, the increasing trend is towards active regulatory scrutiny and enforcement collaboration among states.

https://cyberinsurancecalc.com/

The increasing number and varying requirements of state data privacy laws create significant compliance challenges for organizations operating across multiple states. The differences in consumer rights, definitions, nuances, and exceptions necessitate a careful and tailored approach to compliance. Organizations must thoroughly evaluate their obligations under each applicable state law and determine if any exemptions apply.

To effectively navigate this complex landscape, organizations should consider the following best practices:

  • Develop a Comprehensive Compliance Framework: Implement a unified framework that addresses the core requirements of all applicable state privacy laws.
  • Prioritize Transparency: Ensure privacy policies are clear, comprehensive, and easily accessible to consumers.
  • Establish Robust Mechanisms for Consumer Rights Requests: Implement efficient and effective processes for receiving, authenticating, and responding to consumer requests within the required timeframes.
  • Strengthen Data Security Measures: Implement and regularly update security safeguards to protect personal data from unauthorized access and breaches.
  • Conduct Thorough Due Diligence on Third-Party Processors: Ensure that contracts with processors meet the legal requirements and include appropriate data protection obligations.
  • Stay Informed About Regulatory Updates: Continuously monitor new legislation, enforcement actions, and guidance issued by state Attorneys General.
  • Foster Collaboration with Regulators: Approach investigations collaboratively to facilitate open communication and potentially mitigate escalation.
  • Focus on Proactive Compliance: Actively work towards compliance to minimize the risk of enforcement actions.
Global Privacy & Compliance Explorer
Interactive map for exploring global privacy regulations and compliance requirements. Navigate GDPR, CCPA, PIPEDA, and more.
Interactive Regulatory MapLovable

Looking Ahead: The Evolving Privacy Landscape

The U.S. state data privacy landscape is expected to continue evolving, with new laws taking effect and amendments being introduced. For example, Colorado's HB 1130, passed in 2024 and effective July 1, 2025, amends the CPA to create new obligations for entities collecting biometric data. Staying abreast of these developments is crucial for maintaining ongoing compliance.

The landscape of U.S. consumer data privacy regulations is characterized by a growing number of state-specific laws, leading to significant distinctions in consumer rights and business obligations. While many states share common goals, the specifics of their regulations vary considerably.

Here are some key distinctions in consumer data privacy rights across different state regulations:

  • Core Consumer Rights: Most state privacy laws grant consumers core rights such as the right to access, correct, and delete their personal data, as well as the right to data portability and the right to opt out of the sale of their personal data and targeted advertising. However, the specifics and scope of these rights can differ. For instance, the right to correct data is not included in the privacy laws of Utah and Iowa. Indiana's rights to data portability and correction are limited to personal data provided by the consumer.
  • Right to Opt Out of Profiling: Many states provide the right to opt out of profiling, but some laws, like Connecticut's, specify that this applies to solely automated decisions. Minnesota introduces a new right to contest automated profiling, requiring businesses to explain profiling results.
  • Right to Know Third Parties: Oregon and Delaware's laws allow consumers a "right-to-know" the specific third parties or categories of third parties with whom their personal data is shared. This level of detail is not consistently required across all state laws, as Connecticut's law currently only requires the identification of the "categories" of data and third parties.
  • Recognition of Universal Opt-Out Mechanisms: Several states, including California, Colorado, Connecticut, and Texas, mandate that businesses honor universal opt-out signals like the Global Privacy Control (GPC), allowing consumers to opt out at the browser level. Other states may provide more flexibility in this regard, leading to inconsistencies in enforcement. A study in early 2025 indicated that many companies might still be ignoring these opt-out requests.
  • Rights Related to Sensitive Data: State laws vary in their approach to sensitive data, which often includes genetic and biometric data, precise geolocation data, and in some cases, health information. The requirement for obtaining opt-in consent before processing sensitive data is common, but the specific categories of data and the stringency of consent can differ. For example, Maryland prohibits the sale of children's data.
  • Private Right of Action (PRA): A significant point of divergence is the inclusion of a private right of action, allowing individuals to sue companies for privacy violations. Currently, California's CCPA has a limited PRA for data breaches, but many newer comprehensive privacy laws do not include a PRA. The Electronic Frontier Foundation (EFF) emphasizes that the absence of a PRA can weaken consumer protections.
CISO Marketplace

