• Platform
    • The Osano Platform Overview

      Get an overview of the simple, all-in-one data privacy platform

    • header__icon-1
      Cookie Consent

      Manage consent for data privacy laws in 50+ countries

    • user-square
      Subject Rights Management

      Streamline and automate the DSAR workflow

    • assessments primary 200
      Assessments

      Efficiently manage assessment workflows using custom or pre-built templates

    • Unified Consent primary 200
      Unified Consent & Preference Hub

      Streamline consent, utilize non-cookie data, and enhance customer trust

    • data mapping primary 200
      Data Mapping

      Automate and visualize data store discovery and classification

    • shield-tick
      Vendor Privacy Risk Management

      Ensure your customers’ data is in good hands

    • Features & Integrations

      Key Features & Integrations

    • Privacy Templates
    • GDPR Representative
    • Consult Privacy Team
    • Regulatory Guidance
    • Integrations
  • Solutions
    • By Regulation
    • CPRA

      Discover how Osano supports CPRA compliance

    • CCPA

      Learn about the CCPA and how Osano can help

    • GDPR

      Achieve compliance with one of the world’s most comprehensive data privacy laws

    • By Organization Type
    • Icon (10)
      Start-Up

      Don’t let data privacy compliance get in the way of growth

    • Icon (11)
      Mid-Sized

      Preserve your competitive edge

    • Icon (12)
      Enterprise

      Manage data privacy at scale

    • By Use Case
    • Path
      Consent Management

      Manage consent without the complexity

    • Icon (14)
      DSAR Automation

      Never miss a DSAR deadline again

    • Icon (16)
      Privacy Program Management

      Build and grow an end-to-end privacy program

    • Icon (15)
      Vendor Risk Management

      Regain insight and control over your customers’ data

  • Resources
    • Resources

      Key resources on all things data privacy

    • book-open-01
      Articles

      Expert insights on all things privacy

    • Icon (25)
      Resource Center

      Key resources to further your data privacy education

    • hand a heart icon primary 200
      Customer Stories

      Meet some of the 5,000+ leaders using Osano to transform their privacy programs

    • globe icon primary 200
      U.S. Data Privacy Laws

      A guide to data privacy in the U.S.

    • code icon primary 200
      Product Updates

      What's the latest from Osano?

    • Become a Privacy Insider

      Data privacy is complex but you're not alone

    • envelope icon primary 200
      The Newsletter

      Join our weekly newsletter with over 35,000 subscribers

    • Icon (17)
      The Podcast

      Global experts share insights and compelling personal stories about the critical importance of data privacy

    • book-open-01
      The Book

      Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program

    • Icon (30)
      Events

      Upcoming webinars and in-person events designed for privacy professionals

    Latest Blog post

    Hand holding compass

    5 Privacy Trends for 2025: What to Watch For

    Heraclitus said that “The only constant in life is change,” but...

    Read Now
  • Company
    • Vector
      About Us

      The Osano story

    • Icon (25)
      Careers

      Become an Osanian and help us build the future of privacy!

    • Icon (26)
      Contact

      We’re eager to hear from you

    • 
      Our Pledge

      No fines, no penalties

    • Icon (27)
      Data Licensing

      Add Osano data privacy ratings and recommendations to your application

    • Icon (28)
      Osano Swag Store

      Increase Trust. Stay Compliant. Get Cool Swag.

    • Icon (29)
      Press & Media

      Inquiries and Osano in the news

    • Icon (30)
      Partners & Resellers

      Interested in partnering with us?

  • Pricing
  • Sign In Book a Demo
US Data Privacy Law Guide

U.S. Data Privacy Laws: A Guide to the 2025 Landscape

With multiple comprehensive data privacy laws enacted and many more in progress, staying on top of the U.S. data privacy landscape is becoming more and more challenging. We're here to help.

Data Privacy in the U.S.

A State-by-state Landscape

The United States doesn't currently have a national comprehensive privacy law, despite efforts to enact one. As of this writing, the American Privacy Rights Act (APRA) has been introduced in Congress, though it still has a long road ahead before it can be enacted into law.

As a result, U.S. states have been pushed to act independently. The most comprehensive state law is currently lauded by California and many states are following California's lead by enacting similar or slightly watered-down versions of the CPRA.

All laws are slightly different, however, which can be very challenging for organizations and individuals to navigate. We've distilled the U.S. data privacy law landscape focusing on the key features of each law.

Switchback - State Law Features (1)
U.S. Data Privacy Laws Survival Guide

A Guide to the 2025 Landscape

Many of the U.S.'s data privacy laws share common requirements for compliance, but not always.

Our U.S. Data Privacy Laws Survival Guide compiles all the information you need to know to tailor your privacy program for compliance with the laws that matter most to your organization.

