ESG Law

Entertainment Sports
and Gaming Law

Privacy Laws in the United States

By Lydia Kautsky · Tue, Sep 17, 2024 5:54 PM

A brief overview of evolving state privacy laws in the United States.

In the age of the internet and digital technology, data is a valuable resource that is constantly being collected from consumers. In the United States, there is currently no federal law governing data protection; instead, individual states are passing laws to protect the data of their residents. These laws aim to grant consumers certain rights and protections in connection with their personal data, and therefore impact the way businesses need to handle consumer data. Gaming and esports businesses often process user data while operating online merchandise shops, fan reward hubs, sweepstakes, and other related operations.

Although the definition of personal information varies from state to state, it is generally defined as information1 linked to or reasonably linkable to an identified or identifiable individual. A brief summary of current data protection laws for personal information in the United States is outlined below. Businesses should contact an attorney for comprehensive information on any of these data protection laws and related legal obligations.

  • California: The California Consumer Privacy Act, as amended by the California Privacy Rights Act, applies to all for-profit entities that conduct business in California that either (i) generated annual gross revenue during the preceding calendar year that exceeded $25 million; (ii) annually buy, sell, or share the personal information of 100,000 or more consumers or households; or (iii) derive 50% or more of annual revenues from selling or sharing consumers' personal information.2 If a business meets any of these thresholds, it must provide consumers with the right to access, delete, correct, and move their personal information,3 as well as the ability to opt-out of the sale or sharing of personal information.4

  • Colorado: The Colorado Privacy Act applies to entities that conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to Colorado residents and that control or process personal data of either (i) 100,000 consumers or more during a calendar year; or (ii) 25,000 or more consumers and earn revenue from the sale of personal data.5 If a business meets this threshold, it must provide consumers with the right to access, delete, correct, and move their personal information,6 and the ability to opt-out of the sale of personal information or targeted advertising based on personal information.7

  • Connecticut: The Connecticut Personal Data Privacy and Online Monitoring Act applies to persons that conduct business in Connecticut or produce products or services targeted to Connecticut residents and, during the preceding calendar year, controlled or processed personal data of either at least (i) 100,000 consumers, excluding personal data processed or controlled solely for completing a payment transaction; or (ii) 25,000 consumers and derived more than 25% of its gross revenue from personal data sales.8 If a business meets this threshold, it must provide consumers with the right to access, delete, correct, and move their personal information,9 and the ability to opt-out of the sale of personal information or targeted advertising based on personal information.10

  • Delaware: The Delaware Personal Data Privacy Act (effective January 1, 2025) applies to persons that conduct business in Delaware or produce or deliver products or services targeted to Delaware residents and that, during the preceding calendar year, controlled or processed personal data of either at least (i) 35,000 consumers, excluding personal data processed solely for a payment transaction; or (ii) 10,000 consumers when the person derived more than 20% of its gross revenue from personal data sales.11 If a business meets this threshold, it must provide consumers with the right to access, delete, correct, and move their personal information,12 the right to know the categories of third-parties their personal information has been shared with, and the ability to opt-out of the sale of personal information or targeted advertising based on personal information.13

  • Florida: The Florida Digital Bill of Rights applies to for-profit entities that (i) conduct business in Florida; (ii) collect personal data about consumers and determine the processing purpose of such data; (iii) make over one billion dollars in global gross annual revenues; and (iv) either (A) derive 50% or more of their revenue from the sale of advertisements online, (B) operate voice command services, or (C) operate an app store or a digital distribution platform that offers at least 250,000 different software apps for consumers.14 If an entity meets this threshold, it must provide consumers with the right to access, delete, correct, and move their personal information,15 as well as the right to opt-out of the sale of personal information, targeted advertising, data profiling, personal data collection through voice recognition or facial recognition features, and passive surveillance by digital device features.16

  • Indiana: The Indiana Consumer Data Protection Act (effective January 1, 2026) applies to persons that conduct business in Indiana or produce products or services that target Indiana residents and that, during a calendar year, control or process personal data of at least either (i) 100,000 consumers; or (ii) 25,000 consumers, if they also derive more than 50% of their gross revenue from the sale of personal data.17 If an entity meets this threshold, it must provide consumers with the right to access, correct, delete and move their personal information,18 as well as the right to opt-out of the sale of their personal information, targeted advertising, or data profiling.19

