Comparing U.S. state privacy laws: personal sensitive data definitions and processing

Updated July 1, 2024

California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Montana, Tennessee, Texas, Oregon, Florida, Delaware, New Jersey, New Hampshire, Maryland, Minnesota, Kentucky, Nebraska, and Rhode Island have each enacted their own comprehensive privacy laws. But with each new law, it gets more difficult to keep track of the differences.

From scope, to notice requirements, to respect for universal opt-out mechanisms, your organization may be wondering how to develop your state-by-state or national approach to US privacy.

Sensitive data poses a particular challenge because each law determines its own definitions of what is sensitive, and the additional obligations associated with processing that information.

Plus, some states require explicit opt-in consent before it can be processed, while others only require that consumers are presented with an opportunity to opt-out.

Other states address categories like children’s data or biometric data outside the context of sensitive data entirely.

Washington and Nevada have laws specifically governing health data privacy, but not comprehensive privacy laws.

Access our comparison chart to understand key differences in how sensitive data is being defined in U.S. state laws today.

Keep up with the latest privacy news

Sign up for our privacy newsletter, A Little Privacy, Please.

Presented by Sourcepoint’s Chief Privacy Officer, Julie Rubash.

Never miss a beat and subscribe to our weekly recap of the biggest privacy headlines impacting the digital marketing ecosystem, right in your inbox.