Switchback - US Laws Survival Guide
U.S. Data Privacy Laws

Need help complying?

Schedule a Demo

Effective Comprehensive Laws

California (CCPA/CPRA)

Effective Date

  • CPRA effective date: 1/1/2023
  • CCPA effective date: 1/1/2020
  • Enforcement date: 7/1/2023
    (updated: on February 9, 2024, the CPPA won its appeal, immediately allowing enforcement of the initial CPRA regulations and retroactively setting the enforcement effective date to July 1, 2023.)

Summary

The California Privacy Rights Act (CPRA) is currently the most comprehensive data privacy law in the United States. It amended California's previous comprehensive state privacy law, the California Consumer Privacy Act. 

The primary components of this law are as follows:

Feature

CPRA's Guidelines

Thresholds

  • Buys, sells, or shares the personal information of 100,000 people or households. The “shares” part was added with the CPRA, and the number of people was doubled. 

  • Creates 50% or more of your revenue through the sale or sharing of personal information. 

  • Had $25 million in gross revenue in the preceding calendar year. The “preceding calendar year” part was added with the CPRA to make it clear what they meant by $25 million in annual gross revenues.  

Fines

  • $2,500 per offense for negligent mistakes.  

  • $7,500 per offense for willful offenses.  

Cure Period

None

Privacy Impact Assessments

Required for profiling, sensitive data, large-scale processing, and other processing activities with risk of harm to consumers.

Recognize Universal Opt-Out Mechanisms

Yes

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health condition treatment

  • Sexual orientation

  • Sex life

  • Citizenship/immigration status

  • Genetic or biometric data for purposes of uniquely identifying an individual

  • Genetic or biometric data

  • Precise geolocation

  • Union membership

  • Neural data

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Sensitive Data)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Limit Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 

Resources

Colorado (CPA)

Effective Date

  • CPA effective date: 7/1/2023

Summary

Colorado was the third state to pass a comprehensive data privacy law, the Colorado Privacy Act (CPA). It's most similar to the CPRA, Virginia's Consumer Data Protection Act, and the GDPR. 

Here are the primary features you need to know about: 

Feature

CPA's Guidelines

Thresholds

  • Businesses that collect personal data from 100,000 Colorado residents or

  • Businesses that collect data from 25,000 Colorado residents and derive a portion of revenue from the sale of that data. 

Fines

$20,000 per offense, with penalties capped at $500,000. 

Cure Period

60 days, sunsets on 1/1/2025

Privacy Impact Assessments

Yes

Recognize Universal Opt-Out Mechanisms

Yes

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health diagnosis, condition, and diagnosis made by HCP

  • Sexual orientation

  • Sex life

  • Citizenship or citizenship status

  • Genetic or biometric data

  • Personal data of known child

  • Neural data

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 

Resources

Connecticut (CTDPA)

Effective Date

  • CTDPA effective date: 7/1/2023

Summary

Connecticut was the fifth state to adopt a privacy law. Known as the Connecticut Data Privacy Act (CTDPA), or “An Act Concerning Personal Data Privacy and Online Monitoring,” Connecticut Bill 6 went into effect on July 1, 2023. 

Feature

CTDPA's Guidelines

Thresholds

Businesses in the state or those that produce products or services targeted to Connecticut residents and who, during the previous year:  

  • Controlled or processed personal data of 100,000 or more consumers, excluding solely for completing a payment transaction; or 

  • Controlled or processed personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.  

Fines

  • $5,000 per violation

  • The Attorney General can also issue orders to offenders to prevent them from violating the law, order disgorgement, and pay restitution to victims.

Cure Period

60 days, sunsets on 12/31/2024.

Privacy Impact Assessments

Yes

Recognize Universal Opt-Out Mechanisms

Yes. Must be recognized by controllers as valid consumer requests beginning 1/1/2025.

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health diagnosis, condition, and diagnosis made by HCP

  • Sexual orientation

  • Sex life

  • Citizenship or citizenship status

  • Genetic or biometric data

  • Personal data of known child

  • Precise geolocation

  • Consumer health data

  • Status as victim of crime

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 

Resources

Virginia (VCDPA)

Effective Date

  • VCDPA effective date: 1/1/2023

Summary

Virginia's leaders passed The Virginia Consumer Data Protection Act (VCDPA) on March 2, 2021, making it the second state to vote in a comprehensive privacy law after California. As a result, it's similar to the CCPA and the GDPR. 

Feature

VCDPA's Guidelines

Thresholds

Businesses that sell products and services in Virginia or do so targeting Virginia residents, and also do one of the following:

  • Control or process the personal data of 100,000 or more; 

  • Control or process the personal data of at least 25,000 consumers and earn 50% of their revenue by selling personal information. 

