An overview of the eighteen (and counting!) US state comprehensive privacy laws

[Updated: May 9, 2024]

Since 2018, US state legislative bodies have shown no signs of slowing their efforts to pass comprehensive privacy laws.

While these laws often mirror one another, they also often differ in notable and material ways. This creates a complicated patchwork of obligations and requirements for businesses navigating the data ecosystem, because operating nationwide may require formulating a compliance approach broad enough to satisfy all of the different US state comprehensive privacy laws.

The first step to formulating compliance efforts is to determine which laws apply, and that requires analyzing each law’s threshold for applicability and effective date. To assist with this first step, the following list provides a brief overview of the current US state comprehensive privacy laws.

Please note that this list does not include each law’s exemptions and exceptions.


CALIFORNIA

Law: The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020

Applies to:

For-profit entities that, jointly or alone, collect and control the processing of California residents’ personal information and meet at least one of the following criteria:

  • Annual gross revenue in the preceding calendar year that exceeds $25 million.
  • Annually buys, sells, or shares personal information of 100,000 or more California residents or households.
  • Derives 50% or more of annual revenue from selling or sharing California residents’ personal information.

Effective date: January 1, 2020

Enforcement authorities: Dual enforcement shared between the California Attorney General and the California Privacy Protection Agency, with a limited private right of action for certain data breaches.

Enforcement date: July 1, 2023


COLORADO

Law: The Colorado Privacy Act

Applies to:

Entities that conduct business in Colorado or produce / deliver commercial products or services intentionally targeted to Colorado residents and satisfy one of the following criteria:

  • Controls or processes personal data of 100,000 or more Colorado residents during a calendar year.
  • Controls or processes personal data of 25,000 or more Colorado residents and derives revenue or receives a discount on the price of goods or services from the sale of personal data.

Effective date: July 1, 2023

Enforcement authorities: Both the Colorado Attorney General and district attorneys are empowered to enforce the law.

Enforcement date: July 1, 2023


CONNECTICUT

Law: The Connecticut Data Privacy Act

Applies to:

For-profit entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents and during the preceding calendar year satisfied one of the following criteria:

  • Controlled or processed personal data of 100,000 or more Connecticut residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction).
  • Controlled or processed personal data of 25,000 or more Connecticut residents and derived more than 25% of gross revenue from the sale of personal data.

Effective date: July 1, 2023

Enforcement authorities: Connecticut Attorney General

Enforcement date: July 1, 2023


DELAWARE

Law: The Personal Data Privacy Act

Applies to:

Entities that conduct business in Delaware or produce products / services targeted to Delaware residents and satisfy one of the following criteria:

  • Control or process personal data of 35,000 or more Delaware residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more Delaware residents and derive more than 20% of gross revenue from the sale of personal data.

Effective date: January 1, 2025

Enforcement authorities: Delaware Department of Justice

Enforcement date: January 1, 2025


FLORIDA

Law: The Florida Digital Bill of Rights

Applies to:

For-profit entities (with an annual gross revenue in excess of $1 billion) that conduct business in Florida and that, jointly or alone, collect and control the processing of personal data about Florida residents, and satisfy one of the following criteria:

  • Derives 50% or more of its global gross annual revenue from the sale of advertisements online, including targeted advertising.
  • Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computer service that uses hands-free verbal activation (but not including vehicle-integrated speakers or software operated by a motor vehicle manufacturer or subsidiary thereof).
  • Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download or install.

Effective date: July 1, 2024

Enforcement authorities: Florida Attorney General

Enforcement date: July 1, 2024


INDIANA

Law: The Indiana Consumer Data Protection Act

Applies to:

For-profit entities that conduct business in Indiana or produce products / services targeted to Indiana residents and during a calendar year satisfy one of the following criteria:

  • Control or process personal data of 100,000 or more Indiana residents.
  • Control or process personal data of 25,000 or more Indiana residents and derive more than 50% of gross revenue from the sale of personal data.

Effective date: January 1, 2026

Enforcement authorities: Indiana Attorney General

Enforcement date: January 1, 2026


IOWA

Law: The Iowa Consumer Data Protection Act

Applies to:

For-profit entities that conduct business in Iowa or produce products / services targeted to Iowa residents and during a calendar year satisfy one of the following criteria:

  • Control or process personal data of 100,000 or more Iowa residents.
  • Control or process personal data of 25,000 or more Iowa residents and derive more than 50% of gross revenue from the sale of personal data.

Effective date: January 1, 2025

Enforcement authorities: Iowa Attorney General

Enforcement date: January 1, 2025


KENTUCKY

Law: The Kentucky Consumer Data Protection Act

Applies to:

For-profit entities that conduct business in Kentucky or produce products / services targeted to Kentucky residents and during a calendar year satisfy one of the following criteria:

  • Control or process personal data of 100,000 or more Kentucky residents.
  • Control or process personal data of 25,000 or more Kentucky residents and derive more than 50% of gross revenue from the sale of personal data.

