State | Effective Date | Applicability | Consumer Rights | Penalties |
---|
California Consumer Privacy Act (CCPA/CPRA) | January 1, 2020/2023 | $25M revenue, 50,000 consumers, or 50%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | $2,500 per violation; $7,500 for intentional violations |
Virginia Consumer Data Privacy Act (VCDPA) | January 1, 2023 | 100,000 consumers or 25,000+ 50%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Up to $7,500 per violation |
Colorado Privacy Act (CPA) | July 1, 2023 | 100,000 consumers or 25,000+ 25%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Up to $20,000 per violation with a total maximum penalty of $500,000 |
Connecticut Data Privacy Act (CTDPA) | July 1, 2023 | 100,000 consumers or 25,000+ 25%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Up to $500,000 per violation |
Utah Consumer Privacy Act (UCPA) | December 31, 2023 | $25M revenue and 100,000 consumer or 25,000+ consumers with 50% revenue from data sales | Access, Delete, Opt-Out, Portability | Up to $7,500 per violation |
Oregon Consumer Privacy Act (OCPA) | July 1, 2024 | 100,000 consumer or 25,000+ consumers with 25% revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Up to $7,500 per violation |
Texas Data Privacy and Security Act (TDPSA) | July 1, 2024 | 35,000 consumer or 10,000+ consumers with 20% revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Up to $7,500 per violation |
Florida Digital Bill of Rights (FDBR) | July 1, 2024 | gross annual revenue of at least $1 billion or 50% or more revenue from targeted advertising | Access, Delete, Correct, Opt-Out, Portability | Up to $50,000 per violation |
Montana Consumer Data Privacy Act (MTCDPA) | October 1, 2024 | 50,000 consumer or 25,000+ consumers with 25% revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Not specified |
Delaware Personal Data Privacy Act (DPDPA) | January 1, 2025 | 35,000 consumer or 10,000+ consumers with 20% revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | up to $10,000 per violation |
Iowa Consumer Data Protection Act (ICDPA) | January 1, 2025 | 100,000 consumer or 25,000+ consumers with 50% revenue from data sales | Access, Delete, Portability Opt-Out, | up to $7,500 per violation |
Nebraska Data Privacy Act (NDPA) | January 1, 2025 | Annual gross Revenue exceeding $10 million or buying/selling/sharing personal information of 50,000 or more consumers or 50%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | up to $7,500 per violation |
New Hampshire Privacy Act | January 1, 2025 | 35,000 consumer or 10,000+ consumers with 25% revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | up to $10,000 per violation |
New Jersey Data Privacy Act (NJDPA) | January 15, 2025 | 100,000 consumer or 25,000+ consumers with data sales revenue | Access, Delete, Correct, Opt-Out, Portability | Up to $10,000 for 1st violation and up to $20,000 for subsequent violations |
Tennessee Information Protection Act (TIPA)
| July 1, 2025 | $25M revenue, 25,000 consumers (50%+ revenue from data sales) or 175,000 consumers | Access, Delete, Correct, Opt-Out, Portability | $7,500 per violation; treble damages for intentional violations |
Minnesota Consumer Data Privacy Act (MCDPA) | July 31, 2025 | 100,000 consumers or 25,000+ consumers with data 25%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | up to $7,500 per violation |
Maryland Online Data Privacy Act (MODPA) | Oct 1, 2025 | 35,000 consumers or 10,000+ consumers with 20%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | up to $10,000 per violation, and up to $25,000 for repeated violations |
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) | January 1, 2026 | 35,000 consumers or 10,000+ consumers with 20%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | $10,000 per violation and between $100 - $500 for each intentional disclosure of personal data |
Kentucky Consumer Data Protection Act (KCDPA) | January 1, 2026 | 100,000 consumers or 25,000+ consumers with data 50%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Up to $7,500 per violation |
Indiana Consumer Data Protection Act (INCDPA) | January 1, 2026 | 100,000 consumers or 25,000+ consumers with data 50%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Up to $7,500 per violation |