1. Overview
Over 20 U.S. states have enacted comprehensive consumer privacy laws granting residents specific rights over their personal data. In addition, several states have enacted sector-specific privacy and data protection laws covering areas such as health data, biometric information, and breach notification. MayDay-IC is committed to honoring these rights for all users regardless of their state of residence. This page provides a state-by-state summary of applicable privacy laws, sector-specific protections, and the rights they afford you.
Because MayDay-IC processes protected health information (PHI) in connection with emergency response, much of the data we handle is governed by HIPAA, which preempts state privacy laws for PHI. The rights described below apply to personal information that falls outside HIPAA’s scope.
2. State Privacy Law Summary
The following table summarizes the comprehensive state privacy laws currently in effect or enacted, including key rights and response timelines.
| State | Law | Effective Date | Response Timeline | Enforcement |
|---|---|---|---|---|
| California | CCPA / CPRA | Jan 1, 2020 / Jan 1, 2023 | 45 days | AG & CPPA |
| Virginia | VCDPA | Jan 1, 2023 | 45 days | AG |
| Colorado | CPA | Jul 1, 2023 | 45 days | AG |
| Connecticut | CTDPA | Jul 1, 2023 | 45 days | AG |
| Utah | UCPA | Dec 31, 2023 | 45 days | AG |
| Oregon | OCPA | Jul 1, 2024 | 45 days | AG |
| Texas | TDPSA | Jul 1, 2024 | 45 days | AG |
| Montana | MCDPA | Oct 1, 2024 | 45 days | AG |
| Iowa | ICDPA | Jan 1, 2025 | 90 days | AG |
| Delaware | DPDPA | Jan 1, 2025 | 45 days | AG |
| New Jersey | NJDPA | Jan 15, 2025 | 45 days | AG |
| New Hampshire | NHPA | Jan 1, 2025 | 60 days | AG |
| Indiana | INCDPA | Jan 1, 2026 | 45 days | AG |
| Tennessee | TIPA | Jul 1, 2025 | 45 days | AG |
| Maryland | MODPA | Oct 1, 2025 | 45 days | AG |
| Florida | FDBR | Jul 1, 2024 | 45 days | AG |
| Kentucky | KCDPA | Jan 1, 2026 | 45 days | AG |
| Nebraska | NDPA | Jan 1, 2025 | 30 days | AG |
| Minnesota | MCDPA | Jul 31, 2025 | 45 days | AG |
| Rhode Island | RIDPA | Jan 1, 2026 | 45 days | AG |
| Vermont | VDPA | Jul 1, 2025 | 45 days | AG |
| Wisconsin | WDPA | 2025 | 45 days | AG |
3. Consumer Rights by State
The table below details the specific rights granted under each state’s privacy law.
| State | Access | Delete | Correct | Portability | Opt-Out of Sale | Opt-Out of Targeted Ads | Opt-Out of Profiling | Appeal |
|---|---|---|---|---|---|---|---|---|
| California | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No* |
| Virginia | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Colorado | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Connecticut | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Utah | Yes | Yes | No | Yes | Yes | Yes | No | No |
| Oregon | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Texas | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Montana | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Iowa | Yes | Yes | No | Yes | Yes | Yes | No | No |
| Delaware | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| New Jersey | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| New Hampshire | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Indiana | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Tennessee | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Maryland | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Florida | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Kentucky | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Nebraska | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Minnesota | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Rhode Island | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Vermont | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Wisconsin | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
* California does not have a formal appeal process under CCPA/CPRA, but consumers may file complaints with the California Privacy Protection Agency (CPPA) or the Attorney General.
4. California (CCPA/CPRA)
The California Consumer Privacy Act, as amended by the California Privacy Rights Act, provides California residents with the most comprehensive set of privacy rights in the United States.
Your Rights
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purposes, and the third parties with whom we share it.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, completing transactions, security).
- Right to Correct: Request correction of inaccurate personal information we maintain about you.
- Right to Portability: Receive your personal information in a portable, readily usable format.
- Right to Opt-Out of Sale/Sharing: Direct us not to sell or share your personal information for cross-context behavioral advertising. MayDay-IC does not sell personal information.
- Right to Limit Use of Sensitive Personal Information: Limit the use and disclosure of sensitive personal information to purposes authorized under the CPRA.
- Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights.
