In the absence of a federal law on data protection in the United States, the US states enact their own consumer privacy laws. 

The bad news is that you have to learn about each privacy and data laws to ensure that you comply with all of them. The good news is that they are very similar to each other, so complying with one law will do most of the work for complying with the others at the same time.

That's doable. We created a free report on the Dos and Donts of US Consumer Data Privacy Compliance for you to get an idea of what you need to do to be compliant while operating throughout the United States.

The US consumer data privacy law landscape

State laws on consumer data privacy comprise the US consumer data privacy landscape. Each state decides how to protect its residents, as there is no federal law on data protection.

Unlike most of the data protection laws worldwide, the state privacy laws in the United States, unlike most data protection laws worldwide, do not protect personal data. They protect consumers. The General Data Protection Regulation (GDPR) of the EU, for example, protects personal data. Instead, US state data privacy laws prioritize consumer protection.

Nevertheless, many of the laws guarantee the same privacy rights to consumers and prescribe similar obligations to businesses.

Consumer Data Privacy Laws in effect

So far, the following consumer privacy laws have come into effect:

Consumer Privacy Laws not yet in effect

The following states have passed a law, but it has not come into effect yet: 

Expected Comprehensive Consumer Data Privacy Laws in the US

We can't include them all here. We expect Kentucky, Georgia, and Wisconsin to be the next three states with comprehensive data privacy legislation. However, there are at least two dozen other states with some bills progressing in the legislative bodies, so it is hard to make any predictions.

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) 

The California Privacy Rights Act (CPRA) went into effect on January 1, 2023, and it imposed the following obligations on businesses: 

• Allowing consumers to opt out of the sale of personal information
• Allowing consumers to limit the processing of sensitive personal information
• Implement data minimization and purpose limitation principles
• Honoring CPRA consumer requests
• Providing consumers with a privacy notice
• Ensure that your service providers comply with the law
• Establish a data retention period

If you own a business or sell to people in California and meet at least one of the following criteria, you must abide by these rules: 

• Has annual gross revenue of over $25 million in the preceding calendar year.
• Buys, sells, or shares the personal information of 100,000 or more consumers or households.
• Gets 50% or more of its annual revenues from selling or sharing consumers’ personal information.

Businesses that engage in extensive marketing practices will easily fall under the purview of the CPRA. If your company must comply, read our in-depth article on CPRA requirements. 

Virginia Consumer Data Protection Act

Each violation of the Virginia Consumer Data Protection Act (VCDPA) will result in a $7,500 fine. If they meet at least one of the following criteria, businesses registered in Virginia or selling to Virginia customers must comply:

• Controls or processes the personal data of at least 100,000 Virginia residents, or
• Controls or processes the personal data of at least 25,000 Virginia consumers and derives over 50% of gross revenue from the sale of personal data in a calendar year.

The following are some of the legal requirements for affected businesses: 

• Allow consumers to opt out of the sale of personal information
• Provide consumers with a privacy notice
• Ensure that you have data processing agreements in place with your data processors
• Honor consumer requests
• Conduct a Privacy Impact Assessment if required for your processing activities.

You can find more information about the Virginia Consumer Data Protection Act here. It went into effect on January 1, 2023. 

Colorado Privacy Act

The Colorado Privacy Act took effect on July 1, 2023. It imposes the following obligations on affected businesses: 

• Provide consumers with mechanisms to opt out of the sales of personal information, targeted advertising, and profiling
• Provide consumers with a privacy notice
• Conduct a data protection impact assessment where there is a risk to consumers
• Honor consumer requests

Failure to comply with CPA requirements results in fines of up to $20,000, the highest penalty cap in the US. If you register in Colorado, offer goods or services to Colorado residents, and meet at least one of the following thresholds, you must adhere to the law:

• 100,000 consumers or more during a year
• 25,000 consumers or more, and generate revenue from the sale of personal data, potentially through a discount on the price of goods or services.

The thresholds are not as high as they appear on the surface. If your Facebook Pixel collects browsing data from at least 100,000 Colorado residents, you will be subject to the law. 

Our in-depth article provides more information on the CPA. You can also learn about CPA's Cookie Consent Requirements.

Connecticut Data Privacy Act

The Connecticut Data Privacy Act (CTDPA) took effect on July 1, 2023, and it includes similar requirements to the CPA, such as: 

• Allow consumers to opt out of the processing of sensitive personal information
• Collect and process only the minimum amount of data needed for processing purpose
• Provide consumers with a privacy notice
• Conduct data protection assessments where the processing may pose a risk.

Furthermore, the applicability criteria are the same as in Colorado law. The CTDPA applies to Connecticut businesses as well as non-Connecticut businesses that interact with Connecticut customers if they meet at least one of the following requirements: 

• Process data collected from 100,000 or more consumers, excluding personal data, controlled or processed solely for the purpose of completing a payment transaction.
• Process the data of 25,000 or more consumers and derive more than 25% of their gross revenue from selling personal data.

