With multiple comprehensive data privacy laws enacted and many more in progress, staying on top of the U.S. data privacy landscape is becoming more and more challenging. We're here to help.
The United States doesn't currently have a national comprehensive privacy law, despite efforts to enact one. As of this writing, the American Privacy Rights Act (APRA) has been introduced in Congress, though it still has a long road ahead before it can be enacted into law.
As a result, U.S. states have been pushed to act independently. The most comprehensive state law is currently California's, and many states are following California's lead by enacting similar or slightly watered-down versions of the CPRA.
All laws are slightly different, however, which can be very challenging for organizations and individuals to navigate. We've distilled the U.S. data privacy law landscape focusing on the key features of each law.
Many U.S. data privacy laws share common compliance requirements, but not all of them do.
Our U.S. Data Privacy Laws Survival Guide compiles all the information you need to know to tailor your privacy program for compliance with the laws that matter most to your organization.
The California Privacy Rights Act (CPRA) is currently the most comprehensive data privacy law in the United States. It amended California's previous comprehensive state privacy law, the California Consumer Privacy Act (CCPA).
The primary components of this law are as follows:
| Feature | CPRA's Guidelines |
| --- | --- |
| Thresholds | |
| Fines | |
| Cure Period | None |
| Privacy Impact Assessments | Required for profiling, sensitive data, large-scale processing, and other processing activities with risk of harm to consumers. |
| Recognize Universal Opt-Out Mechanisms | Yes |
| Sensitive Data | |
| Consumer Rights | |
Colorado was the third state to pass a comprehensive data privacy law, the Colorado Privacy Act (CPA). It's most similar to the CPRA, Virginia's Consumer Data Protection Act, and the GDPR.
Here are the primary features you need to know about:
| Feature | CPA's Guidelines |
| --- | --- |
| Thresholds | |
| Fines | $20,000 per offense, with penalties capped at $500,000. |
| Cure Period | 60 days, sunsets on 1/1/2025 |
| Privacy Impact Assessments | Yes |
| Recognize Universal Opt-Out Mechanisms | Yes |
| Sensitive Data | |
| Consumer Rights | |
Connecticut was the fifth state to adopt a privacy law. Known as the Connecticut Data Privacy Act (CTDPA), or “An Act Concerning Personal Data Privacy and Online Monitoring,” Connecticut Bill 6 went into effect on July 1, 2023.
| Feature | CTDPA's Guidelines |
| --- | --- |
| Thresholds | Businesses in the state or those that produce products or services targeted to Connecticut residents and who, during the previous year: |
| Fines | |
| Cure Period | 60 days, sunsets on 12/31/2024. |
| Privacy Impact Assessments | Yes |
| Recognize Universal Opt-Out Mechanisms | Yes. Must be recognized by controllers as valid consumer requests beginning 1/1/2025. |
| Sensitive Data | |
| Consumer Rights | |
Virginia's leaders passed The Virginia Consumer Data Protection Act (VCDPA) on March 2, 2021, making it the second state to vote in a comprehensive privacy law after California. As a result, it's similar to the CCPA and the GDPR.
| Feature | VCDPA's Guidelines |
| --- | --- |
| Thresholds | Businesses that sell products and services in Virginia or do so targeting Virginia residents, and also do one of the following: |
| Fines | Up to $7,500 per violation. |
| Cure Period | 30 days, no sunset. |
| Privacy Impact Assessments | Required for any processing involving targeted advertising, data sales, profiling or sensitive data; or any data processing that presents a "risk of harm." |
| Recognize Universal Opt-Out Mechanisms | Yes |
| Sensitive Data | |
| Consumer Rights | |
Utah became the fourth state to enact a data privacy law in March of 2022. The Utah Consumer Privacy Act (UCPA) is considered by experts to be more business-friendly than several other privacy regulations in the U.S., including the CPRA, VCDPA, and CPA.
