Discover the landscape of US consumer data privacy laws, from CCPA to emerging legislation. Learn how to comply with state-specific regulations and protect consumer privacy effectively.
Explore more privacy compliance insights and best practices
In the absence of a federal law on data protection in the United States, the US states enact their own consumer privacy laws.
The bad news is that you have to learn about each privacy and data laws to ensure that you comply with all of them. The good news is that they are very similar to each other, so complying with one law will do most of the work for complying with the others at the same time.
That's doable. We created a free report on the Dos and Donts of US Consumer Data Privacy Compliance for you to get an idea of what you need to do to be compliant while operating throughout the United States.
State laws on consumer data privacy comprise the US consumer data privacy landscape. Each state decides how to protect its residents, as there is no federal law on data protection. California leads with CCPA requirements for 2026 setting the standard for other states.
Unlike most of the data protection laws worldwide, the state privacy laws in the United States, unlike most data protection laws worldwide, do not protect personal data. They protect consumers. The General Data Protection Regulation (GDPR) of the EU, for example, protects personal data. Instead, US state data privacy laws prioritize consumer protection.
Nevertheless, many of the laws guarantee the same privacy rights to consumers and prescribe similar obligations to businesses.
So far, the following consumer privacy laws have come into effect:
| State | Law | Effective Date |
|---|
| California | California Consumer Privacy Act | January 1, 2020 | |
| Virginia | Virginia Consumer Data Protection Act | January 1, 2023 | |
| Colorado | Colorado Privacy Act | July 1, 2023 | |
| Connecticut | Connecticut Data Privacy Act | July 1, 2023 | |
| Utah | Utah Consumer Privacy Act | December 31, 2023 |
The following states have passed a law, but it has not come into effect yet:
| State | Law | Effective Date |
|---|
| Iowa | Iowa Consumer Data Protection Act | January 1, 2025 | |
| Indiana | Indiana Consumer Data Protection Act | January 1, 2026 | |
| Tennessee | Tennessee Information Protection Act | July 1, 2025 | |
| Texas | Texas Data Privacy and Security Act | January 1, 2025 | |
| Montana | Montana Consumer Data Privacy Act | October 1, 2024 | |
| Oregon | Oregon Consumer Data Protection Act | July 1, 2024 | |
| Delaware | Delaware Personal Data Privacy Act | January 1, 2025 | |
| New Jersey | New Jersey Consumer Data Privacy Bill | January 16, 2025 | |
| New Hampshire | New Hampshire Consumer Data Protection Act | January 1, 2025 | |
| Kentucky | Kentucky Consumer Data Protection Act | January 1, 2026 | |
| Maryland | Maryland Online Data Privacy Act | October 1, 2025 | |
| Nebraska | Nebraska Data Privacy Act | October 1, 2025 | |
| Minnesota | Minnesota Consumer Data Privacy Act | July 31, 2025 | |
| Vermont | Vermont Data Privacy Act | July 1, 2025 |
We can't include them all here. We expect Kentucky, Georgia, and Wisconsin to be the next three states with comprehensive data privacy legislation. However, there are at least two dozen other states with some bills progressing in the legislative bodies, so it is hard to make any predictions.
The California Privacy Rights Act (CPRA) went into effect on January 1, 2023, and it imposed the following obligations on businesses:
If you own a business or sell to people in California and meet at least one of the following criteria, you must abide by these rules:
Businesses that engage in extensive marketing practices will easily fall under the purview of the CPRA. If your company must comply, read our in-depth article on CPRA requirements.
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) continue evolving—see CCPA requirements for 2026.
Each violation of the Virginia Consumer Data Protection Act (VCDPA) will result in a $7,500 fine. If they meet at least one of the following criteria, businesses registered in Virginia or selling to Virginia customers must comply:
The following are some of the legal requirements for affected businesses:
You can find more information about the Virginia Consumer Data Protection Act here. It went into effect on January 1, 2023.
The Colorado Privacy Act took effect on July 1, 2023. It imposes the following obligations on affected businesses:
Failure to comply with CPA requirements results in fines of up to $20,000, the highest penalty cap in the US. If you register in Colorado, offer goods or services to Colorado residents, and meet at least one of the following thresholds, you must adhere to the law:
The thresholds are not as high as they appear on the surface. If your Facebook Pixel collects browsing data from at least 100,000 Colorado residents, you will be subject to the law.
Our in-depth article provides more information on the CPA. You can also learn about CPA's Cookie Consent Requirements.
The Connecticut Data Privacy Act (CTDPA) took effect on July 1, 2023, and it includes similar requirements to the CPA, such as:
Furthermore, the applicability criteria are the same as in Colorado law. The CTDPA applies to Connecticut businesses as well as non-Connecticut businesses that interact with Connecticut customers if they meet at least one of the following requirements:
We have an in-depth article on CTDPA requirements for your business where you can learn more about how to prepare for compliance.
The Utah Consumer Privacy Act (UCPA) will take effect on December 31, 2023. You should be ready if you:
It will not affect all businesses, but if you are required to comply, you must be prepared to:
The fine is up to $7,500 per violation.
You can find more information about the Utah UCPA here.
On March 28, 2023, the Iowa Data Privacy Act became a law. It comes into effect on January 1, 2025.
It won’t affect all businesses, but only those that do business in Iowa or target Iowa residents, and either:
There are no revenue thresholds, like in other US states.
The IDPA imposes the standard legal obligations on businesses that are affected, including
Check out our latest article to explore IDPA in more detail.
The Indiana Data Privacy Law was signed on May 1, 2023, and comes into effect on January 1, 2026. Until then, affected businesses have enough time to adjust to their requirements.
If you comply with other privacy laws already, it won’t be much of a hassle. The IDPL requirements overlap greatly with other US state privacy laws.
