As a result, many states are now implementing comprehensive privacy laws for themselves. This means your privacy isn’t protected to the same degree in every US state. We researched which US states guard your privacy most effectively. Here’s our verdict: If you live in a state that lacks proper privacy laws, you can improve your own level of online privacy by using a VPN. A VPN will hide your location and protect your data while you’re using the internet. NordVPN offers a great privacy policy and useful extra features. Unlike in the EU, the United States’ privacy laws vary from state to state. There is no single piece of guidance governing data privacy across the nation, and some states offer greater protections than others.
Federal Privacy Laws of the United States
The privacy laws of the United States are a haphazard collection of individual federal and state-level laws. What’s more, rather than a single directive, each law tends to focus on specific information: financial data, health data, and so on. This can leave individuals confused as to how their data may legally be gathered, stored, and used. Let’s start by looking at some of the federal privacy laws that exist. A federal law is one that applies to all states in the US.
Children’s Online Privacy Protection Rule (COPPA)
The COPPA affords children under the age of 13 certain rights related to data privacy, limiting or entirely barring certain information from being collected and stored. This act applies to any digital service or platform that gathers, uses, or shares children’s personal information. Companies must:
- Maintain a privacy policy that clearly sets out the data that will be collected, how it will be used, and when it may be shared with third parties
- Obtain parental consent before carrying out any of the activities noted above
- Give parents or guardians the chance to review and delete the personal information held about their children
This law has already seen success in offering individual protections. For example, in the period 2020-2022 alone, six organizations have faced fines varying from $100,000 to $3m for breaches of COPPA. This law is also the reason that many online games and platforms, like Instagram, have an age restriction of 13 years and older.
Electronic Communications Privacy Act (ECPA)
The ECPA and the Stored Wire Electronic Communications Act are often discussed together, but the ECPA actually simply updated the existing Wiretap Act of 1968 to bring it into the modern era. This act limits the government’s ability to wiretap citizens’ phone calls. The Wiretap Act makes it unlawful to intercept electronic or wire communications, or to use or disclose information obtained in this way. There are, however, some exceptions under the Patriot Act when investigating terrorism. The ECPA also moderates how employers may monitor their employees’ electronic chats or emails. Unfortunately, the ECPA was passed in the mid-80s, making it largely outdated in the face of modern technology. Organizations that have moved to remote work since COVID-19 must be especially wary of this act. Companies that lean too heavily on employee monitoring might find themselves on the wrong side of this law.
Fair Credit Reporting Act (FCRA)
The Fair Credit Reporting Act determines who can access citizens’ credit reports, as well as what information can be stored within them. Essentially, it ensures that your credit report is fair, accurate, and kept out of malicious hands. Companies tend to violate this act by reporting on old or inaccurate information, accidentally combining your credit report with somebody else’s, or sharing your report with an organization or person they shouldn’t.
Family Educational Rights and Privacy Act (FERPA)
FERPA specifies the individuals and organizations that are allowed to request access to student records. This includes the student themselves, their parents, and other institutions for which the student makes an application. Some notable examples of breaches include sending a letter of recommendation to an employer without consent. Even something as simple as a teacher sending a group email to multiple students who are failing can be considered a breach of FERPA.
Federal Trade Commission Act (FTC Act)
The FTC’s role is to protect the public from unfair business practices while enforcing consumer protection laws. This act determines the powers afforded to the FTC itself and allows the FTC to act against companies that violate privacy laws. For example, under the FTC Act, website and application owners that breach their own privacy policy can be held accountable. In a time when privacy policies are already hard to read because of their dense language, we should at least be able to trust that the promises companies make in these texts are followed through. This is just one example of what the FTC does.
Gramm-Leach-Bliley Act (GLBA)
This act offers limited data rights to citizens who access consumer financial services. Loan or investment providers, for example, must outline how they’ll gather and share customer data. However, the law doesn’t set any limitations regarding how those companies may use customer data, making it fairly limited. As a result, the GLBA is often criticized for being vague, especially in the face of wide-reaching privacy laws elsewhere, such as the European Union’s GDPR. For comparison, under GDPR, any organization in any industry can be fined for breaching consumer privacy laws, unknowingly leaking consumer data, and more. The GLBA, by comparison, simply covers financial services organizations. It states that companies must:
- Explain to consumers how data may be shared and provide a means for opting out
- Develop and maintain an information security program to stop third parties from accessing sensitive data without consent
- Follow established guidelines for financial institutions regarding how data should be collected, utilized, and protected
One recent example of this law in action concerns data and analytics company Ascension. The company settled a lawsuit that arose when they supposedly failed to assure that third-party service providers were properly protecting consumer data.
