Ultimate guide to US Data Privacy Protection Laws 2025: Stay secure with Veriff

In today’s digital age, convenience often comes at the cost of privacy. As technology advances, so do the risks of unprecedented surveillance and data exploitation. Recognizing this threat, countries worldwide are enacting comprehensive data protection and privacy laws to safeguard consumer data.

It often seems that convenience in the modern digital world is synonymous with surrendering your privacy. While technology has, in many aspects, revolutionized our lives, it has also left us vulnerable and exposed to unprecedented levels of data collection and surveillance. To combat this, more and more countries all over the world are working towards comprehensive data protection and privacy laws to protect their consumers and their data.

In the United States, legislators have started building legal bulwarks against the encroaching tide of data exploitation. While the US has long been regarded as a patchwork of sectoral privacy laws, recent years have witnessed a significant shift towards comprehensive consumer data protection. This transformation reflects a growing recognition of the need for robust regulations to address the complexities of modern data practices.

While the elusive federal-level consumer data protection act remains a tantalizing mirage on the horizon, individual states have taken the reins, crafting their own legislative masterpieces to fill the void. Consequently, a diverse array of state privacy laws has emerged, each aiming to enhance privacy protections and empower consumers in an increasingly data-driven society.

For both businesses and consumers, understanding the complexities of these laws can be challenging. This article aims to clarify the key aspects of US data protection and privacy laws.

1. Overview of US privacy landscape

For years, data protection in the United States relied on the sectoral approach. This meant that data privacy regulations in the US applied only to specific industries. There was (and still is) the Health Insurance Portability and Accountability Act (HIPAA) to regulate the processing of protected health information by covered entities and business associates. In the financial services industry, consumers received some privacy protection under the Fair Credit Reporting Act (FCRA) or the Gramm-Leach-Bliley Act (GLBA). Additionally, laws like the Maryland Online Privacy Protection Act (COPPA) regulate data collection for children, while others address biometric data and personal identifiers. However, none of these laws provide comprehensive protection to the individual.

Recently, data protection in the US took an interesting turn. In 2018, the California Consumer Privacy Act (CCPA) was signed into law. It became effective on January 1, 2020, and it was the first comprehensive data privacy law in the United States. It gives consumers far more control over their personal information than any of the previous privacy laws. The CCPA, along with its amendment, the California Privacy Rights Act (CPRA), protects consumers on another level, setting an example for other states. Suddenly, consumers could ask about what personal data is being collected about them, receive information about data disclosures, say “no” to the sale of their personal data, or even request that their personal information be deleted, regardless of the industry of the business.

It took a while for other states to follow suit. But today, though California remains by far the most stringent of the state data protection laws, there are several state-level data protection and privacy laws granting similarly broad protection to consumers in other states as well.

In 2025 there was no such ambitious project as the American Privacy Rights Act of 2024 or the American Data Privacy and Protection Act of 2023 (neither of which passed the early discussion phase). Only time will tell whether someday there will also be a “United States General Data Protection Regulation” (yes, a straightforward, clumsy comparison with the European GDPR).

Meanwhile, let’s dive into the overview of the data protection and privacy laws enacted by various US states.

2. In-depth look into the US states’ data protection and privacy laws

It’s essential to recognize that the US privacy landscape is in constant change. Therefore, we cannot promise an exhaustive overview of all state-level consumer data protection acts. However, we have curated a list of the most relevant legal acts shaping the privacy landscape in 2025. Here’s a look at the key provisions of US data protection and privacy laws, including new states entering the fold:

California

  • Effective Date: January 1, 2023 (for CPRA amendments)
  • Scope: Protects individuals both in private household context as well as in a commercial or employment context. It imposes obligations on businesses and service providers
  • Unique Features: In addition to the Attorney General, it is enforced by the California Privacy Protection Agency (CPPA) and includes even a private right of action for certain security breaches

Colorado

  • Effective Date: July 1, 2023
  • Scope: Protects individuals acting in private household context. Imposes obligations on controllers and processors
  • Unique Features: Has been amended several times since it first entered into force to enhance protection of biometric data and sensitive data (latest amendments on July 1, 2025)

Connecticut

  • Effective Date: July 1, 2023
  • Scope: Protects individuals acting in private household context. Imposes obligations on controllers and processors

Delaware

  • Effective Date: January 1, 2025
  • Scope: Protects individuals acting in private household context. Imposes obligations on controllers and processors. Applies to businesses processing data of at least 35,000 Delaware residents, or 10,000 residents if deriving over 20% of revenue from data sales
  • Unique Features: Universal opt-out mechanisms must be implemented by 2026