| Feature | UCPA's Guidelines |
| --- | --- |
| Thresholds | Have annual revenue of $25m or more AND: |
| Fines | Up to $7,500 per violation + actual damages |
| Cure Period | 30 days, no sunset |
| Privacy Impact Assessments | Not Required |
| Recognize Universal Opt-Out Mechanisms | No |
| Sensitive Data | |
| Consumer Rights | |
The Texas Data Privacy and Security Act (TDPSA) was signed into law on June 18, 2023, making Texas the largest state, and the second of the two largest U.S. states, to have a comprehensive privacy law on the books. The TDPSA has a few unique aspects, such as replacing revenue-based thresholds with a focus on businesses that conduct operations in Texas and offer products or services consumed by Texas residents, or that process or sell personal data. It also has a novel small business provision, and while it excludes entities such as state agencies and financial institutions, it does not exempt organizations governed by HIPAA or GLBA.
| Feature | TDPSA's Guidelines |
| --- | --- |
| Thresholds | There are no revenue thresholds. |
| Fines | Up to $7,500 per violation and injunctive relief to restrain or enjoin the violator's operations. |
| Cure Period | 30 days, no sunset |
| Privacy Impact Assessments | Required for targeted advertising, sale of data, profiling, sensitive data processing, and other processing activities with risk of harm to consumers. |
| Recognize Universal Opt-Out Mechanisms | Yes, as of 1/1/2025. |
| Sensitive Data | |
| Consumer Rights | |
Oregon's legislature passed the Oregon Consumer Privacy Act (OCPA) into law on June 22, 2023. The law is the culmination of four years of work by the Oregon Attorney General's Consumer Privacy Task Force. Beyond what's in the chart below, one notable feature is that non-profits aren't exempt from the law, although they have until July 1, 2025, to comply. And, as in Texas, organizations governed by HIPAA or GLBA are not exempt and must follow the OCPA for data those laws don't cover.
| Feature | OCPA's Guidelines |
| --- | --- |
| Thresholds | |
| Fines | Up to $7,500 per violation |
| Cure Period | 30 days, sunsets 1/1/2026 |
| Privacy Impact Assessments | Required for targeted advertising, sale of data, profiling, sensitive data processing, and other processing activities with risk of harm to consumers. |
| Recognize Universal Opt-Out Mechanisms | Yes, starting 1/1/2026 |
| Sensitive Data | |
| Consumer Rights | |
Montana's governor signed the Montana Consumer Data Privacy Act (MTCDPA) into law on May 19, 2023. The act is similar to data privacy laws in Indiana, Virginia, Colorado, and Connecticut. One unique factor in the MTCDPA is that Montana's thresholds don't only rely on a revenue limit. Find out more in the breakdown below.
| Feature | MTCDPA's Guidelines |
| --- | --- |
| Thresholds | |
| Fines | Not yet specified |
| Cure Period | 60 days, sunsets 4/1/2026 |
| Privacy Impact Assessments | Required for targeted advertising, sale of data, profiling, sensitive data processing, and other processing activities with risk of harm to consumers. |
| Recognize Universal Opt-Out Mechanisms | Yes, as of 1/1/2025 |
| Sensitive Data | |
| Consumer Rights | |
After the Delaware Personal Data Privacy Act (DPDPA) was voted in, people quickly started lauding it as the strongest data privacy law in the United States. That isn't true; California still holds the title. However, the DPDPA does apply to more businesses than most other state laws, and it is one of the more consumer-friendly laws.
| Feature | DPDPA's Guidelines |
| --- | --- |
| Thresholds | Any company that does business in the state or produces products or services that are targeted to residents of the state and that, during the previous calendar year, met one of the following: |
| Fines | Up to $10,000 per violation, at the Department of Justice's discretion. |
| Cure Period | 60 days, until 1/1/2026 |
| Privacy Impact Assessments | Required for targeted advertising, selling personal data, and for profiling if there's a risk of: |
| Recognize Universal Opt-Out Mechanisms | Yes, as of 1/1/2026 |
| Sensitive Data | |
| Consumer Rights | |
The Iowa Consumer Data Protection Act (ICDPA) was the first comprehensive state privacy law ratified in 2023, making it the sixth state privacy law overall. The Iowa law differs from the others in a few ways: it lacks provisions for the right to correct PI and the right to opt out of profiling, it sets a 90-day timeline for responses to subject rights requests, and it gives businesses a 90-day cure period rather than the 30- or 60-day cure period set by other laws.