  • Iowa: The Iowa Consumer Data Protection Act (effective January 1, 2025) applies to any person that conducts business in Iowa or produces products or services that target Iowa residents and that, during a calendar year, controls or processes personal data of at least either (i) 100,000 consumers; or (ii) 25,000 consumers, if it also derives more than 50% of its gross revenue from the sale of personal data.20 If an entity meets this threshold, it must provide consumers with the right to access, delete, move, and opt-out of the sale of their personal data.21

  • Kentucky: The Kentucky Consumer Data Protection Act (effective January 1, 2026) applies to any person that conducts business in Kentucky or produces products or services that target Kentucky residents and that, during a calendar year, controls or processes personal data of at least either (i) 100,000 consumers; or (ii) 25,000 consumers, if it also derives more than 50% of its gross revenue from the sale of personal data.22 If an entity meets this threshold, it must provide consumers with the right to access, correct, delete and move their personal information, as well as the right to opt-out of the sale of their personal information, targeted advertising, or data profiling.23

  • Montana: The Montana Consumer Data Privacy Act (effective October 1, 2024) applies to any person that conducts business in Montana or produces products or services that target Montana residents and that, during a calendar year, controls or processes personal data of at least either (i) 50,000 consumers; or (ii) 25,000 consumers, if it also derives more than 25% of its gross revenue from the sale of personal data.24 If an entity meets this threshold, it must provide consumers with the right to access, correct, delete and move their personal information, as well as the right to opt-out of the sale of their personal information, targeted advertising, or data profiling.25

  • New Hampshire: The New Hampshire Consumer Data Privacy Act (effective January 15, 2025) applies to any person that conducts business in New Hampshire or produces products or services that target New Hampshire residents and that, during a one-year period, controls or processes personal data of at least either (i) 35,000 unique consumers (excluding individuals whose data is processed solely to complete payment transactions); or (ii) 10,000 unique consumers, if it also derives more than 25% of its gross revenue from the sale of personal data.26 If an entity meets this threshold, it must provide consumers with the right to access, correct, delete and move their personal information,27 as well as the right to opt-out of the sale of their personal information, targeted advertising, or data profiling.28

  • New Jersey: The New Jersey Consumer Data Privacy Act (effective January 15, 2025) applies to any person that conducts business in New Jersey or produces products or services that target New Jersey residents and that, during a calendar year, controls or processes personal data of at least either (i) 100,000 consumers (excluding individuals whose data is processed solely to complete payment transactions); or (ii) 25,000 consumers, if they also derive more than 25% of their gross revenue from the sale of personal data.29 If an entity meets this threshold, it must provide consumers with the right to access, correct, delete and move their personal information,30 as well as the right to opt-out of the sale of their personal information, targeted advertising, or data profiling.31

  • Oregon: The Oregon Consumer Privacy Act applies to any person that conducts business in Oregon or produces products or services that target Oregon residents and that, during a calendar year, controls or processes personal data of at least either (i) 100,000 consumers (excluding individuals whose data is processed solely to complete payment transactions); or (ii) 25,000 consumers, if they also derive more than 25% of their gross revenue from the sale of personal data.32 If an entity meets this threshold, it must provide consumers with the right to access, correct, delete and move their personal information,33 as well as the right to opt-out of the sale of their personal information, targeted advertising, or data profiling.34

  • Tennessee: The Tennessee Information Protection Act (effective July 1, 2025) applies to any person that conducts business in Tennessee and that (i) produces products or services that target Tennessee residents; (ii) generates over $25 million in revenue; and (iii) controls or processes personal data of at least either (A) 75,000 consumers during a calendar year or (B) 25,000 consumers, if they also derive more than 50% of their gross revenue from the sale of personal data.35 If an entity meets this threshold, it must provide consumers with the right to access, correct, delete and move their personal information,36 as well as the right to opt-out of the sale of their personal information, targeted advertising, or data profiling.37

  • Texas: The Texas Data Privacy and Security Act applies to persons who (i) conduct business in Texas or produce products or services that Texas residents consume; (ii) process any volume of personal data or engage in personal data sales; and (iii) do not qualify as a small business, as defined by the United States Small Business Administration.38 If an entity meets this threshold, it must provide consumers with the right to access, correct, delete and move their personal information,39 as well as the right to opt-out of the sale of their personal information, targeted advertising, or data profiling.40

