Data privacy laws in the United States

Resources to help you better understand and comply with U.S. data privacy laws.

Last updated October 3, 2024

Several U.S. states have enacted data privacy laws which generally:

  • Set rules on how covered businesses may use personal information of individuals.
  • Give individuals more awareness and control of how businesses use their personal information.

This guide provides an overview of those state privacy laws, how Squarespace helps you comply with them, and what you should know as a Squarespace user with visitors or customers in those states.

Note

This guide is available as a resource, but should not be construed or relied upon as legal advice. Per our Terms of Service, Squarespace doesn't provide advice or recommendations regarding laws applicable to your site or business.

U.S. State Data Privacy Law best practices for Squarespace sites

While we can’t offer legal advice, here are some best practices that will help to ensure you’re in compliance. If you have questions not addressed here, we recommend you consult with a data privacy expert.

Personal information audit

Review your website and look for areas where you collect personal information, keeping in mind the definitions of personal information under these laws. Consider these questions:

  • Do you collect personal information on your site using third-party services like Google Analytics or Mailchimp? If so, you should read the privacy policies of those services.
  • Do you download or export data from your site into another system?
  • Do you combine the personal information you collect with other sources of data?
  • Do you use advertising/marketing technology on your site (including Meta Pixel) which may share visitor data with a third party?

Create (or update) your privacy policy

After you’ve identified how you collect and use personal information, these laws require that you provide specific information about how you’re collecting and using your customers’ personal information. Posting a privacy policy provides clarity regarding your use of visitors’ information. Consider making a privacy policy page on your site that documents:

  • What information you collect
  • Why you collect that information
  • Who you share that information with
  • How long you'll store that information
  • Whether you’ll sell that information
  • Any other information required under these laws

For more tips on privacy policies for websites, visit Sharing policies and terms on your site, and Sample messages for your Squarespace website privacy policy. To learn how to use an Acuity intake form to add your privacy policy to your scheduler, visit Client intake forms and agreements in Acuity.

Tip

If your business is a large corporation or enterprise looking for premium support, you may require a custom solution to meet your contracting, payment, or support needs. To learn more, visit our Enterprise page.

U.S. Federal Data Privacy Laws

Unlike the EU/UK with GDPR, the US doesn't have one generally applicable data privacy law. In addition to state laws, there are several industry-specific federal laws that relate to data privacy. For example:

  • The Gramm-Leach-Bliley Act (The Financial Modernization Act), or GLBA, regarding financial information.
    • Note: Squarespace sites, and other Squarespace products, aren’t compliant with the GLBA. They should never be used to collect "nonpublic personal information" (as defined in GLBA).
  • The Health Insurance Portability and Accountability Act or HIPAA, regarding protected health information.
  • The Family Educational Rights and Privacy Act or FERPA, regarding educational information.
    • Note: Unless you have a special written agreement with Squarespace, Squarespace sites and other Squarespace products may not be used to collect information covered by FERPA.

Applicability

Each of these state laws has different applicability thresholds. To determine whether you and your business are covered by a state law, please review the law and seek legal advice if necessary.

For example, California’s data privacy law applies to any legal entity, organized or operated for the profit or financial benefit of its shareholders/owners, that does business in California and:

  • Has annual gross revenues greater than $25M
  • Annually buys, sells, or shares personal information of 50,000 (the CPRA changes this to 100,000) or more consumers or households
  • Derives 50% or more annual revenues from selling (the CPRA adds the concept of “sharing” so the CPRA changes this to “selling and sharing”) personal information

The other state laws listed below have different applicability thresholds.

Personal Information

These state laws can also differ in how they define personal information. However, in general, the term is defined broadly in all of these laws, and includes not only traditional personal data—like birthdays, names, physical addresses, email addresses—but may also include location data, biometric data, financial information, and more.

For example:

  • California’s data privacy law defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
  • Virginia’s data privacy law defines personal information as “information that is linked or reasonably linkable to an identified or identifiable individual.”

Individual Rights Under These Laws

These state laws differ in the rights they provide to individuals related to personal information in possession of a covered business. The laws may give individuals any or all of the following rights to know or request:

  • Whether data is being collected about them.
  • The categories and specific pieces of personal information a covered business has collected about them.
  • Where the personal information was collected.
  • What the personal information is used for.
  • Who the covered business sells or shares the personal information to, if applicable.
  • That the personal information not be sold or shared (if the covered business sells or shares their personal information).
  • That the covered business update/correct their personal information.
  • That their personal information be deleted.

Examples of state data privacy laws in the U.S.