Key distinctions in business obligations across different state regulations include:

  • Applicability Thresholds: State privacy laws have different thresholds for which businesses they apply to, often based on a combination of factors such as the volume of personal data processed and revenue derived from selling personal data. For example, Delaware and New Hampshire have lower thresholds (processing data of 35,000 consumers) compared to the 100,000 consumer threshold seen in states like Iowa, New Jersey, Colorado, Connecticut, and Virginia. Nebraska's law applies to businesses operating in the state that are not defined as small businesses under federal law, regardless of data processing volume or revenue.
  • Data Minimization: While most laws include a principle of limiting data collection to what is necessary, Maryland's Online Data Privacy Act (MODPA) introduces a stricter "strictly necessary" standard for processing sensitive data.
  • Privacy Notice Requirements: All state laws require businesses to provide privacy notices to consumers, detailing their data practices. However, the specific content requirements can vary. For instance, Minnesota uniquely requires businesses to include data retention policies in their privacy notices, and Maryland mandates a third-party notice if data is used or shared inconsistently with the original disclosures.
  • Data Protection Assessments (DPAs) or Risk Assessments: Several states, including Colorado and Virginia, require businesses to conduct and document data protection assessments for processing activities that present a heightened risk to consumers, such as targeted advertising and profiling.
  • Vendor Management and Processor Obligations: State laws outline obligations for controllers when engaging data processors and, to varying degrees, impose direct obligations on processors themselves. Contracts between controllers and processors are typically required to define their respective responsibilities.
  • Handling Consumer Rights Requests: Businesses are obligated to establish mechanisms for consumers to exercise their rights and to respond to these requests within specified timeframes. However, the statutory response periods and the possibility of extensions can differ between states.
  • Opt-Out Mechanisms and Consent Practices: Businesses must implement mechanisms for consumers to opt out of data sales and targeted advertising and obtain consent for processing sensitive data. The specific requirements for these mechanisms and the validity of consent can vary. Some states require opt-in consent for certain processing of minors' data.
  • Exemptions: State laws often include entity-level exemptions (e.g., for non-profits or entities subject to other federal laws like HIPAA and GLBA) and data-level exemptions (e.g., for data governed by HIPAA or FCRA). However, the scope of these exemptions can differ; for instance, California and Oregon's GLBA and HIPAA exemptions are limited to data covered under those laws, unlike Connecticut's blanket exemptions.
  • Enforcement and Penalties: Enforcement of state privacy laws is typically carried out by the state Attorney General. California also has a dedicated privacy agency, the California Privacy Protection Agency (CPPA). Penalties for non-compliance can vary significantly, as seen with Colorado's potential penalties of up to $20,000 per violation and Delaware's up to $10,000 per violation. Some states provide a cure period for violations, although this may be temporary or at the discretion of the enforcing agency.
GeneratePolicy.com - AI Security Policy Generator
Generate comprehensive security policies instantly with AI. Tailored for HIPAA, GDPR, ISO 27001, and industry-specific compliance requirements.
GeneratePolicy.com

The increasing complexity of this state-level patchwork underscores the challenges for businesses in maintaining compliance and highlights the ongoing evolution of consumer data privacy regulation in the U.S..

State data breach notification laws across the United States share some commonalities but also exhibit important differences regarding their scope, triggers, timelines, and potential penalties for violations. Seyfarth Shaw's 50-State Survey of Health Care Information Privacy Laws provides specific details for several states, often highlighting how state laws interact with federal regulations like HIPAA.

