It’s hard to believe that half a decade has gone by since the General Data Protection Regulation (“GDPR”) first came into effect on May 25, 2018. Since its inception, the GDPR has resulted in billions of dollars in fines against companies for failing to adhere to the regulation’s strict data handling requirements.
As shown in the table below, ten U.S. states have passed privacy laws with some provisions similar to those found in the GDPR. In 2023 alone, five state privacy laws are becoming effective, and five more states passed new privacy laws with future effective dates. This is leading to a patchwork of privacy laws – making it difficult for interstate companies to comply with different states’ laws. No federal privacy law is currently on the horizon, but having one uniform standard that would preempt inconsistent state laws could ease compliance for many businesses.
| State Law | Passed In | Effective Date |
|---|---|---|
| California Consumer Privacy Act | 2018 | July 1, 2023 |
| Colorado Privacy Act | 2021 | July 1, 2023 |
| Connecticut Data Privacy Act | 2022 | July 1, 2023 |
| Indiana Consumer Data Privacy Bill | 2023 | January 1, 2026 |
| Iowa Data Privacy Law | 2023 | January 1, 2025 |
| Montana Consumer Data Privacy Act | 2023 | October 1, 2024 |
| Tennessee Information Protection Act | 2023 | July 1, 2025 |
| Texas Data Privacy and Security Act | 2023 | March 1, 2024 |
| Utah Consumer Privacy Act | 2022 | December 31, 2023 |
| Virginia Consumer Data Protection Act | 2021 | January 1, 2023 |