• Platform
    • Data Privacy Platform

      The simple, all-in-one data privacy platform

    • header__icon-1
      Cookie Consent

      Manage consent for data privacy laws in 50+ countries

    • user-square
      Subject Rights Management

      Streamline the DSAR workflow

    • data mapping primary 200
      Data Mapping

      Automate and visualize data store discovery and classification

    • shield-tick
      Vendor Privacy Risk Management

      Ensure your customers’ data is in good hands

    • Assessments
    • Privacy Templates
    • GDPR Representative
    • Consult Privacy Team
    • Regulatory Guidance
    • Integrations
    G2 - CMP - Spring 2023 (1)
  • Solutions
    • By Regulation
    • CPRA

      Discover how Osano supports CPRA compliance

    • CCPA

      Learn about the CCPA and how Osano can help

    • GDPR

      Achieve compliance with one of the world’s most comprehensive data privacy laws

    • By Organization Type
    • Icon (10)
      Start-Up

      Don’t let data privacy compliance get in the way of growth

    • Icon (11)
      Mid-Sized

      Preserve your competitive edge

    • Icon (12)
      Enterprise

      Manage data privacy at scale

    • By Use Case
    • Path
      Consent Management

      Manage consent without the complexity

    • Icon (14)
      DSAR Automation

      Never miss a DSAR deadline again

    • Icon (15)
      Vendor Risk Management

      Regain insight and control over your customers’ data

    • Icon (16)
      Privacy Program Management

      Build and grow an end-to-end privacy program

  • Resources
    • View All Resources
    • book-open-01
      Articles

      Expert insights on all things privacy

    • Icon (25)
      Resource Center

      Key resources to further your data privacy education

    • globe icon primary 200
      U.S. Data Privacy Laws

      A guide to data privacy in the U.S.

    • Icon (17)
      Topics

      Research the most essential privacy topics

    • envelope icon primary 200
      Newsletter

      Subscribe and become a Privacy Insider

    • Icon (20)
      Our Pledge

      No fines, no penalties

    • Icon (21)
      Product Updates

      What’s the latest with Osano?

    • Icon (22)
      System Status

      What’s the status of account management systems, the platform, and support systems?

    Latest Blog post

    Announcing The Privacy Insider Book

    For decades, unchecked data collection and processing was the...

    Read Now
  • Company
    • Vector
      About Us

      The Osano story

    • Icon (25)
      Careers

      Become an Osanian and help us build the future of privacy!

    • Icon (26)
      Contact

      We’re eager to hear from you

    • 
      Our Pledge

      No fines, no penalties

    • Icon (27)
      Data Licensing

      Add Osano data privacy ratings and recommendations to your application

    • Icon (28)
      Osano Swag Store

      Increase Trust. Stay Compliant. Get Cool Swag.

    • Icon (29)
      Press & Media

      Inquiries and Osano in the news

    • Icon (30)
      Partners & Resellers

      Interested in partnering with us?

  • Pricing
  • Sign In Book a Demo
US Data Privacy Law Guide

U.S. Data Privacy Laws: A Guide to the 2024 Landscape

With 12 comprehensive data privacy laws enacted and many more in progress, staying on top of the U.S. data privacy landscape is becoming more and more challenging. We're here to help.

Data Privacy in the U.S.

A State-by-state Landscape

The United States doesn't currently have a national comprehensive privacy law, despite efforts to enact one. As a result, U.S. states have been pushed to act independently. The most comprehensive state law is currently lauded by California and many states are following California's lead by enacting similar or slightly watered-down versions of the CPRA.

All laws are slightly different, however, which can be very challenging for organizations and individuals to navigate. We've distilled the U.S. data privacy law landscape focusing on the key features of each law.

 

Switchback - State Law Features (1)
U.S. Data Privacy Laws Survival Guide

A Guide to the 2024 Landscape

Many of the U.S.'s data privacy laws share common requirements for compliance, but not always.

Our U.S. Data Privacy Laws Survival Guide compiles all the information you need to know to tailor your privacy program for compliance with the laws that matter most to your organization.

Switchback - US Laws Survival Guide
U.S. Data Privacy Laws

Need help complying?

Schedule a Demo

Enacted Comprehensive Laws

California (CCPA/CPRA)

Effective Date

  • CPRA effective date: 1/1/2023
  • CCPA effective date: 1/1/2020
  • Enforcement date: 7/1/2023
    (updated: on February 9, 2024, the CPPA won its appeal, immediately allowing enforcement of the initial CPRA regulations and retroactively setting the enforcement effective date to July 1, 2023.)