Enforcement
Enforced by the California Privacy Protection Agency (CPPA) and the California Attorney General. Penalties up to $2,500 per violation or $7,500 per intentional violation. Private right of action for data breaches.
5. Virginia (VCDPA)
The Virginia Consumer Data Protection Act grants Virginia residents specific rights regarding their personal data.
Your Rights
- Right to Access: Confirm whether we are processing your personal data and access that data.
- Right to Delete: Request deletion of personal data you have provided or that we have obtained.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain a copy of your personal data in a portable, readily usable format.
- Right to Opt Out: Opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
- Right to Appeal: Appeal our decision regarding your data rights request within 45 days.
Enforcement
Enforced exclusively by the Virginia Attorney General. No private right of action. Penalties up to $7,500 per violation.
6. Colorado (CPA)
The Colorado Privacy Act provides Colorado residents with robust privacy protections, including a universal opt-out mechanism requirement.
Your Rights
- Right to Access: Confirm whether we are processing your personal data and access that data.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your personal data in a portable, readily usable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling. Colorado requires controllers to honor universal opt-out mechanisms.
- Right to Appeal: Appeal our decision within 45 days.
Enforcement
Enforced by the Colorado Attorney General and district attorneys. No private right of action. 60-day cure period (expires July 1, 2025).
7. Connecticut (CTDPA)
The Connecticut Data Privacy Act provides Connecticut residents with similar rights to other comprehensive state privacy laws.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling.
- Right to Appeal: Appeal within 45 days. If denied, you may file a complaint with the AG.
Enforcement
Enforced by the Connecticut Attorney General. No private right of action. 60-day cure period (expires December 31, 2024).
8. Utah (UCPA)
The Utah Consumer Privacy Act is a more business-friendly privacy law with a narrower scope of consumer rights.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of personal data you have provided.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising or the sale of personal data.
Enforcement
Enforced by the Utah Attorney General and the Division of Consumer Protection. No private right of action. 30-day cure period.
9. Oregon (OCPA)
The Oregon Consumer Privacy Act provides Oregon residents with comprehensive data privacy protections.
Your Rights
- Right to Access: Confirm processing and access your personal data, including a list of third parties to whom data has been disclosed.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling.
- Right to Appeal: Appeal within 45 days. If denied, you may file a complaint with the AG.
Enforcement
Enforced by the Oregon Attorney General. No private right of action. 30-day cure period (expires January 1, 2026).
10. Texas (TDPSA)
The Texas Data Privacy and Security Act provides broad privacy protections for Texas residents.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling.
- Right to Appeal: Appeal within 45 days.
Enforcement
Enforced by the Texas Attorney General. No private right of action. 30-day cure period.
11. Montana (MCDPA)
The Montana Consumer Data Privacy Act provides Montana residents with comprehensive privacy protections.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling.
- Right to Appeal: Appeal within 45 days.
Enforcement
Enforced by the Montana Attorney General. No private right of action. 60-day cure period.
12. Iowa (ICDPA)
The Iowa Consumer Data Protection Act provides Iowa residents with a more limited set of privacy rights with a longer response timeline.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of personal data you have provided.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising or the sale of personal data.
Enforcement
Enforced by the Iowa Attorney General. No private right of action. 90-day cure period. 90-day response timeline.
13. Delaware (DPDPA)
The Delaware Personal Data Privacy Act provides Delaware residents with comprehensive privacy protections.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling.
- Right to Appeal: Appeal within 45 days.
Enforcement
Enforced by the Delaware Attorney General and the Department of Justice. No private right of action. 60-day cure period.
14. New Jersey (NJDPA)
The New Jersey Data Privacy Act provides New Jersey residents with broad privacy protections.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling.
- Right to Appeal: Appeal within 45 days.
Enforcement
Enforced by the New Jersey Attorney General and the Division of Consumer Affairs. No private right of action. 30-day cure period.
15. New Hampshire (NHPA)
The New Hampshire Privacy Act provides New Hampshire residents with privacy protections and a 60-day response timeline.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling.
- Right to Appeal: Appeal within 60 days.
Enforcement
Enforced by the New Hampshire Attorney General. No private right of action. 60-day cure period. 60-day response timeline.
16. Indiana (INCDPA)
The Indiana Consumer Data Protection Act provides Indiana residents with comprehensive privacy protections.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling.
- Right to Appeal: Appeal within 45 days.
