US Data Privacy Law Guide

U.S. Data Privacy Laws: A Guide to the 2024 Landscape

With multiple comprehensive data privacy laws enacted and many more in progress, staying on top of the U.S. data privacy landscape is becoming more and more challenging. We're here to help.

Data Privacy in the U.S.

A State-by-state Landscape

The United States doesn't currently have a national comprehensive privacy law, despite efforts to enact one. As of this writing, the American Privacy Rights Act (APRA) has been introduced in Congress, though it still has a long road ahead before it can be enacted into law.

As a result, U.S. states have been pushed to act independently. The most comprehensive state law currently belongs to California, and many states are following California's lead by enacting similar or slightly watered-down versions of the CPRA.

All laws are slightly different, however, which can be very challenging for organizations and individuals to navigate. We've distilled the U.S. data privacy law landscape focusing on the key features of each law.

U.S. Data Privacy Laws Survival Guide

A Guide to the 2024 Landscape

Many of the U.S.'s data privacy laws share common requirements for compliance, but not always.

Our U.S. Data Privacy Laws Survival Guide compiles all the information you need to know to tailor your privacy program for compliance with the laws that matter most to your organization.

U.S. Data Privacy Laws


Effective Comprehensive Laws

California (CCPA/CPRA)

Effective Date

  • CPRA effective date: 1/1/2023
  • CCPA effective date: 1/1/2020
  • Enforcement date: 7/1/2023
    (updated: on February 9, 2024, the CPPA won its appeal, immediately allowing enforcement of the initial CPRA regulations and retroactively setting the enforcement effective date to July 1, 2023.)

Summary

The California Privacy Rights Act (CPRA) is currently the most comprehensive data privacy law in the United States. It amended California's previous comprehensive state privacy law, the California Consumer Privacy Act. 

The primary components of this law are as follows:

Feature

CPRA's Guidelines

Thresholds

  • Buys, sells, or shares the personal information of 100,000 people or households. The “shares” part was added with the CPRA, and the number of people was doubled. 

  • Creates 50% or more of your revenue through the sale or sharing of personal information. 

  • Had $25 million in gross revenue in the preceding calendar year. The “preceding calendar year” part was added with the CPRA to make it clear what they meant by $25 million in annual gross revenues.  

Fines

  • $2,500 per offense for negligent mistakes.  

  • $7,500 per offense for willful offenses.  

Cure Period

None

Data Protection Impact Assessments

Required for profiling, sensitive data, large-scale processing, and other processing activities with risk of harm to consumers.

Recognize Universal Opt-Out Mechanisms

Yes

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health condition treatment

  • Sexual orientation

  • Sex life

  • Citizenship/immigration status

  • Genetic or biometric data for purposes of uniquely identifying an individual

  • Genetic or biometric data

  • Precise geolocation

  • Union Membership

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Sensitive Data)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Limit Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 


Colorado (CPA)

Effective Date

  • CPA effective date: 7/1/2023

Summary

Colorado was the third state to pass a comprehensive data privacy law, the Colorado Privacy Act (CPA). It's most similar to the CPRA, Virginia's Consumer Data Protection Act, and the GDPR. 

Here are the primary features you need to know about: 

Feature

CPA's Guidelines

Thresholds

  • Businesses that collect personal data from 100,000 Colorado residents or

  • Businesses that collect data from 25,000 Colorado residents and derive a portion of revenue from the sale of that data. 

Fines

$20,000 per offense, with penalties capped at $500,000. 

Cure Period

60 days, sunsets on 1/1/2025

Data Protection Impact Assessments

Yes

Recognize Universal Opt-Out Mechanisms

Yes

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health diagnosis, condition, and diagnosis made by HCP

  • Sexual orientation

  • Sex life

  • Citizenship or citizenship status

  • Genetic or biometric data

  • Personal data of known child

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 


Connecticut (CTDPA)

Effective Date

  • CTDPA effective date: 7/1/2023

Summary

Connecticut was the fifth state to adopt a privacy law. Known as the Connecticut Data Privacy Act (CTDPA), or “An Act Concerning Personal Data Privacy and Online Monitoring,” Connecticut Bill 6 went into effect on July 1, 2023. 