Summary

The California Privacy Rights Act (CPRA) is currently the most comprehensive data privacy law in the United States. It amended California's previous comprehensive state privacy law, the California Consumer Privacy Act. 

The primary components of this law are as follows:

Feature

CPRA's Guidelines

Thresholds

  • Buys, sells, or shares the personal information of 100,000 people or households. The “shares” part was added with the CPRA, and the number of people was doubled. 

  • Creates 50% or more of your revenue through the sale or sharing of personal information. 

  • Had $25 million in gross revenue in the preceding calendar year. The “preceding calendar year” part was added with the CPRA to make it clear what they meant by $25 million in annual gross revenues.  

Fines

  • $2,500 per offense for negligent mistakes.  

  • $7,500 per offense for willful offenses.  

Cure Period

None

Data Protection Impact Assessments

Required for profiling, sensitive data, large-scale processing, and other processing activities with risk of harm to consumers.

Recognize Universal Opt-Out Mechanisms

Yes

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health condition treatment

  • Sexual orientation

  • Sex life

  • Citizenship/immigration status

  • Genetic or biometric data for purposes of uniquely identifying an individual

  • Genetic or biometric data

  • Precise geolocation

  • Union Membership

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Sensitive Data)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Limit Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 

Resources

Colorado (CPA)

Effective Date

  • CPA effective date: 7/1/2023

Summary

Colorado was the third state to pass a comprehensive data privacy law, the Colorado Privacy Act (CPA). It's most similar to the CPRA, Virginia's Consumer Data Protection Act, and the GDPR. 

Here are the primary features you need to know about: 

Feature

CPA's Guidelines

Thresholds

  • Businesses that collect personal data from 100,000 Colorado residents or

  • Businesses that collect data from 25,000 Colorado residents and derive a portion of revenue from the sale of that data. 

Fines

$20,000 per offense, with penalties capped at $500,000. 

Cure Period

60 days, sunsets on 1/1/2025

Data Protection Impact Assessments

Yes

Recognize Universal Opt-Out Mechanisms

Yes

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health diagnosis, condition, and diagnosis made by HCP

  • Sexual orientation

  • Sex life

  • Citizenship or citizenship status

  • Genetic or biometric data

  • Personal data of known child

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 

Resources

Connecticut (CTDPA)

Effective Date

  • CTDPA effective date: 7/1/2023

Summary

Connecticut was the fifth state to adopt a privacy law. Known as the Connecticut Data Privacy Act (CTDPA), or “An Act Concerning Personal Data Privacy and Online Monitoring,” Connecticut Bill 6 went into effect on July 1, 2023. 

Feature

CTDPA's Guidelines

Thresholds

Businesses in the state or those that produce products or services targeted to Connecticut residents and who, during the previous year:  

  • Controlled or processed personal data of 100,000 or more consumers, excluding solely for completing a payment transaction; or 

  • Controlled or processed personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.  

Fines

  • $5,000 per violation

  • The Attorney General can also issue orders to offenders to prevent them from violating the law, order disgorgement, and pay restitution to victims.

Cure Period

60 days, sunsets on 12/31/2024.

Data Protection Impact Assessments

Yes

Recognize Universal Opt-Out Mechanisms

Yes. Must be recognized by controllers as valid consumer requests beginning 1/1/2025.

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health diagnosis, condition, and diagnosis made by HCP

  • Sexual orientation

  • Sex life

  • Citizenship or citizenship status

  • Genetic or biometric data

  • Personal data of known child

  • Precise geolocation

  • Consumer health data

  • Status as victim of crime

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 

Resources

Virginia (VCDPA)

Effective Date

  • VCDPA effective date: 1/1/2023

Summary

Virginia's leaders passed The Virginia Consumer Data Protection Act (VCDPA) on March 2, 2021, making it the second state to vote in a comprehensive privacy law after California. As a result, it's similar to the CCPA and the GDPR. 

Feature

VCDPA's Guidelines

Thresholds

Businesses that sell products and services in Virginia or do so targeting Virginia residents, and also do one of the following:

  • Control or process the personal data of 100,000 or more; 

  • Control or process the personal data of at least 25,000 consumers and earn 50% of their revenue by selling personal information. 

Fines

Up to $7,500 per violation.

Cure Period

30 days, no sunset.

