US State Privacy Laws: The Complete Compliance Guide
Navigate the growing patchwork of state consumer privacy regulations with practical guidance from an attorney who has architected global privacy programs for Fortune 500-serving platforms.
State Privacy Law Timeline
2023
- • California CPRA (Jan 1)
- • Virginia VCDPA (Jan 1)
- • Colorado CPA (Jul 1)
- • Connecticut CTDPA (Jul 1)
- • Utah UCPA (Dec 31)
2024
- • Texas TDPSA (Jul 1)
- • Oregon OCPA (Jul 1)
- • Montana MTCDPA (Oct 1)
2025
- • Delaware (Jan 1)
- • Iowa (Jan 1)
- • New Jersey (Jan 15)
- • New Hampshire (Jan 1)
- • + More states...
2026+
- • Kentucky (Jan 1, 2026)
- • Rhode Island (Jan 1, 2026)
- • More states expected
- • Possible federal law
Active State Privacy Laws
Detailed breakdown of each state's privacy law requirements, thresholds, and key provisions.
California (CCPA/CPRA)
Effective: January 1, 2020 / January 1, 2023
Applicability Thresholds:
$25M+ revenue OR 100K+ consumers OR 50%+ revenue from data
Key Features:
- Broadest consumer rights
- Private right of action (breaches)
- CPPA enforcement agency
- Sensitive data opt-out
Virginia (VCDPA)
Effective: January 1, 2023
Applicability Thresholds:
100K+ consumers OR 25K+ consumers + 50% revenue from data
Key Features:
- Model for other states
- Consent for sensitive data
- 30-day cure period
- AG enforcement only
Colorado (CPA)
Effective: July 1, 2023
Applicability Thresholds:
100K+ consumers OR 25K+ consumers + revenue from data sales
Key Features:
- Universal opt-out required (2024)
- DPIAs required
- 60-day cure (sunsets 2025)
- Right to appeal
Connecticut (CTDPA)
Effective: July 1, 2023
Applicability Thresholds:
100K+ consumers OR 25K+ consumers + 25% revenue from data
Key Features:
- Loyalty program provisions
- 60-day cure period
- Appeal mechanism
- Narrow nonprofit exemption
Utah (UCPA)
Effective: December 31, 2023
Applicability Thresholds:
$25M+ revenue AND 100K+ consumers OR 25K+ consumers + 50% revenue
Key Features:
- Most business-friendly
- No right to correction initially
- Higher thresholds
- No DPIAs
Texas (TDPSA)
Effective: July 1, 2024
Applicability Thresholds:
No revenue threshold—processes TX residents' data + not small business
Key Features:
- Broadest applicability
- Small business exemption
- 30-day cure
- Sensitive data consent
Oregon (OCPA)
Effective: July 1, 2024
Applicability Thresholds:
100K+ consumers OR 25K+ consumers with data sale revenue
Key Features:
- No nonprofit exemption
- Universal opt-out required
- De-identified data rules
- DPIAs required
Montana (MTCDPA)
Effective: October 1, 2024
Applicability Thresholds:
50K+ consumers OR 25K+ consumers + revenue from data sales
Key Features:
- Lowest threshold (50K)
- Follows Virginia model
- 30-day cure
- Sensitive data consent
Feature Comparison
Side-by-side comparison of consumer rights and requirements across major state privacy laws.
| Feature | CCPA/CPRA | VCDPA | CPA | CTDPA | UCPA | TDPSA |
|---|---|---|---|---|---|---|
| Right to Access | ||||||
| Right to Delete | ||||||
| Right to Correct | ||||||
| Right to Portability | ||||||
| Opt-Out of Sale | ||||||
| Opt-Out of Targeted Ads | ||||||
| Right to Appeal | ||||||
| Universal Opt-Out Required | ||||||
| DPIAs Required | ||||||
| Private Right of Action |
Emerging State Privacy Laws (2025+)
More states are passing comprehensive privacy laws. Stay ahead of compliance requirements.
Delaware
Passed
January 1, 2025
Iowa
Passed
January 1, 2025
New Jersey
Passed
January 15, 2025
New Hampshire
Passed
January 1, 2025
Kentucky
Passed
January 1, 2026
Maryland
Passed
October 1, 2025
Minnesota
Passed
July 31, 2025
Nebraska
Passed
January 1, 2025
Rhode Island
Passed
January 1, 2026
Tennessee
Passed
July 1, 2025
Multi-State Compliance Strategy
Common Denominator Approach
Implement the strictest requirements across all states to simplify compliance. Use CPRA as your baseline and add state-specific requirements as needed.
- Single privacy policy for all states
- Universal opt-out mechanism
- Shortest response timeframes
State-Specific Approach
Tailor compliance to each state where you do business. More complex but avoids over-compliance in states with lower requirements.
- State-specific privacy notices
- Geo-targeted consent flows
- State-specific request handling
Threshold Analysis
Many businesses don't meet all state thresholds. Careful analysis can reduce compliance burden while maintaining protection.
- Revenue and consumer counts
- Data sale revenue analysis
- State-by-state applicability
Attorney Insight: Navigating the Patchwork
"Having built privacy programs that serve clients across all 50 states at Traackr, I've developed efficient frameworks for navigating this complex patchwork while minimizing operational burden. The key is building scalable systems that can adapt as new states pass laws—which they will continue to do until federal legislation emerges."
— Miakel D. Williams, Esq., Founder & Managing Partner, Savvy Esquires
Related Resources
GDPR vs CCPA Comparison
In-depth comparison of the world's major privacy frameworks
Global Privacy Laws Guide
International privacy frameworks including GDPR, LGPD, PIPEDA
Privacy Compliance Services
Experienced privacy program design and compliance support
Frequently Asked Questions About US State Privacy Laws
Need Help Navigating State Privacy Laws?
Get practical guidance on multi-state privacy compliance from an attorney who has built global privacy programs.
No-Obligation Discovery Call
15 minutes to understand your needs
Same-Day Availability
Choose a time that works for you
Immediate Value
Get actionable insights on your first call
We respond to all inquiries within 24 hours