[Updated: June 26, 2024]
Since 2018, US state legislative bodies have shown no signs of slowing their efforts to pass comprehensive privacy laws.
While these laws often mirror one another, they also often differ in notable and material ways. This creates a complicated patchwork of obligations and requirements for businesses navigating the data ecosystem, because operating nationwide may require formulating a compliance approach broad enough to satisfy all of the different US state comprehensive privacy laws.
The first step to formulating compliance efforts is to determine which laws apply, and that requires analyzing each law’s threshold for applicability and effective date. To assist with this first step, the following list provides a brief overview of the current US state comprehensive privacy laws.
Please note that this list does not include each law’s exemptions and exceptions.
CALIFORNIA
Law: The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020
Applies to:
For-profit entities that, jointly or alone, collect and control the processing of California residents’ personal information and meet at least one of the following criteria:
- Annual gross revenue in the preceding calendar year that exceeds $25 million.
- Annually buys, sells, or shares personal information of 100,000 or more California residents or households.
- Derives 50% or more of annual revenue from selling or sharing California residents’ personal information.
Effective date: January 1, 2020
Enforcement authorities: Dual enforcement shared between the California Attorney General and the California Privacy Protection Agency, with a limited private right of action for certain data breaches.
Enforcement date: July 1, 2023
COLORADO
Applies to:
Entities that conduct business in Colorado or produce / deliver commercial products or services intentionally targeted to Colorado residents and satisfy one of the following criteria:
- Controls or processes personal data of 100,000 or more Colorado residents during a calendar year.
- Controls or processes personal data of 25,000 or more Colorado residents and derives revenue or receives a discount on the price of goods or services from the sale of personal data.
Effective date: July 1, 2023
Enforcement authorities: Both the Colorado Attorney General and district attorneys are empowered to enforce the law.
Enforcement date: July 1, 2023
CONNECTICUT
Law: The Connecticut Data Privacy Act
Applies to:
For-profit entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents and during the preceding calendar year satisfied one of the following criteria:
- Controlled or processed personal data of 100,000 or more Connecticut residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction).
- Controlled or processed personal data of 25,000 or more Connecticut residents and derived more than 25% of gross revenue from the sale of personal data.
Effective date: July 1, 2023
Enforcement authorities: Connecticut Attorney General
Enforcement date: July 1, 2023
DELAWARE
Law: The Personal Data Privacy Act
Applies to:
Entities that conduct business in Delaware or produce products / services targeted to Delaware residents and satisfy one of the following criteria:
- Control or process personal data of 35,000 or more Delaware residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
- Control or process personal data of 10,000 or more Delaware residents and derive more than 20% of gross revenue from the sale of personal data.
Effective date: January 1, 2025
Enforcement authorities: Delaware Department of Justice
Enforcement date: January 1, 2025
FLORIDA
Law: The Florida Digital Bill of Rights
Applies to:
For-profit entities (with an annual gross revenue in excess of $1 billion) that conduct business in Florida and that, jointly or alone, collect and control the processing of personal data about Florida residents, and satisfy one of the following criteria:
- Derives 50% or more of its global gross annual revenue from the sale of advertisements online, including targeted advertising.
- Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computer service that uses hands-free verbal activation (but not including vehicle-integrated speakers or software operated by a motor vehicle manufacturer or subsidiary thereof).
- Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download or install.
Effective date: July 1, 2024
Enforcement authorities: Florida Attorney General
Enforcement date: July 1, 2024
INDIANA
Law: The Indiana Consumer Data Protection Act
Applies to:
For-profit entities that conduct business in Indiana or produce products / services targeted to Indiana residents and during a calendar year satisfy one of the following criteria:
- Control or process personal data of 100,000 or more Indiana residents.
- Control or process personal data of 25,000 or more Indiana residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2026
Enforcement authorities: Indiana Attorney General
Enforcement date: January 1, 2026
IOWA
Law: The Iowa Consumer Data Protection Act
Applies to:
For-profit entities that conduct business in Iowa or produce products / services targeted to Iowa residents and during a calendar year satisfy one of the following criteria:
- Control or process personal data of 100,000 or more Iowa residents.
- Control or process personal data of 25,000 or more Iowa residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2025
Enforcement authorities: Iowa Attorney General
Enforcement date: January 1, 2025
KENTUCKY
Law: The Kentucky Consumer Data Protection Act
Applies to:
For-profit entities that conduct business in Kentucky or produce products / services targeted to Kentucky residents and during a calendar year satisfy one of the following criteria:
- Control or process personal data of 100,000 or more Kentucky residents.
- Control or process personal data of 25,000 or more Kentucky residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2026
Enforcement authorities: Kentucky Attorney General
Enforcement date: January 1, 2026
MARYLAND
Law: Maryland Online Data Privacy Act of 2024
Applies to:
Entities that conduct business in Maryland or produce products / services targeted to Maryland residents and satisfy one of the following criteria:
- Control or process personal data of 35,000 or more Maryland residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
- Control or process personal data of 10,000 or more Maryland residents and derive more than 20% of gross revenue from the sale of personal data.
