State Privacy Law Overview
The United States has seen an explosion of state-level privacy legislation since 2018. While there is no comprehensive federal privacy law, states have taken the lead in protecting consumer data. As of 2026, over 20 states have enacted comprehensive privacy laws, with many more considering legislation.
These laws share many similarities but have significant variations in scope, thresholds, consumer rights, and enforcement mechanisms. Understanding these differences is essential for businesses operating across state lines.
States with Comprehensive Privacy Laws
- Enacted: California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Iowa
- 2023-2024: Texas, Florida, Tennessee, Montana, Texas, Oregon
- 2025-2026: New Jersey, Minnesota, Kentucky, Maryland
- Pending/Proposed: Many additional states
Common Elements of State Privacy Laws
While each state law is unique, most share common frameworks:
Consumer Rights
Most state laws grant consumers the right to:
- Know: What personal data is collected and how it's used
- Delete: Request deletion of personal data
- Opt-Out: Stop the sale or sharing of their data
- Correct: Request correction of inaccurate data
- Portability: Receive their data in a portable format
- Non-Discrimination: Not be discriminated against for exercising rights
Business Obligations
Covered businesses typically must:
- Publish a privacy policy with required disclosures
- Implement processes to handle consumer requests
- Provide opt-out mechanisms (often including a "Do Not Sell" link)
- Conduct data protection assessments for high-risk processing
- Enter into contracts with service providers
- Implement reasonable data security measures
Threshold Requirements
Most state laws apply only to businesses meeting certain thresholds:
- Annual revenue thresholds (typically $25-40 million)
- Number of consumers (typically 25,000-100,000)
- Percentage of revenue from data sales
Virginia Consumer Data Protection Act (VCDPA)
Virginia was the second state (after California) to enact comprehensive privacy legislation. VCDPA took effect on January 1, 2023.
Applicability
VCDPA applies to persons that conduct business in Virginia or target Virginia residents and:
- Control or process data of 100,000+ consumers, or
- Control or process data of 25,000+ consumers and derive 50%+ revenue from data sales
Consumer Rights
- Right to know and access
- Right to delete
- Right to correct
- Right to opt-out of sale, targeted advertising, profiling
- Right to data portability
- Right to opt-out of "sensitive data" processing
- Right to non-discrimination
Key Features
- One of the first to include profiling protections
- Requires "clear and affirmative" consent for sensitive data
- Includes a 30-day cure period for violations (expires 2026)
- Private right of action excluded (only Attorney General enforcement)
VCDPA at a Glance
- Effective: January 1, 2023
- Threshold: 100K consumers or 25K + 50% revenue from sales
- Cure Period: 30 days (ending 2026)
- Enforcement: Attorney General only
- Penalties: Up to $7,500 per violation
Colorado Privacy Act (CPA)
Colorado's CPA took effect on July 1, 2023, with additional provisions taking effect in 2025. It includes unique requirements for universal opt-out mechanisms.
Applicability
CPA applies to controllers conducting business in Colorado or targeting Colorado residents and:
- Process data of 100,000+ consumers, or
- Process data of 25,000+ consumers and derive 25%+ revenue from data sales
Consumer Rights
- Right to know and access
- Right to delete
- Right to correct
- Right to opt-out of sale, targeted advertising, profiling
- Right to data portability
- Right to opt-out of automated decision-making
- Right to opt-out of sensitive data processing
Unique Requirements
- Universal Opt-Out: Must honor browser-based opt-out signals (Global Privacy Control)
- Privacy Sandbox: Must work with emerging privacy technologies
- Data Protection Assessment: Required for profiling and certain processing
- Right to opt-out of "dark patterns"
CPA at a Glance
- Effective: July 1, 2023
- Threshold: 100K consumers or 25K + 25% revenue from sales
- Special Feature: Universal opt-out mechanism requirement
- Enforcement: Attorney General and District Attorneys
- Penalties: Up to $20,000 per violation
Connecticut Data Privacy Act (CTDPA)
Connecticut's CTDPA took effect on July 1, 2023, blending elements from Virginia and Colorado with some unique additions.
Applicability
CTDPA applies to controllers conducting business in Connecticut or targeting Connecticut residents and:
- Process data of 100,000+ consumers, or
- Process data of 25,000+ consumers and derive 25%+ revenue from data sales
Consumer Rights
- Right to confirm whether data is being processed
- Right to access and portability
- Right to delete
- Right to correct
- Right to opt-out of sale, targeted advertising, profiling
- Right to opt-out of sensitive data processing
Key Features
- Includes "de-identified" data provisions
- Has a 60-day cure period (ending January 2025)
- Similar to Virginia but with Colorado's revenue threshold
- Requires data minimization principles
CTDPA at a Glance
- Effective: July 1, 2023
- Threshold: 100K consumers or 25K + 25% revenue from sales
- Cure Period: 60 days
- Enforcement: Attorney General
- Penalties: Up to $5,000 per violation
Texas Data Privacy and Security Act (TDPSA)
Texas enacted TDPSA in 2023, which became effective on July 1, 2024. It was one of the largest states to adopt a comprehensive privacy law.