Health Insurance Portability and Accountability Act (HIPAA)
As the name suggests, this act governs communications between consumers and healthcare agencies, such as doctors’ offices, pharmacies, hospitals, and insurance providers. The catch is that it doesn’t cover all health data and has a limited impact on your data privacy. Companies to which this act applies must:
- Use your data for healthcare purposes only, including treatment and invoicing you for that treatment
- Not use your data for marketing without prior consent
- Provide you with a privacy notice that outlines how your data will be used, and allow you to opt out of certain processes
- Allow you to update your information if anything is incorrect
Some of the most common breaches of HIPAA include abusing employee access to snoop on healthcare records and denying patients access to their own records.
Video Privacy Protection Act (VPPA)
This little-known act was passed after a journalist obtained the VHS rental history of a Supreme Court nominee. That’s right: this act stops organizations from disclosing the VHS tapes you’ve rented. Think this law will never affect your organization? Think again. Streaming services, sports organizations, and news outlets are facing lawsuits due to their use of Meta’s services.
Modern Privacy Laws of the United States
By now, you’ve probably gathered that the existing federal privacy laws are extremely specific and don’t always afford you as much protection as international laws like the GDPR. However, things are slowly starting to change. Some states have introduced more comprehensive data privacy laws, which we’ll outline below.
Massachusetts Data Privacy Law (MDPL) – 2009
The Massachusetts Data Privacy Law dates back to 2009, following an explosion of data breaches. The 2000s saw a surge in global consumer data being illegally obtained, so the state created comprehensive legislation that became known as the Massachusetts Data Privacy Law. The law defines personal data as any consumer data that includes a first and last name, social security number, driver’s license, financial account numbers, or payment card information. Such data must be adequately protected from breaches, phishing, spyware, and other cybersecurity threats. Companies are expected to take reasonable steps to protect the data from such attacks, as well as provide consumers with a way to opt out of data collection and sharing. While this is a good start, the law could certainly improve – and it might. On February 2, 2022, a new bill was drafted: the Massachusetts Information Privacy and Security Act (MIPSA). If enacted, this new bill will significantly improve consumer data protection in a number of ways:
- Consumers will have the right to access, amend, delete, or port (transfer) their data.
- Biometric and other sensitive data will be covered by the new act, in addition to more protections for minors.
- Anti-discrimination laws will be incorporated with the new regulations.
- Maryland’s Attorney General will be given powers to enforce the act.
In other words, this law will make privacy legislation in Massachusetts more relevant to the world we live in today.
California Consumer Privacy Act of 2018 (CCPA) – 2020
Alastair Mactaggart, Mary Stone Ross, and Rick Arney, three wealthy Californians, were the driving force behind this Californian act. Despite heavy resistance from American telecommunications companies, they succeeded in getting the act onto the ballot and passed into law. The California Consumer Privacy Act of 2018, or CCPA, came into effect in 2020. While it isn’t identical to GDPR, it shares a lot of similarities. It also has a more comprehensive view of what is considered private data, though it has its limitations. For starters, the CCPA only applies to organizations that operate within California. What’s more, it only applies to organizations that meet specific criteria, including that they:
- Have annual revenues exceeding $25 million
- Process the personal data of 50,000 or more individuals
- Derive at least 50% of their revenue from data-selling activities
The penalties for breaching the CCPA are generally considered to give companies less incentive to comply. While the GDPR imposes significant financial penalties on organizations that breach the regulations, the CCPA allows Californians to sue for damages when their rights are violated. In other words, the victim will need to do the heavy lifting. This presents a problem, as legal suits can be expensive, and most people won’t follow them up. Compare this to the United Kingdom, where the ICO (Information Commissioner’s Office) pursues organizations using government funding. Aside from the CCPA, California passed a new law in August 2022 known as the California Age-Appropriate Design Code Act, or CA-ADCA. This law limits Californian companies’ ability to gather data on minors under the age of 18.