Data Protection Impact Assessments

Required for any processing involving targeted advertising, data sales, profiling or sensitive data; or any data processing that presents a "risk of harm."

Recognize Universal Opt-Out Mechanisms

Yes

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health diagnosis

  • Sexual orientation

  • Citizenship or immigration status

  • Genetic or biometric data/Genetic or biometric data for purposes of uniquely identifying an individual

  • Personal data of known child 

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 


Resources

Utah (UCPA)

Effective Date

  • UCPA effective date: 12/31/2023

Summary

Utah became the fourth state to enact a data privacy law in March of 2022. The Utah Consumer Privacy Act (UCPA) is considered by experts to be more business-friendly than several other privacy regulations in the U.S., including the CPRA, VCDPA, and CPA. 

Feature

UCPA's Guidelines

Thresholds

Have annual revenue of $25m or more AND:

  • Control/process personal data of 100,000 or more residents, OR

  • 25,000 or more residents and derive over 50% of gross revenue from selling personal data.

Fines

Up to $7,500 per violation + actual damages

Cure Period

30 days, no sunset

Data Protection Impact Assessments

Not Required

Recognize Universal Opt-Out Mechanisms

No

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health condition and medical history, treatment, diagnosis by HCP

  • Sexual orientation

  • Citizenship/immigration status

  • Genetic or biometric data

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Delete

  • Right to Opt Out of Certain Processing (/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Notice and Opt-Out of Sensitive Data Processing

 

Resources

Pending Comprehensive Laws 

Displayed chronologically based on the laws' effective dates.

Texas (TDPSA)

Effective Date

  • TDPSA effective date: 7/1/2024

Summary

The Texas Data Privacy and Security Act (TDPSA) was signed into law on June 18, 2023, making it the largest state in the United States — and the second of the U.S.'s largest states — to have a comprehensive privacy law on the books. The TDPSA has a few unique aspects, such as the fact that it replaces revenue-based thresholds with a focus on businesses conducting operations in Texas and offering products or services consumed by Texas residents, or businesses that process or sell personal data. It also has a novel small business provision, and while it excludes entities like state agencies and financial institutions, the law does not provide an exemption for organizations governed by HIPAA or GLBA.

Feature

TDPSA's Guidelines

Thresholds

  • Conduct business in Texas or produce products/ services consumed by residents, OR

  • Process or engage in the sale of personal data and are not small businesses.

There are no revenue thresholds. 

Fines

Up to $7,500 per ‎violation‎ and injunctive relief to restrain or enjoin the violator's operations.

Cure Period

30 days, no sunset

Data Protection Impact Assessments

Required for targeted advertising, sale of data, profiling, sensitive data processing, other processing activities with risk of harm to consumers.

Recognize Universal Opt-Out Mechanisms

Yes, as of 1/1/2025.

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health diagnosis, and diagnosis made by HCP

  • Sexuality

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 

Resources

Oregon (OCPA)

Effective Date

  • OCPA effective date: 7/1/2024

Summary

Oregon's legislation passed the Oregon Consumer Privacy Act (OCPA) into law on June 22, 2023. The privacy law is the culmination of four years of work by the Oregon Attorney General’s Consumer Privacy Task Force. Other than what's in the chart below, one notable feature is that non-profits aren't exempt from the law, but they have until July 1, 2025, to comply. And, like Texas, organizations governed by HIPAA or GLBA are not exempt and must follow OCPA for non-covered data. 

Feature

OCPA's Guidelines

Thresholds

  • Control/process the personal data of 100,000 or more residents, OR 

  • 25,000 or more residents, while deriving 25% or more of gross revenue from selling personal data.

Fines

Up to $7,500 per violation

Cure Period

30 days, sunsets 1/1/2026

Data Protection Impact Assessments

Required for targeted advertising, sale of data, profiling, sensitive data processing, other processing activities with risk of harm to consumers.

Recognize Universal Opt-Out Mechanisms

Yes, starting 1/1/2026

Sensitive Data

  • Racial, ethnic, national origin

  • Religious beliefs

  • Mental/physical health condition, diagnosis, medical history and/or treatment, diagnosis by HCP

  • Sexual orientation and status as transgender/nonbinary

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

  • Status as victim of a crime

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to obtain a list of "specific third parties" to whom a controller disclosed personal data 

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 

Resources

Montana (MTCDPA)

Effective Date

  • MTCDPA effective date: 10/1/2024

Summary

Montana's governor signed the Montana Consumer Data Privacy Act (MTCDPA) into law on May 19, 2023. The act is similar to data privacy laws in Indiana, Virginia, Colorado, and Connecticut. One unique factor in the MTCDPA is that Montana's thresholds don't only rely on a revenue limit. Find out more in the breakdown below.

