A comprehensive overview of which states have data broker registries, comprehensive privacy laws, or neither.
| State | Status | Notes |
|---|---|---|
| Alabama | β | β |
| Alaska | β | β |
| Arizona | β | β |
| Arkansas | β | β |
| California | β | Registry + CCPA/CPRA; Delete Act "DROP" portal in rulemaking. (California Privacy Protection Agency) |
| Colorado | β οΈ | Colorado Privacy Act. (IAPP) |
| Connecticut | β οΈ | CTDPA. (IAPP) |
| Delaware | β οΈ | DPDP Act. (IAPP) |
| Florida | β | "Digital Bill of Rights" is not counted as comprehensive by IAPP. (IAPP) |
| Georgia | β | β |
| Hawaii | β | β |
| Idaho | β | β |
| Illinois | β | BIPA is sectoral; no comprehensive law. (IAPP) |
| Indiana | β οΈ | IN CDPA. (IAPP) |
| Iowa | β οΈ | ICDPA. (IAPP) |
| Kansas | β | β |
| Kentucky | β οΈ | KCDPA. (IAPP) |
| Louisiana | β | β |
| Maine | β | (No comprehensive law; sectoral laws exist.) (IAPP) |
| Maryland | β οΈ | MODPA. (IAPP) |
| Massachusetts | β | β |
| Michigan | β | β |
| Minnesota | β οΈ | MCDPA. (IAPP) |
| Mississippi | β | β |
| Missouri | β | β |
| Montana | β οΈ | MCDPA. (IAPP) |
| Nebraska | β οΈ | NDPA. (IAPP) |
| Nevada | β | NRS 603A (narrow); not counted as comprehensive. (IAPP) |
| New Hampshire | β οΈ | SB 255. (IAPP) |
| New Jersey | β οΈ | SB 332. (IAPP) |
| New Mexico | β | β |
| New York | β | No comprehensive law; sectoral bills only. (IAPP) |
| North Carolina | β | β |
| North Dakota | β | β |
| Ohio | β | β |
| Oklahoma | β | β |
| Oregon | β | Registry + OCPA. (Oregon Division of Financial Regulation) |
| Pennsylvania | β | β |
| Rhode Island | β οΈ | RTDPA. (IAPP) |
| South Carolina | β | β |
| South Dakota | β | β |
| Tennessee | β οΈ | TIPA. (IAPP) |
| Texas | β | Registry + TDPSA; amended in 2025 to expand disclosures. (Texas Secretary of State) |
| Utah | β οΈ | UCPA. (IAPP) |
| Vermont | β | Registry (first in U.S.); no comprehensive privacy law. (Vermont Legislature) |
| Virginia | β οΈ | VCDPA. (IAPP) |
| Washington | β | My Health My Data Act is sectoral; no comprehensive law. (IAPP) |
| West Virginia | β | β |
| Wisconsin | β | β |
| Wyoming | β | β |
When it comes to protecting Americans' personal data, the federal government has taken only piecemeal action. Unlike the European Union's GDPR, the United States has no single, comprehensive federal law safeguarding consumer privacy. Instead, Washington relies on a sector-by-sector approach that leaves large gaps in protection.
Over the years, Congress has passed narrow laws addressing specific industries:
The Federal Trade Commission (FTC) plays the role of watchdog, stepping in when companies engage in "unfair or deceptive" practices. While the FTC has fined tech giants like Facebook and TikTok, it lacks the clear authority and comprehensive rules that a full privacy law would provide.
Congress has repeatedly debated nationwide privacy bills, most notably the American Data Privacy and Protection Act (ADPPA, 2022 draft), which promised broad protections. But to date, no such law has passed, leaving enforcement to outdated statutes and agency rulemaking.
Without federal leadership, states have stepped in. California (CCPA/CPRA), Colorado, Virginia, Connecticut, and Utah have enacted comprehensive state privacy laws. This state-by-state patchwork is creating uneven protections depending on where you live.
The federal government has acted only in fragments. Americans' digital rights remain vulnerable until Congress passes a modern, unified privacy law.
Current IAPP tracker (updated July 7, 2025) lists: CA, CO, CT, DE, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, UT, VA. (IAPP)
CPPA Delete Act "DROP" mechanism (regulatory page). (California Privacy Protection Agency)
DFR registry portal & notice (HB 2052; effective Jan 1, 2024). (Oregon Division of Financial Regulation)
SOS registry page; 2025 amendments noted by reputable legal trackers. (Texas Secretary of State)
Act 171 (2018) established the first data-broker registry. (Vermont Legislature)
Want this matrix as a CSV for download and a color-coded embed for your site (with filters for "Registry," "Privacy-only," "No law")? Contact us for immediate generation of both formats.