The following are examples of U.S. states that have passed laws about data privacy and data security:

| State | Details |
| --- | --- |
| California | The California Consumer Privacy Act, or CCPA, is a California state data privacy law which took effect January 1, 2020. The CCPA was modified by the California Privacy Rights Act, or CPRA. Most of the CPRA’s changes to the CCPA took effect on January 1, 2023. The CPRA created a state agency called the California Privacy Protection Agency, or CPPA. You can read more about the CCPA/CPRA on the CPPA’s website. |
| Colorado | The Colorado Privacy Act is a Colorado state data privacy law which took effect on July 1, 2023. |
| Connecticut | The Connecticut Act Concerning Personal Data Privacy and Online Monitoring is a Connecticut state data privacy law which took effect on July 1, 2023. |
| Delaware | The Delaware Personal Data Privacy Act is a Delaware state privacy law which takes effect on January 1, 2025. |
| Indiana | The Indiana Consumer Data Protection Act is an Indiana state data privacy law which takes effect on January 1, 2026. |
| Iowa | The Iowa Consumer Data Protection Act is an Iowa state data privacy law which takes effect on January 1, 2025. |
| Kentucky | The Kentucky Consumer Data Protection Act is a Kentucky data privacy law which takes effect on January 1, 2026. |
| Maryland | The Maryland Online Data Privacy Act is a Maryland data privacy law which takes effect on October 1, 2025. |
| Minnesota | The Minnesota Consumer Data Privacy Act is a Minnesota data privacy law which takes effect on July 31, 2025. |
| Montana | The Montana Consumer Data Privacy Act is a Montana state data privacy law which took effect on October 1, 2024. |
| Nebraska | The Nebraska Data Privacy Act is a Nebraska state data privacy law which takes effect on January 1, 2025. |
| Nevada | The Nevada online data privacy law (Nevada Revised Statutes Chapter 603A) first took effect in 2017, but has since been amended several times. |
| New Hampshire | Senate Bill 255 is a New Hampshire state privacy law which takes effect on January 1, 2025. |
| New Jersey | The New Jersey Privacy Act is a New Jersey state privacy law which takes effect on January 15, 2025. |
| Oregon | The Oregon Consumer Privacy Act is an Oregon state data privacy law which took effect on July 1, 2024. |
| Rhode Island | The Rhode Island Data Transparency and Privacy Protection Act is a Rhode Island state data privacy law which takes effect on January 1, 2025. |
| Tennessee | The Tennessee Information Protection Act is a Tennessee state data privacy law which takes effect on July 1, 2025. |
| Texas | The Texas Data Privacy and Security Act is a Texas state data privacy law which took effect on July 1, 2024. |
| Utah | The Utah Consumer Privacy Act is a Utah state data privacy law which took effect on December 31, 2023. |
| Virginia | The Virginia Consumer Data Protection Act, or VCDPA, is a Virginia state data privacy law which took effect on January 1, 2023. |

How does Squarespace help me comply with these U.S. state laws?

By default, we use cookies to run your site and obtain information about your visitors. You can find this information in Squarespace analytics. To help you comply with these laws, you can:

You can also post your own legal terms or privacy policies. For example, you can:

To learn about how to add these to your site, visit Sharing policies and terms on your site.

Note

You can manage the cookies on your Squarespace site using the tools available in your account. However, we can't control third-party services you use through product integrations, code-based modifications or connected accounts. To learn more, see the section below on using Squarespace with third-party services. Review the policies for all services connected to your Squarespace site to understand your site’s cookie use.

How does Acuity Scheduling help me comply with these U.S. state laws?

Acuity is designed to allow you to comply with the requirements of these U.S. state laws. However, being compliant is ultimately up to you. How you use and configure your account, and what data you collect from clients, will factor into your compliance. In Acuity, you can:

Removing my or my customers’ personal data from Squarespace

You can access, update, or delete personal data in your account, including:

You can also delete your account via the self-service option after you have taken the appropriate steps.

You can access most of your customers’ personal data when you’re logged into Squarespace. For some products, you can also update or delete your customers’ personal data. If you receive a request to update or delete a particular piece of personal data of one of your customers, and you're unable to do so, contact us at privacy@squarespace.com.

Using Squarespace with third-party services

U.S. state laws affect how the Squarespace products you use process personal data, and how other services process data on your behalf. You can use built-in integrations to connect Squarespace products to third-party services, and other methods for integrating additional services, including:

Typically, third-party services accept data from, or embed content into your site, or other Squarespace products. Squarespace acts as a pass-through for such data or displayed content. These services may have their own terms of service, privacy policies, and other practices which are different from ours. It’s important to carefully review the policies of all services connected to your Squarespace products.