Scope

  • Definition of Protected Information: States vary in their definitions of what constitutes protected information that triggers notification requirements.
    • Some states, like Alaska, define a breach trigger based on the breach of unencrypted personal information if there is a reasonable likelihood of harm.
    • California has a broad definition of "Personal Information" that includes a person's name combined with a Social Security number, driver's license number, or financial account access information. Notably, California's Consumer Privacy Act (CCPA) expressly exempts protected health information under HIPAA and medical information governed by CMIA.
    • Colorado defines a "security breach" as the unauthorized acquisition of unencrypted computerized data that compromises the confidentiality of "Personal Information," which includes medical and health insurance information combined with a resident's name. Colorado's law exempts third-party service providers that are HIPAA business associates.
    • Connecticut refers to HIPAA's definition of Protected Health Information (PHI) and also has a state-level definition of health information that identifies an individual. Connecticut statutes defer to 45 C.F.R. § 164.402 for what constitutes a breach.
    • Delaware defines "Protected health information" following HIPAA, but its statute governing notice requirements for a computer security breach includes a broad definition of "Personal information".
    • Hawaii's Health Care Privacy Harmonization Act harmonizes state law with HIPAA.
    • Kentucky generally defines PHI the same as HIPAA. Its breach definition includes unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of unencrypted or unredacted records, or encrypted data with the key, that may compromise personal information and likely result in harm.
    • Maine defines protected information as directly identifiable information relating to a patient's condition, medical history, or treatment. Its notification requirements, however, only apply to breaches from the statewide health information exchange.
    • Minnesota does not have a specific definition or penalties beyond HIPAA mentioned in the excerpts.
    • Mississippi does not have a comprehensive statute beyond HIPAA but has regulations for "nonpublic personal health information" for insurers unless they comply with HIPAA.
    • Montana's Uniform Health Care Information Act applies to entities not covered by HIPAA. Its newly enacted Montana Consumer Data Privacy Act (effective October 1, 2024) exempts HIPAA-protected health information but regulates other "personal data" and "sensitive data".
    • Nevada's data breach law focuses on the unauthorized acquisition of unencrypted personal information like name with Social Security number, driver's license number, or financial account information.
    • New Hampshire uses the same definition as HIPAA.
    • New Jersey's data breach law applies to businesses with access to "personal information," and health insurance carriers are also subject to the act.
    • New Mexico excludes entities covered by HIPAA from its Data Breach Notification Act.
    • North Carolina does not have a comprehensive statute protecting medical information, with HIPAA generally governing. However, breaches might fall under a law governing businesses that own or license personal information of residents.
    • North Dakota defines a breach as the unauthorized acquisition of unencrypted personal information, including name with unencrypted medical or health insurance information.
    • Ohio defines PHI and covered entities the same as HIPAA.
    • Oregon defines PHI as individually identifiable health information maintained or transmitted by a covered entity.
    • Pennsylvania's Breach of Personal Notification Act (BPINA) covers entities maintaining computerized data including "medical information," defined as individually identifiable information in medical records. Entities complying with HIPAA for electronic PHI are deemed compliant with BPINA.
    • Rhode Island defines "confidential healthcare information" broadly as information related to a patient's healthcare obtained from a healthcare provider.
    • South Carolina defines "Protected Health Information" broadly to include any information related to an individual's past, present, or future health status that could reveal their identity.
    • Tennessee defines PHI and health care providers similarly to HIPAA.
    • Texas does not have specific definitions in the provided excerpts.
    • Vermont defines "Protected health information" and "Covered entity" the same as HIPAA but provides additional state-level privacy protections.
    • Virginia defines "Medical information" to include name with medical history, condition, treatment, diagnosis, or health insurance details, if unencrypted.
    • Washington defines "Health care information" broadly as any information related to a patient's health care that identifies or can be readily associated with the patient.
    • Wisconsin defines PHI as in 45 CFR 160.103.
Data Privacy Compliance Fine Calculator
Calculate potential fines and penalties for data privacy violations across GDPR, CCPA, HIPAA, and other privacy laws.
Privacy Compliance Calculator
  • Exemptions: Many state laws have exemptions, particularly for entities already regulated under federal laws like HIPAA and the Gramm-Leach-Bliley Act (GLBA). For instance, Arizona's breach notification statute does not apply to HIPAA-covered entities. Montana's Uniform Health Care Information Act only applies to non-HIPAA entities. The CFPB report notes that many new state data privacy laws exempt financial institutions and data covered by federal law.

