Welcome to Reed Smith's viewpoints — timely commentary from our lawyers on topics relevant to your business and wider industry. Browse to see the latest news and subscribe to receive updates on topics that matter to you, directly to your mailbox.

Five years later: GDPR and the U.S. state privacy law boom

It’s hard to believe that half a decade has gone by since the General Data Protection Regulation (“GDPR”) first came into effect on May 25, 2018. Since its inception, the GDPR has resulted in billions of dollars in fines against companies for failing to adhere to the regulation’s strict data handling requirements.

As shown in the table below, ten U.S. states have passed privacy laws with some provisions similar to those found in the GDPR. In 2023 alone, five state privacy laws are becoming effective, and five more states passed new privacy laws with future effective dates. This is leading to a patchwork of privacy laws – making it difficult for interstate companies to comply with different states’ laws. No federal privacy law is currently on the horizon, but having one uniform standard that would preempt inconsistent state laws could ease compliance for many businesses.

| State Law | Passed In | Effective Date |
| --- | --- | --- |
| California Consumer Privacy Act | | July 1, 2023 |
| Colorado Privacy Act | | July 1, 2023 |
| Connecticut Data Privacy Act | | July 1, 2023 |
| Indiana Consumer Data Privacy Bill | | January 1, 2026 |
| Iowa Data Privacy Law | | January 1, 2025 |
| Montana Consumer Data Privacy Act | | October 1, 2024 |
| Tennessee Information Protection Act | | July 1, 2025 |
| Texas Data Privacy and Security Act | | March 1, 2024 |
| Utah Consumer Privacy Act | 2022 | December 31, 2023 |
| Virginia Consumer Data Protection Act | 2021 | January 1, 2023 |

