US State Privacy Laws Comparison Chart (2026)
The US has no single federal comprehensive data privacy law. Instead, a growing patchwork of state legislation governs how businesses collect, use, and share consumers' personal data. Each state law differs in scope, consumer rights, enforcement mechanisms, and business obligations.
This guide provides a side-by-side comparison of every US state that has enacted a comprehensive consumer data privacy law as of March 2026, covering applicability thresholds, consumer rights, sensitive data rules, enforcement provisions, and key distinguishing features.
Overview of Enacted State Privacy Laws
The following states have enacted comprehensive consumer data privacy statutes (listed in order of enactment/signing):
- California - CCPA (2018) / CPRA (2020, effective 2023)
- Virginia - VCDPA (2021, effective Jan 2023)
- Colorado - CPA (2021, effective Jul 2023)
- Connecticut - CTDPA (2022, effective Jul 2023)
- Utah - UCPA (2022, effective Dec 2023)
- Iowa - ICDPA (2023, effective Jan 2025)
- Indiana - ICDPA (2023, effective Jan 2026)
- Tennessee - TIPA (2023, effective Jul 2025)
- Montana - MCDPA (2023, effective Oct 2024)
- Oregon - OCPA (2023, effective Jul 2024)
- Texas - TDPSA (2023, effective Jul 2024)
- Florida - FDBR (2023, effective Jul 2024)
- Delaware - DPDPA (2023, effective Jan 2025)
- New Hampshire - (2024, effective Jan 2025)
- New Jersey - NJDPA (2024, effective Jan 2025)
- Kentucky - KCDPA (2024, effective Jan 2026)
- Nebraska - NDPA (2024, effective Jan 2025)
- Minnesota - MCDPA (2024, effective Jul 2025)
- Maryland - MODPA (2024, effective Oct 2025)
- Rhode Island - RIDTPPA (2024, effective Jan 2026)
Several additional states have active privacy legislation in progress, and this list may expand through 2026 and 2027 legislative sessions.
Applicability Thresholds
One of the most important practical questions for any business: does this law apply to me? The thresholds vary significantly.
| State | Revenue Threshold | Data Processing Threshold | Additional Conditions |
|---|---|---|---|
| California | $25M gross revenue | 100,000+ consumers/households OR 50%+ revenue from selling/sharing PI | Any one of the three triggers |
| Virginia | None | 100,000+ consumers OR 25,000+ consumers if deriving revenue from data sales | Calendar year |
| Colorado | None | 100,000+ consumers OR 25,000+ consumers + revenue from data sales | Calendar year |
| Connecticut | None | 100,000+ consumers OR 25,000+ consumers + revenue from data sales | Excludes Connecticut government entities |
| Utah | $25M gross revenue | 100,000+ consumers OR 25,000+ consumers + 50%+ revenue from data sales | Both revenue AND data threshold required |
| Iowa | None | 100,000+ consumers OR 25,000+ consumers + 50%+ revenue from data sales | Calendar year |
| Indiana | None | 100,000+ consumers OR 25,000+ consumers + 50%+ revenue from data sales | Calendar year |
| Tennessee | $25M revenue | 175,000+ consumers OR 25,000+ consumers + 50%+ revenue from data sales | Revenue AND data threshold |
| Montana | None | 50,000+ consumers OR 25,000+ consumers + revenue from data sales | Lower consumer threshold |
| Oregon | None | 100,000+ consumers OR 25,000+ consumers + revenue from data sales | Includes nonprofit organizations |
| Texas | None | No data volume threshold | Applies to all entities doing business in Texas that process PI (excluding small businesses per SBA definition) |
| Florida | $1B gross revenue | N/A | Also requires: significant operations in FL, 50%+ revenue from ad sales, or operating a platform with 100M+ monthly active users |
| Delaware | None | 35,000+ consumers OR 10,000+ consumers + revenue from data sales | Lower thresholds |
| New Hampshire | None | 35,000+ consumers OR 10,000+ consumers + revenue from data sales | Lower thresholds |
| New Jersey | None | 100,000+ consumers OR 25,000+ consumers + revenue from data sales | Calendar year |
| Kentucky | None | 100,000+ consumers OR 25,000+ consumers + revenue from data sales | Calendar year |
| Nebraska | None | No data volume threshold | Applies to all entities that process PI of Nebraska residents (excluding small businesses) |
| Minnesota | None | 100,000+ consumers OR 25,000+ consumers + revenue from data sales | Calendar year |
| Maryland | None | 35,000+ consumers OR 10,000+ consumers + revenue from data sales | Lower thresholds |
| Rhode Island | None | 35,000+ consumers OR 10,000+ consumers + revenue from data sales | Lower thresholds |
Notable outliers: Florida's $1 billion revenue threshold limits the law to major corporations and large tech platforms. Texas and Nebraska apply broadly to all businesses processing personal data (with small business exemptions). Montana's 50,000-consumer threshold is the lowest among states using that model.
