Effective Comprehensive Laws
California (CCPA/CPRA)
Effective Date
- CPRA effective date: 1/1/2023
- CCPA effective date: 1/1/2020
- Enforcement date: 7/1/2023
(updated: on February 9, 2024, the CPPA won its appeal, immediately allowing enforcement of the initial CPRA regulations and retroactively setting the enforcement effective date to July 1, 2023.)
Summary
The California Privacy Rights Act (CPRA) is currently the most comprehensive data privacy law in the United States. It amended California's previous comprehensive state privacy law, the California Consumer Privacy Act.
The primary components of this law are as follows:
| Feature | CPRA's Guidelines |
| --- | --- |
| Thresholds | |
| Fines | |
| Cure Period | None |
| Data Protection Impact Assessments | Required for profiling, sensitive data, large-scale processing, and other processing activities with risk of harm to consumers. |
| Recognize Universal Opt-Out Mechanisms | Yes |
| Sensitive Data | |
| Consumer Rights | |
Resources
Colorado (CPA)
Effective Date
- CPA effective date: 7/1/2023
Summary
Colorado was the third state to pass a comprehensive data privacy law, the Colorado Privacy Act (CPA). It's most similar to the CPRA, Virginia's Consumer Data Protection Act, and the GDPR.
Here are the primary features you need to know about:
| Feature | CPA's Guidelines |
| --- | --- |
| Thresholds | |
| Fines | $20,000 per offense, with penalties capped at $500,000. |
| Cure Period | 60 days, sunsets on 1/1/2025 |
| Data Protection Impact Assessments | Yes |
| Recognize Universal Opt-Out Mechanisms | Yes |
| Sensitive Data | |
| Consumer Rights | |
Resources
Connecticut (CTDPA)
Effective Date
- CTDPA effective date: 7/1/2023
Summary
Connecticut was the fifth state to adopt a privacy law. Known as the Connecticut Data Privacy Act (CTDPA), or “An Act Concerning Personal Data Privacy and Online Monitoring,” Connecticut Bill 6 went into effect on July 1, 2023.
| Feature | CTDPA's Guidelines |
| --- | --- |
| Thresholds | Businesses in the state or those that produce products or services targeted to Connecticut residents and who, during the previous year: |
| Fines | |
| Cure Period | 60 days, sunsets on 12/31/2024. |
| Data Protection Impact Assessments | Yes |
| Recognize Universal Opt-Out Mechanisms | Yes. Must be recognized by controllers as valid consumer requests beginning 1/1/2025. |
| Sensitive Data | |
| Consumer Rights | |
Resources
Virginia (VCDPA)
Effective Date
- VCDPA effective date: 1/1/2023
Summary
Virginia's leaders passed The Virginia Consumer Data Protection Act (VCDPA) on March 2, 2021, making it the second state to vote in a comprehensive privacy law after California. As a result, it's similar to the CCPA and the GDPR.
| Feature | VCDPA's Guidelines |
| --- | --- |
| Thresholds | Businesses that sell products and services in Virginia or do so targeting Virginia residents, and also do one of the following: |
| Fines | Up to $7,500 per violation. |
| Cure Period | 30 days, no sunset. |
| Data Protection Impact Assessments | Required for any processing involving targeted advertising, data sales, profiling or sensitive data; or any data processing that presents a "risk of harm." |
| Recognize Universal Opt-Out Mechanisms | Yes |
| Sensitive Data | |
| Consumer Rights | |
Resources
Utah (UCPA)
Effective Date
- UCPA effective date: 12/31/2023
Summary
Utah became the fourth state to enact a data privacy law in March of 2022. The Utah Consumer Privacy Act (UCPA) is considered by experts to be more business-friendly than several other privacy regulations in the U.S., including the CPRA, VCDPA, and CPA.
| Feature | UCPA's Guidelines |
| --- | --- |
| Thresholds | Have annual revenue of $25m or more AND: |
| Fines | Up to $7,500 per violation + actual damages |
| Cure Period | 30 days, no sunset |
| Data Protection Impact Assessments | Not Required |
| Recognize Universal Opt-Out Mechanisms | No |
| Sensitive Data | |
| Consumer Rights | |
Resources
Pending Comprehensive Laws
Displayed chronologically based on the laws' effective dates.
