
Your Data Privacy Rights: A State-by-State Guide

An overview of data privacy laws in the United States, including CCPA, state-specific regulations, GDPR basics for U.S. residents, and practical steps to control your digital footprint.

Sarah Mitchell

Senior Data Analyst & Editor · Published February 3, 2025

If you're waiting for a single, neat federal privacy law to protect all your personal data, don't hold your breath. The U.S. doesn't have one. Instead, we've got a messy patchwork of federal and state regulations that change depending on where you live, what kind of data is involved, and who's collecting it.

Confusing? Absolutely. But worth understanding, because your rights might be a lot stronger than you think -- or a lot weaker, depending on your state.

The Federal Landscape

There's no general federal data privacy law. What we have instead is a bunch of sector-specific protections:

  • HIPAA covers medical records and health info held by healthcare providers and insurers.
  • FERPA protects student education records at schools receiving federal funding.
  • GLBA requires financial institutions to explain how they share your data and to safeguard sensitive information.
  • COPPA restricts collecting personal data from kids under 13 online.
  • FCRA regulates how consumer reporting agencies collect, use, and share credit and background check data.

If your data doesn't fit into one of those buckets, federal law largely shrugs. That's where state laws pick up the slack (in some states, at least).

State Privacy Laws: Who Has What

California (CCPA / CPRA)

California got there first, and their law is still the strongest. If you're a California resident, you can find out what personal info businesses have on you, demand they delete it, opt out of having your data sold or shared, and correct anything that's wrong. Businesses have to comply even if they're headquartered in another state -- all that matters is that they're collecting data from Californians. The California Privacy Protection Agency enforces this with fines up to $7,500 per intentional violation.

In my experience covering this space, CCPA is the law that actually moved the needle. A lot of companies just decided to give everyone CCPA-level rights rather than build separate systems for Californians. So even if you're in Ohio, you may be benefiting from California's law without knowing it.

Virginia (VCDPA)

Virginia's Consumer Data Protection Act has been in effect since January 2023. It gives you the right to access, correct, delete, and get a portable copy of your data. You can also opt out of targeted advertising, data sales, and profiling. Only the state AG can enforce it, though -- there's no private right of action, which limits its bite compared to California.

Colorado (CPA)

Colorado's law (effective July 2023) looks similar to Virginia's but adds a nice feature: universal opt-out support. You can flip on the Global Privacy Control in your browser, and Colorado businesses are legally required to honor it. That's a meaningful difference from states where opting out means filling out a separate form for every single company.

Connecticut (CTDPA)

Connecticut's version (also July 2023) closely mirrors Virginia and Colorado. It requires data protection assessments for high-risk processing and recognizes universal opt-out signals. Not groundbreaking, but solid.

Utah (UCPA)

Utah's law (effective December 2023) is the most business-friendly of the bunch. You get access and deletion rights, but the opt-out provisions are narrower. If you're a Utah resident, you've got protections, but they're thinner than what Californians or Coloradans enjoy.

Other States With Privacy Laws

The list keeps growing. As of early 2025, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, Minnesota, Maryland, and Rhode Island have all passed privacy legislation at various stages of rollout. Each one has its own thresholds, scope, and enforcement approach.

Even states without a comprehensive privacy law probably have data breach notification requirements (all 50 states do now), and some have targeted statutes covering biometrics (Illinois' BIPA is the famous one), insurance, or telecom data.

What Rights Do You Actually Have?

If you're in a state with a comprehensive law, your core rights typically boil down to:

  • Right to know: Ask a business what data they've collected on you, where it came from, why, and who they've shared it with.
  • Right to delete: Tell a business to erase your data (with some exceptions, like data needed to complete a transaction).
  • Right to opt out: Stop businesses from selling your data or using it for targeted ads.
  • Right to correct: Fix inaccurate data a business holds on you.
  • Right to portability: Get a copy of your data in a machine-readable format so you can take it elsewhere.
  • Right to non-discrimination: Companies can't punish you for exercising these rights -- no higher prices, no worse service.

GDPR and U.S. Residents

Short answer: GDPR doesn't apply to you directly if you're living in the U.S. and dealing with U.S. companies.

Longer answer: it affects you in two scenarios. First, some companies that operate in the EU just apply GDPR-level protections globally because maintaining two separate data systems is a headache. Second, if you're an American living in the EU or an EU citizen in the U.S., GDPR may apply to data processed in connection with your activities over there.

But GDPR's real impact on Americans is indirect. A lot of the rights showing up in state laws -- access, deletion, correction, portability -- were inspired by GDPR. The concept of "privacy by design" came from there too, and it's increasingly showing up in U.S. regulatory expectations.

Practical Steps to Control Your Digital Footprint

No matter which state you're in, there are concrete things you can do right now:

Opt out of people search sites. Data aggregators and people search services (including OpenDataUSA) compile public records into searchable profiles. Most reputable ones offer an opt-out process to get your information removed. You'll need to hit each service individually since they operate independently. Tedious? Yes. Worth it? Also yes.

Enable Global Privacy Control. If you use Firefox, Brave, or DuckDuckGo's browser, turn on GPC. It automatically tells every website you visit that you want to opt out of data selling and sharing. Under California, Colorado, and Connecticut law, businesses must honor this signal. It takes about thirty seconds to set up.

Review your app permissions. Your phone apps are probably requesting access to things they don't need -- contacts, location, photos. Go into your settings and revoke anything that doesn't make sense. Does that flashlight app really need your contact list? No.

Freeze your credit. A security freeze with Equifax, Experian, and TransUnion prevents anyone from opening new credit accounts in your name. It's free, it's easy, and you can temporarily lift it whenever you need to apply for credit. Frankly, there's almost no reason not to do this.

Search for yourself. Run your own name through OpenDataUSA and through Google. See what's out there. It's the only way to know your actual exposure, and it'll show you which sources to go after if you want to clean things up.

Lock down social media. Review your privacy settings on every platform. Think about whether your posts, friends lists, and profile details really need to be public. Anything you share on social media can be scraped and aggregated just like a public record.

What About Public Records?

Here's the catch. Public records -- property deeds, voter registrations, court filings -- are generally exempt from state privacy laws. Those records are public by law, and the government agencies holding them usually aren't subject to the same opt-out rules as private companies.

But (and this is an important "but") the aggregators and people search services that compile public records into easy-to-search databases often are covered by state privacy laws. That's why they offer opt-out mechanisms even when the underlying data is public. You can't erase the record from the county clerk's office, but you can get it removed from the search engine that was making it easy to find.

Privacy isn't all-or-nothing. Even small steps -- opting out of a handful of data brokers, turning on GPC, freezing your credit -- make a real difference. Start with whatever's easiest and build from there.

Want to know more about what public data might show up in a search? Check out our guide to understanding public records, or visit our privacy policy to see how OpenDataUSA handles your information.


Sarah Mitchell covers public records policy, data privacy, and government transparency. She has spent over a decade working with public data systems and holds a degree in Information Science from the University of Maryland.