Consumer Rights Comparison
All enacted state privacy laws provide a core set of consumer rights, but the specific rights and their scope vary.
| Right | CA | VA | CO | CT | UT | IA | IN | TN | MT | OR | TX | FL | DE | NH | NJ | KY | NE | MN | MD | RI |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Access | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Delete | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Portability | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Opt out of sale | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Opt out of targeted ads | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Opt out of profiling | Yes | Yes | Yes | Yes | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Correct | Yes | Yes | Yes | Yes | No | No | No | No | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes |
| Appeal | No | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
California stands alone in providing the right to know what specific pieces of personal information a business has collected (not just categories) and the right to limit the use of sensitive personal information. Oregon is notable for granting consumers the right to obtain a list of specific third parties to whom their data has been disclosed.
Minnesota's law is distinctive in providing consumers the right to question the results of profiling and to be informed about the types of profiling a controller engages in. Maryland's MODPA takes a restrictive approach by requiring businesses to limit data collection to what is reasonably necessary for the purpose disclosed to the consumer, a data minimization standard stronger than most other state laws.
Sensitive Data Treatment
How each state handles sensitive personal data reveals important differences in privacy philosophy.
| State | Sensitive Data Consent Model | Categories of Sensitive Data |
|---|---|---|
| California | Right to limit use (opt-out) | SSN, financial, precise geolocation, race, religion, health, sex life, biometrics, communications content, genetic data |
| Virginia | Opt-in consent required | Race, religion, health, sex life, citizenship/immigration, genetic, biometric, children's data, precise geolocation |
| Colorado | Opt-in consent required | Same as Virginia |
| Connecticut | Opt-in consent required | Same as Virginia |
| Utah | Opt-in consent required | Race, religion, health, sex life, citizenship, biometric, genetic, geolocation, children's data |
| Iowa | Opt-in consent required | Race, religion, health, sex life, citizenship, biometric, genetic, geolocation, children's data |
| Oregon | Opt-in consent required | Broad definition including race, religion, health, sex life, citizenship, biometric, genetic, transgender/nonbinary status, precise geolocation, children's data |
| Texas | Opt-in consent required | Race, religion, health, sex life, citizenship, biometric, genetic, precise geolocation, children's data |
| Montana | Opt-in consent required | Standard categories similar to Virginia |
| Delaware | Opt-in consent required | Standard categories plus immigration status |
| Minnesota | Opt-in consent required | Broad definition; includes precise location, children's data, gender identity |
| Maryland | Opt-in consent required; sale/sharing prohibited | Standard categories; prohibits sale of sensitive data entirely |
| Nebraska | Opt-in consent required | Standard categories similar to Virginia |
Oregon stands out for explicitly including transgender and nonbinary status as sensitive data. Maryland's MODPA goes further than any other state by prohibiting the sale of sensitive personal data entirely, not just requiring opt-in consent.
Most state laws treat children's data as sensitive personal information. The age threshold is typically 13 (aligning with COPPA), though Connecticut applies heightened protections for data about consumers aged 13-15 in the context of targeted advertising.
Enforcement and Penalties
| State | Enforcement Authority | Maximum Penalty | Private Right of Action | Cure Period |
|---|---|---|---|---|
| California | AG + CPPA | $7,500/intentional violation | Yes (data breaches only) | 30 days (AG only; CPPA: none) |
| Virginia | AG | $7,500/violation | No | 30 days |
| Colorado | AG | $20,000/violation | No | 60 days (sunset Jan 2025) |
| Connecticut | AG | $5,000/violation (CUTPA) | No | 60 days (sunset Dec 2024) |
| Utah | AG | $7,500/violation | No | 30 days |
| Iowa | AG | $7,500/violation | No | 90 days |
| Indiana | AG | $7,500/violation | No | 30 days |
| Tennessee | AG | $7,500/violation | No | 60 days |
| Montana | AG | $7,500/violation | No | 60 days |
| Oregon | AG | $7,500/violation | No | 30 days (sunset Jan 2026) |
| Texas | AG | $7,500/violation | No | 30 days |
| Florida | AG (Dept. of Legal Affairs) | $50,000/violation | No | 45 days |
| Delaware | AG (DOJ) | $10,000/violation | No | 60 days (sunset Dec 2025) |
| New Hampshire | AG | $10,000/violation | No | 60 days |
| New Jersey | AG (DCA) | $10,000/first; $20,000/subsequent | No | 30 days (sunset Jul 2026) |
| Kentucky | AG | $7,500/violation | No | 30 days |
| Nebraska | AG | $7,500/violation | No | 30 days |
| Minnesota | AG | $7,500/violation | No | 30 days |
| Maryland | AG (DCP) | $10,000/violation; $25,000/subsequent | No | 60 days (sunset Apr 2027) |
| Rhode Island | AG | $10,000/violation | No | 30 days |
California remains the only state with a private right of action (limited to data breaches involving unencrypted personal information), with statutory damages of $100-$750 per consumer per incident. No other state comprehensive privacy law currently includes a private right of action.