Enforcement
Enforced by the Indiana Attorney General. No private right of action. 30-day cure period.
17. Tennessee (TIPA)
The Tennessee Information Protection Act provides Tennessee residents with privacy protections for personal information.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling.
- Right to Appeal: Appeal within 45 days.
Enforcement
Enforced by the Tennessee Attorney General and Reporter. No private right of action. 60-day cure period.
18. Maryland (MODPA)
The Maryland Online Data Privacy Act provides Maryland residents with strong privacy protections, including some of the most restrictive provisions in the country.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling.
- Right to Appeal: Appeal within 45 days.
Enforcement
Enforced by the Maryland Attorney General and the Division of Consumer Protection. No private right of action. No cure period (effective from the start).
19. Florida (FDBR)
The Florida Digital Bill of Rights provides Florida residents with comprehensive privacy protections over their personal data.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling.
- Right to Appeal: Appeal within 45 days.
Enforcement
Enforced by the Florida Attorney General. No private right of action. 45-day cure period. 45-day response timeline.
20. Kentucky (KCDPA)
The Kentucky Consumer Data Protection Act provides Kentucky residents with comprehensive privacy rights over their personal data.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling.
- Right to Appeal: Appeal within 45 days.
Enforcement
Enforced by the Kentucky Attorney General. No private right of action. 30-day cure period. 45-day response timeline.
21. Nebraska (NDPA)
The Nebraska Data Privacy Act provides Nebraska residents with privacy protections and a 30-day response timeline.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling.
- Right to Appeal: Appeal within 30 days.
Enforcement
Enforced by the Nebraska Attorney General. No private right of action. 30-day cure period. 30-day response timeline.
22. Minnesota (MCDPA)
The Minnesota Consumer Data Privacy Act provides Minnesota residents with comprehensive privacy protections over their personal data.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling.
- Right to Appeal: Appeal within 45 days.
Enforcement
Enforced by the Minnesota Attorney General. No private right of action. 30-day cure period. 45-day response timeline.
23. Rhode Island (RIDPA)
The Rhode Island Data Privacy Act provides Rhode Island residents with comprehensive privacy protections.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling.
- Right to Appeal: Appeal within 45 days.
Enforcement
Enforced by the Rhode Island Attorney General. No private right of action. 30-day cure period. 45-day response timeline.
24. Vermont (VDPA)
The Vermont Data Privacy Act provides Vermont residents with comprehensive privacy protections over their personal data.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling.
- Right to Appeal: Appeal within 45 days.
Enforcement
Enforced by the Vermont Attorney General. No private right of action. 30-day cure period. 45-day response timeline.
25. Wisconsin (WDPA)
The Wisconsin Data Privacy Act provides Wisconsin residents with comprehensive privacy protections over their personal data.
Your Rights
- Right to Access: Confirm processing and access your personal data.
- Right to Delete: Request deletion of your personal data.
- Right to Correct: Correct inaccuracies in your personal data.
- Right to Data Portability: Obtain your data in a portable format.
- Right to Opt Out: Opt out of targeted advertising, the sale of personal data, or profiling.
- Right to Appeal: Appeal within 45 days.
Enforcement
Enforced by the Wisconsin Attorney General. No private right of action. 30-day cure period. 45-day response timeline.
26. Additional State Privacy & Data Protection Laws
In addition to the comprehensive consumer privacy laws listed above, several states have enacted sector-specific privacy and data protection laws that may apply to certain categories of personal information processed by MayDay-IC.
Washington: My Health My Data Act (MHMDA)
Effective March 31, 2024, the Washington My Health My Data Act provides strong protections for consumer health data that falls outside the scope of HIPAA. The law applies to entities that collect, share, or sell health data of Washington consumers.
- Scope: Consumer health data, including data that identifies a consumer’s past, present, or future physical or mental health status.
- Key Requirements: Requires consent before collecting or sharing health data; prohibits the sale of health data without valid authorization; mandates a consumer health data privacy policy.
- Consumer Rights: Right to know what health data is collected, right to withdraw consent, right to request deletion of health data.
- Enforcement: Private right of action under the Washington Consumer Protection Act. Also enforced by the Washington Attorney General.
Illinois: Biometric Information Privacy Act (BIPA)
Effective since 2008, the Illinois Biometric Information Privacy Act is one of the strongest biometric privacy laws in the United States, providing individuals with a private right of action for violations.
