🛡️ Legal/Consumer Rights: Data Privacy Laws in the US: A Consumer's Guide to State-Level Rights (e.g., CCPA and other emerging laws)

The US lacks a unified federal data privacy law, relying instead on a growing patchwork of state-level protections like the CCPA/CPRA, CDPA, and CPA. This consumer guide details the core rights granted by these laws—including the right to know, delete, correct, and opt out—and explains how individuals can exercise control over their personal data.

 

Introduction: The US Patchwork of Privacy

The United States does not have a comprehensive federal data privacy law equivalent to Europe's GDPR. Instead, consumer rights are governed by a rapidly expanding patchwork of state-level laws, led by California.

These laws are designed to protect residents of the enacting state, giving them significant control and transparency over how companies (which are often data brokers, large retailers, or tech companies) collect, use, and share their personal information.

 

I. Core Consumer Rights Across State Laws

While each state law has unique thresholds and enforcement methods, they all grant consumers a fundamental set of rights.

 

Consumer Right | Explanation | Key Laws Granting This Right
Right to Know | The right to request a business disclose the categories and specific pieces of personal information collected about you, the sources of that data, and the purpose for its use. | CCPA/CPRA, CDPA, CPA
Right to Delete | The right to request a business delete any personal information collected from you (with some exceptions, such as completing a transaction). | CCPA/CPRA, CDPA, CPA
Right to Correct | The right to request a business correct inaccurate or outdated personal information it holds about you. | CCPA/CPRA, CDPA, CPA
Right to Opt-Out | The right to tell a business to stop processing your personal data for specific purposes. This is the most critical right for consumers. | CCPA/CPRA, CDPA, CPA
Right to Limit Use | The right to limit a business's use of Sensitive Personal Information (SPI) to only what is necessary to provide the requested service. | CCPA/CPRA (New SPI rules), CDPA, CPA

 

II. Key State Laws in Effect

 

1. California Consumer Privacy Act (CCPA), Amended by CPRA

The CCPA (as updated by the CPRA) is the gold standard for US consumer privacy, known for its strict obligations.

  • Who is Covered: California Residents.

  • Opt-Out Provision: Consumers have the right to opt out of both the sale and the sharing of personal information (sharing primarily covers cross-context behavioral advertising).

  • Exercise Your Right: Look for the mandatory "Do Not Sell or Share My Personal Information" link on the company's homepage. Businesses must also honor universal opt-out signals, such as the Global Privacy Control (GPC) web browser signal.

  • Sensitive Personal Information (SPI): The CPRA created a special category for SPI (e.g., precise geolocation, genetic data, health data, racial/ethnic origin) and allows consumers to limit its use.

 

2. Virginia Consumer Data Protection Act (CDPA)

Virginia's law was the second comprehensive state law enacted.

  • Who is Covered: Virginia Residents.

  • Key Opt-Outs: The CDPA grants the right to opt out of processing data for the purposes of:

    • Targeted advertising.

    • The sale of personal data.

    • Certain types of profiling that have a legal or similarly significant effect on the consumer.

  • Enforcement Note: Unlike the CCPA, the CDPA does not provide a "private right of action," meaning individual consumers cannot sue the company; only the State Attorney General can bring enforcement actions.

 

3. Colorado Privacy Act (CPA)

Colorado's law is similar to the CDPA but has some unique requirements.

  • Who is Covered: Colorado Residents.

  • Key Requirement: The CPA is distinct in requiring controllers to make available a universal opt-out mechanism that lets consumers easily opt out of targeted advertising and sales.

  • Sensitive Data: The CPA strictly requires businesses to obtain affirmative consent before processing a consumer's sensitive data.

 

III. How Consumers Can Act on Their Rights

Exercising your rights under these laws is essential for data protection.

  1. Look for the Links: On any company website, scroll to the footer or the main privacy policy page and look for the following links:

    • "Do Not Sell or Share My Personal Information"

    • "Consumer Privacy Rights Request"

  2. Use Universal Opt-Outs: Install a browser extension or configure your browser settings to transmit the Global Privacy Control (GPC) signal. Covered businesses are legally required to recognize this signal as a valid opt-out request.

  3. Submit Verifiable Requests: Use the provided toll-free number or online form to submit formal requests (Right to Know, Delete, or Correct). Businesses must respond to these requests within 45 days (with a possible extension).

  4. Know Your Residency: Your rights are determined by your state of residence, not the state where the business is headquartered. If you are a resident of California, Virginia, or Colorado, those state laws protect your data even when you interact with a company in New York.

     

Frequently Asked Questions (FAQs)

1. What is "Sensitive Personal Information" (SPI)?

SPI generally includes a specific subset of personal data that, if exposed, could lead to significant harm. Examples across various state laws include: Social Security numbers, precise geolocation data, genetic or biometric data, financial account access details, racial or ethnic origin, and health diagnoses.

 

2. If a company receives a Right to Delete request, do they have to delete all my data?

Not always. Businesses have exceptions. They are typically allowed to keep data necessary to: complete a transaction you started, perform a legal or regulatory obligation (like IRS tax records), or detect security incidents.

3. Is the Federal Government working on a national privacy law?

Discussions for a unified federal law, such as the American Data Privacy and Protection Act (ADPPA), continue but have not yet been successful. Until a federal law is passed, the state laws will remain the primary regulators of consumer data privacy in the US.

4. What other states have laws coming into effect soon?

Beyond the major players (CA, VA, CO, CT, UT), a large number of states, including Florida, Texas, Oregon, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, and Tennessee, have passed comprehensive privacy laws that are either recently effective or will become effective soon.