This applies to businesses operating from Indiana or targeting residents of Indiana.
Again, there are no revenue thresholds for applicability.
The IDPL grants consumers privacy rights, including the right to know, to delete, to opt out, and others. It requires businesses to:
On May 11, 2023, lawmakers passed the Tennessee Information Protection Act (TIPA). Starting on July 1, 2025, it affects the following businesses:
If the TIPA applies to you, here’s what you must do:
The Montana Consumer Data Privacy Act (MTCDPA) made Montana the ninth US state to pass a data privacy law. It was passed on May 19, 2023, and comes into force on October 1, 2024.
This applies to businesses that operate from Montana or target Montana residents who:
That leads to the following obligations:
Check out our article on MTCDPA.
The Texas Data Privacy and Security Act (TDPSA) was passed on May 28, 2023, and will be enforced starting on July 1, 2024.
The TDPSA applies to businesses that:
The definition of small business by the Small Business Administration is vague and depends on various criteria.
The two primary criteria used by the SBA to define a small business are:
If you belong to any of these groups, here’s what you need to do by October 2024:
If you're interested in learning more, check out our article on TDPSA.
The Delaware Personal Data Privacy Act was passed on June 30, 2023, and is set to take effect on January 1, 2025, pending governor approval.
The DPDPA covers businesses that:
Notably, the DPDPA does not exempt most nonprofit organizations and contains a 60-day cure provision that sunsets on December 31, 2025.
If you are covered by the DPDPA, here is a list of what you’re required to do:
Update: On September 11, 2023, Delaware Governor John Carney signed the Delaware Personal Data Privacy Act (DPDPA). Learn what you need to know about the DPDPA.
On June 22, 2023, the Oregon Consumer Privacy Act was passed. The bulk of OCPA’s requirements will take effect on July 1, 2024 (with a July 1, 2025 effective date for nonprofit organizations).
The OCPA applies to businesses doing business in Oregon or targeting Oregon residents, and:
There are novel consumer rights introduced in the OCPA that businesses need to be aware of. Aside from the right to access, correct, delete, and receive personal information, individuals also have the following additional rights:
Businesses covered by the OCPA must do the following:
Read more about the Oregon Consumer Privacy Act.
The New Jersey Consumer Data Privacy Bill was passed in January 2024 and comes into effect on January 16, 2025. The Connecticut privacy law served as its model.
It applies to businesses that conduct business in New Jersey or offer products or services to residents of the state, and that during a calendar year either:
Meeting these thresholds leads to the following obligations:
The New Jersey privacy legislation grants consumers the right to:
Read more about the New Jersey Consumer Data Privacy Bill.
The comprehensive privacy legislation in New Hampshire applies to businesses that offer products and services specifically targeted at New Hampshire residents.
These laws are significantly lower compared to those in the other comprehensive data privacy laws throughout the United States. Meeting them leads to the requirement of providing consumers with the same privacy protections as in other states.
To learn more about how to navigate the data collection and processing of New Hampshire residents, read our detailed article on the New Hampshire Consumer Data Privacy Act.
The Kentucky Consumer Data Protection Act does not differ much from the other US state privacy bills.
It grants Kentucky consumers the same rights as the other states, including the right to:
Covered businesses must either:
These businesses must implement technical and organizational safeguards to protect the data, respond timely to consumer requests, conduct data protection impact assessments for high-risk processing, and perform other duties.
Read in detail about the Kentucky Consumer Data Processing Act.
The Maryland Online Data Privacy Act (MODPA) brings strict data minimization requirements. Aside from that, it does not differ too much from other state laws.
Maryland consumers have the right to:
It has lower thresholds for applicability compared to other states. It applies to any business that operates from Maryland or targets Maryland consumers and either:
The Maryland law is typical for its strict data minimization and purpose limitation requirements. It is the first US state consumer privacy law to ban selling sensitive data and children's data.
Read more about the Maryland Online Data Privacy Act.
The Nebraska Data Privacy Act bears a strong resemblance to the Texas state consumer privacy law, primarily because of its applicability requirements. It applies to businesses that:
Furthermore, it grants Nebraska consumers the following rights:
Covered entities must honor consumer requests, but they must also implement technical and organizational safeguards to protect the data, process only the minimum amount of data, and fulfill other obligations.
Read in detail about the Nebraska Data Privacy Act.
The Minnesota Consumer Data Privacy Act is quite similar to the other US state privacy bills, which means that complying with the other laws may automatically mean compliance with the MCDPA simultaneously.
The law grants Minnesota consumers the same rights as those in other states, including the following:
Covered businesses must either:
Covered businesses must limit the use of data, collect only the minimum necessary data, implement technical and organizational safeguards to protect the data, respond timely to consumer requests, conduct data protection impact assessments for high-risk processing, and perform other duties.
Read in detail about the Minnesota Consumer Data Privacy Act.
The Vermont landmark state privacy bill has very low applicability thresholds, meaning it will apply to most businesses.
It applies to many businesses, keeping in mind the low applicability thresholds. This applies to businesses that operate in Maryland.
Covered businesses must ensure data security, allow consumers to opt out of certain types of data processing, minimize data usage, and perform other duties. They also have the duty to honor consumer requests. Maryland consumers have the right to:
Read in more detail about the Vermont Data Privacy Act.
Comprehensive privacy laws are in the process of passing in many other US states. Legislative bodies are progressing with these laws, and you'll find details about them here as soon as they pass.
In the meantime, take care of the compliance with the processing of personal data that is underway in your organization. We prepared a short guide that takes only a few minutes to read and will give you an idea of what you need to do to navigate the comprehensive consumer privacy legislation in the US, how to protect the privacy rights of consumers, and how to keep your business safe from penalties.