Triggers

  • The trigger for notification generally involves the unauthorized acquisition of protected information.
  • Some states, like Alaska, also require a reasonable likelihood of harm to the affected individual.
  • Kentucky's definition includes unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release if it compromises security, confidentiality, or integrity and is likely to result in harm.
  • North Carolina's law applies if illegal use of the personal information has occurred or is reasonably likely to occur, creating a material risk of harm.
  • Pennsylvania's BPINA is triggered by unauthorized access and acquisition that materially compromises security or confidentiality and causes or is believed to cause loss or injury.
  • The encryption status of the data is often a key factor. Breaches of encrypted data may not trigger notification unless the encryption key is also compromised. However, some states may have safe harbors for encrypted, redacted, unreadable, or unusable data.

Timelines

  • General Requirement: Most states require notification in the most expedient time possible and without unreasonable delay.
  • Specific Timeframes: Some states specify a maximum timeframe for notification after the discovery of the breach.
    • Arizona: Affected individuals must be notified within 45 days of breach determination (though this statute doesn't apply to HIPAA-covered entities).
    • Colorado: Notification to affected residents and the state's attorney general within 30 days.
    • Connecticut: Notice to the Attorney General and residents without unreasonable delay, but not later than 60 days after breach discovery.
    • Delaware: Notification in the most expedient time possible, without unreasonable delay, generally not later than 60 days after determination.
    • Florida: Notify affected individuals within 30 days and the Department of Legal Affairs for breaches affecting over 500 individuals. Business associates must notify covered entities within 10 days of a health record breach.
    • Kentucky: Agencies must report to state officers immediately, and notify affected individuals within 35 days after reporting and completing an investigation.
    • North Dakota: Disclose in the most expedient time possible to the affected consumer and, if applicable, the Attorney General.
    • Rhode Island: Notification to affected residents, the Attorney General, and credit reporting agencies no later than 45 calendar days of discovery.
    • Texas: Within 60 days after the breach, covered entities must provide written notice to affected residents.
  • Notification to Authorities: Many states also require notification to state agencies, such as the Attorney General, especially for larger breaches. Some states might have thresholds for this notification (e.g., over 500 individuals in Florida).
  • Consumer Reporting Agencies: Some states require notification to major credit reporting agencies if a certain number of residents are affected (e.g., over 100 in New Jersey, over 1,000 in Pennsylvania).
Data Breach Cost Calculator | Estimate Your Breach Costs
Calculate the potential cost of a data breach for your organization with our comprehensive breach cost calculator. Get insights on risk factors, security posture, and cost mitigation strategies.
Breach Cost CalculatorData Breach Cost Calculator

