Privacy Laws By State


Jurisdiction Citation Notes Assessment

Table of Data Breach laws by jurisdiction

Alaska Alaska Stat. § 45.48.010 et seq.    
Alabama No law No law on the books


California Cal. Civ. Code §§ 1798.291798.82

“Personal information” is defined to include an individual's first name or first initial and last name in combination with any one or more of the following data elements:

social security number; driver's license number or California identification card number; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; medical information; health insurance information; and information collected through an automated license plate recognition system

Florida Fla. Stat. §§ 501.171, 282.0041, 282.318(2)(i)  Identified as a leader by Electronic Privacy Information Center (EPIC) – link. Leader
Idaho Idaho Stat. §§ 28-51-104 to -107    
Massachusetts Mass. Gen. Laws § 93H-1 et seq. Mandatory info security program with specific requirements. Has unusual provisions affecting contracts. Leader
New Hampshire N.H. Rev. Stat. §§ 359-C:19 et seq. Good Faith exemption. Limited to acts by person in the state. Weak
New Mexico   New law in 2016. Risk of harm threshold; encryption exemption; HIPAA/GLBA exemption  
Oregon Oregon Rev. Stat. §§ 646A.600 to .628   Follower
Tennessee Tenn. Code §§  47-18-2107; 8-4-119 Notification required even if information was encrypted.  
Texas Tex. Bus. & Com. Code §§ 521.002, 521.053 Protects maiden name, biometrics, address or routing code, telecom access device, first initial. Leader
Utah Utah Code §§ 13-44-101 et seq.    
Virginia Va. Code §§ 18.2-186.6, 32.1-127.1:05 Revised 2016 to include tax information. Notification goes only to attorney general and Dept. of Taxation  
Washington Wash. Rev. Code §§ 19.255.010, 42.56.590

Notice is not required if the breach … is not reasonably likely to subject consumers to a risk of harm.

Breach must be disclosed if the information acquired and accessed is not secured, or if the encryption key was acquired.

[IAPP] Exemption from notification if NIST cybersecurity framework is followed