Fines

Up to $7,500 per violation.

Cure Period

30 days, no sunset.

Privacy Impact Assessments

Required for any processing involving targeted advertising, data sales, profiling or sensitive data; or any data processing that presents a "risk of harm."

Recognize Universal Opt-Out Mechanisms

Yes

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health diagnosis

  • Sexual orientation

  • Citizenship or immigration status

  • Genetic or biometric data/Genetic or biometric data for purposes of uniquely identifying an individual

  • Personal data of known child 

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 


Resources

Utah (UCPA)

Effective Date

  • UCPA effective date: 12/31/2023

Summary

Utah became the fourth state to enact a data privacy law in March of 2022. The Utah Consumer Privacy Act (UCPA) is considered by experts to be more business-friendly than several other privacy regulations in the U.S., including the CPRA, VCDPA, and CPA. 

Feature

UCPA's Guidelines

Thresholds

Have annual revenue of $25m or more AND:

  • Control/process personal data of 100,000 or more residents, OR

  • 25,000 or more residents and derive over 50% of gross revenue from selling personal data.

Fines

Up to $7,500 per violation + actual damages

Cure Period

30 days, no sunset

Privacy Impact Assessments

Not Required

Recognize Universal Opt-Out Mechanisms

No

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health condition and medical history, treatment, diagnosis by HCP

  • Sexual orientation

  • Citizenship/immigration status

  • Genetic or biometric data

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Delete

  • Right to Opt Out of Certain Processing (/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Notice and Opt-Out of Sensitive Data Processing

 

Resources

Texas (TDPSA)

Effective Date

  • TDPSA effective date: 7/1/2024

Summary

The Texas Data Privacy and Security Act (TDPSA) was signed into law on June 18, 2023, making it the largest state in the United States — and the second of the U.S.'s largest states — to have a comprehensive privacy law on the books. The TDPSA has a few unique aspects, such as the fact that it replaces revenue-based thresholds with a focus on businesses conducting operations in Texas and offering products or services consumed by Texas residents, or businesses that process or sell personal data. It also has a novel small business provision, and while it excludes entities like state agencies and financial institutions, the law does not provide an exemption for organizations governed by HIPAA or GLBA.

Feature

TDPSA's Guidelines

Thresholds

  • Conduct business in Texas or produce products/ services consumed by residents, OR

  • Process or engage in the sale of personal data and are not small businesses.

There are no revenue thresholds. 

Fines

Up to $7,500 per ‎violation‎ and injunctive relief to restrain or enjoin the violator's operations.

Cure Period

30 days, no sunset

Privacy Impact Assessments

Required for targeted advertising, sale of data, profiling, sensitive data processing, other processing activities with risk of harm to consumers.

Recognize Universal Opt-Out Mechanisms

Yes, as of 1/1/2025.

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health diagnosis, and diagnosis made by HCP

  • Sexuality

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 

Resources

Oregon (OCPA)

Effective Date

  • OCPA effective date: 7/1/2024

Summary

Oregon's legislation passed the Oregon Consumer Privacy Act (OCPA) into law on June 22, 2023. The privacy law is the culmination of four years of work by the Oregon Attorney General’s Consumer Privacy Task Force. Other than what's in the chart below, one notable feature is that non-profits aren't exempt from the law, but they have until July 1, 2025, to comply. And, like Texas, organizations governed by HIPAA or GLBA are not exempt and must follow OCPA for non-covered data. 

Feature

OCPA's Guidelines

Thresholds

  • Control/process the personal data of 100,000 or more residents, OR 

  • 25,000 or more residents, while deriving 25% or more of gross revenue from selling personal data.

Fines

Up to $7,500 per violation

Cure Period

30 days, sunsets 1/1/2026

Privacy Impact Assessments

Required for targeted advertising, sale of data, profiling, sensitive data processing, other processing activities with risk of harm to consumers.

Recognize Universal Opt-Out Mechanisms

Yes, starting 1/1/2026

Sensitive Data

  • Racial, ethnic, national origin

  • Religious beliefs

  • Mental/physical health condition, diagnosis, medical history and/or treatment, diagnosis by HCP

  • Sexual orientation and status as transgender/nonbinary

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

  • Status as victim of a crime

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to obtain a list of "specific third parties" to whom a controller disclosed personal data 

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 

Resources

Montana (MTCDPA)

Effective Date

  • MTCDPA effective date: 10/1/2024

Summary

Montana's governor signed the Montana Consumer Data Privacy Act (MTCDPA) into law on May 19, 2023. The act is similar to data privacy laws in Indiana, Virginia, Colorado, and Connecticut. One unique factor in the MTCDPA is that Montana's thresholds don't only rely on a revenue limit. Find out more in the breakdown below.