Feature

CTDPA's Guidelines

Thresholds

Businesses in the state or those that produce products or services targeted to Connecticut residents and who, during the previous year:  

  • Controlled or processed personal data of 100,000 or more consumers, excluding solely for completing a payment transaction; or 

  • Controlled or processed personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.  

Fines

  • $5,000 per violation

  • The Attorney General can also issue orders to offenders to prevent them from violating the law, order disgorgement, and pay restitution to victims.

Cure Period

60 days, sunsets on 12/31/2024.

Data Protection Impact Assessments

Yes

Recognize Universal Opt-Out Mechanisms

Yes. Must be recognized by controllers as valid consumer requests beginning 1/1/2025.

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health diagnosis, condition, and diagnosis made by HCP

  • Sexual orientation

  • Sex life

  • Citizenship or citizenship status

  • Genetic or biometric data

  • Personal data of known child

  • Precise geolocation

  • Consumer health data

  • Status as victim of crime

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 


Virginia (VCDPA)

Effective Date

  • VCDPA effective date: 1/1/2023

Summary

Virginia's leaders passed The Virginia Consumer Data Protection Act (VCDPA) on March 2, 2021, making it the second state to vote in a comprehensive privacy law after California. As a result, it's similar to the CCPA and the GDPR. 

Feature

VCDPA's Guidelines

Thresholds

Businesses that sell products and services in Virginia or do so targeting Virginia residents, and also do one of the following:

  • Control or process the personal data of 100,000 or more; 

  • Control or process the personal data of at least 25,000 consumers and earn 50% of their revenue by selling personal information. 

Fines

Up to $7,500 per violation.

Cure Period

30 days, no sunset.

Data Protection Impact Assessments

Required for any processing involving targeted advertising, data sales, profiling or sensitive data; or any data processing that presents a "risk of harm."

Recognize Universal Opt-Out Mechanisms

Yes

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health diagnosis

  • Sexual orientation

  • Citizenship or immigration status

  • Genetic or biometric data/Genetic or biometric data for purposes of uniquely identifying an individual

  • Personal data of known child 

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 



Utah (UCPA)

Effective Date

  • UCPA effective date: 12/31/2023

Summary

Utah became the fourth state to enact a data privacy law in March of 2022. The Utah Consumer Privacy Act (UCPA) is considered by experts to be more business-friendly than several other privacy regulations in the U.S., including the CPRA, VCDPA, and CPA. 

Feature

UCPA's Guidelines

Thresholds

Have annual revenue of $25m or more AND:

  • Control/process personal data of 100,000 or more residents, OR

  • 25,000 or more residents and derive over 50% of gross revenue from selling personal data.

Fines

Up to $7,500 per violation + actual damages

Cure Period

30 days, no sunset

Data Protection Impact Assessments

Not Required

Recognize Universal Opt-Out Mechanisms

No

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health condition and medical history, treatment, diagnosis by HCP

  • Sexual orientation

  • Citizenship/immigration status

  • Genetic or biometric data

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Delete

  • Right to Opt Out of Certain Processing (Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Notice and Opt-Out of Sensitive Data Processing

 


Pending Comprehensive Laws 

Displayed chronologically based on the laws' effective dates.

Texas (TDPSA)

Effective Date

  • TDPSA effective date: 7/1/2024

Summary

The Texas Data Privacy and Security Act (TDPSA) was signed into law on June 18, 2023, making Texas the largest state in the United States — and the second of the U.S.'s largest states — to have a comprehensive privacy law on the books. The TDPSA has a few unique aspects, such as the fact that it replaces revenue-based thresholds with a focus on businesses conducting operations in Texas and offering products or services consumed by Texas residents, or businesses that process or sell personal data. It also has a novel small business provision, and while it excludes entities like state agencies and financial institutions, the law does not provide an exemption for organizations governed by HIPAA or GLBA.

Feature

TDPSA's Guidelines

Thresholds

  • Conduct business in Texas or produce products/services consumed by residents, OR

  • Process or engage in the sale of personal data and are not small businesses.

There are no revenue thresholds. 

Fines

Up to $7,500 per violation and injunctive relief to restrain or enjoin the violator's operations.

Cure Period

30 days, no sunset

Data Protection Impact Assessments

Required for targeted advertising, sale of data, profiling, sensitive data processing, other processing activities with risk of harm to consumers.