We have an in-depth article on CTDPA requirements for your business where you can learn more about how to prepare for compliance. 

Utah Consumer Privacy Act

The Utah Consumer Privacy Act (UCPA) will take effect on December 31, 2023. You should be ready if you: 

• Conduct business in the state of Utah or produce a product or service that is targeted to consumers who are Utah residents of the state, and
• Have annual revenue of $25,000,000 or more, and
• Meet one or more of the following thresholds: During a calendar year, control or process the personal data of 100,000 or more Utah residents, Derive over 50% of the entity’s gross revenue from the sale of personal data and Control or process the personal data of 25,000 or more consumers.

It will not affect all businesses, but if you are required to comply, you must be prepared to: 

• Provide consumers with mechanisms to opt out of the sale of personal information or from targeted advertising
• Have processing agreements in place
• Provide consumers with a privacy notice
• Honor consumer requests

The fine is up to $7,500 per violation. 

You can find more information about the Utah UCPA here.

Iowa Data Privacy Act

On March 28, 2023, the Iowa Data Privacy Act became a law. It comes into effect on January 1, 2025.

It won’t affect all businesses, but only those that do business in Iowa or target Iowa residents, and either:

• Control or process the personal data of more than 100,000 consumers, or
• Control or process the personal data of more than 25,000 and derive at least 50% of the gross revenue by selling the data.

There are no revenue thresholds, like in other US states.

The IDPA imposes the standard legal obligations on businesses that are affected, including

• Limiting data processing to the specified purposes
• Provide consumers with a privacy notice
• Allow consumers to opt out of the sale of personal information
• Respond to consumer requests for access, deletion, portability, opt-out, and others
• Have written contracts with service providers
• Ensure that the data is safe

Check out our latest article to explore IDPA in more detail.

Indiana Data Privacy Law

The Indiana Data Privacy Law was signed on May 1, 2023, and comes into effect on January 1, 2026. Until then, affected businesses have enough time to adjust to their requirements.

If you comply with other privacy laws already, it won’t be much of a hassle. The IDPL requirements overlap greatly with other US state privacy laws.

This applies to businesses operating from Indiana or targeting residents of Indiana.

• Control or process the personal data of more than 100,000 consumers, or
• Control or process the personal data of more than 25,000 and derive at least 50% of the gross revenue by selling the data.

Again, there are no revenue thresholds for applicability.

The IDPL grants consumers privacy rights, including the right to know, to delete, to opt out, and others. It requires businesses to:

• Honor consumer requests
• Allow consumers to opt out of the sale of personal information
• Provide them with a comprehensive privacy notice
• Conduct a data impact assessment in the case of targeted advertising
• Limit the processing to the intended purposes
• Obtain explicit consent for the processing of sensitive personal data

Tennessee Information Protection Act

On May 11, 2023, lawmakers passed the Tennessee Information Protection Act (TIPA). Starting on July 1, 2025, it affects the following businesses:

• Conducting business from Tennessee or with residents of Tennessee
• Exceeds $25 million in annual revenue, and Meets one of the following criteria:
  Control or process the personal data of more than 175,000 Tennessee consumers, or Control or process the personal data of more than 25,000 Tennessee consumers and derive at least 50% of the gross revenue by selling the data.

If the TIPA applies to you, here’s what you must do:

• Provide consumers with a privacy notice and a privacy policy
• Honor consumer requests to know, access, delete, and others
• Process the data only for the purposes it has been collected for
• Allow consumers to opt out of the sale of their data
• Have written contracts with service providers

Montana Consumer Data Privacy Act

The Montana Consumer Data Privacy Act (MTCDPA) made Montana the ninth US state to pass a data privacy law. It was passed on May 19, 2023, and comes into force on October 1, 2024.

This applies to businesses that operate from Montana or target Montana residents who:

• Control or process the personal data of more than 50,000 Montana consumers, or
• Control or process the personal data of more than 25,000 Montana consumers and derive at least 50% of the gross revenue by selling the data.

That leads to the following obligations:

• Responding to consumers’ requests
• Enabling consumers to opt out of the sale of data
• Recognize universal opt-out mechanisms
• Serving consumers with a privacy notice and a privacy policy
• Obtain explicit consent before collecting sensitive data
• Conduct data protection impact assessments for processing sensitive data, selling data, or using data for targeted advertising and/or profiling.

Check out our article on MTCDPA.

Texas Data Privacy and Security Act

The Texas Data Privacy and Security Act (TDPSA) was passed on May 28, 2023, and will be enforced starting on July 1, 2024.

The TDPSA applies to businesses that:

• Operate in Texas or target Texas residents,
• Process of engaging in the sale of personal information, and
• Is not excluded as a small business, according to the Small Business Administration.