Iowa

  • Act: Iowa Consumer Data Protection Act (ICDPA)
  • Effective Date: January 1, 2025
  • Scope: Protects individuals acting in private household context. Imposes obligations on controllers and processors. Targets businesses processing data of 100,000 consumers, or 25,000 consumers with over 50% of revenue from data sales
  • Unique Features: Unlike several other US State Privacy Laws, the ICDPA does not include an obligation to carry out data protection assessments

Nebraska

  • Effective Date: January 1, 2025
  • Scope: Closely mirrors the Virginia model, applying to businesses handling data of 100,000 consumers or 25,000 consumers if deriving over 50% of revenue from data sales
  • Unique Features: Emphasizes transparency and consumer rights to access, delete, and correct personal data

New Hampshire

  • Effective Date: January 1, 2025
  • Scope: Applies to businesses processing data of 100,000 consumers, or 25,000 consumers with over 25% of revenue from data sales
  • Unique Features: Aligns closely with Connecticut’s framework, including opt-out provisions and detailed definitions for sensitive data. Also, there is already an amendment proposal in the works.

New Jersey

  • Effective Date: January 15, 2025
  • Scope: Applies to controllers processing data of 100,000 consumers, or 25,000 consumers if deriving revenue from data sales
  • Unique Features: Focuses on consumer rights to correction and deletion, and prohibits discrimination for exercising privacy rights

Maryland

  • Scope: One of the most comprehensive laws enacted in 2024, focusing on data minimization and protections for sensitive data categories
  • Unique Features: MODPA is much stricter on sensitive data processing. For example, the sale of any sensitive data is prohibited, regardless of consent. Furthermore, even for service or product provision, controllers may not collect, process, or share sensitive data unless it is strictly necessary.

Minnesota

  • Effective Date: July 31, 2025
  • Scope: Covers entities processing data of 100,000 consumers, or 25,000 consumers deriving over 25% of revenue from data sales
  • Unique Features: Strong opt-out rights and mandatory privacy impact assessments


Montana

  • Effective Date: October 1, 2024
  • Scope: Protects individuals acting in private household context. Imposes obligations on controllers and processors
  • Unique Features: For data to be deidentified, MCDPA explicitly states that the data cannot be reasonably linked to a device linked to the individual.

Oregon

  • Effective Date: July 1, 2024
  • Scope: Protects individuals acting in private household context. Imposes obligations on controllers and processors
  • Unique Features: Similarly to CCPA, OCPA includes household data in personal data definition. It was amended in June 2025 addressing the sale of personal data. Obligation to honour opt-out requests is applicable from January 2026

Tennessee

  • Effective Date: July 1, 2025
  • Scope: Applies to businesses processing data of 175,000 consumers, or 25,000 consumers with over 50% of revenue from data sales
  • Unique Features: Provides an affirmative defense for businesses following the NIST Privacy Framework

Utah

  • Effective Date: December 31, 2023
  • Scope: Protects individuals acting in private household context. Imposes obligations on controllers and processors
  • Unique Features: Consumer rights are much more limited than under other US State Privacy laws. Several rights such as the right to correct data or the right to object to automated decision making are not included.

Texas

  • Effective Date: July 1, 2024
  • Scope: Protects individuals acting in private household context. Imposes obligations on controllers and processors

Virginia

  • Effective Date: January 1, 2023
  • Scope: Protects individuals acting in private household context. Imposes obligations on controllers and processors

Florida

  • Effective Date: July 1, 2024
  • Scope: FDBR is somewhat special compared to other US data protection and privacy laws. It focuses more on the protection of personal data of children and issues of social media. The main targets of the law are big tech companies

3. Actionable insight: tips to keep your business compliant

  • Privacy compliance is a journey: Regularly assess your compliance status and stay updated on federal laws and state privacy laws.
  • Transparency is key: Honor opt-outs and ensure consumers know how their personal information is processed.
  • Train your team: Equip your staff with knowledge about data protection trends and privacy laws.

4. How can Veriff help?

Veriff assists customers in navigating the complex terrain of regulatory and compliance obligations with cutting-edge identity verification technology. In industries where knowing your customer (KYC) and anti-money laundering (AML) regulations are stringent, Veriff’s solutions streamline the verification process, ensuring that businesses can remain compliant with local and international laws. By employing advanced AI and machine learning algorithms, Veriff automatically verifies the authenticity of documents and the identity of users, reducing the risk of fraud. This not only fortifies trust and safety online but also significantly diminishes the legal and financial repercussions associated with non-compliance.

Veriff’s Services are flexible to align with various privacy laws (including the US State Privacy Laws) to assist the customer with any data protection related matters.

Please note that Veriff does not provide legal advice. This article is provided for informational purposes only. You should always discuss your privacy and data protection operations or issues with qualified legal counsel or privacy specialists.