Potential Penalties for Violations

  • Penalties for failing to report data breaches or for unlawful disclosures vary significantly by state.
    • Arizona: The Attorney General may impose a civil penalty of up to $10,000 per affected individual, up to $500,000 (this does not apply to HIPAA-covered entities).
    • California: Negligent disclosure of medical information can result in a civil or administrative fine of $2,500 per violation. The NY SHIELD Act (referenced in the context of penalties) imposes civil penalties of up to $250,000 for failure to timely notify of a records breach and up to $5,000 per violation for failure to maintain reasonable safeguards.
    • Florida: A penalty of $1,000 each day for the first 30 days of failure to notify, thereafter $50,000 for each 30-day period in which the failure continues.
    • Maine: Intentional violation carries a penalty of up to $5,000 plus costs, up to $10,000 for practitioners and $50,000 for facilities if repeated.
    • Missouri: Actual damages and up to $150,000 in civil penalties per breach.
    • New Jersey: Willful, knowing, or reckless violation of the breach notification law is an unlawful practice under the Consumer Fraud Act.
    • North Dakota: Up to $5,000 per violation.
    • Rhode Island: Reckless violation - $100 per record. Knowing and willful violation - $200 per record. The AG may also bring action.
    • Texas: Failure to report unlawful exposure is liable to the State for a civil penalty between $2,000 and $50,000 for each violation.
    • South Dakota: Prosecution for deceptive practice or act, up to $10,000 per day for violation.
    • Failure to properly and timely report a HIPAA breach can result in civil penalties beyond those associated with the breach itself.

The landscape of state data breach notification laws is complex and constantly evolving. Organizations must stay informed about the specific requirements in each state where they operate. The increasing frequency of changes to these statutes creates ongoing compliance challenges. Many states are enacting comprehensive privacy laws, but these often have exemptions for data already covered by federal regulations like HIPAA and GLBA. Despite the trend towards more state privacy laws, the CFPB highlights potential gaps in financial data protection due to these exemptions. The Electronic Frontier Foundation (EFF) emphasizes the importance of strong enforcement, including a private right of action, which is largely absent in most state privacy laws except for California, to ensure companies are accountable for privacy violations.

Cybersecurity Micro Tools Showcase
Powerful, purpose-built security tools for cyber professionals. Instant access to specialized tools that solve real security challenges.
CISO Marketplace

State data breach notification laws across the U.S. share similar components but have important differences regarding scope, triggers, timelines, and potential penalties for violations. These differences mean that a uniform approach to data breach notification is insufficient. Notably, states are actively modifying their statutes, making continuous monitoring crucial for compliance.

Scope (What data is protected? Who is covered? Are there exemptions?)

  • Most state laws focus on the unauthorized acquisition of "personal information" (PI), though the specific definition of PI can vary.
    • For instance, California defines "Personal Information" as a person's first name or initial and last name combined with a social security number, driver's license number/California ID card number, or account/credit/debit card number with necessary access codes.
    • Nevada's definition is similar, including a natural person's name plus a social security number, driver's license/ID card number, or financial account information with access codes, when unencrypted.
    • North Dakota's definition includes an individual's name plus unencrypted medical or health insurance information.
    • Pennsylvania's Breach of Personal Notification Act (BPINA) covers "personal information" which includes a name combined with elements like "medical information," defined as individually identifiable information in a medical record.
    • Virginia defines "medical information" similarly, including health history, conditions, treatment, diagnosis, health insurance information, and application/claims history when not encrypted or redacted.
  • Health information is sometimes specifically included in the definition of PI under state data breach laws.
    • However, some states' data breach notification laws specifically exclude health information that is protected under HIPAA. For example, New Mexico's Data Breach Notification Act excludes entities covered by HIPAA. Similarly, Kentucky's general breach notification law does not apply to breaches subject to HIPAA.
    • Connecticut's statutes otherwise don't define what constitutes a breach or unlawful disclosure of health information, suggesting a reliance on 45 C.F.R. § 164.402 for the definition of a breach in that context.
    • In contrast, some states like Maine have specific definitions of protected health information.
  • HIPAA compliance can provide exemptions from some state data breach notification requirements. For instance, Pennsylvania's BPINA deems entities compliant if they adhere to HIPAA privacy and security standards for electronic personal health information.
  • State consumer privacy laws, while distinct from breach notification laws, often have exemptions for entities and data covered by federal rules like HIPAA and GLBA. This can mean that financial institutions and health data might have different privacy protections under state laws compared to other types of personal data.
  • The applicability of state laws often depends on whether an entity "owns" or "licenses" personal information of state residents or conducts business within the state. Some laws also have threshold criteria based on revenue, data processing volume, or the number of affected state residents. Delaware and New Hampshire have notably low thresholds. Nebraska's law applies based on conducting business in the state and not being a small business.
Cyber Agent Exchange - AI-Powered Cybersecurity Assistance
Access specialized AI agents for cybersecurity consulting, threat analysis, and security best practices.
AI-Powered Cybersecurity AssistanceCyber Agent Exchange

Triggers (What constitutes a data breach requiring notification?)