Recognize Universal Opt-Out Mechanisms

Yes, as of 1/1/2025.

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health diagnosis, and diagnosis made by HCP

  • Sexuality

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 


Oregon (OCPA)

Effective Date

  • OCPA effective date: 7/1/2024

Summary

Oregon's legislature passed the Oregon Consumer Privacy Act (OCPA) into law on June 22, 2023. The privacy law is the culmination of four years of work by the Oregon Attorney General’s Consumer Privacy Task Force. Other than what's in the chart below, one notable feature is that non-profits aren't exempt from the law, but they have until July 1, 2025, to comply. And, as in Texas, organizations governed by HIPAA or GLBA are not exempt and must follow the OCPA for non-covered data.

Feature

OCPA's Guidelines

Thresholds

  • Control/process the personal data of 100,000 or more residents, OR 

  • 25,000 or more residents, while deriving 25% or more of gross revenue from selling personal data.

Fines

Up to $7,500 per violation

Cure Period

30 days, sunsets 1/1/2026

Data Protection Impact Assessments

Required for targeted advertising, sale of data, profiling, sensitive data processing, other processing activities with risk of harm to consumers.

Recognize Universal Opt-Out Mechanisms

Yes, starting 1/1/2026

Sensitive Data

  • Racial, ethnic, national origin

  • Religious beliefs

  • Mental/physical health condition, diagnosis, medical history and/or treatment, diagnosis by HCP

  • Sexual orientation and status as transgender/nonbinary

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

  • Status as victim of a crime

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to obtain a list of "specific third parties" to whom a controller disclosed personal data 

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 


Montana (MTCDPA)

Effective Date

  • MTCDPA effective date: 10/1/2024

Summary

Montana's governor signed the Montana Consumer Data Privacy Act (MTCDPA) into law on May 19, 2023. The act is similar to data privacy laws in Indiana, Virginia, Colorado, and Connecticut. One unique factor in the MTCDPA is that Montana's thresholds don't only rely on a revenue limit. Find out more in the breakdown below.

Feature

MTCDPA's Guidelines

Thresholds

  • Control/process the personal data of at least 50,000 residents, OR

  • 25,000 or more residents and derive more than 25% of gross revenue from selling of personal data.

Fines

Not yet specified

Cure Period

60 days, sunsets 4/1/2026

Data Protection Impact Assessments

Required for targeted advertising, sale of data, profiling, sensitive data processing, other processing activities with risk of harm to consumers.

Recognize Universal Opt-Out Mechanisms

Yes, as of 1/1/2025

Sensitive Data

  • Racial or ethnic origin

  • Religious beliefs

  • Mental/physical health condition and/or diagnosis

  • Sexual orientation, sex life, sexuality

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 


Delaware (DPDPA)

Effective Date

  • DPDPA effective date: 1/1/2025

Summary

After the Delaware Personal Data Privacy Act (DPDPA) was voted in, people quickly started lauding it as the strongest data privacy law in the United States. That's not true — California still holds the title — however, it does apply to more businesses than others, and it is one of the more consumer-friendly laws. 

Feature

DPDPA's Guidelines

Thresholds

Any company that does business in the state or produces products or services that are targeted to residents of the state and that, during the previous calendar year, met one of the following:  

  • Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.  

  • Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.

Fines

Up to $10,000 per violation, up to the Department of Justice's discretion.

Cure Period

60 days, until 1/1/2026

Data Protection Impact Assessments

Required for targeted advertising, selling personal data, and for profiling if there’s a risk of: 

  • Unfair or deceptive treatment to consumers  

  • Financial, physical or reputational injury  

  • Intrusion upon the solitude or seclusion of a consumer (if the intrusion would be “offensive to a reasonable person”)

  • Processing sensitive data 

Recognize Universal Opt-Out Mechanisms

Yes, as of 1/1/2026

Sensitive Data

  • Racial, ethnic, national origin

  • Religious beliefs

  • Mental/physical health condition, diagnosis, diagnosis by HCP

  • Sexual orientation and status as transgender/nonbinary

  • Sex life

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to obtain a list of "specific third parties" to whom a controller disclosed personal data 

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling



Iowa (ICDPA)

Effective Date

  • ICDPA effective date: 1/1/2025

Summary

The Iowa Consumer Data Protection Act (ICDPA) was the first comprehensive state privacy law ratified in 2023, making it the sixth overall state privacy law so far. There are a couple of differences in the Iowa law versus the others, such as the lack of provisions for the right to correct PI and the right to opt out of profiling, that it sets a 90-day timeline for responses to subject rights requests, and that it provides businesses with a 90-day cure period as opposed to the 30- or 60-day cure period set by other laws. 

