- Resources
Our Latest Blog
US Data Privacy Laws Tracker: State-by-State Map
Select a U.S. state below to get information on its data protection laws.
- Committee and Introduced
- Effective
- Non-Effective
Key Components of State Data Privacy Laws
While each law is unique, there are common elements
Defines which businesses the law applies to, often based on revenue, data volume, or the percentage of revenue derived from data sales.
Includes rights like accessing, correcting, deleting or opting out of data processing.
Some laws require explicit consent for processing sensitive personal data.
Includes requirements for privacy notices, security measures, and data protection assessments.
Typically handled by the state attorney general, with penalties for violations.
| State | Effective Date | Applicability | Consumer Rights | Penalties |
|---|---|---|---|---|
| California Consumer Privacy Act (CCPA/CPRA) | January 1, 2020/2023 | $25M revenue, 50,000 consumers, or 50%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | $2,500 per violation; $7,500 for intentional violations |
| Virginia Consumer Data Privacy Act (VCDPA) | January 1, 2023 | 100,000 consumers or 25,000+ 50%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Up to $7,500 per violation |
| Colorado Privacy Act (CPA) | July 1, 2023 | 100,000 consumers or 25,000+ 25%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Up to $20,000 per violation with a total maximum penalty of $500,000 |
| Connecticut Data Privacy Act (CTDPA) | July 1, 2023 | 100,000 consumers or 25,000+ 25%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Up to $500,000 per violation |
| Utah Consumer Privacy Act (UCPA) | December 31, 2023 | $25M revenue and 100,000 consumer or 25,000+ consumers with 50% revenue from data sales | Access, Delete, Opt-Out, Portability | Up to $7,500 per violation |
| Oregon Consumer Privacy Act (OCPA) | July 1, 2024 | 100,000 consumer or 25,000+ consumers with 25% revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Up to $7,500 per violation |
| Texas Data Privacy and Security Act (TDPSA) | July 1, 2024 | 35,000 consumer or 10,000+ consumers with 20% revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Up to $7,500 per violation |
| Florida Digital Bill of Rights (FDBR) | July 1, 2024 | gross annual revenue of at least $1 billion or 50% or more revenue from targeted advertising | Access, Delete, Correct, Opt-Out, Portability | Up to $50,000 per violation |
| Montana Consumer Data Privacy Act (MTCDPA) | October 1, 2024 | 50,000 consumer or 25,000+ consumers with 25% revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Not specified |
| Delaware Personal Data Privacy Act (DPDPA) | January 1, 2025 | 35,000 consumer or 10,000+ consumers with 20% revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | up to $10,000 per violation |
| Iowa Consumer Data Protection Act (ICDPA) | January 1, 2025 | 100,000 consumer or 25,000+ consumers with 50% revenue from data sales | Access, Delete, Portability Opt-Out, | up to $7,500 per violation |
| Nebraska Data Privacy Act (NDPA) | January 1, 2025 | Annual gross Revenue exceeding $10 million or buying/selling/sharing personal information of 50,000 or more consumers or 50%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | up to $7,500 per violation |
| New Hampshire Privacy Act | January 1, 2025 | 35,000 consumer or 10,000+ consumers with 25% revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | up to $10,000 per violation |
| New Jersey Data Privacy Act (NJDPA) | January 15, 2025 | 100,000 consumer or 25,000+ consumers with data sales revenue | Access, Delete, Correct, Opt-Out, Portability | Up to $10,000 for 1st violation and up to $20,000 for subsequent violations |
| Tennessee Information Protection Act (TIPA) | July 1, 2025 | $25M revenue, 25,000 consumers (50%+ revenue from data sales) or 175,000 consumers | Access, Delete, Correct, Opt-Out, Portability | $7,500 per violation; treble damages for intentional violations |
| Minnesota Consumer Data Privacy Act (MCDPA) | July 31, 2025 | 100,000 consumers or 25,000+ consumers with data 25%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | up to $7,500 per violation |
| Maryland Online Data Privacy Act (MODPA) | Oct 1, 2025 | 35,000 consumers or 10,000+ consumers with 20%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | up to $10,000 per violation, and up to $25,000 for repeated violations |
| Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) | January 1, 2026 | 35,000 consumers or 10,000+ consumers with 20%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | $10,000 per violation and between $100 - $500 for each intentional disclosure of personal data |