Feature

MTCDPA's Guidelines

Thresholds

  • Control/process the personal data of at least 50,000 residents, OR

  • 25,000 or more residents and derive more than 25% of gross revenue from selling of personal data.

Fines

Not yet specified

Cure Period

60 days, sunsets 4/1/2026

Privacy Impact Assessments

Required for targeted advertising, sale of data, profiling, sensitive data processing, other processing activities with risk of harm to consumers.

Recognize Universal Opt-Out Mechanisms

Yes, as of 1/1/2025

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health condition and/or diagnosis

  • Sexual orientation, sex life, sexuality

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 

Resources

Pending Comprehensive Laws 

Displayed chronologically based on the laws' effective dates.

Delaware (DPDPA)

Effective Date

  • DPDPA effective date: 1/1/2025

Summary

After the Delaware Personal Data Privacy Act (DPDPA) was voted in, people quickly started lauding it as the strongest data privacy law in the United States. That's not true — California still holds the title — however, it does apply to more businesses than others, and it is one of the more consumer-friendly laws. 

Feature

DPDPA's Guidelines

Thresholds

Any company that does business in the state or produces products or services that are targeted to residents of the state and that, during the previous calendar year, met one of the following:  

  • Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.  

  • Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.

Fines

Up to $10,000 per violation, up to the Department of Justice's discretion.

Cure Period

60 days, until 1/1/2026

Privacy Impact Assessments

Required for targeted advertising, selling personal data, and for profiling if there’s a risk of: 

  • Unfair or deceptive treatment to consumers  

  • Financial, physical or reputational injury  

  • Intrusion upon the solitude or seclusion of a consumer (if the intrusion would be “offensive to a reasonable person)  

  • Processing sensitive data 

Recognize Universal Opt-Out Mechanisms

Yes, as of 1/1/2026

Sensitive Data

  • Racial, ethnic, national origin

  • Religious beliefs

  • Mental/physical health condition, diagnosis, diagnosis by HCP

  • Sexual orientation and status as transgender/nonbinary

  • Sex life

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to obtain a list of "specific third parties" to whom a controller disclosed personal data 

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling


Resources

Iowa (ICDPA)

Effective Date

  • ICDPA effective date: 1/1/2025

Summary

The Iowa Consumer Data Protection Act (ICDPA) was the first comprehensive state privacy law ratified in 2023, making it the sixth overall state privacy law so far. There are a couple of differences in the Iowa law versus the others, such as the lack of provisions for the right to correct PI and the right to opt out of profiling, that it sets a 90-day timeline for responses to subject rights requests, and that it provides businesses with a 90-day cure period as opposed to the 30- or 60-day cure period set by other laws. 

Feature

ICDPA's Guidelines

Thresholds

The law applies to any business that:  

  • Controls or processes the personal data of at least 100,000 Iowa consumers, or 

  • Controls or processes the personal data of at least 25,000 consumers and derives more than 50% of its gross revenue from the sale of personal data.  

Fines

$7,500 per violation

Cure Period

Yes, 90 days

Privacy Impact Assessments

ICDPA does not address assessments. 

Recognize Universal Opt-Out Mechanisms

No

Sensitive Data

  • Racial, ethnic, national origin

  • Religious beliefs

  • Mental/physical health diagnosis, diagnosis by HCP 

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Delete

  • Right to Opt Out of Certain Processing (Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt Out of or Limit Sensitive Data Processing

 

Resources

Nebraska (NDPA)

Effective Date

  • NDPA effective date: 1/1/2025

Summary

The NDPA is a comprehensive data privacy act designed to protect consumers and give them control over their personal information. It grants them certain rights, outlined below, and provides controllers, or the entity that determines the purpose and means of processing personal data, with specific requirements for how to handle data and consumer requests related to their data.  

The law’s scope tracks closely with the Texas Data Privacy and Security Act (TDPSA), including its applicability, sensitive data, and its requirement to honor universal opt-out mechanisms.  

Feature

NDPA's Guidelines

Thresholds

Like the TDPSA, Nebraska’s privacy law applies to a person who:  

  • Conducts business in the state or produces a product or service consumed by residents of Nebraska;  
  • Processes or engages in the sale of personal data; and  
  • Is not a small business as determined under the federal Small Business Act. 

One notable aspect of the NDPA’s applicability is that, unlike most other state laws, there is no revenue or volume of data processed.  

  

Fines

$7,500 per violation.  

Cure Period

Yes, if a controller is found to have violated Nebraska privacy act, they have 30 days to cure the violation. Unlike some data privacy acts, the cure period does not have a sunset date. 