| Feature | ICDPA's Guidelines |
| --- | --- |
| Thresholds | The law applies to any business that: |
| Fines | $7,500 per violation |
| Cure Period | Yes, 90 days |
| Privacy Impact Assessments | ICDPA does not address assessments. |
| Recognize Universal Opt-Out Mechanisms | No |
| Sensitive Data | |
| Consumer Rights | |
The NDPA is a comprehensive data privacy act designed to protect consumers and give them control over their personal information. It grants them certain rights, outlined below, and provides controllers, or the entity that determines the purpose and means of processing personal data, with specific requirements for how to handle data and consumer requests related to their data.
The law’s scope tracks closely with the Texas Data Privacy and Security Act (TDPSA), including its applicability, sensitive data, and its requirement to honor universal opt-out mechanisms.
| Feature | NDPA's Guidelines |
| --- | --- |
| Thresholds | Like the TDPSA, Nebraska's privacy law applies to a person who: One notable aspect of the NDPA's applicability is that, unlike most other state laws, there is no revenue or data-volume threshold. |
| Fines | $7,500 per violation. |
| Cure Period | Yes, if a controller is found to have violated the Nebraska privacy act, it has 30 days to cure the violation. Unlike some data privacy acts, the cure period does not have a sunset date. |
| Privacy Impact Assessments | Nebraska's privacy law requires controllers to conduct and document a DPIA for a variety of activities that involve personal data, including processing data for targeted advertising; the sale of personal data; and processing for profiling if it presents a risk of impacts like unfair or deceptive treatment, financial, physical or reputational injury, an intrusion on the solitude of a consumer, or other substantial injury to the consumer. They're also required when processing sensitive data or for any processing activity involving personal data that presents a heightened risk of harm to any consumer. |
| Recognize Universal Opt-Out Mechanisms | Yes |
| Sensitive Data | Like Texas's law, Nebraska's data privacy act defines sensitive data as: |
| Consumer Rights | |
The New Hampshire Privacy Act (NHPA) is one of a number of statewide data privacy laws aimed at giving consumers control over their personal data in an increasingly digital world.
The good news for businesses is that the NHPA largely resembles other data privacy laws that have come before it.
The New Hampshire data privacy act’s scope is somewhat unique in that it doesn’t include a revenue threshold. Additionally, the applicability threshold is lower than other laws, but lawmakers have pointed out that this is because of the state’s lower population.
Like other U.S. laws, the NHPA follows primarily an opt-out model, meaning businesses are free to process consumer data, but must notify consumers about the processing first and give them a way to opt out of the collection or sale of data.
| Feature | NHPA's Guidelines |
| --- | --- |
| Thresholds | The NHPA applies to "persons that conduct business" in the state or who produce products or services targeted to residents of New Hampshire and who, during a one-year period: |
| Fines | The NHPA states that any violation is also a violation of the state's deceptive trade practices law. This means penalties could be as steep as $10,000 per violation. |
| Cure Period | The act has a 60-day cure period for violations that sunsets one year after the law is enacted (in January 2026). |
| Privacy Impact Assessments | New Hampshire's law requires an assessment for any processing activity that presents a "heightened risk of harm to a consumer," including activities such as targeted advertising, sale of personal data, processing for the purposes of profiling in certain instances, and processing sensitive data. |
| Recognize Universal Opt-Out Mechanisms | Yes |
| Sensitive Data | The NHPA has a broad definition of sensitive data, which includes personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data. |
| Consumer Rights | |
The New Jersey Data Protection Act (NJDPA) is a data privacy law that gives New Jersey residents control over their personal data, providing certain rights and imposing obligations on those who control and process consumer data. The law applies to businesses and entities who conduct business in the state or who produce products or services targeted to those who live in New Jersey and meet certain thresholds. Unlike other state laws, no monetary penalties are defined in the law’s text, but a violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which can entail fines of up to $10,000 for the initial violation and up to $20,000 for subsequent violations.
