There is no US federal omnibus privacy law. Instead, 20+ states have passed comprehensive privacy laws — most modeled loosely on Virginia, with a half-dozen meaningful divergences. Internationally, GDPR is no longer the lone giant: India, China, Brazil, Saudi Arabia, and a dozen others have stood up regimes with real teeth. We help organizations stop reacting law-by-law and start operating against a coherent, defensible privacy doctrine.
A snapshot of the comprehensive consumer-privacy laws now in effect or scheduled. Most share the same shape — notice, consumer rights, opt-out for sale / targeted advertising / profiling, sensitive-data consent, data minimization, contracts with processors. The teeth are in the divergences.
| State | Law | Effective | What sets it apart |
|---|---|---|---|
| California | CCPA / CPRA | 2020 / 2023 | Private right of action for breach. CPPA enforcement. "Sensitive PI" and limit-use rights. Strictest of the bunch. |
| Virginia | VCDPA | 2023 | The template most states copy. Opt-in for sensitive data, DPIAs for high-risk processing. |
| Colorado | CPA | 2023 | Universal opt-out (Global Privacy Control) is mandatory. AG rulemaking is active and detailed. |
| Connecticut | CTDPA | 2023 | Heightened protections for minors; recognized opt-out signals required. |
| Utah | UCPA | 2023 | The lightest-touch of the early wave; opt-out only, no DPIA mandate. |
| Iowa | ICDPA | 2025 | Closer to Utah than Virginia. No profiling opt-out, no DPIA requirement. |
| Indiana | INCDPA | 2026 | Effectively a Virginia clone with a generous compliance runway. |
| Tennessee | TIPA | 2025 | Notable: an affirmative defense for organizations with a written program aligned to NIST Privacy Framework. |
| Texas | TDPSA | 2024 | Applies to anyone processing Texan data — no revenue threshold for non-SMBs. Sensitive data opt-in. |
| Oregon | OCPA | 2024 | Right to know list of specific third parties the data was shared with — unusual and operationally heavy. |
| Montana | MTCDPA | 2024 | Lower applicability thresholds; opt-out of sale, targeted ads, and profiling. |
| Delaware | DPDPA | 2025 | Among the lowest applicability thresholds in the country. Heightened minor protections. |
| New Jersey | NJDPA | 2025 | Universal opt-out signals, sensitive-data consent, AG rulemaking authority. |
| New Hampshire | NHDPA | 2025 | Standard Virginia model with formal AG rulemaking. |
| Kentucky | KCDPA | 2026 | Virginia model; modest applicability thresholds. |
| Maryland | MODPA | 2025 | The strictest non-California regime. True data minimization (banning sale of sensitive data), strong protections for kids, and heightened limits on targeted advertising. |
| Minnesota | MCDPA | 2025 | Right to question profiling decisions and learn the reasoning. Real "right to explanation." |
| Rhode Island | RIDTPPA | 2026 | Disclosure obligations for third parties to whom data is sold or shared. |
| Nebraska | NDPA | 2025 | Texas-style applicability — anyone processing Nebraskan data, with SMB carve-outs. |
| Florida | FDBR | 2024 | Narrow applicability ($1B+ revenue); aggressive on sale of sensitive data and minor protections. |
Effective dates and details continue to shift; treat this as a planning aid, not legal advice. We work alongside privacy counsel — not in place of it.
HIPAA / HITECH
Protected Health Information for covered entities and business associates. Still the floor for healthcare data — and increasingly tested by AI vendors that touch PHI.
Functionally a national-impact law. Covers consumer health data (well beyond HIPAA scope) and carries a private right of action. Operates as a de facto federal floor for health data.
Financial-services privacy and security; the 2023 Safeguards amendments require formal written program elements that look a lot like SOC 2.
Federal COPPA still governs children under 13. California, Maryland, and others now layer Age-Appropriate Design Codes on top — meaningful obligations for any consumer product with minors as users.
Consumer-reporting and background-check obligations. Increasingly relevant to AI-driven hiring and lending decisions.
Illinois BIPA continues to drive class-action exposure. Texas, Washington, and more states now have biometric-specific provisions — a critical input for any face/voice/behavioral product.
If you sell, hire, host, or even just market across borders, you operate under multiple regimes simultaneously. We help map data flows, choose transfer mechanisms, and design DPIAs / TIAs that survive scrutiny in any of these jurisdictions.
Still the gravity well. Lawful basis discipline, DPIAs, breach notification, DPOs. Schrems-driven scrutiny on cross-border transfers continues; SCCs + TIA + technical safeguards are the modern playbook.
Substantively similar to EU GDPR but evolving on its own track post-Brexit. UK adequacy with the EU and the Data (Use and Access) reform mean operating in both jurisdictions is a moving target.
Revised Federal Act on Data Protection — closer to GDPR than the predecessor, with criminal penalties for individuals (not just companies).
GDPR-shaped law with a strong national authority (ANPD). Active enforcement on consent quality, lawful basis, and the role of the DPO ("Encarregado").
Federal PIPEDA underlies most provinces; Quebec's Law 25 phased in over 2022–2024 and is now substantively closer to GDPR. Bill C-27's CPPA reform remains in flux.
Latin America's regimes range from mature (Argentina) to actively reforming (Chile's modernization, Colombia's expanded SIC enforcement). Expect modest convergence toward GDPR-shaped models.
India's first comprehensive privacy statute. Notable for opt-in consent as the dominant lawful basis, an emerging Data Protection Board, and steep penalties. Implementation rules are arriving in waves.
The "trinity" — Personal Information Protection Law, Data Security Law, Cybersecurity Law. Cross-border transfer mechanisms (CAC security assessment, SCCs, certification) are the operational pain point.
Mature regime, regular amendments, strong cross-border transfer rules. APPI was one of the first non-EU adequacy decisions and remains an important node.
Among the strictest in Asia; PIPC is an active enforcer. Cross-border transfers and dark-pattern enforcement are recent emphases.
PDPC continues to evolve guidance — meaningful breach-notification obligations and a Do-Not-Call regime that catches many global B2C operators by surprise.
The largest reform since 1988 is mid-rollout: tightened consent, fairness/reasonableness, expanded penalties, and a children's privacy code on the way.
Now actively enforced after grace periods. Strong on data localization for certain processing and cross-border transfer approvals.
Federal regime plus financial-free-zone regimes (DIFC DPL, ADGM). Different scopes, different regulators — picking the right entity matters.
Recently amended; database registration, DPO obligations for certain operators, and an active regulator (PPA).
The continent's flagship law. Active Information Regulator with a track record of enforcement and meaningful breach-notification obligations.
Replaced the older NDPR. Mandatory DPO registration for certain processors, audit filings, and a fast-evolving compliance ecosystem.
Trying to operate to twenty subtly different state laws is a losing game. We help clients identify the controlling regime by data type and business line, build to that bar, and document the rest as exceptions — so when the next state passes a law, the answer is "we already do that."
The same principle applies internationally: GDPR, plus localized obligations for sensitive jurisdictions (China, Russia, Saudi Arabia), plus a defensible cross-border transfer story.