The Privacy Patchwork: What Your State's Data Laws Actually Protect — and Where the Gaps Leave You Exposed
The Privacy Patchwork: What Your State's Data Laws Actually Protect — and Where the Gaps Leave You Exposed
If you live in California, you can demand that a company delete every piece of personal data it holds on you, opt out of having your information sold to third parties, and sue the company directly if it mishandles your sensitive records. If you live in Alabama, you enjoy almost none of those rights. The company collecting your data operates under essentially the same rules it did a decade ago.
This is the reality of data privacy in the United States in 2024: a fragmented, state-by-state system in which your legal protections depend not on what you do online, but on which side of a state border your home address sits. For most Americans, this system is nearly invisible — until something goes wrong.
HydraWatch has mapped the current landscape of state-level consumer data privacy legislation to give you a clear picture of where things stand, which states are leading, which are lagging, and what you can do right now to exercise whatever rights apply to you.
The Leaders: States With Comprehensive Privacy Laws
A small but growing cluster of states has enacted what legal scholars describe as "comprehensive" consumer data privacy legislation — laws that apply broadly across industries and grant consumers meaningful control over their personal information.
California remains the national benchmark. The California Consumer Privacy Act (CCPA), which took effect in 2020 and was subsequently strengthened by the California Privacy Rights Act (CPRA) in 2023, gives California residents the right to know what personal data businesses collect, the right to delete it, the right to correct inaccurate records, the right to opt out of its sale or sharing, and the right to limit the use of sensitive personal information — including precise geolocation, health data, and financial records. The CPRA also established the California Privacy Protection Agency, the first dedicated state-level data privacy enforcement body in the country.
Virginia's Consumer Data Protection Act (CDPA), effective since January 2023, mirrors many of California's provisions: access rights, deletion rights, opt-out rights for targeted advertising and data sales, and a right to appeal a company's decision to deny a consumer request. Virginia's law notably covers a broader range of businesses by applying lower revenue and data-volume thresholds.
Colorado, Connecticut, and Texas have all enacted similar comprehensive frameworks. Texas's Data Privacy and Security Act, which took effect in July 2024, is particularly notable for applying to businesses of virtually any size that process the data of Texas residents — a departure from the revenue-based exemptions that limit the reach of other state laws.
Oregon and Montana joined the list in 2024 as well, extending comprehensive protections to residents of the Pacific Northwest and Mountain West for the first time.
The Middle Ground: Sector-Specific and Partial Protections
Many states have enacted laws that protect data in specific contexts without providing comprehensive consumer rights across the board.
Most states, for example, have breach notification laws that require companies to inform residents when their personal information has been compromised. These laws vary in their definitions of "personal information," their timelines for notification, and the penalties they impose for non-compliance — but they represent at least a baseline of accountability.
Several states have also enacted laws targeting specific categories of sensitive data. Washington State's My Health MY Data Act, which took effect in 2024, imposes strict requirements on any entity that collects health-related information from Washington residents — going beyond what federal HIPAA rules cover by extending to consumer health data held by non-healthcare companies, including fitness apps and period-tracking services.
Illinois has long maintained the Biometric Information Privacy Act (BIPA), which restricts how companies can collect and use biometric identifiers like fingerprints and facial recognition data. BIPA has generated some of the largest privacy-related class action settlements in US history, including a $650 million settlement against Facebook and a $92 million settlement against TikTok.
The Gaps: Where Consumer Protections Remain Weakest
For residents of states without comprehensive privacy legislation — which, as of mid-2024, includes the majority of US states — the practical reality is that most private companies can collect, retain, share, and sell your personal data with very few legal restrictions beyond federal baseline rules.
Federal law in the United States takes a sectoral approach to privacy, meaning that specific laws protect specific categories of data — HIPAA covers medical records, FERPA covers student records, COPPA covers data collected from children under 13 — but no single federal law gives Americans a general right to access, delete, or opt out of the collection of their personal information.
States like Alabama, Wyoming, South Carolina, and Mississippi currently have no comprehensive consumer privacy legislation on the books. Residents of these states depend almost entirely on federal sectoral laws and whatever voluntary privacy policies individual companies choose to publish.
What You Can Do Right Now
Regardless of where you live, there are practical steps you can take to exercise the rights you do hold and reduce your exposure where legal protections fall short.
If you live in a state with a comprehensive privacy law:
- Submit data access requests to companies you suspect hold significant information about you. Most covered businesses are required to respond within 45 days.
- Opt out of the sale of your personal data. Many companies offer a "Do Not Sell or Share My Personal Information" link, often buried in the footer of their websites. Use it.
- Request deletion of your data from companies you no longer do business with. Be aware that certain exemptions apply — companies may retain data needed for legal compliance or to complete a transaction.
- File a complaint with your state's attorney general or dedicated privacy agency if a company fails to honor your request.
If you live in a state without comprehensive protections:
- Use the Global Privacy Control (GPC) browser signal, a technical standard that automatically communicates opt-out preferences to websites that recognize it. California and Colorado law require covered businesses to honor GPC signals, and many companies apply the preference nationally.
- Limit the permissions you grant to mobile apps. Revoke access to location, contacts, and microphone for any app that does not genuinely require them.
- Regularly review the privacy dashboards offered by major platforms — Google, Meta, Apple, and Microsoft all provide centralized tools for reviewing and deleting data associated with your accounts.
- Consider using a reputable data broker opt-out service, or manually submit removal requests to the largest data brokers, including Acxiom, LexisNexis, and Spokeo, which maintain opt-out processes regardless of state law.
The Road Ahead
Momentum toward a federal privacy standard has been building for years, with the American Privacy Rights Act (APRA) advancing further through Congress in 2024 than any previous proposal. Whether it ultimately becomes law — and what form it takes — remains uncertain. What is clear is that the current patchwork creates compliance burdens for businesses and confusion for consumers in roughly equal measure.
Until a national standard emerges, your privacy rights in America are, in a very real sense, a function of your zip code. Knowing what protections you hold — and actively using them — is the most direct line of defense available to you right now.