| Feature | NJDPA's Guidelines |
| --- | --- |
| Thresholds | In terms of applicability and exemptions, New Jersey's privacy law aligns with other state laws. It applies to controllers who, during a calendar year, meet one of the following criteria: |
| Fines | A violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which can entail fines of: |
| Cure Period | 30 days, sunsetting on July 15, 2026. |
| Privacy Impact Assessments | Required for: |
| Recognize Universal Opt-Out Mechanisms | Yes |
| Sensitive Data | |
| Consumer Rights | |
The Tennessee Information Protection Act (TIPA) was one of three comprehensive state privacy laws signed or ratified in May of 2023. TIPA follows many of its predecessors when it comes to consumer rights, enforcement, and penalties. Unlike its predecessors, however, TIPA diverges by providing a narrower applicability threshold, giving businesses a generous two years to prepare, and implementing an affirmative defense option for those with written privacy programs aligned with specific frameworks such as NIST.
| Feature | TIPA's Guidelines |
| --- | --- |
| Thresholds | TIPA applies to businesses with over $25 million in annual revenue that either conduct business within Tennessee or engage with its residents and either: |
| Fines | |
| Cure Period | 60 days |
| Privacy Impact Assessments | Required for targeted advertising, the sale of personal information, processing sensitive data, processing personal data for profiling, and other processing that may present a heightened risk to consumers. |
| Recognize Universal Opt-Out Mechanisms | No |
| Sensitive Data | |
| Consumer Rights | |
The MCDPA is state-level legislation designed to safeguard the personal data of Minnesota residents. Rather than permit organizations to collect, process, and generally do whatever they wish with consumers' personal information, data privacy regulations like the MCDPA set limits on what organizations can do with personal data; require organizations to meet certain obligations, like setting safeguards, assessing for risk, and respecting consumer rights; and provide consumers with data privacy rights that enable them to maintain control over their personal information.
| Feature | MCDPA Guidelines |
| --- | --- |
| Thresholds | The MCDPA applies to organizations that provide products or services targeted at Minnesotans and meet one of the following criteria: |
| Fines | $7,500 per violation. |
| Cure Period | 30 days, sunsetting January 31, 2026. |
| Privacy Impact Assessments | Organizations subject to the MCDPA must conduct privacy impact assessments (PIAs) for certain activities. To confirm compliance, the state Attorney General may review these assessments. Specifically, organizations need to conduct PIAs for any processing activities involving: |
| Recognize Universal Opt-Out Mechanisms | Organizations subject to the MCDPA must honor opt-out requests sent by a universal opt-out mechanism (UOOM) for targeted advertising or any sale of personal data. |
| Sensitive Data | |
| Consumer Rights | |
The MODPA gives Maryland residents more control over how companies collect and use their personal data online. With an effective date of October 1, 2025, the new law establishes data protection rights and requires companies that track or target the state’s residents to meet stricter requirements around data collection—especially related to data minimization, consent, universal opt-out mechanisms, sensitive data, and children’s data. However, MODPA will not apply to companies’ data processing activities until April 1st, 2026.