Effective date: January 1, 2026

Enforcement authorities: Kentucky Attorney General

Enforcement date: January 1, 2026


MARYLAND

Law: Maryland Online Data Privacy Act of 2024

Applies to:

Entities that conduct business in Maryland or produce products / services targeted to Maryland residents and satisfy one of the following criteria:

  • Control or process personal data of 35,000 or more Maryland residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more Maryland residents and derive more than 20% of gross revenue from the sale of personal data.

Effective date: October 1, 2025

(However, the law will not have any effect on or application to processing activities prior to April 1, 2026.)

Enforcement authorities: Maryland Attorney General

Enforcement date: October 1, 2025


MONTANA

Law: The Montana Consumer Data Privacy Act

Applies to:

For-profit entities that conduct business in Montana or produce products / services targeted to Montana residents and satisfy one of the following criteria:

  • Control or process personal data of 50,000 or more Montana residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 25,000 or more Montana residents and derive more than 50% of gross revenue from the sale of personal data.

Effective date: October 1, 2024 (spooky season!)

Enforcement authorities: Montana Attorney General

Enforcement date: October 1, 2024


NEBRASKA

Law: Nebraska Data Privacy Act

Applies to:

For-profit entities that:

  • Conduct business in Nebraska or produce products / services consumed by Nebraska residents;
  • Process or engage in the sale of personal data; and
  • Are not a small business as defined by the US Small Business Administration.

Effective date: January 1, 2025

Enforcement authorities: Nebraska Attorney General

Enforcement date: January 1, 2025


NEW HAMPSHIRE

Law: An Act Relative to the Expectation of Privacy

Applies to:

For-profit entities that conduct business in New Hampshire or produce products / services targeted to New Hampshire residents and satisfy one of the following criteria:

  • Control or process personal data of 35,000 or more New Hampshire residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more New Hampshire residents and derive more than 25% of gross revenue from the sale of personal data.

Effective date: January 1, 2025

Enforcement authorities: New Hampshire Attorney General

Enforcement date: January 1, 2025


NEW JERSEY

Law: Senate Bill 332

Applies to:

Entities that conduct business in New Jersey or produce products / services targeted to New Jersey residents and satisfy one of the following criteria:

  • Control or process personal data of 100,000 or more New Jersey residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 25,000 or more New Jersey residents and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.

Effective date: July 15, 2025

Enforcement authorities: New Jersey Attorney General

Enforcement date: July 15, 2025


OREGON

Law: Senate Bill 619

Applies to:

Entities that conduct business in Oregon or produce products / services targeted to Oregon residents and satisfy one of the following criteria:

  • Control or process personal data of 100,000 or more Oregon residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 25,000 or more Oregon residents and derive more than 25% of gross revenue from the sale of personal data.

Effective date: July 1, 2024

Enforcement authorities: Oregon Attorney General

Enforcement date: July 1, 2024


TENNESSEE

Law: The Tennessee Information Protection Act

Applies to:

For-profit entities (with revenue in excess of $25 million) that conduct business in Tennessee producing products / services targeted to Tennessee residents and satisfy one of the following criteria:

  • Control or process personal data of 175,000 or more Tennessee residents.
  • Control or process personal data of 25,000 or more Tennessee residents and derive more than 50% of gross revenue from the sale of personal data.

Effective date: July 1, 2025

Enforcement authorities: Tennessee Attorney General

Enforcement date: July 1, 2025


TEXAS

Law: The Texas Data Privacy and Security Act

Applies to:

For-profit entities that conduct business in Texas or produce products / services targeted to Texas residents and satisfy all of the following criteria:

  • Control or process personal data of Texas residents.
  • Are not a small business as defined by the US Small Business Administration.

(However, the law imposes limited restrictions on for-profit entities that are classified as small businesses by the US Small Business Administration.)

Effective date: July 1, 2024

Enforcement authorities: Texas Attorney General

Enforcement date: July 1, 2024


UTAH

Law: The Utah Consumer Privacy Act

Applies to:

For-profit entities (with annual revenue in excess of $25 million) that conduct business in Utah or produce products / services targeted to Utah residents and satisfy one of the following criteria:

  • Control or process personal data of 100,000 or more Utah residents during a calendar year.
  • Control or process personal data of 25,000 or more Utah residents and derive more than 50% of gross revenue from the sale of personal data.

Effective date: December 31, 2023

Enforcement authorities: Utah Attorney General and the Department of Commerce’s Division of Consumer Protection

Enforcement date: December 31, 2023


VIRGINIA

Law: The Virginia Consumer Data Protection Act

Applies to:

For-profit entities that conduct business in Virginia or produce products / services targeted to Virginia residents and satisfy one of the following criteria:

  • Control or process personal data of 100,000 or more Virginia residents during a calendar year.
  • Control or process personal data of 25,000 or more Virginia residents and derive more than 50% of gross revenue from the sale of personal data.

Effective date: January 1, 2023

Enforcement authorities: Virginia Attorney General

Enforcement date: January 1, 2023