Privacy Impact Assessments

Nebraska’s privacy law requires controllers to conduct and document a DPIA for a variety of activities that involve personal data, including for the processing of data for targeted advertising; the sale of personal data; processing for profiling if it presents a risk of impacts like unfair or deceptive treatment, financial, physical or reputational injury, an intrusion on the solitude of a consumer, or other substantial injury to the consumer.  

They’re also required when processing sensitive data or for any processing activity that involves personal data that presents a heightened risk of harm to any consumer.  

Recognize Universal Opt-Out Mechanisms

Yes

Sensitive Data

Like Texas’s law, Nebraska’s data privacy act defines sensitive data as:  

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; 
  • Genetic or biometric data that is processed for the purpose of uniquely identifying an individual; 
  • Personal data collected from a known child; or  
  • Precise geolocation data.  

Consumer Rights

 

  • Confirm whether a controller is processing the consumer's personal data and to access the personal data;  
  • Correct inaccuracies in the consumer's personal data;  
  • Delete personal data provided by or obtained about the consumer; 
  • Obtain a copy of their personal data in a usable format that can be transmitted to another controller; 
  • Opt out of processing for targeted advertising, the sale of personal data, or profiling if the decision would produce a legal or other significant impact on the consumer.    

Resources

New Hampshire (NHPA)

Effective Date

  • NJDPA effective date: 1/1/2025

Summary

The New Hampshire Privacy Act (NHPA) is one of a number of statewide data privacy laws aimed at giving consumers control over their personal data in an increasingly digital world. 

The good news for businesses is that the NHPA largely resembles other data privacy laws that have come before it.

The New Hampshire data privacy act’s scope is somewhat unique in that it doesn’t include a revenue threshold. Additionally, the applicability threshold is lower than other laws, but lawmakers have pointed out that this is because of the state’s lower population.  

Like other U.S. laws, the NHPA follows primarily an opt-out model, meaning businesses are free to process consumer data, but must notify consumers about the processing first and give them a way to opt out of the collection or sale of data. 

Feature

NHPA's Guidelines

Thresholds

The NHPA apply to “persons that conduct business” in the state or who produce products or services targeted to residents of New Hampshire and who, during a one-year period:

  • Controlled or processed the personal data of not less than 35,000 unique consumers, excluding if the processing occurred solely to complete a payment transaction, or
  • Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.  

Fines

The NHPA states that any violations are also a violation of the state’s deceptive trade practices law. This means penalties could be as steep as $10,000 per violation.  

Cure Period

The act has a 60-day cure period for violations that sunsets one year after the law is enacted (in January 2026).  

Privacy Impact Assessments

New Hampshire’s law requires an assessment for any processing activity that presents a “heightened risk of harm to a consumer,” including activities such as targeted advertising, sale of personal data, processing for the purposes of profiling in certain instances, and processing sensitive data.  

Recognize Universal Opt-Out Mechanisms

Yes

Sensitive Data

The NHPA has a broad definition of sensitive data, which includes personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.

Consumer Rights

 

  • Confirm whether a controller is processing the consumer's personal data and access that data. 
  • Correct inaccuracies in the consumer's personal data. 
  • Delete personal data provided by, or obtained about, the consumer. 
  • Obtain a copy of the consumer's personal data processed by the controller, in a user-friendly format. 
  • Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling “in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.” 

Resources

New Jersey (NJDPA)

Effective Date

  • NJDPA effective date: 1/15/2025

Summary

The New Jersey Data Protection Act (NJDPA) is a data privacy law that gives New Jersey residents control over their personal data, providing certain rights and imposing obligations on those who control and process consumer data. The law applies to businesses and entities who conduct business in the state or who produce products or services targeted to those who live in New Jersey and meet certain thresholds. Unlike other state laws, no monetary penalties are defined in the law’s text, but a violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which can entail fines of up to $10,000 for the initial violation and up to $20,000 for subsequent violations.

Feature

NJDPA's Guidelines

Thresholds

In terms of applicability and exemptions, New Jersey’s privacy law aligns with other state laws. It applies to controllers who, during a calendar year, meet one of the following criteria:

  • Control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction, or
  • Control or process the personal data of at least 25,000 consumers and the controller derives revenue or receives a discount on the price of any goods or services, from the sale of personal data.

Fines

A violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which can entail fines of:

  • up to $10,000 for the initial violation and
  • up to $20,000 for subsequent violations.

 

Cure Period

30 days, sunsetting on July 15th, 2026.

Privacy Impact Assessments

Required for:

  • Targeted advertising or for profiling if it presents a “reasonably foreseeable” risk of unfair or deceptive treatment of, unlawful disparate impact on consumers, financial or physical injury, physical or other intrusion upon the solitude or seclusion or the private affairs of consumers, or if it would be offensive to a reasonable person.

