Explore consumer rights and business requirements across enacted US privacy laws and see how our Privacy Automation can help.
Simplify US privacy law compliance
The United States privacy landscape is rapidly evolving, with more than a dozen states now enforcing comprehensive data privacy laws — many of which came into effect in 2025. Each law introduces different obligations around consumer rights, risk assessments, and opt-out mechanisms.
We’re here to simplify your compliance journey across all US jurisdictions and support you in protecting personal data while building trust with your customers.
How OneTrust helps you operationalize US consumer privacy rights
Automate access, correction, deletion, and portability requests
Fulfilling consumer requests all starts with having an appropriate intake method for consumers to make requests to access, correct, delete, or transmit their data. Explore the chart below to see which enacted US privacy laws require these rights.
| Right to access | Right to correct | Right to delete | Right to portability | |
|---|---|---|---|---|
| California: CPRA | X | X | X | X |
| Colorado | X | X | X | X |
| Connecticut | X | X | X | X |
| Delaware | X | X | X | X |
| Florida | X | X | X | X |
| Indiana | X | X | X | X |
| Iowa | X | X | X | |
| Kentucky | X | X | X | X |
| Maryland | X | X | X | X |
| Minnesota | X | X | X | X |
| Montana | X | X | X | X |
| Nebraska | X | X | X | X |
| New Hampshire | X | X | X | X |
| New Jersey | X | X | X | X |
| Oregon | X | X | X | X |
| Rhode Island | X | X | X | X |
| Tennessee | X | X | X | X |
| Texas | X | X | X | X |
| Utah | X | X | X | |
| Virginia | X | X | X | X |
Note: Cells with an 'X' indicate the corresponding law requires that particular right.
Processing personal rights requests can be time consuming for the business. Data Subject Request (DSR) Automation expedites the entire DSAR fulfillment process by:
- Streamlining intake across your different touchpoints
- Automating identity verification
- Automating the redaction and response process
- Automating the data discovery and deletion process
Honor opt-out requests and limit data use automatically
Organizations that utilize the advertising ecosystem will have to pay particular attention to opt-out requests. Explore the chart below to see which enacted US privacy laws specify opt-out, right to use, and disclosure requirements.
| Right to opt-out | Right to limit use and disclosure | |||
|---|---|---|---|---|
| Sale | Profiling | Targeted advertising | Sensitive personal information | |
| California: CPRA | X | X | X | X |
| Colorado | X | X | X | Opt-in required |
| Connecticut | X | X | X | Opt-in required |
| Delaware | X | X | X | Opt-in required |
| Florida | X | X | X | Opt-in required |
| Indiana | X | X | X | Opt-in required |
| Iowa | X | X | ||
| Kentucky | X | X | X | Opt-in required |
| Maryland | X | X | X | Opt-in required |
| Minnesota | X | X | X | Opt-in required |
| Montana | X | X | X | Opt-in required |
| Nebraska | X | X | X | Opt-in required |
| New Hampshire | X | X | X | Opt-in required |
| New Jersey | X | X | X | Opt-in required |
| Rhode Island | X | X | X | Opt-in required |
| Oregon | X | X | X | Opt-in required |
| Tennessee | X | X | X | Opt-in required |
| Texas | X | X | X | Opt-in required |
| Utah | X | X | ||
| Virginia | X | X | X | Opt-in required |
Note: Cells with an 'X' indicate the corresponding law requires that particular right.
Our Consent and Preferences solution operationalizes opt-outs by:
- Automatically identifying third-party trackers
- Delivering a consumer-first preference center where preferences can be changed at any time and applied across all touchpoints
- Enforcing opt-outs and processing limitations based on preferences and opt-out requirements
- Respect user preferences and support Global Privacy Controls (GPC)
Ensure transparency with dynamic policy management
All enacted US privacy laws require notice and transparency be provided to those covered under the law. OneTrust Privacy Operations helps by enabling you to centrally manage policies across digital assets.
- Schedule automatic website and mobile app scans to trigger policy updates
- Use pre-built templates and sync the latest updates across your web and app properties
Streamline risk assessments across states
All enacted US privacy laws (aside from Iowa and Utah) require formal risk assessments of privacy and/or security projects or procedures. OneTrust Privacy Operations integrates with your existing business processes, giving you real-time comprehensive risk discovery and actionable insights for risk mitigation.
In addition to streamlining the assessment process, our Privacy Automation solution also equips you with the tools to improve your privacy program. Privacy awareness training, third-party risk management, and privacy and security incident management are available to unify and optimize your data privacy program activities.
You might also like
FAQs
We’re here to help demystify US data privacy regulations. Explore answers to frequently asked questions below.
More than 17 states have enacted comprehensive privacy laws. Other states have introduced bills for committee evaluation. In addition to comprehensive state-level laws, the US also has privacy laws that govern specific types of data. For example, HIPAA is a federal law that protects sensitive patient health information and COPPA protects children’s online privacy.
Explore the DataGuidance US privacy tracker to learn more about emerging and new laws.
The EU’s General Data Protection Regulation (GDPR) focuses on a person’s right to privacy whereas much of the US legislation focuses on the data security safeguards of consumers and employees. Regardless of whether your business is in the EU or US, or other countries with data privacy laws, if data is processed across borders, relevant privacy and data protection laws apply.
OneTrust Privacy Operations can simplify how you comply with the various requirements of privacy regulations.