Virginia Consumer Data Protection Act (VCDPA) – 2021
The Virginia Consumer Data Protection Act was signed into law on March 2, 2021. This marks the second time a state decided to self-impose new, state-level consumer privacy laws. This act applies to certain organizations and companies operating within Virginia and came into force on January 1, 2023. In essence, this law allows consumers to request access to their data, as well as request that their data be deleted. Companies are also responsible for undertaking data protection assessments when using consumer data for sales or targeted advertising. Like California’s CCPA, the act doesn’t automatically apply to all organizations. The VCDPA’s regulations only apply to:
- Companies storing or processing a minimum of 100,000 consumers’ data within a calendar year
- Companies storing or processing a minimum of 25,000 consumers’ data within a calendar year, when the sale of that data makes up at least 50% of the company’s revenue
The VCDPA is significantly shorter than the CCPA, and it has been criticized by some. While it offers additional data privacy rights, it is based on opt-out consent and doesn’t allow individuals to launch legal suits like the CCPA.
Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) – 2022
Connecticut implemented the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) in 2022 due to a lack of federal legislation protecting consumer privacy, although it won’t take effect until July 1, 2023. The CTDPA gives the Attorney General enforcement powers while offering a number of protections to consumers living in the state. The CTDPA allows consumers to request access to data that a company holds about them. They may also ask that the data be rectified or deleted, or opt out of data collection entirely. Consumers can also request their data in a portable format that can easily be shared with another data controller. As with other privacy acts, there are stipulations about which companies must adhere to the regulations. It includes any company or organization conducting business in Connecticut that:
- Processed the personal data of at least 100,000 consumers in the last calendar year
- Processed the personal data of at least 25,000 consumers in the last calendar year, while deriving at least 25% of revenue from the sale of that data
That said, the definition of “consumer” in this act excludes people acting in a commercial or employment capacity. In other words, any data gathered while you’re at work isn’t covered by this law.
Colorado Privacy Act (ColoPA) – 2022
Shortly after Virginia’s VCDPA was signed into law, Colorado’s Governor Jared Polis signed the Colorado Privacy Act. The act will come into force on July 1, 2023, and improve data privacy for anyone residing in Colorado. In summary, the ColoPA act provides state residents the right to access, correct, and delete personal data held by companies. They’ll also be able to opt out of having their data sold or used for targeted advertising campaigns. While the CCPA uses business revenue as a determining factor in whether a company is accountable, the ColoPA, like the VCDPA, focuses on data volumes. The new privacy act in Colorado will apply to companies conducting business within Colorado, or providing services or products to Colorado state residents, which:
- Store or process the data of 100,000 or more state residents in each calendar year
- Store or process the data of 25,000 or more state residents, where the sale of that data brings in business revenue
Companies that breach the regulations set out in the ColoPA could face fines of up to $20,000 per violation. This is significantly higher than the $7,500 fine imposed by the CCPA and VCDPA and might therefore give companies more incentive to adhere to the law.
New York Privacy Act – TBA
The New York Privacy Act was reintroduced for consideration on May 13, 2021, though it has not yet been passed. If passed, the act would apply to New York companies that meet one of the following requirements:
- Having an annual gross revenue of $25m or higher
- Controlling or processing personal data of at least 100,000 consumers
- Controlling or processing personal data of at least 500,000 citizens, and controlling or processing personal data of at least 10,000 consumers
- Generating a minimum of 50% of gross revenue from the sale of consumer data, while controlling or processing the personal data of at least 25,000 consumers
If the act is passed, it will grant similar rights to consumers that we’ve seen in the above acts: the right to request access to personal data held, as well as requesting portability, deletion, or amendment of data. The act was expected to become law in 2022, though, at the time of writing, we have yet to see this happen.
The Best US States for Privacy Legislation
Which states are best for privacy legislation? Since there are so many different acts and laws, it can be hard to determine where your privacy is best protected. We studied the ten most important privacy rights afforded to citizens of the United States, dependent on the state they live in. The ten considerations we used in our research are related to laws that govern the following: You can find our results in the infographic below. The darker the color of the state, the better it protects the rights of its citizens. We’ve used the data from this research to score our top states for consumer, child, and employee data privacy. Unfortunately, not one of the states managed to provide all the protections we like to see in privacy legislation. This shows that there’s still a long way to go. Even so, some states do notably better than others. Let’s look at the best US states for privacy legislation.