  • The sale of personal data.

  •  Processing of sensitive data.

Recognize Universal Opt-Out Mechanisms

Yes

Sensitive Data

  • Racial or ethnic origin.
  • Religious beliefs.
  • Mental or physical health condition, treatment, or diagnosis.
  • Sex life or sexual orientation.
  • Citizenship or immigration status.
  • Status as a transgender or nonbinary person.
  • Genetic or biometric data that may be process for identifying an individual.
  • Personal data collected from a known child.
  • Precise geolocation data.
  • Financial information.

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Opt Out of Automated Decision-Making/Profiling

Resources

The New Jersey Data Privacy Act (NJDPA): The Basics

Tennessee (TIPA)

Effective Date

  • TIPA effective date: 7/1/2025

Summary

The Tennessee Information Protection Act (TIPA) was one of three comprehensive state privacy laws signed or ratified in May of 2023. TIPA follows many of its predecessors when it comes to consumer rights, enforcement, and penalties. Unlike its predecessors, however, TIPA diverges by providing a narrower applicability threshold, giving businesses a generous two years to prepare, and implementing an affirmative defense option for those with written privacy programs aligned with specific frameworks such as NIST.

Feature

TIPA's Guidelines

Thresholds

TIPA applies to businesses with over $25 million in annual revenue that either conduct business within Tennessee or engage with its residents and either: 

  • Control or process the personal information of at least 175,000 consumers during a calendar year.  

  • Control or process personal information of at least 25,000 consumers and derive more than 50 percent of its gross revenue from the sale of PI. 

Fines

  • up to $7,500 per violation

  • This amount can be tripled if the violations are found to be willful. 

Cure Period

60 days

Privacy Impact Assessments

Required for targeted advertising, the sale of personal information, processing sensitive data, processing personal data for profiling, and other processing that may present a heightened risk to consumers. 

Recognize Universal Opt-Out Mechanisms

No

Sensitive Data

  • Racial, ethnic, national origin

  • Religious beliefs

  • Mental/physical health diagnosis, condition, diagnosis by HCP

  • Sexual orientation

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

Resources

Minnesota (MCDPA)

Effective Date

  • MCDPA effective date: 7/31/2025

Summary

The MCDPA is a state-level legislation designed to safeguard the personal data of Minnesota residents. Rather than permit organizations to collect, process, and generally do whatever they wish with consumers’ personal information, data privacy regulations like the MCDPA set limits on what organizations can do with personal data; require organizations to meet certain obligations, like setting safeguards, assessing for risk, and respecting consumer rights; and provide consumers with data privacy rights that enable them to maintain control over their personal information 

Feature

MCDPA Guidelines

Thresholds

The MCDPA applies to organizations that provide products or services targeted at Minnesotans and meet one of the following criteria: 

  • During a calendar year, they control or process the personal data of 100,000 consumers or more. 
  • They derive more than 25 percent of gross revenue from the sale of personal data and process or control personal data of 25,000 consumers or more. 

Fines

$7,500 per violation.

Cure Period

30 days, sunsetting January 31, 2026.

Privacy Impact Assessments

Organizations subject to the MCDPA must conduct privacy impact assessments (PIAs) for certain activities. To confirm compliance, the state Attorney General may review these assessments. Specifically, organizations need to conduct PIAs for any processing activities involving: 

  • Targeted advertising 
  • The sale of personal data 
  • The processing of sensitive data 
  • Any processing of personal data that may pose a heightened risk of harm to consumers 
  • Profiling that poses a risk of unfair/deceptive treatment of consumers, injury to consumers (i.e., financial, physical, or reputational injury), any intrusion on the consumer’s solitude, or other substantial injury 

Recognize Universal Opt-Out Mechanisms

Organizations subject to the MCDPA must honor opt-out requests sent by a universal opt-out mechanism (UOOM) for targeted advertising or any sale of personal data. 

Sensitive Data

 

  • Racial or ethnic origin 
  • Religious beliefs 
  • Mental or physical health diagnosis 
  • Sexual orientation 
  • Citizenship or immigration status 
  • Genetic or biometric data 
  • Data collected from a known child 
  • Specific geolocation data 