Applicability
TDPSA applies to for-profit entities conducting business in Texas or targeting Texas residents and:
- Process data of 100,000+ consumers, or
- Process data of 25,000+ consumers and derive 50%+ revenue from data sales
Consumer Rights
- Right to access
- Right to delete
- Right to correct
- Right to opt-out of sale, targeted advertising, profiling
- Right to opt-out of sensitive data processing
- Right to data portability
- Right to non-discrimination
Key Features
- No private right of action
- Only Attorney General enforcement
- Includes specific provisions for protected biometric data
- Requires "reasonable" data security measures
TDPSA at a Glance
- Effective: July 1, 2024
- Threshold: 100K consumers or 25K + 50% revenue from sales
- Enforcement: Attorney General only
- Penalties: Up to $7,500 per violation
- Population: ~30 million residents
Florida Information Privacy Act (FIPA)
Florida's FIPA took effect on July 1, 2024, making it one of the newer comprehensive state privacy laws.
Applicability
FIPA applies to controllers conducting business in Florida or targeting Florida residents and:
- Process data of 100,000+ consumers, or
- Process data of 50,000+ consumers and derive 50%+ revenue from data sales
Consumer Rights
- Right to access
- Right to delete
- Right to correct
- Right to opt-out of sale, targeted advertising, profiling
- Right to data portability
- Right to non-discrimination
Key Features
- Does not include right to opt-out of sensitive data (different from others)
- Private right of action excluded
- Includes "consumer rights request" response requirements
- Applies to controllers, not processors
FIPA at a Glance
- Effective: July 1, 2024
- Threshold: 100K consumers or 50K + 50% revenue from sales
- Enforcement: Attorney General
- Penalties: Up to $10,000 per violation
- Population: ~22 million residents
California CCPA/CPRA
California remains the benchmark for state privacy laws. The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), represent the most comprehensive privacy legislation in the US.
For a complete guide to CCPA/CPRA, see our CCPA Guide.
Key Differences from Other States
| Feature | California | Other States |
|---|---|---|
| Private Right of Action | Yes (data breaches) | Generally No |
| Threshold (Standard) | $25M revenue or 100K consumers | $25-40M or 100K consumers |
| Sensitive Data | Explicit opt-out right | Most include similar rights |
| Enforcement | CPPA + AG + Private | AG only (most states) |
Other State Privacy Laws
Several other states have enacted comprehensive privacy laws:
Utah Consumer Privacy Act (UCPA)
- Effective: December 31, 2023
- Threshold: 100K consumers or 25K + 20% revenue from sales
- Notable: Includes health data provisions
Iowa Consumer Data Protection Act (ICDPA)
- Effective: January 1, 2025
- Threshold: 100K consumers or 25K + 50% revenue from sales
- Notable: One of the most business-friendly laws
Tennessee Information Privacy Act (TIPA)
- Effective: July 1, 2025
- Threshold: 100K consumers or 25K + 50% revenue from sales
Oregon Consumer Privacy Act (OCPA)
- Effective: July 1, 2024
- Threshold: 100K consumers or 25K + 25% revenue from sales
- Notable: Includes local government applicability
Montana Consumer Data Privacy Act (MCDPA)
- Effective: October 1, 2024
- Threshold: 100K consumers or 25K + 50% revenue from sales
New Jersey Privacy Act (NJPA)
- Effective: January 15, 2025
- Threshold: 100K consumers or 25K + 20% revenue from sales
- Notable: Includes private right of action for breaches
Minnesota Consumer Data Privacy Act (MCDPA)
- Effective: July 31, 2025
- Threshold: 100K consumers or 25K + 20% revenue from sales
- Notable: One of the most comprehensive
Keep Monitoring
State privacy laws continue to evolve rapidly. New states are enacting laws annually, and existing laws are being amended. Stay current with your state's requirements.
Multi-State Compliance Strategy
For businesses operating in multiple states, here are key strategies:
Unified Compliance Approach
The most efficient approach is to build toward the strictest standard:
- Follow California's requirements as baseline
- Implement universal opt-out mechanisms (Colorado style)
- Include sensitive data protections
- Build flexible request handling systems
Key Actions
Privacy Program Essentials
- Map data flows across all states
- Update privacy policies for each state's requirements
- Implement opt-out mechanisms on your website
- Create processes for consumer requests
- Conduct data protection assessments
- Review vendor contracts for required provisions
- Train employees on state-specific requirements
- Monitor legislative changes in key states
Analyze Your Privacy Policy
Use PolicyLens to check if your privacy policy meets requirements for all relevant state privacy laws and identify compliance gaps.
Analyze Your Policy Free