| Feature | MODPA Guidelines |
| --- | --- |
| Thresholds | Maryland's privacy law applies to anyone who conducts business in the state, as well as those who provide services or products targeted to residents of Maryland and during the prior calendar year either: |
| Fines | Up to $10,000 per violation or $25,000 for each repetition of the same violation. |
| Cure Period | Discretionary cure period of up to 60 days, sunsetting April 1, 2027. |
| Privacy Impact Assessments | Required for processing personal data for targeted advertising or selling personal data; processing sensitive data; processing data if there's a risk of unfair, abusive, or deceptive treatment, or if it will have an unlawful disparate impact or cause financial, physical, reputational, or other substantial injury to a consumer; and any activity that intrudes on the solitude or seclusion of a consumer. Must be conducted for each algorithm used. |
| Recognize Universal Opt-Out Mechanisms | Companies have two options to comply with the law. The first is to include a clear and conspicuous link on their website that allows consumers to opt out of the sale of personal data or targeted advertising. The second is to allow consumers to opt out of targeted advertising and the sale of their personal data through a universal opt-out preference signal by Oct. 1, 2025. |
| Sensitive Data | |
| Consumer Rights | |
Another of the three state privacy laws voted in during May 2023, and the second to be enacted in 2023 overall, the Indiana Consumer Data Protection Act (INCDPA) is similar to several of its predecessors, including the laws in Colorado (CPA), Connecticut (CTDPA), and Virginia (VCDPA). Indiana's law, however, does not rely solely on revenue as a threshold: controllers must comply with the law even if their annual gross revenue does not meet a specific figure, as long as they process the data of a specific number of consumers (outlined in the chart below).
| Feature | INCDPA's Guidelines |
| --- | --- |
| Thresholds | Companies that operate in Indiana or sell products and services that are targeted to residents of the state and do one of the following within the previous year: |
| Fines | $7,500 per violation |
| Cure Period | 30 days |
| Privacy Impact Assessments | Required for the processing of PI for targeted advertising, the sale of personal data, processing sensitive data, processing personal data for profiling with potential risks, and any other processing that may present a heightened risk to consumers. |
| Recognize Universal Opt-Out Mechanisms | No |
| Sensitive Data | |
| Consumer Rights | |
The KCDPA provides data privacy protections for consumers in the Bluegrass State, granting them certain now-standard rights.
The law defines consumers as residents of the state acting only as an individual, not in commercial or employment contexts. It closely aligns with Virginia’s law, which is good news for businesses already complying with the Virginia Consumer Data Protection Act (VCDPA). And, because the VCDPA is considered a framework or foundation legislation, the KCDPA also tracks closely with other state laws that used Virginia’s law as a framework, including Tennessee and Indiana.
Businesses will become subject to the law as of January 1, 2026.
| Feature | KCDPA's Guidelines |
| --- | --- |
| Thresholds | The KCDPA applies to any person who conducts business in Kentucky or who produces products or services that target residents of the state, and during a calendar year controls or processes data of at least: |
| Fines | $7,500 per violation |
| Cure Period | 30 days |
| Privacy Impact Assessments | Required for processing that involves: This requirement becomes active June 1, 2026. |
| Recognize Universal Opt-Out Mechanisms | No |
| Sensitive Data | The law defines sensitive data as a category of personal data that includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for identifying a specific natural person; personal data collected from a known child; or precise geolocation data. |
| Consumer Rights | |
Enacted June 29, 2024, RIDTPPA resembles many other US data privacy laws, including its requirements surrounding consent, sensitive personal information processing, and consumer rights. The law, however, does feature several important differences, especially regarding its requirements around notices (more on that later).
Notably, the law also lacks a cure period. If you’re found to have violated the law, you’ll simply be fined without any grace period to fix the violation. Most state data privacy laws feature cure periods, though some expire at various dates in the future, and some are permanent features.
| Feature | RIDTPPA's Guidelines |
| --- | --- |
| Thresholds | If your organization is a for-profit entity and conducts business in Rhode Island or provides products or services targeted to Rhode Islanders, you may be subject to the RIDTPPA. |
| Fines | $10,000 penalty per violation. If a violator is found to have intentionally disclosed personal information in violation of the RIDTPPA, the state Attorney General can fine the organization between $100 and $500 per violation. |
| Cure Period | None |
| Privacy Impact Assessments | Businesses must conduct assessments prior to: |
| Recognize Universal Opt-Out Mechanisms | No |
| Sensitive Data | The law defines sensitive data as: |
| Consumer Rights | |
Make sure you have a good grasp of the data privacy landscape both domestically and globally.