Texas (TDPSA)
Effective Date
- TDPSA effective date: 7/1/2024
Summary
The Texas Data Privacy and Security Act (TDPSA) was signed into law on June 18, 2023, making it the largest state in the United States — and the second of the U.S.'s largest states — to have a comprehensive privacy law on the books. The TDPSA has a few unique aspects, such as the fact that it replaces revenue-based thresholds with a focus on businesses conducting operations in Texas and offering products or services consumed by Texas residents, or businesses that process or sell personal data. It also has a novel small business provision, and while it excludes entities like state agencies and financial institutions, the law does not provide an exemption for organizations governed by HIPAA or GLBA.
| Feature | TDPSA's Guidelines |
| --- | --- |
| Thresholds | There are no revenue thresholds. |
| Fines | Up to $7,500 per violation and injunctive relief to restrain or enjoin the violator's operations. |
| Cure Period | 30 days, no sunset |
| Data Protection Impact Assessments | Required for targeted advertising, sale of data, profiling, sensitive data processing, other processing activities with risk of harm to consumers. |
| Recognize Universal Opt-Out Mechanisms | Yes, as of 1/1/2025. |
| Sensitive Data | |
| Consumer Rights | |
Resources
Oregon (OCPA)
Effective Date
- OCPA effective date: 7/1/2024
Summary
Oregon's legislature passed the Oregon Consumer Privacy Act (OCPA) into law on June 22, 2023. The privacy law is the culmination of four years of work by the Oregon Attorney General’s Consumer Privacy Task Force. Other than what's in the chart below, one notable feature is that non-profits aren't exempt from the law, but they have until July 1, 2025, to comply. And, like Texas, organizations governed by HIPAA or GLBA are not exempt and must follow OCPA for non-covered data.
| Feature | OCPA's Guidelines |
| --- | --- |
| Thresholds | |
| Fines | Up to $7,500 per violation |
| Cure Period | 30 days, sunsets 1/1/2026 |
| Data Protection Impact Assessments | Required for targeted advertising, sale of data, profiling, sensitive data processing, other processing activities with risk of harm to consumers. |
| Recognize Universal Opt-Out Mechanisms | Yes, starting 1/1/2026 |
| Sensitive Data | |
| Consumer Rights | |
Resources
Montana (MTCDPA)
Effective Date
- MTCDPA effective date: 10/1/2024
Summary
Montana's governor signed the Montana Consumer Data Privacy Act (MTCDPA) into law on May 19, 2023. The act is similar to data privacy laws in Indiana, Virginia, Colorado, and Connecticut. One unique factor in the MTCDPA is that Montana's thresholds don't only rely on a revenue limit. Find out more in the breakdown below.
| Feature | MTCDPA's Guidelines |
| --- | --- |
| Thresholds | |
| Fines | Up to $7,500 per violation |
| Cure Period | 60 days, sunsets 4/1/2026 |
| Data Protection Impact Assessments | Required for targeted advertising, sale of data, profiling, sensitive data processing, other processing activities with risk of harm to consumers. |
| Recognize Universal Opt-Out Mechanisms | Yes, as of 1/1/2025 |
| Sensitive Data | |
| Consumer Rights | |
Resources
Delaware (DPDPA)
Effective Date
- DPDPA effective date: 1/1/2025
Summary
After the Delaware Personal Data Privacy Act (DPDPA) was voted in, people quickly started lauding it as the strongest data privacy law in the United States. That's not true — California still holds the title — however, it does apply to more businesses than others, and it is one of the more consumer-friendly laws.