Consumer Rights

  • Right to Know: Consumers have the right to know what categories of personal data are being collected about them by businesses.  
  • Right to Access: Consumers can request access to their personal data, and businesses must provide consumers with a copy of their personal data upon request, free of charge, and in a format that is easily accessible. 
  • Right to Obtain a List of Third Parties: As is the case with Oregon’s data privacy law, the MCDPA gives consumers the right to obtain a list of the specific third parties to which the controller has disclosed their personal data. 
  • Right to Correction: If a consumer discovers an organization has inaccurate or incomplete personal information, they may request that it be corrected. 
  • Right to Deletion: Unless the personal information is necessary for specific purposes, such as completing a transaction or complying with legal obligations, organizations must delete a consumer’s personal information upon their request. 
  • Right to Opt-Out: Consumers have the right to opt out of certain processing activities, specifically targeted advertising; the sale of personal data; or profiling that results in automated decisions that produce legal effects for the consumer. 
  • Right to Question Results of Profiling: If a consumer has been profiled, they may question the results of the profiling. If this right is exercised, organizations must inform the consumer how the results were reached and what actions the consumer could have taken to achieve a different result. 
  • Right to Non-Discrimination: Businesses may not discriminate against consumers who exercise their rights. 
  • Right to Data Portability: Consumers may have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another entity without hindrance from the business. 
  • Right to Appeal: If businesses refuse to act on a request, consumers may appeal that decision. 

 

Resources

Maryland (MODPA)

Effective Date

  • MODPA effective date: 10/1/2025

Summary

The MODPA gives Maryland residents more control over how companies collect and use their personal data online. With an effective date of October 1, 2025, the new law establishes data protection rights and requires companies that track or target the state’s residents to meet stricter requirements around data collection—especially related to data minimization, consent, universal opt-out mechanisms, sensitive data, and children’s data. However, MODPA will not apply to companies’ data processing activities until April 1st, 2026.  

Feature

MODPA Guidelines

Thresholds

Maryland’s privacy law applies to anyone who conducts business in the state, as well as those who provide services or products targeted to residents of Maryland and during the prior calendar year either:  

  • Controlled or processed the personal data of at least 35,000 consumers, with the exception of personal data collected or processed solely for completing a payment transaction, or:  
  • Controlled or processed the personal data of at least 10,000 consumers and derived more than 20 percent of its gross revenue from the sale of personal data.  

Fines

Up to $10,000 per violation or $25,000 for each repetition of the same violation.

Cure Period

Discretionary cure period of up to 60 days, sunsetting April 1, 2027.

Privacy Impact Assessments

Required for processing personal data for targeted advertising or selling personal data; processing sensitive data; processing data if there’s a risk of unfair, abusive, or deceptive treatment or if it will have an unlawful disparate impact, financial, physical, reputational, or other substantial injury to a consumer; any activity that intrudes on the solitude or seclusion of a consumer. Must be conducted for each algorithm used.

Recognize Universal Opt-Out Mechanisms

Companies have two options to comply with the law, with the first including a clear and conspicuous link on their website that allows them to opt out of the sale of personal data or targeted advertising. The second option is to allow consumers to opt out of targeted advertising and the sale of their personal data through a universal opt-out preference signal by Oct. 1, 2025.  

Sensitive Data

  • Racial or ethnic origin. 
  • Religious beliefs.  
  • Consumer health data.  
  • Sex life.  
  • Sexual orientation.  
  • Status as a transgender or nonbinary.  
  • National origin.  
  • Citizenship or immigration status. 
  • Genetic data
  • Biometric data
  • Personal data of a consumer the controller known to be a child
  • Precise geolocation data

Consumer Rights

  • Confirm whether a controller is processing their personal data.  
  • Access personal data collected. 
  • Correct inaccuracies in their personal data. 
  • Obtain a copy of the personal data in a portable and readily usable format that provides easy transmission to another controller.  
  • Obtain a list of the categories of third parties to which the controller has disclosed their personal data or a list of third parties to which the controller has disclosed personal data “if the controller does not maintain this information in a format specific to the consumer.” 
  • Opt out of the processing of personal data for targeted advertising; the sale of personal data; profiling, if the data is used to make decisions that produce legal or other significant effects 

 

Resources

Indiana (INCDPA)

Effective Date

  • INCDPA effective date: 1/1/2026

Summary

Another of the three state privacy laws to be voted in during May 2023 — and the second to do so in 2023 overall — the Indiana Consumer Data Protection Act (INCDPA) is similar to several of its predecessors, including the laws in Colorado (CPA), Connecticut (CTDPA), and Virginia (VCDPA). Indiana's law, however, does not solely rely on revenue as a threshold — it states that controllers must be compliant with the law even if their annual gross revenues do not meet a specific number as long as the data of a specific number of consumers (outlined in the chart below) is processed. 

Feature

INCDPA's Guidelines

Thresholds

Companies that operate in Indiana or sell products and services that are targeted to residents of the state and do one of the following within the previous year: 

  • Control or process the PI of 100,000 residents of Indiana or

  • Control or process the PI of at least 25,000 residents of Indiana while over 50 percent of your revenue comes from the sale of that PI. 

