The Best & Worst States in America for Online Privacy (2026 Update)
There are no federal online privacy laws in the US, so each state is left to create its own rules. While some have comprehensive protections in place, others allow sites to collect your data, share it, and use it to track what you’re doing online.
In this article, we explore which states currently have the best and worst protection, what the US is doing at the federal and state levels to protect online privacy, and how you can protect your privacy in states with little cybersecurity legislation.
Our Ranking Criteria
Our research team examined various criteria to determine which states have the best and worst consumer protections in place at the moment, and are making the best progress toward improving consumer privacy.
To create our rankings, we asked the following questions and tallied the results for each state:
General Strength of Privacy Laws
- Does the consumer have a right to access, delete, or modify personal data?
- Can consumers opt out of data collection and use?
- Are companies required to disclose data collection, source, and use information?
- Are ISPs required to protect online privacy under current legislation?
General Strength of Data Security Laws
- What methods are used to create and enforce privacy policies?
- How do companies in each state safeguard consumer data?
Presence of Data Broker Laws
- Do laws exist that prevent the sale of certain forms of information?
- Do laws exist to monitor/regulate what type of information is collected?
- What, if any, rights do consumers have in regard to data brokers?
Laws in Place to Protect Children’s Privacy
- Are laws in place to protect children aged 0–9 while using the internet?
- Do parents/minors have the ability to remove data on request?
Strength of Companies’ Data Collection Policies
- Do employees have the right to delete personal data on request?
- Do employees have the right to opt out of third-party sharing?
- Are companies required to disclose what employee data they collect/store?
Laws that Infringe on Digital Privacy
- Has the state implemented any laws that infringe on digital privacy?
- Have state legislators been vocal in their support of further legislation that would harm citizens’ rights to online privacy?
PIA’s Ranking of the Best & Worst States for Digital Privacy

US States with Notable Improvements to Digital Privacy
Other Notable Online Privacy Laws
| Protection | Applies To | Adopted In |
|---|---|---|
| Right to access personal data | Consumer | All signed states* |
| Right to correct personal data | Consumer | All signed states* except IA, UT |
| Right to delete personal data | Consumer | All signed states* |
| Right to opt out of certain processing | Consumer | All signed states* except CA**, IA |
| Right to data portability | Consumer | All signed states* |
| Request that businesses disclose what personal information they collect, the source, and how it’s used | Consumer | CA, UT, NV |
| Right to opt out of sales | Consumer | All signed states* |
| Right to opt in for sensitive data processing | Consumer | All signed states* except CA, IA, UT |
| Require ISPs to keep certain information about subscribers private, unless the subscriber requests otherwise | Consumer | NV, MN |
| Require ISPs to get permission from subscribers before disclosing a subscriber’s surfing habits or sites visited | Consumer | NV, MN |
| Prohibits ISPs from using, disclosing, selling, or permitting access to subscriber personal information except on request of the subscriber | Consumer | ME |
| Prohibit site/online service operators from advertising certain products to minors based on information specific to the minor, or knowingly using, disclosing, or compiling a minor’s information or allowing third parties to do so | Children | DE, CA |
| Permit minors to remove, or request removal, of personal content or information from sites, services, and mobile apps | Children | CA |
| Right to notice and transparency | Consumer | All signed states* |
| Require operators to disclose whether third parties are/may conduct tracking on the operator’s site/service | Consumer | DE, CA |
| Require operators to disclose how a site/service responds to “Do Not Track” signals/similar transmissions | Consumer | CA |
| Prohibit knowingly making false or misleading statements in privacy policies | Consumer | NE, PA |
| Require government sites and state portals to establish privacy policies or procedures or incorporate machine-readable privacy policies | Consumer | AZ, AR, CA, CO, DE, IA, IL, ME, MD, MN, MT, NY, SC, TX, UT, VA |
| Require employers to notify employees prior to monitoring electronic communications or internet access | Employees | CT, DE, NY |
| Require states and public entities to adopt policies in regard to monitoring public employee emails | Employees | CO, TN |
| (A) Prohibit employers from requiring employees to download a mobile app to their personal devices that allows their location to be tracked or personal information to be revealed. (B) Prohibit any form of retribution for refusing or opposing any practice forbidden as stated in part (A). | Employees | HI |
| Require private sector employers to provide written notice immediately on hiring any employee that makes them aware if they are subject to electronic, internet, or phone monitoring | Employees | NY |
| Require the state and any subdivision thereof that operates or maintains electronic mail communications systems to adopt a written policy on monitoring and when/why they conduct monitoring | Employees | CO, TN |
| Require employers to make a statement available that any form of electronic mail may be public record under the Public Record Law, and that makes it subject to public inspection | Employees | CO, TN |
| Protect the personal information of students in grades K–12 | Children | NJ |
* “All signed states” refers to US states with enacted comprehensive consumer privacy laws, as tracked by the International Association of Privacy Professionals (IAPP) in its US State Privacy Legislation Tracker 2025.