  • Utah: The Utah Consumer Privacy Act applies to persons who (i) conduct business in Utah or produce products or services that target Utah residents; (ii) have $25 million or more in annual revenue; and (iii) control or process personal data of (A) 100,000 or more consumers during a calendar year; or (B) 25,000 or more consumers during a calendar year and derive more than 50% of their gross revenue from personal data sales.41 If an entity meets this threshold, it must provide consumers with the right to access, delete and move their personal information,42 as well as the right to opt-out of the sale of their personal information and targeted advertising.43

  • Virginia: The Virginia Consumer Data Protection Act applies to persons that conduct business in Virginia or produce products or services that target Virginia residents and process personal data of at least (i) 100,000 consumers during a calendar year; or (ii) 25,000 or more consumers during a calendar year and derive more than 50% of their gross revenue from the sale of personal data.44 If an entity meets this threshold, it must provide consumers with the right to access, correct, delete and move their personal information, as well as the right to opt-out of the sale of their personal information,45 targeted advertising, or data profiling.46

Although there are certain similarities throughout these various state privacy laws, slight differences make it difficult for businesses to navigate and ensure compliance throughout the United States; this will only become increasingly complicated in the event the remaining thirty-four states pass their own data protection laws. Please contact an attorney if you believe your business may be subject to data protection laws in the United States.



  • 1.

    Certain states also have laws governing treatment of sensitive personal information, which often includes information such as race or ethnic origins, sexual orientation, religious belief, citizenship or immigration status, genetic or biometric data, and precise geolocation data. This article does not discuss the legal treatment of sensitive personal information.

  • 2.

    Cal. Civ. Code § 1798.140(d)(1).

  • 3.

    Personal information is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, but excluding (A) de-identified or aggregate information; (B) lawfully obtained, truthful information that is a matter of public concern; and (C) publicly available information (which means information lawfully made available from government records or lawfully made available to the general public by the consumer or from widely distributed media). Cal. Civ. Code § 1798.140(v)(1).

  • 4.

    Cal. Civ. Code §§ 1798.100 to 1798.125.

  • 5.

    Colo. Rev. Stat. Ann. §§ 6-1-303(7) and 6-1-1304(1).

  • 6.

    Personal information is defined as information linked to or reasonably linkable to an identified or identifiable individual. It excludes information that is de-identified or publicly available (which means information obtained lawfully from government records, or that the controller reasonably believes that a consumer has made publicly available). Colo. Rev. Stat. Ann. § 6-1-1303(17).

  • 7.

    Colo. Rev. Stat. Ann. § 6-1-1306; 4 Colo. Code Regs. §§ 904-3:4.03 to 904-3:4.07.

  • 8.

    Conn. Gen. Stat. Ann. § 42-516.

  • 9.

    Personal information is defined as information linked to or reasonably linkable to an identified or identifiable individual. It excludes information that is de-identified or publicly available (which means information that is obtained lawfully from government records, or that the controller reasonably believes that a consumer has made publicly available). Conn. Gen. Stat. Ann. § 42-515(26), (33).

  • 10.

    Conn. Gen. Stat. Ann. § 42-518(a).

  • 11.

    6 Del. C. § 12D-103(a).

  • 12.

    Personal information is defined as information linked to or reasonably linkable to an identified or identifiable individual. It excludes information that is de-identified or publicly available (which is information obtained lawfully from government records, or that the controller reasonably believes that a consumer has made available to the public through widely distributed media). 6 Del. C. § 12D-102(21), (28).

  • 13.

    6 Del. C. § 12D-104(a).

  • 14.

    Fla. Stat. § 501.702(9)(a).

  • 15.

    Personal information is defined as information linked or reasonably linkable to an identified or identifiable individual. It excludes information that is de-identified or publicly available information (which is information lawfully made available from government records, or information that a business reasonably believes is lawfully made available to the general public through widely distributed media by the consumer). Fla. Stat. § 501.702(19), & Fla. Stat. § 501.702(13), (19), and (28).

  • 16.

    Fla. Stat. § 501.705(3).

  • 17.

    Ind. Code § 24-15-1-1(a).

  • 18.

    Personal information is defined as information linked to or reasonably linkable to an identified or identifiable individual. It excludes information that is de-identified or publicly available (which means information that was lawfully made available from government records, or information that a business reasonably believes is lawfully made available to the general public through widely distributed media by the consumer). Ind. Code §§ 24-15-2-19 and 24-15-2-26.

  • 19.

    Ind. Code § 24-15-3-1(b).

