Skip to content

    US State Privacy Laws

    A comparison of comprehensive state privacy laws across the United States

    In the absence of a comprehensive federal privacy law, US states have enacted their own data privacy legislation, creating a complex patchwork of requirements for businesses operating across state lines. California led the way with the CCPA in 2020 (amended by the CPRA in 2023), and since then, a growing number of states have followed with their own comprehensive privacy statutes.

    Each law varies in its applicability thresholds, consumer rights, enforcement mechanisms, and unique provisions. Organizations that collect personal data from residents of multiple states must understand these differences to build a compliant, scalable privacy program.

    California

    CCPA/CPRA
    January 1, 2023

    California Consumer Privacy Act / California Privacy Rights Act

    Applicability Thresholds
    • $25M+ annual revenue
    • 100K+ consumers/households
    • 50%+ revenue from selling data
    Consumer Rights
    Know: YesDelete: YesCorrect: YesOpt-out: YesPortability: Yes
    Private Right of Action: Yes
    California Privacy Protection Agency (CPPA)

    Virginia

    VCDPA
    January 1, 2023

    Virginia Consumer Data Protection Act

    Applicability Thresholds
    • 100K+ consumers' data processed
    • 25K+ consumers' data processed AND 50%+ revenue from data sales
    Consumer Rights
    Know: YesDelete: YesCorrect: YesOpt-out: YesPortability: Yes
    Private Right of Action: No
    Virginia Attorney General

    Colorado

    CPA
    July 1, 2023

    Colorado Privacy Act

    Applicability Thresholds
    • 100K+ consumers' data processed
    • 25K+ consumers' data processed AND revenue from data sales
    Consumer Rights
    Know: YesDelete: YesCorrect: YesOpt-out: YesPortability: Yes
    Private Right of Action: No
    Colorado Attorney General

    Connecticut

    CTDPA
    July 1, 2023

    Connecticut Data Privacy Act

    Applicability Thresholds
    • 100K+ consumers' data processed
    • 25K+ consumers' data processed AND 25%+ revenue from data sales
    Consumer Rights
    Know: YesDelete: YesCorrect: YesOpt-out: YesPortability: Yes
    Private Right of Action: No
    Connecticut Attorney General

    Utah

    UCPA
    December 31, 2023

    Utah Consumer Privacy Act

    Applicability Thresholds
    • $25M+ annual revenue
    • 100K+ consumers' data processed OR 50%+ revenue from data sales
    Consumer Rights
    Know: YesDelete: YesCorrect: NoOpt-out: YesPortability: Yes
    Private Right of Action: No
    Utah Attorney General

    Texas

    TDPSA
    July 1, 2024

    Texas Data Privacy and Security Act

    Applicability Thresholds
    • Conducts business in Texas or produces products/services consumed by Texas residents
    • Not a small business as defined by the SBA
    Consumer Rights
    Know: YesDelete: YesCorrect: YesOpt-out: YesPortability: Yes
    Private Right of Action: No
    Texas Attorney General

    Oregon

    OCPA
    July 1, 2024

    Oregon Consumer Privacy Act

    Applicability Thresholds
    • 100K+ consumers' data processed
    • 25K+ consumers' data processed AND 25%+ revenue from data sales
    Consumer Rights
    Know: YesDelete: YesCorrect: YesOpt-out: YesPortability: Yes
    Private Right of Action: No
    Oregon Attorney General

    Montana

    MCDPA
    October 1, 2024

    Montana Consumer Data Privacy Act

    Applicability Thresholds
    • 50K+ consumers' data processed
    • 25K+ consumers' data processed AND 25%+ revenue from data sales
    Consumer Rights
    Know: YesDelete: YesCorrect: YesOpt-out: YesPortability: Yes
    Private Right of Action: No
    Montana Attorney General

    Delaware

    DPDPA
    January 1, 2025

    Delaware Personal Data Privacy Act

    Applicability Thresholds
    • 35K+ consumers' data processed
    • 10K+ consumers' data processed AND 20%+ revenue from data sales
    Consumer Rights
    Know: YesDelete: YesCorrect: YesOpt-out: YesPortability: Yes
    Private Right of Action: No
    Delaware Attorney General

    New Jersey

    NJDPA
    January 15, 2025

    New Jersey Data Privacy Act

    Applicability Thresholds
    • 100K+ consumers' data processed
    • 25K+ consumers' data processed AND revenue from data sales
    Consumer Rights
    Know: YesDelete: YesCorrect: YesOpt-out: YesPortability: Yes
    Private Right of Action: No
    New Jersey Attorney General

    Need Help with Multi-State Compliance?

    Building a privacy program that satisfies multiple state laws requires a unified strategy. We can help you navigate the patchwork.

    Learn About Our Privacy Services