  • Generally, a data breach is triggered by the unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of the data. Some definitions also include unauthorized access.
  • Some states specify that the information must be unencrypted for the breach to trigger notification. However, a breach of encrypted data may also trigger notification if the encryption key is compromised.
  • North Carolina law specifies a trigger as unauthorized access and acquisition of unencrypted data (or encrypted data with the key) where illegal use of the personal information has occurred or is reasonably likely to occur, or that creates a material risk of harm.
  • Colorado defines a "security breach" as the unauthorized acquisition of unencrypted computerized data that compromises the confidentiality of Personal Information maintained by a covered entity.
  • Kentucky's definition includes the unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of unencrypted/unredacted records or encrypted data with the decryption key, which comprises or is believed to comprise the security, confidentiality, or integrity of personal information and could result in harm.
  • Pennsylvania's BPINA defines a breach as unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information and causes or is believed to cause loss or injury to a Pennsylvania resident.

Timelines (When must notifications be sent?)

  • Most state laws require notification to affected individuals to be made in the most expedient time possible and without unreasonable delay.
  • Many states also set specific timeframes for notification after the discovery or determination of a breach.
    • Alaska requires notification in the most expeditious time possible.
    • Arizona requires notification within 45 days of breach determination.
    • Colorado mandates notification to affected residents and the state attorney general within 30 days.
    • Delaware generally requires notification not later than 60 days after breach determination.
    • Florida requires notification to affected individuals within 30 days and to the Florida Department of Legal Affairs for breaches affecting over 500 people.
    • Kentucky requires notification of affected individuals within 35 days after reporting the breach to state officers.
    • Texas requires written notice to affected residents within 60 days after the breach.
    • Rhode Island requires notification to affected residents (if over 500), the Attorney General, and credit reporting agencies no later than 45 calendar days of discovery.
Breached Company
Website highlighting all the recent hacking attempts at companies and technology providers.
Breached CompanyBreached Company
  • Some states, like Connecticut, require notification to the Attorney General and affected residents without unreasonable delay, generally within sixty (60) days of breach discovery. The Connecticut Attorney General's office considers the statutory period to begin when a company becomes aware of suspicious activity.
  • Connecticut's Attorney General has issued warning letters to companies with lengthy breach notification timelines, emphasizing the importance of timely notice so residents can protect themselves from identity theft.
  • Nevada requires disclosure in the most expedient time possible without unreasonable delay, consistent with law enforcement needs or measures to determine the scope and restore system integrity.
  • Pennsylvania requires notification without unreasonable delay after determining the breach and taking measures to assess the scope and restore system integrity.
  • New Jersey requires notification in the most expedient time possible without unreasonable delay, consistent with law enforcement needs or measures to determine the scope and restore the data system, unless misuse of information is not reasonably possible.
  • North Carolina requires notice of any security breach without unreasonable delay or immediately following discovery.
  • When a breach affects a large number of individuals (e.g., over 1,000 in Pennsylvania or over 100 residents in New Jersey), notification to consumer reporting agencies may also be required.
  • Some states allow entities to comply with their own notification policies if those policies are consistent with the state law's timing requirements.

Penalties for Violations (What are the consequences of non-compliance?)