| Feature | DPDPA's Guidelines |
| --- | --- |
| Thresholds | Any company that does business in the state or produces products or services that are targeted to residents of the state and that, during the previous calendar year, met one of the following: |
| Fines | Up to $10,000 per violation, up to the Department of Justice's discretion. |
| Cure Period | 60 days, until 1/1/2026 |
| Data Protection Impact Assessments | Required for targeted advertising, selling personal data, and for profiling if there’s a risk of: |
| Recognize Universal Opt-Out Mechanisms | Yes, as of 1/1/2026 |
| Sensitive Data | |
| Consumer Rights | |
Resources
Iowa (ICDPA)
Effective Date
- ICDPA effective date: 1/1/2025
Summary
The Iowa Consumer Data Protection Act (ICDPA) was the first comprehensive state privacy law ratified in 2023, making it the sixth overall state privacy law so far. There are a couple of differences in the Iowa law versus the others, such as the lack of provisions for the right to correct PI and the right to opt out of profiling, that it sets a 90-day timeline for responses to subject rights requests, and that it provides businesses with a 90-day cure period as opposed to the 30- or 60-day cure period set by other laws.
| Feature | ICDPA's Guidelines |
| --- | --- |
| Thresholds | The law applies to any business that: |
| Fines | $7,500 per violation |
| Cure Period | Yes, 90 days |
| Data Protection Impact Assessments | ICDPA does not address assessments. |
| Recognize Universal Opt-Out Mechanisms | No |
| Sensitive Data | |
| Consumer Rights | |
Resources
New Hampshire (NHPA)
Effective Date
- NHPA effective date: 1/1/2025
Summary
The New Hampshire Privacy Act (NHPA) is one of a number of statewide data privacy laws aimed at giving consumers control over their personal data in an increasingly digital world.
The good news for businesses is that the NHPA largely resembles other data privacy laws that have come before it.
The New Hampshire data privacy act’s scope is somewhat unique in that it doesn’t include a revenue threshold. Additionally, the applicability threshold is lower than other laws, but lawmakers have pointed out that this is because of the state’s lower population.
Like other U.S. laws, the NHPA follows primarily an opt-out model, meaning businesses are free to process consumer data, but must notify consumers about the processing first and give them a way to opt out of the collection or sale of data.
| Feature | NHPA's Guidelines |
| --- | --- |
| Thresholds | The NHPA applies to “persons that conduct business” in the state or who produce products or services targeted to residents of New Hampshire and who, during a one-year period: |
| Fines | The NHPA states that any violations are also a violation of the state’s deceptive trade practices law. This means penalties could be as steep as $10,000 per violation. |
| Cure Period | The act has a 60-day cure period for violations that sunsets one year after the law is enacted (in January 2026). |
| Data Protection Impact Assessments | New Hampshire’s law is no exception, as it requires an assessment for any processing activity that presents a “heightened risk of harm to a consumer,” including activities such as targeted advertising, sale of personal data, processing for the purposes of profiling in certain instances, and processing sensitive data. |
| Recognize Universal Opt-Out Mechanisms | Yes |
| Sensitive Data | The NHPA has a broad definition of sensitive data, which includes personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data. |
| Consumer Rights | |
Resources
New Jersey (NJDPA)
Effective Date
- NJDPA effective date: 1/15/2025
Summary
The New Jersey Data Protection Act (NJDPA) is a data privacy law that gives New Jersey residents control over their personal data, providing certain rights and imposing obligations on those who control and process consumer data. The law applies to businesses and entities who conduct business in the state or who produce products or services targeted to those who live in New Jersey and meet certain thresholds. Unlike other state laws, no monetary penalties are defined in the law’s text, but a violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which can entail fines of up to $10,000 for the initial violation and up to $20,000 for subsequent violations.