1. California: The best state for privacy
California easily takes our top spot when it comes to good privacy regulations. The data collection and retention policies in California are stronger than in any other state. Of the ten key privacy regulations outlined in our infographic, California enforces seven. (Massachusetts and New York have yet to decide whether the proposed changes to their privacy laws will be enacted. To give an honest representation of today’s privacy law situation, we have not taken those potential new rights into account in the list below.) California’s lead is, in part, thanks to the introduction of the CCPA, which bolsters consumer data privacy rights. The Consumer Privacy Act ensures that consumers are able to request copies of the data held on them, as well as request that it is amended or deleted. It also allows individuals to seek damages against companies that breach their privacy responsibilities. Employees are afforded some protection under employer data policies. Although companies are able to monitor their workforce’s use of digital communication tools, employees must be notified when this takes place. Companies are responsible for notifying all new employees during the hiring period and must also obtain consent to record calls that take place with consumers. California also recently passed its new California Age-Appropriate Design Code Act (CA-ADCA). As a result, technology companies have become responsible for verifying their users’ ages before granting them access to age-restricted digital content. One final note on California’s privacy laws is that, crucially, companies must have a data disposal policy, ensuring your data is deleted when no longer used or after a specified period. Unfortunately, this doesn’t yet apply to government agencies.
2. Colorado: Privacy laws for government agencies and nonprofits
Like California, Colorado recently implemented a new privacy act: the ColoPA. As a result, Colorado only lags slightly behind California in privacy, having six out of ten of the key privacy laws listed above. By comparison, companies don’t need to obtain consent to record calls, and there are no laws governing access to K-12 student data. However, Colorado does have laws governing the disposal of data by government agencies, unlike California. Under the ColoPA act, consumers have the right to opt out of third-party data sharing. They can also request that companies disclose what information is held about them, as well as request that the data be deleted. In a significant departure from California and Virginia’s new privacy laws, the Colorado Privacy Act also applies to nonprofit organizations. There are, however, other exemptions, such as financial institutions under the above-mentioned Gramm-Leach-Bliley Act.
3. Connecticut: More control for individuals
Connecticut is third on our list, meeting six of the ten privacy laws, thanks to the recent implementation of the Connecticut Personal Data Privacy and Online Monitoring Act. As noted above, this extends consumer data privacy rights by giving individuals greater control over their data. State residents may request access to data held about them, in addition to amending it, requesting its deletion, or opting out entirely. We’ve ranked Connecticut third because the scope of the state’s new privacy laws is a little narrower than Colorado’s ColoPA act. What’s more, unlike states such as Massachusetts, Connecticut does not consider payment card information to be protected data. Bear in mind that there is significant leniency for companies that are expected to adhere to the act. Organizations have until January 1, 2025, to provide consumers with universal opt-out settings. Colorado expects the same to be implemented by July 1, 2024, and since Colorado won’t authenticate these requests, it’s expected to be simpler for consumers to opt out.
4. Delaware: Laws to protect children’s privacy
We were hesitant to include Delaware on our list, particularly because the state does not yet support the rights outlined in the new laws passed by California, Colorado, and even Virginia. That is, consumers don’t have the legal right to request what data a company holds, nor to ask for it to be amended or deleted. Still, the state enforces six of the ten key privacy laws outlined in our research. Delaware is one of the few states that requires government entities to dispose of consumer data after a specified period of time. The state also has extended privacy laws that govern library and e-reader data, as well as restricting advertising to children under the Delaware Online Privacy and Protection Act (DOPPA). Moreover, Delaware has laws protecting minors and the information of K-12 students and younger, as well as requiring companies to obtain consent to record calls. Employees must also be made aware when workplace communications are monitored. For these reasons, Delaware scores highly but doesn’t rank above the states with comprehensive data rights: California, Colorado, and Connecticut.
5. Virginia: Recent regulations improve privacy
Virginia currently enforces five of the ten privacy laws outlined above. Virginia’s new VCDPA law improves consumer data protection, and the state also introduced new insurance data security laws in 2020. The Virginia Insurance Data Security Act requires insurance entities to:
- Implement and maintain an information security program
- Thoroughly investigate any cybersecurity attacks or breaches
- Officially notify the Commissioner of Insurance of any such attacks or breaches
- Inform any consumers who have been impacted by such events
This act has not yet been passed, which means that consumers don’t currently have the same rights as those residing in California, Colorado, or Connecticut. This is why Virginia lags slightly behind the other states listed above, in fifth place. On the plus side, however, the VCDPA took effect in January 2023. Therefore, Virginia will now offer consumers significantly more rights over the way their data is stored or processed. Virginia also enjoys certain other protections. For example, the DMV does not respond to facial recognition requests submitted by federal agencies, such as the FBI.