  • Failure to properly and timely report a HIPAA breach can result in civil penalties beyond those associated with the breach itself.
  • Arizona allows the Attorney General to impose a civil penalty of up to $10,000 per affected individual, up to $500,000. However, this statute does not apply to HIPAA-covered entities.
  • Connecticut's CTDPA allows the Attorney General to seek equitable remedies under the Unfair Trade Practice Act (CUTPA), including restitution, disgorgement, and injunctive relief [see prior conversation]. Entities may face civil penalties up to $5,000 per willful violation of the CTDPA [see prior conversation].
  • Delaware's Attorney General may bring an action to address violations related to breach notification and recover damages. Violations are considered an unlawful practice.
  • Florida imposes a penalty of $1,000 per day for the first 30 days of failure to notify, and thereafter $50,000 for each 30-day period the failure continues. Treble damages may also be awarded in certain circumstances related to children's data or failure to delete/correct data.
  • Maine has penalties for intentional violations of their health information privacy law, up to $5,000 plus costs, with higher penalties for repeated violations by practitioners and facilities.
  • Missouri allows for actual damages and up to $150,000 in civil penalties per breach.
  • Nevada considers a violation of its data breach notification law a deceptive trade practice, and the Attorney General or district attorney can bring an action for a temporary or permanent injunction.
  • New Jersey's breach notification law does not have specific penalties for failure to report but states that a willful, knowing, or reckless violation is an unlawful practice and a violation of the New Jersey Consumer Fraud Act. Industry-specific enforcement also exists.
  • New York's SHIELD Act includes civil penalties of up to $250,000 for failure to timely notify of a records breach and up to $5,000 per violation for failure to maintain reasonable safeguards.
  • North Dakota allows for penalties up to $5,000 per violation.
  • Oklahoma allows the State AG or DA to file a lawsuit for actual damages or a civil penalty up to $150,000 per breach.
  • Rhode Island has penalties for reckless ($100 per record) and knowing/willful ($200 per record) violations, and the Attorney General may bring an action.
  • Texas has civil penalties between $2,000 and $50,000 per violation for failure to report unlawful exposure.
  • Pennsylvania grants the Attorney General exclusive authority to bring an action for violations of the data breach statute.
Your Privacy Matters: Protect and Secure Your Digital Identity
Join us in a journey to regain control of your digital privacy. Our expertly crafted guides, insightful articles, and resources equip you with the knowledge and tools needed to secure your digital life. Your privacy is not a luxury, it’s a right.
My Privacy BlogMy Privacy Blog

It's important to recognize that enforcement of these laws often falls to state Attorneys General. While only California currently allows a private right of action under its comprehensive privacy law, individuals can still pursue other privacy-related claims. The absence of a private right of action in many state privacy laws has been noted as a potential weakness in consumer protection, making regulatory enforcement crucial. The Connecticut Attorney General's office actively monitors reported data breaches and follows up to ensure compliance.

Conclusion: Embracing a Culture of Privacy

In conclusion, the increasing complexity of U.S. state data privacy laws necessitates a proactive and comprehensive approach to compliance. By understanding the key definitions, consumer rights, business obligations, breach notification requirements, and enforcement trends across different states, organizations can navigate this evolving landscape effectively. Consulting with legal counsel remains essential to ensure ongoing compliance and mitigate potential risks. Embracing a culture of privacy that prioritizes transparency, data security, and respect for consumer rights is not only a legal imperative but also a cornerstone of building and maintaining customer trust in the digital age.

Read more

Beyond Reaction: Integrating Incident Response into Your Cybersecurity Risk Management Strategy with NIST SP 800-61r3

Beyond Reaction: Integrating Incident Response into Your Cybersecurity Risk Management Strategy with NIST SP 800-61r3

In today's dynamic threat landscape, cybersecurity incidents are an unfortunate reality for organizations of all sizes and sectors. The ability to effectively handle these events is no longer a siloed IT function but a critical component of overall cybersecurity risk management. Integrating incident response recommendations and considerations throughout

By Compliance Hub