The Virginia Consumer Data Protection Act (VCDPA) took effect on January 1, 2023, making Virginia the second state, after California, to enact a comprehensive privacy law. California set the strongest standard, but many of the states that came after have followed Virginia's more limited model rather than California's. It lets Virginians access, correct, delete, and obtain a copy of their data and opt out of targeted advertising, data sales, and certain profiling.
In 2025, the Data Breach Chronology captured 8,019 data breach notification filings from state and federal agencies that publish breach reports. These represented 4,080 unique breach events impacting at least 375 million individuals. This report examines what those 4,080 breaches tell us about the state of data security, and where the gaps in breach reporting leave consumers in the dark.
This survey analyzes and compares data breach notification laws across all 50 U.S. states and the District of Columbia. Using a standardized framework of 50 questions, we examined each jurisdiction's requirements for breach notification timing, covered data types, notification recipients, enforcement mechanisms, and consumer remedies.
The survey reflects statutes enacted as of January 1, 2026.
The survey reflects statutes enacted as of January 1, 2026.
Governor Newsom signs SB 361, AB 566, AB 656, and SB 446, advancing browser controls, data broker transparency, social media account deletion, and breach notification