The definition of small business by the Small Business Administration is vague and depends on various criteria.

The two primary criteria used by the SBA to define a small business are:

• Employee-based size standards take into account the average number of employees in a business over a 12-month period. The number of employees can vary depending on the industry. For example, in manufacturing, the limit for a small business ranges from 500 to 1,500 employees, depending on the specific industry.
• Revenue-based size standards, taking into account the average annual revenue of a business over a specific period. The revenue thresholds also vary by industry. For example, in the retail trade industry, the maximum average annual receipts for a business to be considered small can range from $7.5 million to $41.5 million, depending on the specific type of retail trade.

If you belong to any of these groups, here’s what you need to do by October 2024:

• Allow opting out of the sale of personal data
• Honor consumer requests
• Obtain explicit consent for the processing of sensitive data
• Conduct data protection impact assessments
• Have written contracts with service providers

If you're interested in learning more, check out our article on TDPSA.

Delaware Personal Data Privacy Act

The Delaware Personal Data Privacy Act was passed on June 30, 2023, and is set to take effect on January 1, 2025, pending governor approval.

The DPDPA covers businesses that:

• Control or process personal data on more than 35,000 consumers, or
• Derive 20% of revenue from selling the data of more than 10,000 consumers.

Notably, the DPDPA does not exempt most nonprofit organizations and contains a 60-day cure provision that sunsets on December 31, 2025.

If you are covered by the DPDPA, here is a list of what you’re required to do:

• Limit the collection of personal data to what is adequate, relevant, and reasonably necessary
• Obtain consent for the processing of sensitive data
• Honor consumer requests
• Allow consumers to opt out of processing through an opt-out preference signal
• Provide a privacy notice to consumers
• Conduct data protection assessments

Update: On September 11, 2023, Delaware Governor John Carney signed the Delaware Personal Data Privacy Act (DPDPA). Learn what you need to know about the DPDPA.

Oregon Consumer Privacy Act

On June 22, 2023, the Oregon Consumer Privacy Act was passed. The bulk of OCPA’s requirements will take effect on July 1, 2024 (with a July 1, 2025 effective date for nonprofit organizations).

The OCPA applies to businesses doing business in Oregon or targeting Oregon residents, and:

• Control or process the personal data of more than 100,000 consumers, or
• Control or process the personal data of more than 25,000 and derive at least 25% of the gross revenue by selling the data.

There are novel consumer rights introduced in the OCPA that businesses need to be aware of. Aside from the right to access, correct, delete, and receive personal information, individuals also have the following additional rights:

• Right to obtain a list of the “specific third parties” to whom a controller discloses personal data
• Right to request the deletion of “derived data”

Businesses covered by the OCPA must do the following:

• Obtain consent for the processing of sensitive data
• Obtain affirmative consent in order to profile adolescent data
• Honor consumer requests
• Allow consumers to opt out of targeted advertising, data sales, and significant profiling decisions
• Provide a privacy notice to consumers
• Conduct data protection impact assessments and retain them for five years

Read more about the Oregon Consumer Privacy Act.

New Jersey Consumer Data Privacy Bill

The New Jersey Consumer Data Privacy Bill was passed in January 2024 and comes into effect on January 16, 2025. The Connecticut privacy law served as its model.

It applies to businesses that conduct business in New Jersey or offer products or services to residents of the state, and that during a calendar year either:

• Control or process the personal data of at least 100,000 consumers, excluding data processed solely to complete a payment transaction; or
• Control or process the personal data of at least 25,000 consumers, and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.

Meeting these thresholds leads to the following obligations:

• Collect only the minimum amount of data necessary for processing purposes and process it for adequate purposes;
• Collect consent for the processing of sensitive or children's data and provide mechanisms for revoking consent;
• Obtain consent for processing the data of a child for purposes of targeted advertising, the sale of the consumer’s personal data, or profiling, where the controller has actual knowledge, or willfully disregards, that the consumer is at least 13 years of age but younger than 17 years of age;
• Inform consumers about the processing, including the purposes of processing
• Implement administrative, technical, and physical data security measures;
• Honor consumer requests;
• Conduct a data protection impact assessment where necessary, and
• Ensure that they have written agreements with service providers for the processing of data.

The New Jersey privacy legislation grants consumers the right to:

• Confirm whether a controller processes the consumer’s personal data and accesses such personal data, trade secrets excluded;
• Correct inaccuracies in the consumer’s personal data;
• Delete their own personal data;
• Data portability and
• Opt out of processing personal data for targeted advertising or sales of data.

Read more about the New Jersey Consumer Data Privacy Bill.

New Hampshire Consumer Data Privacy Act

The comprehensive privacy legislation in New Hampshire applies to businesses that offer products and services specifically targeted at New Hampshire residents.

• Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely to complete a payment transaction; or
• Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.

These laws are significantly lower compared to those in the other comprehensive data privacy laws throughout the United States. Meeting them leads to the requirement of providing consumers with the same privacy protections as in other states.

To learn more about how to navigate the data collection and processing of New Hampshire residents, read our detailed article on the New Hampshire Consumer Data Privacy Act.

Kentucky Consumer Data Protection Act

The Kentucky Consumer Data Protection Act does not differ much from the other US state privacy bills.

It grants Kentucky consumers the same rights as the other states, including the right to:

• Know
• Access
• Delete
• Data Portability
• Opt-out of the sale of data or processing for targeted advertising

Covered businesses must either:

• Process the data of at least 100.000 Kentucky residents,
• Process the data of at least 25.000 Kentucky residents and derive at least 50% of the profits from the sale of personal data

These businesses must implement technical and organizational safeguards to protect the data, respond timely to consumer requests, conduct data protection impact assessments for high-risk processing, and perform other duties.

Read in detail about the Kentucky Consumer Data Processing Act.

Maryland Online Data Privacy Act (MODPA)

The Maryland Online Data Privacy Act (MODPA) brings strict data minimization requirements. Aside from that, it does not differ too much from other state laws.

Maryland consumers have the right to:

• Know
• Access
• Delete
• Data Portability
• Opt-out of the sale of data or processing for targeted advertising or profiling.

It has lower thresholds for applicability compared to other states. It applies to any business that operates from Maryland or targets Maryland consumers and either:

• Processes the data of at least 35.000 consumers, or
• Processes the data of at least 10.000 consumers and derives at least 20% of its revenue from the sale of data.

The Maryland law is typical for its strict data minimization and purpose limitation requirements. It is the first US state consumer privacy law to ban selling sensitive data and children's data.

Read more about the Maryland Online Data Privacy Act.

Nebraska Data Privacy Act (NDPA)

The Nebraska Data Privacy Act bears a strong resemblance to the Texas state consumer privacy law, primarily because of its applicability requirements. It applies to businesses that:

• Do business with Nebraska residents
• Are not small businesses under the Small Businesses Act, and
• Engage in the processing or sale of personal data.

Furthermore, it grants Nebraska consumers the following rights:

• Know
• Access
• Delete
• Data Portability
• Opt-out of the sale of data, processing for targeted advertising, or profiling

Covered entities must honor consumer requests, but they must also implement technical and organizational safeguards to protect the data, process only the minimum amount of data, and fulfill other obligations.

Read in detail about the Nebraska Data Privacy Act.

Minnesota Consumer Data Privacy Act (MCDPA)

The Minnesota Consumer Data Privacy Act is quite similar to the other US state privacy bills, which means that complying with the other laws may automatically mean compliance with the MCDPA simultaneously.

The law grants Minnesota consumers the same rights as those in other states, including the following:

• Know
• Access
• Delete
• Data Portability
• Opt out of the sale of data or processing for targeted advertising

Covered businesses must either:

• During a calendar year, you must control or process the personal data of at least 100,000 consumers (excluding payment transaction data).
• Derive over 25% of gross revenue from the sale of personal data and process the personal data of at least 25,000 consumers.

Covered businesses must limit the use of data, collect only the minimum necessary data, implement technical and organizational safeguards to protect the data, respond timely to consumer requests, conduct data protection impact assessments for high-risk processing, and perform other duties.

Read in detail about the Minnesota Consumer Data Privacy Act.

Vermont Data Privacy Act (VDPA)

The Vermont landmark state privacy bill has very low applicability thresholds, meaning it will apply to most businesses.

It applies to many businesses, keeping in mind the low applicability thresholds. This applies to businesses that operate in Maryland.

• Controlled or processed the personal data of at least 25,000 consumers, excluding data processed solely for payment transactions.
• Controlled or processed the personal data of at least 12,500 consumers and derived more than 25% of their gross revenue from the sale of personal data.

Covered businesses must ensure data security, allow consumers to opt out of certain types of data processing, minimize data usage, and perform other duties. They also have the duty to honor consumer requests. Maryland consumers have the right to:

• Know
• Access
• Delete
• Data Portability
• Opt out of the sale or processing of data for targeted advertising or profiling.

Read in more detail about the Vermont Data Privacy Act.

What comes next for the data privacy legislation in the US?

Comprehensive privacy laws are in the process of passing in many other US states. Legislative bodies are progressing with these laws, and you'll find details about them here as soon as they pass.

In the meantime, take care of the compliance with the processing of personal data that is underway in your organization. We prepared a short guide that takes only a few minutes to read and will give you an idea of what you need to do to navigate the comprehensive consumer privacy legislation in the US, how to protect the privacy rights of consumers, and how to keep your business safe from penalties.