Feature

ICDPA's Guidelines

Thresholds

The law applies to any business that:  

  • Controls or processes the personal data of at least 100,000 Iowa consumers, or 

  • Controls or processes the personal data of at least 25,000 consumers and derives more than 50% of its gross revenue from the sale of personal data.  

Fines

$7,500 per violation

Cure Period

Yes, 90 days

Data Protection Impact Assessments

ICDPA does not address assessments. 

Recognize Universal Opt-Out Mechanisms

No

Sensitive Data

  • Racial, ethnic, national origin

  • Religious beliefs

  • Mental/physical health diagnosis, diagnosis by HCP 

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Delete

  • Right to Opt Out of Certain Processing (Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt Out of or Limit Sensitive Data Processing

 


Nebraska (NDPA)

Effective Date

  • NDPA effective date: 1/1/2025

Summary

The NDPA is a comprehensive data privacy act designed to protect consumers and give them control over their personal information. It grants them certain rights, outlined below, and provides controllers, or the entity that determines the purpose and means of processing personal data, with specific requirements for how to handle data and consumer requests related to their data.  

The law’s scope tracks closely with the Texas Data Privacy and Security Act (TDPSA), including its applicability, sensitive data, and its requirement to honor universal opt-out mechanisms.  

Feature

NDPA's Guidelines

Thresholds

Like the TDPSA, Nebraska’s privacy law applies to a person who:  

  • Conducts business in the state or produces a product or service consumed by residents of Nebraska;  
  • Processes or engages in the sale of personal data; and  
  • Is not a small business as determined under the federal Small Business Act. 

One notable aspect of the NDPA’s applicability is that, unlike most other state laws, there is no threshold for revenue or volume of data processed.

  

Fines

$7,500 per violation.  

Cure Period

Yes. If a controller is found to have violated Nebraska's privacy act, they have 30 days to cure the violation. Unlike some data privacy acts, the cure period does not have a sunset date.

Data Protection Impact Assessments

Nebraska’s privacy law requires controllers to conduct and document a DPIA for a variety of activities that involve personal data, including for the processing of data for targeted advertising; the sale of personal data; processing for profiling if it presents a risk of impacts like unfair or deceptive treatment, financial, physical or reputational injury, an intrusion on the solitude of a consumer, or other substantial injury to the consumer.  

They’re also required when processing sensitive data or for any processing activity that involves personal data that presents a heightened risk of harm to any consumer.  

Recognize Universal Opt-Out Mechanisms

Yes

Sensitive Data

Like Texas’s law, Nebraska’s data privacy act defines sensitive data as:  

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; 
  • Genetic or biometric data that is processed for the purpose of uniquely identifying an individual; 
  • Personal data collected from a known child; or  
  • Precise geolocation data.  

Consumer Rights

 

  • Confirm whether a controller is processing the consumer's personal data and to access the personal data;  
  • Correct inaccuracies in the consumer's personal data;  
  • Delete personal data provided by or obtained about the consumer; 
  • Obtain a copy of their personal data in a usable format that can be transmitted to another controller; 
  • Opt out of processing for targeted advertising, the sale of personal data, or profiling if the decision would produce a legal or other significant impact on the consumer.    


New Hampshire (NHPA)

Effective Date

  • NHPA effective date: 1/1/2025

Summary

The New Hampshire Privacy Act (NHPA) is one of a number of statewide data privacy laws aimed at giving consumers control over their personal data in an increasingly digital world. 

The good news for businesses is that the NHPA largely resembles other data privacy laws that have come before it.

The New Hampshire data privacy act’s scope is somewhat unique in that it doesn’t include a revenue threshold. Additionally, the applicability threshold is lower than other laws, but lawmakers have pointed out that this is because of the state’s lower population.  

