State | Type of Consumer Data Privacy Law↓ | Effective Date | Additional Consumer Privacy Data Law Details | |
---|---|---|---|---|
![]() | Alabama | Other Applicable Law | ||
![]() | Alaska | Other Applicable Law | ||
![]() | Arizona | Other Applicable Law | ||
![]() | Arkansas | Other Applicable Law | ||
![]() | Georgia | Other Applicable Law | ||
![]() | Hawaii | Other Applicable Law | ||
![]() | Idaho | Other Applicable Law | ||
![]() | Illinois | Other Applicable Law | ||
![]() | Kansas | Other Applicable Law | ||
![]() | Louisiana | Other Applicable Law | ||
![]() | Massachusetts | Other Applicable Law | ||
![]() | Mississippi | Other Applicable Law | ||
![]() | Missouri | Other Applicable Law | ||
![]() | New Mexico | Other Applicable Law | ||
![]() | North Carolina | Other Applicable Law | ||
![]() | North Dakota | Other Applicable Law | ||
![]() | Ohio | Other Applicable Law | ||
![]() | Oklahoma | Other Applicable Law | ||
![]() | Pennsylvania | Other Applicable Law | ||
![]() | South Carolina | Other Applicable Law | ||
![]() | South Dakota | Other Applicable Law | ||
![]() | West Virginia | Other Applicable Law | ||
![]() | Wisconsin | Other Applicable Law | ||
![]() | Wyoming | Other Applicable Law | ||
![]() | Maine | Narrow Privacy Law | ||
![]() | Michigan | Narrow Privacy Law | ||
![]() | Nevada | Narrow Privacy Law | ||
![]() | New York | Narrow Privacy Law | ||
![]() | Vermont | Narrow Privacy Law | ||
![]() | Washington | Narrow Privacy Law | ||
![]() | California | Comprehensive privacy laws | 2023 | California led the charge in being the first state to enact comprehensive data privacy legislation via the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). CCPA, signed into law on June 8, 2018, and which went into effect on Jan. 1, 2020, establishes privacy rights and business requirements for collecting and selling Californians’ personal information |
![]() | Colorado | Comprehensive privacy laws | 2023 | The Colorado Privacy Act (CPA), effective July 1, 2023, grants Colorado consumers five key rights related to their personal data: access, correction, deletion, data portability, and the ability to opt out. It protects information that can identify an individual, excluding de-identifiable and publicly available data. |
![]() | Connecticut | Comprehensive privacy laws | 2023 | The Connecticut Data Privacy Act (CTDPA), effective as of July 1, 2023, includes stronger data protections for children but a similar framework as its predecessors. |
![]() | Delaware | Comprehensive privacy laws | 2025 | Delaware Personal Data Privacy Act has stronger privacy rights for consumers, such as heightening protections for children’s data, broadening definitions of sensitive data, and being able to opt out of the processing of personal data for targeted advertising purposes. |
![]() | Florida | Comprehensive privacy laws | 2024 | The Sunshine State tackles issues related to tech platforms, like addressing alleged censorship of conservative viewpoints. The law requires search engines, such as Google, to disclose if they prioritize results based on political ideology and prohibits government-mandated content moderation on social media. |
![]() | Indiana | Comprehensive privacy laws | 2026 | The Indiana Consumer Data Protection Act will regulate businesses that process the personal data of at least 100,000 Indiana residents, or ones that handle the information of at least 25,000 state consumers but derive more than 50% of their revenue from selling data. |
![]() | Iowa | Comprehensive privacy laws | 2025 | Data Protection Act (ICDPA), is considered one of the most business-friendly so far, which privacy advocates say results in weaker data protections. Slated to go in effect Jan. 1, 2025, Iowa’s law does not grant consumers the right to delete or correct data collected by third parties. |
![]() | Kentucky | Comprehensive privacy laws | 2026 | The Kentucky Consumer Data Act (KCDPA) applies to entities that conduct business in the state or target residents and manage the personal data of at least 100,000 consumers per year. That threshold drops to 25,000 consumers if a business derives more than half its gross revenue from selling personal data. Businesses will have the opportunity to remedy violations within 30 days without penalty. Exemptions under the law include government entities, federally regulated financial institutions, and nonprofits |
![]() | Maryland | Comprehensive privacy laws | 2025 | Maryland’s law applies to companies that handle the personal data of at least 35,000 residents per year, or 10,000 residents if more than 20% of the company’s revenue comes from selling personal data. Children will receive heightened data privacy protections, as will sensitive data related to a person’s religious beliefs, sexual orientation, immigration status, and other similar information. |
![]() | Minnesota | Comprehensive privacy laws | 2025 | The law cover companies that handle the personal data of at least 100,000 Minnesota consumers each year. That threshold will drop to 25,000 consumers if the company makes more than a quarter of its revenue from selling personal data. Companies that fall under the federal definition of a small business will be exempt. |
![]() | Montana | Comprehensive privacy laws | 2024 | Montana’s Consumer Data Privacy Act limits the collection of personal data to only “adequate, relevant, and reasonably necessary” information. Residents have the right to opt-out or decline the sale of their personal data. |
![]() | Nebraska | Comprehensive privacy laws | 2025 | The Nebraska Data Privacy Act (NDPA) applies to companies that do business in the state or target its residents and also process or sell personal data. The law excludes federally defined small businesses and includes numerous exemptions, such as for federally regulated financial institutions. Residents have the right to request that companies correct or delete their data. |
![]() | New Hampshire | Comprehensive privacy laws | 2025 | The New Hampshire Privacy Act (NHPA) will apply to companies that handle the data of at least 35,000 state residents a year, or 10,000 if more than a quarter of their gross revenue comes from selling personal data. Consumers will have the right to know what data a company collects and opt out of certain uses, such as targeted advertising. |
![]() | New Jersey | Comprehensive privacy laws | 2025 | The New Jersey Data Privacy Act (NJDPA) provides New Jersey residents with comprehensive privacy protections against how companies collect and use their personal information. The law applies to entities that do business in the state and handle the personal data of at least 100,000 consumers per year, or at least 25,000 if the company also sells personal data |
![]() | Oregon | Comprehensive privacy laws | 2024 | One of the strongest data privacy laws passed to date, the Oregon Consumer Privacy Act (OCPA) includes provisions on biometric data, sensitive and personal data, and children’s data protections, and it doesn't have the same exemptions found in other state privacy laws. |
![]() | Rhode Island | Comprehensive privacy laws | 2026 | Consumers will have the right to confirm what data a company collects, correct it, receive a copy, and opt out of certain uses. Companies must also secure consent before processing sensitive data. |
![]() | Tennessee | Comprehensive privacy laws | 2025 | Backed with bipartisan support, the Tennessee Information Protection Act enables consumers to confirm that a business has collected their personal data, obtain a copy of the information, and request that inaccuracies be corrected |
![]() | Texas | Comprehensive privacy laws | 2024 | Texas Data Privacy and Security Act (TDPSA) will apply to large companies that do business in Texas or sell, collect, or process personal data. Small businesses will mostly be exempt. |
![]() | Utah | Comprehensive privacy laws | 2023 | On March 24, 2022, Utah became the fourth state to pass comprehensive data legislation. |
![]() | Virginia | Comprehensive privacy laws | 2023 | The law gives Virginians the right to access their data and request that their personal information be deleted by businesses. It also requires companies to conduct data protection assessments to process personal data for targeted advertising and sales purposes. |