HydraWatch All articles
Account Security & Privacy

The Privacy Patchwork: What Your State's Data Laws Actually Protect — and Where the Gaps Leave You Exposed

HydraWatch
The Privacy Patchwork: What Your State's Data Laws Actually Protect — and Where the Gaps Leave You Exposed

The Privacy Patchwork: What Your State's Data Laws Actually Protect — and Where the Gaps Leave You Exposed

If you live in California, you can demand that a company delete every piece of personal data it holds on you, opt out of having your information sold to third parties, and sue the company directly if it mishandles your sensitive records. If you live in Alabama, you enjoy almost none of those rights. The company collecting your data operates under essentially the same rules it did a decade ago.

This is the reality of data privacy in the United States in 2024: a fragmented, state-by-state system in which your legal protections depend not on what you do online, but on which side of a state border your home address sits. For most Americans, this system is nearly invisible — until something goes wrong.

HydraWatch has mapped the current landscape of state-level consumer data privacy legislation to give you a clear picture of where things stand, which states are leading, which are lagging, and what you can do right now to exercise whatever rights apply to you.

The Leaders: States With Comprehensive Privacy Laws

A small but growing cluster of states has enacted what legal scholars describe as "comprehensive" consumer data privacy legislation — laws that apply broadly across industries and grant consumers meaningful control over their personal information.

California remains the national benchmark. The California Consumer Privacy Act (CCPA), which took effect in 2020 and was subsequently strengthened by the California Privacy Rights Act (CPRA) in 2023, gives California residents the right to know what personal data businesses collect, the right to delete it, the right to correct inaccurate records, the right to opt out of its sale or sharing, and the right to limit the use of sensitive personal information — including precise geolocation, health data, and financial records. The CPRA also established the California Privacy Protection Agency, the first dedicated state-level data privacy enforcement body in the country.

Virginia's Consumer Data Protection Act (CDPA), effective since January 2023, mirrors many of California's provisions: access rights, deletion rights, opt-out rights for targeted advertising and data sales, and a right to appeal a company's decision to deny a consumer request. Virginia's law notably covers a broader range of businesses by applying lower revenue and data-volume thresholds.

Colorado, Connecticut, and Texas have all enacted similar comprehensive frameworks. Texas's Data Privacy and Security Act, which took effect in July 2024, is particularly notable for applying to businesses of virtually any size that process the data of Texas residents — a departure from the revenue-based exemptions that limit the reach of other state laws.

Oregon and Montana joined the list in 2024 as well, extending comprehensive protections to residents of the Pacific Northwest and Mountain West for the first time.

The Middle Ground: Sector-Specific and Partial Protections

Many states have enacted laws that protect data in specific contexts without providing comprehensive consumer rights across the board.

Most states, for example, have breach notification laws that require companies to inform residents when their personal information has been compromised. These laws vary in their definitions of "personal information," their timelines for notification, and the penalties they impose for non-compliance — but they represent at least a baseline of accountability.

Several states have also enacted laws targeting specific categories of sensitive data. Washington State's My Health MY Data Act, which took effect in 2024, imposes strict requirements on any entity that collects health-related information from Washington residents — going beyond what federal HIPAA rules cover by extending to consumer health data held by non-healthcare companies, including fitness apps and period-tracking services.

Illinois has long maintained the Biometric Information Privacy Act (BIPA), which restricts how companies can collect and use biometric identifiers like fingerprints and facial recognition data. BIPA has generated some of the largest privacy-related class action settlements in US history, including a $650 million settlement against Facebook and a $92 million settlement against TikTok.

The Gaps: Where Consumer Protections Remain Weakest

For residents of states without comprehensive privacy legislation — which, as of mid-2024, includes the majority of US states — the practical reality is that most private companies can collect, retain, share, and sell your personal data with very few legal restrictions beyond federal baseline rules.

Federal law in the United States takes a sectoral approach to privacy, meaning that specific laws protect specific categories of data — HIPAA covers medical records, FERPA covers student records, COPPA covers data collected from children under 13 — but no single federal law gives Americans a general right to access, delete, or opt out of the collection of their personal information.

States like Alabama, Wyoming, South Carolina, and Mississippi currently have no comprehensive consumer privacy legislation on the books. Residents of these states depend almost entirely on federal sectoral laws and whatever voluntary privacy policies individual companies choose to publish.

What You Can Do Right Now

Regardless of where you live, there are practical steps you can take to exercise the rights you do hold and reduce your exposure where legal protections fall short.

If you live in a state with a comprehensive privacy law:

If you live in a state without comprehensive protections:

The Road Ahead

Momentum toward a federal privacy standard has been building for years, with the American Privacy Rights Act (APRA) advancing further through Congress in 2024 than any previous proposal. Whether it ultimately becomes law — and what form it takes — remains uncertain. What is clear is that the current patchwork creates compliance burdens for businesses and confusion for consumers in roughly equal measure.

Until a national standard emerges, your privacy rights in America are, in a very real sense, a function of your zip code. Knowing what protections you hold — and actively using them — is the most direct line of defense available to you right now.

All articles

Related Articles

The Open Door You Don't Know About: 7 Router Settings Every American Household Should Fix Right Now

The Open Door You Don't Know About: 7 Router Settings Every American Household Should Fix Right Now

The Vault Problem: When Your Password Manager Gets Hacked and What You Can Do About It

The Vault Problem: When Your Password Manager Gets Hacked and What You Can Do About It

The Unraveling: How Federal Investigators Strip Away Dark Web Anonymity One Mistake at a Time

The Unraveling: How Federal Investigators Strip Away Dark Web Anonymity One Mistake at a Time