  • 20.

    Iowa Code Ann. § 715D.2(1).

  • 21.

    Iowa Code Ann. § 715D.3. Personal data is defined as information linked to or reasonably linkable to an identified or identifiable natural person, excluding aggregated or de-identified data, and publicly available information (which is information lawfully made available from government records, or information that a business reasonably believes was lawfully made available to the general public).

  • 22.

    HB 15, Section 2(1). Personal data is defined as information linked to or reasonably linkable to an identified or identifiable natural person, but does not include de-identified data or publicly available information (which is information lawfully made available from government records, or information that a business reasonably believes is lawfully made available to the general public).

  • 23.

    HB 15, Section 3.

  • 24.

    Mont. Code Ann. § 30-14-2803. Personal data is defined as information linked to or reasonably linkable to an identified or identifiable natural person, but does not include de-identified data or publicly available information (which is information lawfully made available from government records, or information that a business reasonably believes is lawfully made available to the general public). Mont. Code Ann. § 30-14-2802(15), (22).

  • 25.

    Mont. Code Ann. § 30-14-2808(1).

  • 26.

    N.H. RSA § 507-H:2.

  • 27.

    Personal data is defined as information linked to or reasonably linkable to an identified or identifiable natural person, but does not include de-identified data or publicly available information (which is information lawfully made available from government records, or information that a business reasonably believes is lawfully made available to the general public). N.H. RSA § 507-H:1(XIX), (XXVI).

  • 28.

    N.H. RSA § 507-H:4(I).

  • 29.

    Section 2, NJDPA.

  • 30.

    Personal data is defined as information linked to or reasonably linkable to an identified or identifiable natural person, but does not include de-identified data or publicly available information (which is information lawfully made available from government records, or information that a business reasonably believes is lawfully made available to the general public). Section 1, NJDPA.

  • 31.

    Section 7, NJDPA.

  • 32.

    ORS 646A.572(1).

  • 33.

    Personal data is defined as information linked to or reasonably linkable to a consumer or a device that is linked (or reasonably linkable) to one or more consumers in a household, but does not include de-identified data or publicly available information (which is information lawfully made available from government records or widely distributed media, or information that a business reasonably understands the consumer made available to the general public). ORS 646A.570(13)(b).

  • 34.

    ORS 646A.574(1).

  • 35.

    T.C.A. § 47-18-3303.

  • 36.

    Personal data is defined as information linked to or reasonably linkable to an identified or identifiable natural person, but does not include aggregate or de-identified data or publicly available information (which is information lawfully made available from government records, or information that a business reasonably believes is lawfully made available to the general public). T.C.A. § 47-18-3302(17), (24).

  • 37.

    T.C.A. § 47-18-3304.

  • 38.

    Tex. Bus. & Com. Code Ann. § 541.002(a). The United States Small Business Administration uses a complex method of determining what is a small business, typically based on revenues or number of employees. Notably for the esports industry, “Sports Teams and Clubs” must make less than $47 million in annual revenue to be considered a small business, while businesses considered “Other Spectator Sports” must make less than $16.5 million per year in annual revenue to be considered a small business. Title 13 Part 121.201 of the Code of Federal Regulations.

  • 39.

    Personal data is defined as information linked to or reasonably linkable to an identified or identifiable natural person, but does not include de-identified data or publicly available data (which is information lawfully made available from government records, or information that a business reasonably believes is lawfully made available to the general public). Tex. Bus. & Com. Code Ann. § 541.002(19), (27).

  • 40.

    Tex. Bus. & Com. Code Ann. § 541.051.

  • 41.

    Utah Code § 13-61-102(1).

  • 42.

    Personal data is defined as information linked to or reasonably linkable to an identified or identifiable natural person, but does not include aggregated or de-identified data or publicly available data (which is information lawfully made available from government records, or information that a business reasonably believes is lawfully made available to the general public). Utah Code § 13-61-101(3), (14), (24)(b), (29).

  • 43.

    Utah Code § 13-61-201.

  • 44.

    Va. Code Ann. § 59.1-576(A).

  • 45.

    Personal data is defined as information linked to or reasonably linkable to an identified or identifiable natural person, but does not include de-identified data or publicly available data (which is information lawfully made available from government records, or information that a business reasonably believes is lawfully made available to the general public). Va. Code Ann. § 59.1-575.

  • 46.

    Va. Code Ann. § 59.1-577.