Fines

$7,500 per violation

Cure Period

30 days

Privacy Impact Assessments

Required for the processing of PI for targeted advertising, the sale of personal data, processing sensitive data, processing personal data for profiling with potential risks, and any other processing that may present a heightened risk to consumers. 

Recognize Universal Opt-Out Mechanisms

No

Sensitive Data

  • Racial, ethnic, national origin

  • Religious belief

  • Sexual orientation

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 

Resources

Kentucky (KCDPA)

Effective Date

  • KCDPA effective date: 1/1/2026

Summary

The KCDPA provides data privacy protections for consumers of the Bluegrass State, granting them certain, now standard rights.

The law defines consumers as residents of the state acting only as an individual, not in commercial or employment contexts. It closely aligns with Virginia’s law, which is good news for businesses already complying with the Virginia Consumer Data Protection Act (VCDPA). And, because the VCDPA is considered a framework or foundation legislation, the KCDPA also tracks closely with other state laws that used Virginia’s law as a framework, including Tennessee and Indiana.

Businesses will become subject to the law as of January 1, 2026.

Feature

KCDPA's Guidelines

Thresholds

The KCDPA applies to any person who conducts business in Kentucky or who produces products or services that target residents of the state, and during a calendar year controls or processes data of at least:

  • 100,000 consumers; or
  • 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.

Fines

$7,500 per violation

Cure Period

30 days

Privacy Impact Assessments

Required for processing that involves:

  • Targeted advertising.
  • Selling of personal data.
  • Profiling, if there is a risk of unfair or deceptive treatment, potential injury to consumers, or an intrusion on their solitude or seclusion.
  • Sensitive data.
  • Personal data that presents a heightened risk of harm to consumers.

This requirement becomes active June 1, 2026.

Recognize Universal Opt-Out Mechanisms

No

Sensitive Data

The law defines sensitive data as a category of personal data that includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for identifying a specific natural person; personal data collected from a known child; or precise geolocation data.

 

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to opt out of sale
  • Right to Portability/Transfer

  • Right to Opt in for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

Resources

Rhode Island (RIDTPPA)

Effective Date

  • RIDTPPA effective date: 1/1/2026

Summary

Enacted June 29, 2024, RIDTPPA resembles many other US data privacy laws, including its requirements surrounding consent, sensitive personal information processing, and consumer rights. The law, however, does feature several important differences, especially regarding its requirements around notices (more on that later).  

Notably, the law also lacks a cure period. If you’re found to have violated the law, you’ll simply be fined without any grace period to fix the violation. Most state data privacy laws feature cure periods, though some expire at various dates in the future, and some are permanent features.  

Feature

RIDTPPA's Guidelines

Thresholds

If your organization is a for-profit entity and conducts business in Rhode Island or provides products or services targeted to Rhode Islanders, you may be subject to the RIDTPPA. 

Specifically, you must meet the above criteria as well as one of the following: 

  • Your organization controlled or processed at least 35,000 state residents’ personal data. 
  • Your organization controlled or processed at least 10,000 state residents’ personal data and derived more than 20% of its gross revenue from the sale of that data. 

Fines

$10,000 penalty per violation. If a violator is found to have intentionally disclosed personal information in violation of the RIDTPPA, the state Attorney General can fine the organization between $100 and $500 per violation.  

Cure Period

None

Privacy Impact Assessments

Businesses must conduct assessments prior to: 

  • Processing data for targeted advertising 
  • Selling personal data 
  • Certain kinds of profiling 
  • Profiling that could pose a risk of unfair or deceptive treatment of consumers; cause physical, financial, or reputational injury; intrude on consumers’ solitude or private affairs; or cause similar harm 
  • Processing sensitive data 

Recognize Universal Opt-Out Mechanisms

No

Sensitive Data

The law defines sensitive data as: 

  • Data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions or diagnoses, sex life, sexual orientation, and citizenship or immigration status 
  • The processing of genetic or biometric data for the purpose of uniquely identifying an individual
  • The personal data of a known child
  • Precise geolocation data 

Consumer Rights

  • Confirm whether a controller is processing their personal data and to access said data 
  • Correct inaccurate personal data
  • Delete personal data
  • Data portability 
  • Opt-out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or “profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.” 

Resources

Additional Resources

Don't Stop Here

Make sure you have a good grasp of the data privacy landscape both domestically and globally.

US Data Privacy Checklist hero

U.S. Data Privacy Checklist

Download Yours
2024 privacy laws webinar - resource

2024's Data Privacy Laws [Webinar]

Watch Now
Data Privacy Laws (1)

Data Privacy Laws: What You Need to Know in 2024

Learn more

Simplify Data Privacy Compliance

With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.