Florida's $50,000 per-violation maximum is the highest among state privacy laws, though the law's narrow applicability (limited to businesses with over $1 billion in revenue) means it affects relatively few companies.
The trend toward eliminating or sunsetting cure periods reflects a maturation of the enforcement landscape. Early laws like Virginia and Utah have permanent cure periods, while newer laws like Colorado, Connecticut, Oregon, and Delaware included cure periods that expire, shifting from a collaborative to a punitive enforcement model over time.
Effective Dates Timeline
| Year | State Laws Taking Effect |
|---|---|
| 2020 | California CCPA |
| 2023 | California CPRA amendments, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA |
| 2024 | Montana MCDPA, Oregon OCPA, Texas TDPSA, Florida FDBR |
| 2025 | Iowa ICDPA, Delaware DPDPA, New Hampshire, New Jersey NJDPA, Nebraska NDPA, Tennessee TIPA, Minnesota MCDPA, Maryland MODPA |
| 2026 | Indiana ICDPA, Kentucky KCDPA, Rhode Island RIDTPPA |
Key Distinctions by State
Several states have provisions that set them apart from the majority model:
California (CCPA/CPRA): Only state with a dedicated privacy enforcement agency (CPPA). Only state with a private right of action. Lowest revenue threshold ($25M). Broadest definition of "sale" (any exchange for valuable consideration). Right to limit use of sensitive personal information rather than opt-in consent model.
Oregon (OCPA): Only state that applies to nonprofit organizations. Includes transgender/nonbinary status as sensitive data. Grants consumers the right to obtain a list of specific third parties receiving their data.
Texas (TDPSA): No data-processing volume threshold, applying to all businesses processing personal data (excluding SBA-defined small businesses). Combined with no revenue threshold, this gives Texas one of the broadest applicability scopes.
Maryland (MODPA): Prohibits the sale of sensitive personal data entirely. Imposes a data minimization standard requiring collection to be "reasonably necessary" for the disclosed purpose. Among the most protective state privacy laws enacted.
Minnesota (MCDPA): Grants profiling-related rights including the right to question profiling results. Requires privacy impact assessments. Includes a data minimization requirement.
Florida (FDBR): Narrowest applicability ($1B revenue threshold). Targets large technology companies and digital platforms. Includes specific provisions for children's online protections.
Montana (MCDPA): Lowest consumer threshold (50,000) among states using the volume-based model, reflecting Montana's smaller population.
How These Laws Interact with Federal Law
No comprehensive federal privacy law exists as of March 2026, though the American Data Privacy and Protection Act (ADPPA) has been introduced in multiple Congressional sessions. The relationship between state and federal privacy law involves several layers:
- HIPAA preempts state laws for covered health data but only applies to healthcare providers, insurers, and their business associates. State privacy laws cover health data held by other businesses (health apps, fitness trackers, etc.).
- GLBA preempts state laws for financial institutions regarding customer financial information, though state laws may impose additional requirements.
- COPPA provides a federal floor for children's data (under 13), but state laws can provide additional protections.
- FCRA governs consumer reporting agencies and is not preempted by state privacy laws.
Most state privacy laws explicitly exclude data that is already regulated by these federal frameworks, avoiding direct conflict.
For detailed analysis of individual state laws, see our state-by-state guides:
- California (CCPA/CPRA)
- Virginia (VCDPA)
- Colorado (CPA)
- Connecticut (CTDPA)
- Texas (TDPSA)
- Oregon (OCPA)
- Maryland (MODPA)
- Minnesota
For a comparison of these laws against international frameworks, see our GDPR vs CCPA analysis.
This information reflects the law as of March 2026. State privacy legislation is an active area, with new bills introduced in multiple states each legislative session. Consult an attorney for advice specific to your situation.
Sources and References
- California Consumer Privacy Act (CCPA)(leginfo.legislature.ca.gov).gov
- Virginia Consumer Data Protection Act (VCDPA)(law.lis.virginia.gov).gov
- Colorado Privacy Act (CPA)(leg.colorado.gov).gov
- Texas Data Privacy and Security Act (TDPSA)(capitol.texas.gov).gov
- Oregon Consumer Privacy Act (OCPA)(olis.oregonlegislature.gov).gov
- Maryland Online Data Privacy Act (MODPA)(mgaleg.maryland.gov).gov
- California Privacy Protection Agency (CPPA)(cppa.ca.gov).gov
- Connecticut Data Privacy Act (CTDPA)(cga.ct.gov).gov
- Minnesota Consumer Data Privacy Act(revisor.mn.gov).gov