California
The California Consumer Privacy Act (CCPA), the first comprehensive state privacy law in the United States, expanded California consumers’ control over their personal data. Amended by the California Privacy Rights Act (CPRA) to include additional data privacy protections, the CCPA established consumers’ right to know what personal data is being collected and whether this data is being sold and disclosed, and to deny the sale of their personal data. Companies are expressly prohibited from discriminating against California consumers for exercising their privacy rights. California has also enacted a data broker law that requires businesses meeting the criteria for “data brokers” under the law to register annually with the Attorney General. Failure to register can result in legal penalties, including fines and pecuniary damages.
Colorado
Passed in 2021, the Colorado Privacy Act grants Colorado consumers the right to access, delete, and correct their personal data, as well as to opt out of the sale or sharing of their personal information. Under this law, companies have the responsibility to protect consumers’ personal data and obtain consent before processing any data defined as “sensitive.”
Connecticut
The Connecticut Personal Data and Privacy Online Monitoring Act, effective July 2023, establishes privacy rights for Connecticut consumers. This legislation specifies the rights of Connecticut residents to know whether a business is processing their personal data, to correct or delete their personal information, to obtain a copy of their personal data, and to opt out of the processing of their personal data.
Delaware
Taking effect January 2025, Delaware’s comprehensive Personal Data Privacy Act (DPDPA) provides consumers the right to access, correct, and delete their personal data and to opt out of having their data sold or used for targeted advertising or profiling. Consumers can also obtain from controllers a list of the third parties to whom the controller has disclosed their data. Notably, the law applies a lower collection threshold and sell/share threshold compared to other states’ consumer privacy laws, making the DPDPA applicable to a wider range of businesses. However, it does not provide consumers with a private right of action.
Florida
The “Florida Digital Bill of Rights” (FDBR), which applies to businesses with more than $1 billion in annual gross revenue, requires businesses to obtain consent and conduct data protection assessments for certain processing activities. Signed into law in June 2023 and effective July 2024, the law establishes familiar consumer rights and grants consumers the right to opt out of personal data collection through voice and facial recognition technologies. Like privacy laws in California and Colorado, the FDBR will have accompanying regulations.
Indiana
The Indiana Consumer Data Protection Act requires businesses to provide consumers with information regarding the collection and use of their data. Passed in May of 2023 and taking effect January 1, 2026, the legislation also ensures that consumers can correct or delete their data, and requires businesses to provide means for consumers to opt out of having their data processed for certain purposes.
Iowa
Signed by the governor in March of 2023, the Iowa Consumer Data Protection Act took effect January 1, 2025. This legislation imposes transparency and disclosure requirements regarding the types of consumer data collected and the uses for which personal information will be processed, and applies to all organizations that conduct business in Iowa or produce products and services targeted to the residents of Iowa.
Kentucky
The Kentucky Consumer Data Protection Act, signed into law in March 2024 and effective on January 1, 2026, grants consumers familiar rights in regard to personal information, including the right to delete, correct, know, access, and opt out of processing for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of legally significant decisions. The law also requires consumer consent to process sensitive personal information and to process personal information for purposes that are neither reasonably necessary to nor compatible with the purposes disclosed to the consumer.
Maryland
The Maryland Online Data Privacy Act, signed into law in May 2024, introduces novel sensitive data protections by prohibiting the collection or processing of sensitive data unless strictly necessary to provide or maintain a specific product or service requested by the consumer. Selling sensitive data is also prohibited. Effective on October 1, 2025, Maryland’s law requires consent to sell personal data if the controller knows or should know the consumer is under age 18 and to process personal data for purposes not compatible or reasonably necessary for the purposes disclosed to the consumer.
Minnesota
The Minnesota Consumer Data Privacy Act (MCDPA), affecting entities handling data of more than 100,000 consumers or deriving substantial revenue from selling consumer data, introduces unique requirements and protections. It mandates the appointment of a chief privacy officer, includes novel consumer rights related to profiling decisions, and implements selective exemptions for small businesses and specific data types. The MCDPA mirrors aspects of privacy laws in other states, emphasizing universal opt-out mechanisms, data protection assessments, and anti-discrimination policies.
Montana
In effect since October 2024, the Montana Consumer Data Privacy Act grants consumers the right to revoke their consent to data processing, request the deletion of their personal data, and obtain a copy of their personal information.
Nebraska
Taking effect January 2025, the Nebraska Data Privacy Act has broad applicability in that it applies to persons conducting business or producing products or services to residents in Nebraska. The law offers consumers familiar rights, including the right to access, correct, obtain, and delete their personal data and to opt out of having their data sold or used for targeted advertising or profiling. Businesses must establish two mechanisms for consumers to exercise their privacy rights.
New Hampshire
The New Hampshire Privacy Act, in effect as of January 2025, requires businesses to obtain consent before processing sensitive personal data and before processing personal data of a known child between the ages of 13 and 16 for purposes of targeted advertising or selling the personal data, and to conduct data protection assessments for activities that present a heightened risk of harm. It also includes a 60-day right to cure any privacy violation until 2026, when the right to cure becomes discretionary to the New Hampshire Attorney General.
New Jersey
Taking effect January 2025, the New Jersey Privacy Act prohibits companies from collecting ‘sensitive data’ without the consumer’s consent and requires companies that sell personal data or engage in targeted advertising to provide consumers with a conspicuous notice of such activity and of the manner in which the consumer may opt out. Similar to privacy laws in California and Colorado, corresponding regulations will accompany the law. New Jersey’s privacy law has a broader revenue threshold for applicability, potentially covering more companies than other state privacy laws.
Oregon
In effect July 2024, the Oregon Consumer Privacy Act sets forth obligations for companies to provide information regarding the collection and use of consumers’ personal data. The Act also establishes requirements for companies to allow consumers to correct inaccuracies in their data, and to ensure that consumers can opt out of data processing.
Rhode Island
Despite containing some common elements like data subject rights and data protection assessments, the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) omits several provisions found in other state laws, such as universal opt-out mechanisms, enhanced children’s privacy protections, and the right to cure. Taking effect January 2026, the RIDTPPA also introduces novel privacy disclosures, requiring businesses to disclose in their privacy policy the identity of all third parties to whom personal information has been or may be sold.
Tennessee
Taking effect July 1, 2025, the Tennessee Information Protection Act requires that companies allow consumers to opt out of personal data collection, provide consumers with the ability to access their data, and correct inaccuracies in their personal information. By narrowly defining the types of disclosures that require opt-in consent and providing companies with the right to cure, Tennessee’s privacy law is considered more business-friendly compared with other state privacy laws.
Texas
The Texas Data Privacy and Security Act, in effect as of July 2024, requires businesses to obtain consent before processing sensitive personal data and to recognize the universal opt-out mechanism, and includes a right to cure any privacy violation within 30 days of notification from the Texas Attorney General.
Utah
The Utah Consumer Privacy Act, which has narrower applicability thresholds than some other state privacy laws, establishes requirements for businesses to provide information on the collection, use, and sale of consumer personal data. In effect since December 2023, this law is considered more business-friendly than some other state privacy laws and is notable for limiting its definition of the sale of personal data to the exchange of personal data for monetary consideration.
Virginia
The Virginia Consumer Data Protection Act (VCDPA), effective since January 2023, creates a framework for controlling and processing the personal data of Virginia residents. This law grants consumers the ability to access, correct, and obtain a copy of their information as well as the right to opt out of the processing of their personal data. Businesses operating in Virginia, including via remote activities conducted online, have compliance obligations for implementing processes to ensure that opt-out and other consumer requests made under the law are handled promptly.