Like other U.S. laws, the NHPA follows primarily an opt-out model, meaning businesses are free to process consumer data, but must notify consumers about the processing first and give them a way to opt out of the collection or sale of data. 

Feature

NHPA's Guidelines

Thresholds

The NHPA applies to “persons that conduct business” in the state or who produce products or services targeted to residents of New Hampshire and who, during a one-year period:
  • Controlled or processed the personal data of not less than 35,000 unique consumers, excluding if the processing occurred solely to complete a payment transaction, or
  • Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.  

Fines

The NHPA states that any violations are also a violation of the state’s deceptive trade practices law. This means penalties could be as steep as $10,000 per violation.  

Cure Period

The act has a 60-day cure period for violations that sunsets one year after the law is enacted (in January 2026).  

Data Protection Impact Assessments

New Hampshire’s law requires an assessment for any processing activity that presents a “heightened risk of harm to a consumer,” including activities such as targeted advertising, sale of personal data, processing for the purposes of profiling in certain instances, and processing sensitive data.  

Recognize Universal Opt-Out Mechanisms

Yes

Sensitive Data

The NHPA has a broad definition of sensitive data, which includes personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.

Consumer Rights

 

  • Confirm whether a controller is processing the consumer's personal data and access that data. 
  • Correct inaccuracies in the consumer's personal data. 
  • Delete personal data provided by, or obtained about, the consumer. 
  • Obtain a copy of the consumer's personal data processed by the controller, in a user-friendly format. 
  • Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling “in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.” 


New Jersey (NJDPA)

Effective Date

  • NJDPA effective date: 1/15/2025

Summary

The New Jersey Data Protection Act (NJDPA) is a data privacy law that gives New Jersey residents control over their personal data, providing certain rights and imposing obligations on those who control and process consumer data. The law applies to businesses and entities who conduct business in the state or who produce products or services targeted to those who live in New Jersey and meet certain thresholds. Unlike other state laws, no monetary penalties are defined in the law’s text, but a violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which can entail fines of up to $10,000 for the initial violation and up to $20,000 for subsequent violations.

Feature

NJDPA's Guidelines

Thresholds

In terms of applicability and exemptions, New Jersey’s privacy law aligns with other state laws. It applies to controllers who, during a calendar year, meet one of the following criteria:

  • Control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction, or
  • Control or process the personal data of at least 25,000 consumers and the controller derives revenue or receives a discount on the price of any goods or services, from the sale of personal data.

Fines

A violation of the NJDPA will constitute a violation of the New Jersey Consumer Fraud Act, which can entail fines of:

  • up to $10,000 for the initial violation and
  • up to $20,000 for subsequent violations.

 

Cure Period

30 days, sunsetting on July 15th, 2026.

Data Protection Impact Assessments

Required for:

  • Targeted advertising or for profiling if it presents a “reasonably foreseeable” risk of unfair or deceptive treatment of, unlawful disparate impact on consumers, financial or physical injury, physical or other intrusion upon the solitude or seclusion or the private affairs of consumers, or if it would be offensive to a reasonable person.

  • The sale of personal data.

  • Processing of sensitive data.

Recognize Universal Opt-Out Mechanisms

Yes

Sensitive Data

  • Racial or ethnic origin.
  • Religious beliefs.
  • Mental or physical health condition, treatment, or diagnosis.
  • Sex life or sexual orientation.
  • Citizenship or immigration status.
  • Status as a transgender or nonbinary person.
  • Genetic or biometric data that may be processed for identifying an individual.
  • Personal data collected from a known child.
  • Precise geolocation data.
  • Financial information.

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Opt Out of Automated Decision-Making/Profiling

Resources

The New Jersey Data Privacy Act (NJDPA): The Basics

Tennessee (TIPA)

Effective Date

  • TIPA effective date: 7/1/2025

Summary

The Tennessee Information Protection Act (TIPA) was one of three comprehensive state privacy laws signed or ratified in May of 2023. TIPA follows many of its predecessors when it comes to consumer rights, enforcement, and penalties. Unlike its predecessors, however, TIPA provides a narrower applicability threshold, gives businesses a generous two years to prepare, and implements an affirmative defense option for those with written privacy programs aligned with specific frameworks such as NIST.