| Feature | NJDPA's Guidelines |
| --- | --- |
| Thresholds | In terms of applicability and exemptions, New Jersey’s privacy law aligns with other state laws. It applies to controllers who, during a calendar year, meet one of the following criteria: |
| Fines | A violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which can entail fines of: |
| Cure Period | 30 days, sunsetting on July 15th, 2026. |
| Data Protection Impact Assessments | Required for: |
| Recognize Universal Opt-Out Mechanisms | Yes |
| Sensitive Data | |
| Consumer Rights | |
Resources
The New Jersey Data Privacy Act (NJDPA): The Basics
Tennessee (TIPA)
Effective Date
- TIPA effective date: 7/1/2025
Summary
The Tennessee Information Protection Act (TIPA) was one of three comprehensive state privacy laws signed or ratified in May of 2023. TIPA follows many of its predecessors when it comes to consumer rights, enforcement, and penalties. Unlike its predecessors, however, TIPA diverges by providing a narrower applicability threshold, giving businesses a generous two years to prepare, and implementing an affirmative defense option for those with written privacy programs aligned with specific frameworks such as NIST.
| Feature | TIPA's Guidelines |
| --- | --- |
| Thresholds | TIPA applies to businesses with over $25 million in annual revenue that either conduct business within Tennessee or engage with its residents and either: |
| Fines | |
| Cure Period | 60 days |
| Data Protection Impact Assessments | Required for targeted advertising, the sale of personal information, processing sensitive data, processing personal data for profiling, and other processing that may present a heightened risk to consumers. |
| Recognize Universal Opt-Out Mechanisms | No |
| Sensitive Data | |
| Consumer Rights | |
Resources
Indiana (INCDPA)
Effective Date
- INCDPA effective date: 1/1/2026
Summary
Another of the three state privacy laws to be voted in during May 2023 — and the second to do so in 2023 overall — the Indiana Consumer Data Protection Act (INCDPA) is similar to several of its predecessors, including the laws in Colorado (CPA), Connecticut (CTDPA), and Virginia (VCDPA). Indiana's law, however, does not solely rely on revenue as a threshold — it states that controllers must be compliant with the law even if their annual gross revenues do not meet a specific number as long as the data of a specific number of consumers (outlined in the chart below) is processed.
| Feature | INCDPA's Guidelines |
| --- | --- |
| Thresholds | Companies that operate in Indiana or sell products and services that are targeted to residents of the state and do one of the following within the previous year: |
| Fines | $7,500 per violation |
| Cure Period | 30 days |
| Data Protection Impact Assessments | Required for the processing of PI for targeted advertising, the sale of personal data, processing sensitive data, processing personal data for profiling with potential risks, and any other processing that may present a heightened risk to consumers. |
| Recognize Universal Opt-Out Mechanisms | No |
| Sensitive Data | |
| Consumer Rights | |
Resources
Kentucky (KCDPA)
Effective Date
- KCDPA effective date: 1/1/2026
Summary
The KCDPA provides data privacy protections for consumers of the Bluegrass State, granting them certain, now standard rights.
The law defines consumers as residents of the state acting only as an individual, not in commercial or employment contexts. It closely aligns with Virginia’s law, which is good news for businesses already complying with the Virginia Consumer Data Protection Act (VCDPA). And, because the VCDPA is considered a framework or foundation legislation, the KCDPA also tracks closely with other state laws that used Virginia’s law as a framework, including Tennessee and Indiana.
Businesses will become subject to the law as of January 1, 2026.
| Feature | KCDPA's Guidelines |
| --- | --- |
| Thresholds | The KCDPA applies to any person who conducts business in Kentucky or who produces products or services that target residents of the state, and during a calendar year controls or processes data of at least: |
| Fines | $7,500 per violation |
| Cure Period | 30 days |
| Data Protection Impact Assessments | Required for processing that involves: This requirement becomes active June 1, 2026. |
| Recognize Universal Opt-Out Mechanisms | No |
| Sensitive Data | The law defines sensitive data as a category of personal data that includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for identifying a specific natural person; personal data collected from a known child; or precise geolocation data. |
| Consumer Rights | |