Feature

MTCDPA's Guidelines

Thresholds

  • Control/process the personal data of at least 50,000 residents, OR

  • 25,000 or more residents and derive more than 25% of gross revenue from selling of personal data.

Fines

Up to $7,500 per violation

Cure Period

60 days, sunsets 4/1/2026

Data Protection Impact Assessments

Required for targeted advertising, sale of data, profiling, sensitive data processing, other processing activities with risk of harm to consumers.

Recognize Universal Opt-Out Mechanisms

Yes, as of 1/1/2025

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health condition and/or diagnosis

  • Sexual orientation, sex life, sexuality

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 

Resources

Delaware (DPDPA)

Effective Date

  • DPDPA effective date: 1/1/2025

Summary

After the Delaware Personal Data Privacy Act (DPDPA) was voted in, people quickly started lauding it as the strongest data privacy law in the United States. That's not true — California still holds the title — however, it does apply to more businesses than others, and it is one of the more consumer-friendly laws. 

Feature

DPDPA's Guidelines

Thresholds

Any company that does business in the state or produces products or services that are targeted to residents of the state and that, during the previous calendar year, met one of the following:  

  • Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.  

  • Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.

Fines

Up to $10,000 per violation, up to the Department of Justice's discretion.

Cure Period

60 days, until 1/1/2026

Data Protection Impact Assessments

Required for targeted advertising, selling personal data, and for profiling if there’s a risk of: 

  • Unfair or deceptive treatment to consumers  

  • Financial, physical or reputational injury  

  • Intrusion upon the solitude or seclusion of a consumer (if the intrusion would be “offensive to a reasonable person)  

  • Processing sensitive data 

Recognize Universal Opt-Out Mechanisms

Yes, as of 1/1/2026

Sensitive Data

  • Racial, ethnic, national origin

  • Religious beliefs

  • Mental/physical health condition, diagnosis, diagnosis by HCP

  • Sexual orientation and status as transgender/nonbinary

  • Sex life

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to obtain a list of "specific third parties" to whom a controller disclosed personal data 

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling


Resources

Iowa (ICDPA)

Effective Date

  • ICDPA effective date: 1/1/2025

Summary

The Iowa Consumer Data Protection Act (ICDPA) was the first comprehensive state privacy law ratified in 2023, making it the sixth overall state privacy law so far. There are a couple of differences in the Iowa law versus the others, such as the lack of provisions for the right to correct PI and the right to opt out of profiling, that it sets a 90-day timeline for responses to subject rights requests, and that it provides businesses with a 90-day cure period as opposed to the 30- or 60-day cure period set by other laws. 

Feature

ICDPA's Guidelines

Thresholds

The law applies to any business that:  

  • Controls or processes the personal data of at least 100,000 Iowa consumers, or 

  • Controls or processes the personal data of at least 25,000 consumers and derives more than 50% of its gross revenue from the sale of personal data.  

Fines

$7,500 per violation

Cure Period

Yes, 90 days

Data Protection Impact Assessments

ICDPA does not address assessments. 

Recognize Universal Opt-Out Mechanisms

No

Sensitive Data

  • Racial, ethnic, national origin

  • Religious beliefs

  • Mental/physical health diagnosis, diagnosis by HCP 

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Delete

  • Right to Opt Out of Certain Processing (Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt Out of or Limit Sensitive Data Processing

 

Resources

New Jersey (NJDPA)

Effective Date

  • NJDPA effective date: 1/15/2025

Summary

The New Jersey Data Protection Act (NJDPA) is a data privacy law that gives New Jersey residents control over their personal data, providing certain rights and imposing obligations on those who control and process consumer data. The law applies to businesses and entities who conduct business in the state or who produce products or services targeted to those who live in New Jersey and meet certain thresholds. Unlike other state laws, no monetary penalties are defined in the law’s text, but a violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which can entail fines of up to $10,000 for the initial violation and up to $20,000 for subsequent violations.

Feature

NJDPA's Guidelines

Thresholds

In terms of applicability and exemptions, New Jersey’s privacy law aligns with other state laws. It applies to controllers who, during a calendar year, meet one of the following criteria:

  • Control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction, or
  • Control or process the personal data of at least 25,000 consumers and the controller derives revenue or receives a discount on the price of any goods or services, from the sale of personal data.