** In California, this right applies only to sensitive personal information under the CCPA.
Other Notable Online Privacy Laws
| Summation | Adopted In |
|---|---|
| Have biometric data protection legislation in place | NY, IL, CA, TX, WA, CO |
| Apply data disposal laws to government and business entities | AL, AK, HI, IL, MA, AZ, AR, KS, MD, MA, MI, NJ, OR, SC, WA |
| Apply data disposal laws to government entities only | VA, MN, TX |
| Apply data disposal laws to business entities only | CA, CO, CT, DE, FL, GA, IN, KY, LA, MT, NE, TN, VT, NV, NM, NY, NC, RI, UT, WI |
| Require consent from both parties when recording calls of any kind | CA, CT, FL, IL, MD, MA, MT, NH, PA, WA |
| Have laws/legislation surrounding the use of artificial intelligence (AI) | All US states except AK, OH, WY, and the District of Columbia |

State Laws on AI
Unlike the European Union, which has a single framework for AI, the US has no national law governing how AI collects or uses data. Instead, regulation is happening at the state level, much like privacy laws, leaving consumers and companies with an uneven set of protections depending on where they are.
While many states have focused their AI laws on issues like deepfakes or digital likeness rights, states such as California, Colorado, Utah, and Maryland have taken a more in-depth approach. Their laws address transparency, accountability, and limits on automated decision-making in sensitive areas such as hiring, lending, and healthcare.
States with Cybersecurity Task Forces
As a response to the increase in cybercrime, some states have developed special task forces to deal with cyber threats. Currently, 30 states have a task force or similar enforcement group in place. Only 8 states took the initiative to create legislation and develop their task forces on their own; the rest were issued by executive order.
US States with Specialized Cybercrime Task Forces: Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Idaho, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Minnesota, Mississippi, Missouri, Montana, New Hampshire, New York, North Carolina, North Dakota, Oregon, Rhode Island, Texas, Utah, Vermont, and Virginia.
At the federal level, agencies like the FBI’s National Cyber Investigative Joint Task Force and the US Secret Service Cyber Fraud Task Forces coordinate national cybersecurity efforts and assist state-level task forces with investigations and enforcement.
Federal Digital Privacy and Security Laws
Currently, federal (nationwide) laws on digital privacy and security are well-meaning but ambiguous. Each tends to isolate one sector, issue, age group, or industry instead of providing a stable solution for all consumers and companies. I’ll show you what I mean. Here are a few of the major federal online privacy laws:
HIPAA’s Security Rule
The Health Insurance Portability and Accountability Act (HIPAA) created a national standard for the privacy and security of protected health information (PHI) that applies to any entity storing or transmitting health information, including health care providers, schools, and health care clearinghouses.
While HIPAA’s Privacy Rule applies to all forms of PHI (electronic, oral, and written), its Security Rule applies only to electronic PHI (e-PHI). The Security Rule mandates technical, physical, and administrative safeguards to ensure the confidentiality and integrity of e-PHI.
Federal Trade Commission (FTC) Fair Information Practices
The FTC has enacted several fair information practices to protect your online privacy. Most relate to sites being transparent about what information they request, how it’s used, and why they require the information. Site operators must provide a notice of the site’s privacy practices, including if:
- Consumers can access, correct, and delete personal information
- Consumers have a say in how the site uses the information it collects
- Parents have control over the collection and use of information gathered from children
- The site safeguards any collected information, and how
Sites must also have enforcement mechanisms to prove they’re following fair information practices.
Con: While sites must let you know if you have a say in how they use the information collected, FTC practices don’t prevent sites from sharing or selling your data to third parties. The site only needs to tell you if it does, if you have any control over it, and if it has security in place for collected information.
Electronic Communication Protections Act (ECPA)
Adopted in 1986, the ECPA originally protected telephone communications. The amended ECPA now protects electronic communications during creation, transit, and storage. It defines electronic communications as email, telephone calls, and electronically stored data.
The ECPA also contains an amendment called the Stored Communications Act (SCA), which protects all subscriber records kept by service providers, including names, billing information/records, and IP addresses.
Con: The ECPA is outdated, leaving gaps in protections for modern technologies like the internet, big data, and social media.
Federal Consumer Privacy Laws
Despite repeated attempts in Congress, the US still lacks a comprehensive federal consumer privacy law, resorting instead to a patchwork of state laws and narrow sector-specific rules like HIPAA.
Recent federal action has focused on narrowly defined issues, including:
- The Protecting Americans’ Data from Foreign Adversaries Act (2024), which bars data brokers from sending sensitive US personal data to China, Russia, Iran, or North Korea.
- The Foreign Adversary-Controlled Apps Law (2024), which requires divestiture or bans of apps controlled by foreign adversaries, such as TikTok.
