In force since July 1, 2024, the Oregon Consumer Privacy Act (OCPA) is one of the broadest state privacy laws in what it reaches. Beyond the usual rights to access, correct, delete, and opt out, Oregon lets residents request the specific companies that received their data, extends to the information generated by a person's car, and bans the sale of precise location data outright.
In 2025, the Data Breach Chronology captured 8,019 data breach notification filings from state and federal agencies that publish breach reports. These represented 4,080 unique breach events impacting at least 375 million individuals. This report examines what those 4,080 breaches tell us about the state of data security, and where the gaps in breach reporting leave consumers in the dark.
This survey analyzes and compares data breach notification laws across all 50 U.S. states and the District of Columbia. Using a standardized framework of 50 questions, we examined each jurisdiction's requirements for breach notification timing, covered data types, notification recipients, enforcement mechanisms, and consumer remedies.
The survey reflects statutes enacted as of January 1, 2026.
The survey reflects statutes enacted as of January 1, 2026.
Hundreds of data brokers have not registered with state consumer protection agencies. These findings come as more states are passing data broker transparency laws that require brokers to provide information about their business and, in some cases, give consumers an easy way to opt out.