Protecting Your Online Data Privacy
One of the biggest threats to our data privacy right now is the internet. Whether it’s excess sharing on social media or simply signing up for a host of new services, our data is frequently gathered, stored, and resold online. The new laws that we’re seeing now should help limit what certain companies can do with our data, but they are not a foolproof safeguard. You should still be looking for ways to minimize sharing your own data. Fortunately, you can easily limit what data is exposed and captured online. Whether you’re in one of the other states that are behind on privacy legislation or just want to bolster your privacy in general, there are tools to help. Here’s what you can do to protect yourself.
1. Use a Virtual Private Network
For starters, you can use a VPN (Virtual Private Network) to increase your online privacy and security. This tool encrypts your data and hides your location. This means your ISP won’t be able to see what you do, and neither will other third parties online. The best VPN for privacy and security is NordVPN. By connecting to the internet with NordVPN, you can hide your true IP address, making it far harder for companies to track what you do online. Your data will also be encrypted, reducing the chance that it falls into the wrong hands, particularly on unsecured networks. A VPN might not be able to keep all of your data out of companies’ and governments’ hands, but it’s a very effective start. If you’d like to read more about NordVPN and how it can help keep you safe, read our full NordVPN review.
2. Read and understand privacy policies
While a VPN vastly improves your privacy, it won’t necessarily stop companies from getting hold of your data in the first place. As mentioned, you often give companies permission to capture and sell your data when you sign up for a service. That’s why you should always try to read the privacy policy of new products or services you access to understand how companies are using your data. You should also be wary of checkboxes that opt you into marketing when signing up for a website or service. Unfortunately, privacy policies are often long-winded, vague, and hard to understand. On top of that, you have two choices: accept them, or don’t use the service or product you wanted. Every company has a privacy policy, so the best thing you can do is get acquainted with them and choose the most privacy-focused option among similar companies. You might, for example, switch from Google Chrome to Firefox, or finally get rid of that TikTok account on your phone.
3. Delete excess personal information from the internet
Do you regularly tweet about your life? Share pictures of yourself and your family on Instagram? Talk about the details of your day-to-day struggles on Facebook? The internet holds more information about us than many of us realize. A large part of that we share ourselves, but there are also countless data brokers that make a living out of collecting and sharing your data. This often vague and largely ignored mass collection of personal data is why the new data privacy acts that we’re seeing in the US are so important. They’ll help to regulate and limit who can access your data while giving you greater control over amending, deleting, or opting out of it. While the laws are playing catch-up, you can take control of your own data. Go through your online accounts and settings to make any adjustments needed. You might want to rethink sharing your location with every picture you post, for example. What about those data brokers? You can use a tool like Incogni or DeleteMe to take back some control and delete data that’s being held by brokers. These companies will take care of scanning for your personal information online and removing it from brokers who profit from selling your data.
Conclusion: US States With the Best Privacy Laws
Europe has taken the simplest approach to data privacy by introducing one comprehensive directive: the GDPR. By comparison, privacy law in the United States is lagging behind. The US has been using a varied collection of both state and federal laws that seem to apply in niche circumstances. This means that consumers in many states have few rights when it comes to data privacy. Fortunately, that appears to be changing. With the introduction of comprehensive state-level privacy laws in California, Colorado, Virginia, and Connecticut, a trend is being set. State legislators are clearly taking notice of the rising concern around consumer data privacy and cybersecurity. New York is already considering a similar bill, and other states are likely to follow. We believe that the following states are the best states for privacy in the US as of this moment: The result? We should start seeing consumers granted greater rights to the privacy and control of their own data, which is something that can’t come soon enough.
- COPPA: Children’s Online Privacy Protection Rule
- ECPA: Electronic Communications Privacy Act
- FCRA: Fair Credit Reporting Act
- FERPA: Family Educational Rights and Privacy Act
- FTC Act: Federal Trade Commission Act
- GLBA: Gramm-Leach-Bliley Act
- HIPAA: Health Insurance Portability and Accountability Act
- VPPA: Video Privacy Protection Act
Some states, such as California, Colorado, and Virginia, have begun introducing comprehensive state-level privacy laws. You can read more about these and other US privacy laws in our full article on the privacy laws of the United States.
- Massachusetts: Massachusetts Data Privacy Law (and MIPSA amendment)
- California: California Consumer Privacy Act of 2018 (CCPA)
- Colorado: Colorado Privacy Act (ColoPA)
- Connecticut: Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)
- Virginia: Virginia Consumer Data Protection Act (VCDPA)
You can read more about our research and the different privacy laws in the US by checking out our article “Privacy Legislation in the United States.”