- The TAKE IT DOWN Act (2025), which criminalizes nonconsensual intimate images, including AI deepfakes, and requires removal within 48 hours.
Con: Federal action remains stalled, leaving US privacy protection fragmented across state laws.
FD&C Act, Section 524B
The FD&C Act was amended in 2023 to include Section 524B, Ensuring Cybersecurity of Devices. Manufacturers (sponsors) developing medical devices must submit plans for addressing, identifying, and monitoring potential cybersecurity threats along with their development plans.
It was amended after increasing concern from the federal government over the massive amounts of PII and ePHI transmitted by cyber medical devices (CMDs). The law requires manufacturers to make updates and patches available to cyber devices, as well as all related software and connected systems, to better prevent cyberattacks.
This includes addressing (a) unacceptable vulnerabilities in a timely manner or justified regular cycle, and (b) critical vulnerabilities that pose unnecessary risks as soon as possible.
Con: It doesn’t address legacy CMDs as diligently as new technologies.
Children’s Online Privacy Protection Act (COPPA)
Under COPPA, sites are required to verify parental or legal guardian consent if they intend to collect or use a minor’s personal information. Other notable online privacy protections in COPPA include:
- Information on when and how verifiable consent must be acquired from a parent/legal guardian
- The responsibilities, if any, that the site’s operator holds in regard to the online safety and privacy of the child
- Limits on how much data it’s acceptable to collect about children under 13
- Requirements for site operators to post the privacy policy on any page data is collected
Con: COPPA doesn’t provide a definitive set of rules for how verifiable parental/legal guardian consent must be collected, though the FTC does provide some guidelines and suggestions.
Federal vs State Laws
As a general rule, federal laws take precedence over state laws in the US. The Supremacy Clause states that when there’s a conflict, federal law overrides state law. Unfortunately, this isn’t an absolute rule, so loopholes exist at both the federal and state levels.
States have the right to challenge any federal law they can prove goes against the United States Constitution. The same precedent doesn’t apply to federal laws that a state believes go against its own constitution. Individual states also have the right to add or modify requirements.
On the other hand, the federal government can sue states on its own behalf. An example of these loopholes in action is California’s fight to keep its Internet Consumer Protection and Net Neutrality Act in place.
The federal Department of Justice sued to block the state law after it was signed in 2018, arguing that only the federal government could regulate interstate commerce. California ultimately prevailed, and in 2022 the Ninth Circuit Court of Appeals confirmed the state could enforce its law even after the FCC repealed national protections.
In 2025, the Sixth Circuit Court of Appeals blocked the FCC’s attempt to bring back federal rules and left state laws like California’s in place.
Use PIA to Protect Your Digital Privacy in the US
Online privacy laws in the US are evolving, but not nearly fast enough to keep up with the ever-increasing threat of cybercrime. Until stronger protections are in place, individuals are largely responsible for safeguarding their own data.
A VPN like Private Internet Access is a great way to protect your data. We provide military-grade encryption and tough security protocols to protect your data as it travels between your device and our servers. You also get MACE, an all-in-one ad, malware, and tracker blocker that stops threats at the DNS level before they reach your device.
Check out the latest on our 50 Servers in 50 States campaign to see how you can get a secure IP address no matter where you are in the US. You can use these servers to connect to a location without age verification laws or other invasive pieces of legislation. That way, you can protect your digital privacy while the US develops better cybersecurity policies at the state and federal levels.
FAQ
What does data privacy mean?
Data privacy refers to your ability to control how your personal information is collected, stored, shared, and used. While many US states have laws in place to protect people’s online privacy, no national standard exists.
Is data privacy important?
Absolutely. Imagine people were allowed to follow you around tracking your day-to-day activities without you being able to do anything about it. No one would tolerate that in real life, so why accept it in the virtual world?
Unfortunately, restraining orders don’t exist for online trackers, malicious software, or shady data brokers, so defending your right to online privacy and security is crucial. PIA provides the strong security you need to keep your online activity and data private.
What’s the difference between data privacy and security?
Data security focuses on how your data is protected in transit and ensures only authorized parties can access it. Data privacy focuses on the responsible collection, storage, and use of your information, such as your right to delete or modify collected data.
Basically, data security aims to protect your data from external threats while data privacy is focused on protecting your identity.
Are there data privacy laws?
There are data privacy laws at both the federal and state levels in the US, but individual state laws vary greatly from one state to the next. No federal or state law provides a singular set of regulations for data privacy.
Thank you for assembling this. It really is an excellent summary. I am forwarding via my LinkedIn and I am bookmarking for future review. I wonder if you intend to keep it up to date?
Hi Denise! I’m glad that you enjoyed the article; we definitely plan on updating the content as new information becomes available. Thank you for taking the time to comment and for being part of the PIA team.