| Kentucky Consumer Data Protection Act (KCDPA) | January 1, 2026 | 100,000 consumers or 25,000+ consumers with data 50%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Up to $7,500 per violation |
| Indiana Consumer Data Protection Act (INCDPA) | January 1, 2026 | 100,000 consumers or 25,000+ consumers with data 50%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Up to $7,500 per violation |
Alabama
Partial Laws
Alaska
Partial Laws
Arizona
Partial Laws
Arkansas
Partial Laws
California
Partial Laws
Colorado
Partial Laws
Connecticut
Partial Laws
Delaware
Partial Laws
Florida
Partial Laws
Georgia
Partial Laws
Hawaii
Partial Laws
Idaho
Partial Laws
Illinois
Partial Laws
Indiana
Partial Laws
Iowa
Partial Laws
Kansas
Partial Laws
Kentucky
Partial Laws
Louisiana
Partial Laws
Maine
Partial Laws
Maryland
Partial Laws
Massachusetts
Partial Laws
Michigan
Partial Laws
Minnesota
Partial Laws
Mississippi
Partial Laws
Missouri
Partial Laws
Montana
Partial Laws
Nebraska
Partial Laws
Nevada
Partial Laws
New Hampshire
Partial Laws
New Jersey
Partial Laws
New Mexico
Partial Laws
New York
Partial Laws
North Carolina
Partial Laws
North Dakota
Partial Laws
Ohio
Partial Laws
Oklahoma
Partial Laws
Oregon
Partial Laws
Pennsylvania
Partial Laws
Rhode Island
Partial Laws
South Carolina
Partial Laws
South Dakota
Partial Laws
Tennessee
Partial Laws
Texas
Partial Laws
Utah
Partial Laws
Vermont
Partial Laws
Virginia
Partial Laws
Washington
Partial Laws
West Virginia
Partial Laws
Wisconsin
Partial Laws
Wyoming
Partial Laws
Washington D.C.
Partial Laws
US Privacy Laws FAQ
Consumers have several important rights under U.S. privacy laws. They typically have the right to know what data is being collected, the right to access their data, and the right to delete their data. In some states, they can also opt out of having their data sold or shared for marketing purposes. Essentially, these laws aim to give individuals more control over their personal information.
In most cases, U.S. privacy laws do not require explicit permission before collecting personal data. However, consumers must be informed about what data is being collected, and businesses must give them the option to opt-out of certain uses of their data, such as for marketing. For more sensitive data or practices like cookies, businesses may need to obtain consent, particularly in states with stricter privacy laws like California and Colorado.
If your business doesn’t follow privacy laws, it could face legal consequences like fines and penalties. For example, under the California Consumer Privacy Act (CCPA), businesses can be fined up to $7,500 for each violation. In addition to financial penalties, businesses may also suffer reputational damage if they mishandle consumer data, which can lead to loss of trust and customers.
A Privacy Policy is a document that explains how a business collects, uses, and protects consumers’ personal data. It's important because most privacy laws require businesses to provide a clear and accessible Privacy Policy to inform customers about their data practices. This not only helps ensure compliance but also builds trust with consumers, as they can see how their data will be handled.
A Data Deletion Request allows consumers to ask a business to delete their personal information from its records. This is a key right under many U.S. privacy laws, including the CCPA. Once a request is submitted, businesses are generally required to remove the consumer's data, unless there’s a valid reason to keep it, such as for legal or business purposes. It’s important for businesses to have a process in place to handle these requests quickly and securely.
Not all businesses are required to comply with every privacy law. However, if your business meets certain criteria, such as having a significant amount of customer data or operating in a state with specific privacy laws (like California or Virginia) you may need to comply. Small businesses may be exempt from some regulations, but it’s still good practice to adopt privacy practices that protect customer information.
In the U.S., cookie laws are primarily focused on providing transparency about the use of cookies for tracking online behavior. Businesses must inform users when cookies are being used and, in some cases, give them the option to opt-out of non-essential cookies. While U.S. laws are less strict than the EU’s GDPR, states like California require businesses to provide clear information about their cookie practices, particularly for those using cookies for advertising purposes.