Fines

A violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which can entail fines of:

  • up to $10,000 for the initial violation and
  • up to $20,000 for subsequent violations.

 

Cure Period

30 days, sunsetting on July 15th, 2026.

Data Protection Impact Assessments

Required for:

  • Targeted advertising or for profiling if it presents a “reasonably foreseeable” risk of unfair or deceptive treatment of, unlawful disparate impact on consumers, financial or physical injury, physical or other intrusion upon the solitude or seclusion or the private affairs of consumers, or if it would be offensive to a reasonable person.

  • The sale of personal data.

  •  Processing of sensitive data.

Recognize Universal Opt-Out Mechanisms

Yes

Sensitive Data

  • Racial or ethnic origin.
  • Religious beliefs.
  • Mental or physical health condition, treatment, or diagnosis.
  • Sex life or sexual orientation.
  • Citizenship or immigration status.
  • Status as a transgender or nonbinary person.
  • Genetic or biometric data that may be process for identifying an individual.
  • Personal data collected from a known child.
  • Precise geolocation data.
  • Financial information.

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Opt Out of Automated Decision-Making/Profiling

Resources

Tennessee (TIPA)

Effective Date

  • TIPA effective date: 7/1/2025

Summary

The Tennessee Information Protection Act (TIPA) was one of three comprehensive state privacy laws signed or ratified in May of 2023. TIPA follows many of its predecessors when it comes to consumer rights, enforcement, and penalties. Unlike its predecessors, however, TIPA diverges by providing a narrower applicability threshold, giving businesses a generous two years to prepare, and implementing an affirmative defense option for those with written privacy programs aligned with specific frameworks such as NIST.

Feature

TIPA's Guidelines

Thresholds

TIPA applies to businesses with over $25 million in annual revenue that either conduct business within Tennessee or engage with its residents and either: 

  • Control or process the personal information of at least 175,000 consumers during a calendar year.  

  • Control or process personal information of at least 25,000 consumers and derive more than 50 percent of its gross revenue from the sale of PI. 

Fines

  • up to $7,500 per violation

  • This amount can be tripled if the violations are found to be willful. 

Cure Period

60 days

Data Protection Impact Assessments

Required for targeted advertising, the sale of personal information, processing sensitive data, processing personal data for profiling, and other processing that may present a heightened risk to consumers. 

Recognize Universal Opt-Out Mechanisms

No

Sensitive Data

  • Racial, ethnic, national origin

  • Religious beliefs

  • Mental/physical health diagnosis, condition, diagnosis by HCP

  • Sexual orientation

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

Resources

Indiana (INCDPA)

Effective Date

  • INCDPA effective date: 1/1/2026

Summary

Another of the three state privacy laws to be voted in during May 2023 — and the second to do so in 2023 overall — the Indiana Consumer Data Protection Act (INCDPA) is similar to several of its predecessors, including the laws in Colorado (CPA), Connecticut (CTDPA), and Virginia (VCDPA). Indiana's law, however, does not solely rely on revenue as a threshold — it states that controllers must be compliant with the law even if their annual gross revenues do not meet a specific number as long as the data of a specific number of consumers (outlined in the chart below) is processed. 

Feature

INCDPA's Guidelines

Thresholds

Companies that operate in Indiana or sell products and services that are targeted to residents of the state and do one of the following within the previous year: 

  • Control or process the PI of 100,000 residents of Indiana or

  • Control or process the PI of at least 25,000 residents of Indiana while over 50 percent of your revenue comes from the sale of that PI. 

Fines

$7,500 per violation

Cure Period

30 days

Data Protection Impact Assessments

Required for the processing of PI for targeted advertising, the sale of personal data, processing sensitive data, processing personal data for profiling with potential risks, and any other processing that may present a heightened risk to consumers. 

Recognize Universal Opt-Out Mechanisms

No

Sensitive Data

  • Racial, ethnic, national origin

  • Religious belief

  • Sexual orientation

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 

Resources

 

Additional Resources

Don't Stop Here

Make sure you have a good grasp of the data privacy landscape both domestically and globally.

US Data Privacy Checklist hero

U.S. Data Privacy Checklist

Download Yours
2024 privacy laws webinar - resource

2024's Data Privacy Laws [Webinar]

Watch Now
Data Privacy Laws (1)

Data Privacy Laws: What You Need to Know in 2024

Learn more

Simplify Data Privacy Compliance

With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.