Feature

TIPA's Guidelines

Thresholds

TIPA applies to businesses with over $25 million in annual revenue that conduct business within Tennessee or engage with its residents and that do either of the following:

  • Control or process the personal information of at least 175,000 consumers during a calendar year.  

  • Control or process personal information of at least 25,000 consumers and derive more than 50 percent of their gross revenue from the sale of PI.

Fines

  • up to $7,500 per violation

  • This amount can be tripled if the violations are found to be willful. 

Cure Period

60 days

Data Protection Impact Assessments

Required for targeted advertising, the sale of personal information, processing sensitive data, processing personal data for profiling, and other processing that may present a heightened risk to consumers. 

Recognize Universal Opt-Out Mechanisms

No

Sensitive Data

  • Racial, ethnic, national origin

  • Religious beliefs

  • Mental/physical health diagnosis, condition, diagnosis by HCP

  • Sexual orientation

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

Indiana (INCDPA)

Effective Date

  • INCDPA effective date: 1/1/2026

Summary

Another of the three state privacy laws to be voted in during May 2023 — and the second to do so in 2023 overall — the Indiana Consumer Data Protection Act (INCDPA) is similar to several of its predecessors, including the laws in Colorado (CPA), Connecticut (CTDPA), and Virginia (VCDPA). Indiana's law, however, does not solely rely on revenue as a threshold — it states that controllers must be compliant with the law even if their annual gross revenues do not meet a specific number as long as the data of a specific number of consumers (outlined in the chart below) is processed. 

Feature

INCDPA's Guidelines

Thresholds

Companies that operate in Indiana or sell products and services that are targeted to residents of the state and do one of the following within the previous year: 

  • Control or process the PI of 100,000 residents of Indiana or

  • Control or process the PI of at least 25,000 residents of Indiana while deriving over 50 percent of their revenue from the sale of that PI.

Fines

$7,500 per violation

Cure Period

30 days

Data Protection Impact Assessments

Required for the processing of PI for targeted advertising, the sale of personal data, processing sensitive data, processing personal data for profiling with potential risks, and any other processing that may present a heightened risk to consumers. 

Recognize Universal Opt-Out Mechanisms

No

Sensitive Data

  • Racial, ethnic, national origin

  • Religious belief

  • Sexual orientation

  • Citizenship/immigration status

  • Genetic or biometric data

  • Personal data of a known child

  • Precise geolocation

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Portability/Transfer

  • Right to Opt Out of Sales

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling

 

Kentucky (KCDPA)

Effective Date

  • KCDPA effective date: 1/1/2026

Summary

The KCDPA provides data privacy protections for consumers of the Bluegrass State, granting them certain now-standard rights.

The law defines consumers as residents of the state acting only as an individual, not in commercial or employment contexts. It closely aligns with Virginia’s law, which is good news for businesses already complying with the Virginia Consumer Data Protection Act (VCDPA). And, because the VCDPA is considered a framework or foundation legislation, the KCDPA also tracks closely with other state laws that used Virginia’s law as a framework, including Tennessee and Indiana.

Businesses will become subject to the law as of January 1, 2026.

Feature

KCDPA's Guidelines

Thresholds

The KCDPA applies to any person who conducts business in Kentucky or who produces products or services that target residents of the state, and during a calendar year controls or processes data of at least:

  • 100,000 consumers; or
  • 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.

Fines

$7,500 per violation

Cure Period

30 days

Data Protection Impact Assessments

Required for processing that involves:

  • Targeted advertising.
  • Selling of personal data.
  • Profiling, if there is a risk of unfair or deceptive treatment, potential injury to consumers, or an intrusion on their solitude or seclusion.
  • Sensitive data.
  • Personal data that presents a heightened risk of harm to consumers.

This requirement becomes active June 1, 2026.

Recognize Universal Opt-Out Mechanisms

No

Sensitive Data

The law defines sensitive data as a category of personal data that includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for identifying a specific natural person; personal data collected from a known child; or precise geolocation data.

 

Consumer Rights

  • Right to Know/Confirm

  • Right to Access

  • Right to Correct

  • Right to Delete

  • Right to Opt Out of Certain Processing (Profiling/Targeted Advertising)

  • Right to Opt Out of Sale

  • Right to Portability/Transfer

  • Right to Opt In for Sensitive Data Processing

  • Right to Object to Automated Decision-Making/Profiling