Effective date: October 1, 2025
(However, the law will not have any effect on or application to processing activities prior to April 1, 2026.)
Enforcement authorities: Maryland Attorney General
Enforcement date: October 1, 2025
MINNESOTA
Law: The Minnesota Consumer Data Privacy Act
Applies to:
Entities that conduct business in Minnesota or produce products / services targeted to Minnesota residents and satisfy one of the following criteria:
- Control or process personal data of 100,000 or more Minnesota residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
- Control or process personal data of 25,000 or more Minnesota residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: July 31, 2025
Enforcement authorities: Minnesota Attorney General
Enforcement date: July 31, 2025
MONTANA
Law: The Montana Consumer Data Privacy Act
Applies to:
For-profit entities that conduct business in Montana or produce products / services targeted to Montana residents and satisfy one of the following criteria:
- Control or process personal data of 50,000 or more Montana residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
- Control or process personal data of 25,000 or more Montana residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: October 1, 2024 (spooky season!)
Enforcement authorities: Montana Attorney General
Enforcement date: October 1, 2024
NEBRASKA
Law: Nebraska Data Privacy Act
Applies to:
For-profit entities that:
- Conduct business in Nebraska or produce products / services consumed by Nebraska residents;
- Process or engage in the sale of personal data; and
- Are not a small business as defined by the US Small Business Administration.
Effective date: January 1, 2025
Enforcement authorities: Nebraska Attorney General
Enforcement date: January 1, 2025
NEW HAMPSHIRE
Law: An Act Relative to the Expectation of Privacy
Applies to:
For-profit entities that conduct business in New Hampshire or produce products / services targeted to New Hampshire residents and satisfy one of the following criteria:
- Control or process personal data of 35,000 or more New Hampshire residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
- Control or process personal data of 10,000 or more New Hampshire residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: January 1, 2025
Enforcement authorities: New Hampshire Attorney General
Enforcement date: January 1, 2025
NEW JERSEY
Law: Senate Bill 332
Applies to:
Entities that conduct business in New Jersey or produce products / services targeted to New Jersey residents and satisfy one of the following criteria:
- Control or process personal data of 100,000 or more New Jersey residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
- Control or process personal data of 25,000 or more New Jersey residents and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.
Effective date: July 15, 2025
Enforcement authorities: New Jersey Attorney General
Enforcement date: July 15, 2025
OREGON
Law: Senate Bill 619
Applies to:
Entities that conduct business in Oregon or produce products / services targeted to Oregon residents and satisfy one of the following criteria:
- Control or process personal data of 100,000 or more Oregon residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
- Control or process personal data of 25,000 or more Oregon residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: July 1, 2024
Enforcement authorities: Oregon Attorney General
Enforcement date: July 1, 2024
RHODE ISLAND
Law: The Rhode Island Transparency and Privacy Protection Act
Applies to:
For-profit entities that conduct business in Rhode Island or produce products / services targeted to Rhode Island residents and satisfy one of the following criteria:
- Control or process personal data of 35,000 or more Rhode Island residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
- Control or process personal data of 10,000 or more Rhode Island residents and derive more than 20% of gross revenue from the sale of personal data.
Effective date: January 1, 2026
Enforcement authorities: Rhode Island Attorney General
Enforcement date: January 1, 2026
TENNESSEE
Law: The Tennessee Information Protection Act
Applies to:
For-profit entities (with revenue in excess of $25 million) that conduct business in Tennessee producing products / services targeted to Tennessee residents and satisfy one of the following criteria:
- Control or process personal data of 175,000 or more Tennessee residents.
- Control or process personal data of 25,000 or more Tennessee residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: July 1, 2025
Enforcement authorities: Tennessee Attorney General
Enforcement date: July 1, 2025
TEXAS
Law: The Texas Data Privacy and Security Act
Applies to:
For-profit entities that conduct business in Texas or produce products / services targeted to Texas residents and satisfy all of the following criteria:
- Control or process personal data of Texas residents.
- Are not a small business as defined by the US Small Business Administration.
(However, the law imposes limited restrictions on for-profit entities that are classified as small businesses by the US Small Business Administration.)
Effective date: July 1, 2024
Enforcement authorities: Texas Attorney General
Enforcement date: July 1, 2024
UTAH
Law: The Utah Consumer Privacy Act
Applies to:
For-profit entities (with annual revenue in excess of $25 million) that conduct business in Utah or produce products / services targeted to Utah residents and satisfy one of the following criteria:
- Control or process personal data of 100,000 or more Utah residents during a calendar year.
- Control or process personal data of 25,000 or more Utah residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: December 31, 2023
Enforcement authorities: Utah Attorney General and the Department of Commerce’s Division of Consumer Protection
Enforcement date: December 31, 2023
VIRGINIA
Law: The Virginia Consumer Data Protection Act
Applies to:
For-profit entities that conduct business in Virginia or produce products / services targeted to Virginia residents and satisfy one of the following criteria:
- Control or process personal data of 100,000 or more Virginia residents during a calendar year.
- Control or process personal data of 25,000 or more Virginia residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2023
Enforcement authorities: Virginia Attorney General
Enforcement date: January 1, 2023