May 25, 2023 | 1 minute read

Five years later: GDPR and the U.S. state privacy law boom

Get in touch

David Cohen

Partner

Co-Authors

Mari Miller

E-Discovery Practice Coordinator

Get in touch

David Cohen

Partner

Co-Authors

Mari Miller

E-Discovery Practice Coordinator

It’s hard to believe that half a decade has gone by since the General Data Protection Regulation (“GDPR”) first came into effect on May 25, 2018. Since its inception, the GDPR has resulted in billions of dollars in fines against companies for failing to adhere to the regulation’s strict data handling requirements.

As shown in the table below, ten U.S. states have passed privacy laws with some provisions similar to those found in the GDPR. In 2023 alone, five state privacy laws are becoming effective, and five more states passed new privacy laws with future effective dates. This is leading to a patchwork of privacy laws – making it difficult for interstate companies to comply with different states’ laws. No federal privacy law is currently on the horizon, but having one uniform standard that would preempt inconsistent state laws could ease compliance for many businesses.

State Law	Passed In	Effective Date
California Consumer Privacy Act	2018	July 1, 2023
Colorado Privacy Act	2021	July 1, 2023
Connecticut Data Privacy Act	2022	July 1, 2023
Indiana Consumer Data Privacy Bill	2023	January 1, 2026
Iowa Data Privacy Law	2023	January 1, 2025
Montana Consumer Data Privacy Act	2023	October 1, 2024
Tennessee Information Protection Act	2023	July 1, 2025
Texas Data Privacy and Security Act	2023	March 1, 2024
Utah Consumer Privacy Act	2022	December 31, 2023
Virginia Consumer Data Protection Act	2021	January 1, 2023