- Scope: Biometric identifiers including retina/iris scans, fingerprints, voiceprints, hand geometry, and face geometry.
- Key Requirements: Written consent required before collecting biometric data; must publish a retention schedule and data destruction guidelines; prohibits sale, lease, trade, or profit from biometric data.
- Penalties: $1,000 per negligent violation and $5,000 per willful or reckless violation.
- Enforcement: Private right of action. Individuals may sue directly for statutory damages without showing actual harm.
Nevada: SB 220
Effective October 1, 2019, Nevada SB 220 provides Nevada consumers with the right to opt out of the sale of their personal information by website operators.
- Scope: Covers operators of websites or online services that collect personally identifiable information from Nevada consumers.
- Key Requirements: Must provide a designated request address for consumers to opt out of the sale of covered information; must respond to opt-out requests within 60 days.
- Consumer Rights: Right to opt out of the sale of personal information.
- Enforcement: Enforced by the Nevada Attorney General. No private right of action.
Maine: Act to Protect the Privacy of Online Consumer Information
Effective July 1, 2020, Maine’s privacy law focuses on Internet Service Providers (ISPs) and their use of customer personal information.
- Scope: ISP-focused; applies to broadband Internet access service providers operating in Maine.
- Key Requirements: Prohibits ISPs from using, disclosing, selling, or providing access to customer personal information without opt-in consent; ISPs must take reasonable measures to protect customer personal information.
- Consumer Rights: Opt-in consent required before ISPs can use or share personal information.
- Enforcement: Enforced by the Maine Attorney General. No private right of action.
New York: SHIELD Act
Effective March 21, 2020, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act strengthens data breach notification requirements and mandates reasonable data security safeguards.
- Scope: Applies to any person or business that owns or licenses computerized data that includes private information of New York residents.
- Key Requirements: Broadened definition of private information and data breach; requires businesses to implement reasonable administrative, technical, and physical safeguards; expanded breach notification obligations.
- Consumer Rights: Right to be notified of data breaches involving private information in the most expedient time possible.
- Enforcement: Enforced by the New York Attorney General. Civil penalties up to $5,000 per violation, with additional penalties for knowing or reckless violations. No private right of action for the data security provisions.
27. How to Exercise Your Rights
Regardless of your state of residence, you may exercise your privacy rights by contacting us through any of the following methods:
- Email: Send your request to info@maydayic.com with the subject line “Privacy Rights Request — [Your State]”
- In-App: Navigate to Account > Privacy Settings to manage your data preferences
When submitting a request, please provide:
- Your full name and email address associated with your account
- Your state of residence
- The specific right(s) you wish to exercise
- Any additional details to help us locate your information
We will verify your identity before processing any request. Verification methods may include confirming your account credentials, matching information you provide with information we have on file, or requesting government-issued identification for sensitive requests.
28. Appeal Process
If we deny your privacy rights request in whole or in part, you have the right to appeal our decision in states that provide for an appeal process. The appeal process works as follows:
- Submit an Appeal: Email info@maydayic.com with the subject line “Privacy Rights Appeal” within the applicable appeal period (typically 45 days from our response).
- Internal Review: A different member of our privacy team will review your appeal and our original decision within 45 days.
- Response: We will inform you in writing of our decision, including a reasoned explanation if the appeal is denied.
- Attorney General Complaint: If your appeal is denied, we will provide you with instructions on how to file a complaint with your state’s Attorney General.
29. Universal Opt-Out Mechanisms
MayDay-IC honors universal opt-out mechanisms as required by applicable state laws. We recognize and respect the following signals:
- Global Privacy Control (GPC): We honor GPC signals transmitted by your browser or browser extension as a valid opt-out of the sale or sharing of personal information, as required by the CCPA/CPRA and recognized by Colorado, Connecticut, and other states.
- Do Not Track (DNT): We recognize DNT browser signals. Since MayDay-IC does not engage in cross-site tracking, the DNT signal does not change the behavior of our service, but we acknowledge and respect it.
No action is required on your part beyond enabling these signals in your browser. We process these signals automatically and apply your opt-out preferences across your interactions with our web properties.
30. Contact Us
If you have questions about your state-specific privacy rights or wish to exercise any of the rights described on this page, please contact us:
Email: info@maydayic.com
Blue Beard Solutions Inc.
Data Protection Officer