Last Updated: August 13, 2024
U.S. State Privacy Laws
California
The California Privacy Rights Act (CPRA) expanded and amended the California Consumer Privacy Act (CCPA), granting employees and business contacts, in addition to consumers, rights over their personal information. Companies doing business with California residents must honor these rights and align to a number of obligations intended to protect individuals’ personal data. As of July 1, 2023, enforcement is through the newly created California Privacy Protection Agency (CPPA).
CPRA carries maximum fines of $7,500 per intentional or $2,500 per unintentional violation, and $7,500 for violation of the privacy rights of minors, and tightened expectations on organizations by removing the 30-day window businesses had to correct the situation before the Attorney General could take action.
California was the first U.S. state to pass comprehensive consumer privacy rights legislation.
California Privacy Rights
Law Status: In Effect
Effective Date: January 1, 2023
Right to Access
Right to Correction
Right to Deletion
Right to Data Portability
Automated Decision Making
Opt-out of Processing – Sensitive Data (only)
PRoA - Limited to Certain Violations
Colorado
With the Colorado Privacy Act (CPA), Colorado became the third state to enact comprehensive consumer privacy legislation. The CPA's personal data definition is broad, including any information linked or reasonably linked to an identified or identifiable individual, excluding de-identified or publicly available information as defined.
Alongside typical expectations seen in similar state laws, covered businesses must implement and maintain reasonable administrative, technical, and physical safeguards, and must establish technical specifications of a user-selected universal opt-out mechanism by July 1, 2024.
The CPA provides businesses a 60-day window to correct a violation, but this cure period is only in effect until January 1, 2025.
Colorado Privacy Rights
Law Status: In Effect
Effective Date: July 1, 2023
Connecticut
The Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) is similar to the laws of the four states (CA, VA, CO, UT) that passed comprehensive consumer privacy legislation before it, but differs in significant ways. The CTDPA does not have an overriding revenue threshold like CPRA, and narrows its scope by carving out data that is collected solely for payment transactions.
Similar to Colorado and California, Connecticut defines the "sale of personal data" to include "the exchange of personal data for monetary or other valuable consideration" to a third party, which is a broader definition compared to Utah and Virginia. Also broader than Utah or Virginia, Connecticut consumers may "obtain a copy of the consumer's personal data processed by the controller" without limit to only their "previously provided" personal data.
Like Colorado, the CTDPA provides businesses a 60-day window to correct a violation, but this cure period is only in effect until January 1, 2025.
Connecticut Privacy Rights
Law Status: In Effect
Effective Date: July 1, 2023
Delaware
Delaware's Personal Data Privacy Act (HB154) makes it the twelfth state to enact comprehensive consumer privacy legislation. The DPDPA is closely aligned to Connecticut and will provide rights to consumers and prohibit processing sensitive personal data without consent. Similar to Montana, the DPDPA lowers the typical 100,000 consumer threshold to just 35,000, which is just under 3.5% of the state's population.
The DPDPA incorporates privacy by design principles such as purpose limitation and reasonable data security practices, as well as compliance with universal opt-out mechanisms.
Like Colorado and Connecticut, the DPDPA provides businesses a 60-day window to correct a violation, but this cure period is only in effect until December 31, 2025. The requirements of the DPDPA are in addition to requirements outlined by the existing, less stringent Delaware Online Privacy and Protection Act (DelOPPA).
Delaware Privacy Rights
Law Status: Signed
Effective Date: January 1, 2025
Indiana
Lucky number seven to pass comprehensive consumer privacy legislation, Indiana's Consumer Data Privacy Act (ICDPA) is closely aligned to Virginia's CDPA, but like Connecticut, does not have a revenue threshold for businesses.
The IDPL gives businesses an option to streamline responses to consumer requests by providing a representative summary of a consumer's personal data in lieu of the data itself. Certain activities such as targeted advertising, sale of data, profiling, and processing of sensitive data require a data protection impact assessment, but assessments prepared for compliance with other laws may be considered sufficient.
While the ICDPA is closely aligned to existing states' requirements and businesses who have taken steps to comply with those should be well positioned for Indiana's law to take effect, the Indiana Attorney General is quite active in the area of privacy enforcement, so businesses processing consumer personal data should take this time to ensure preparedness.
Indiana Privacy Rights
Law Status: Signed
Effective Date: January 1, 2026
Iowa
In March, Iowa became the sixth state to pass a comprehensive consumer privacy law with legislation that is a bit broader than others in some areas, a bit more lenient in others.
Like Indiana, the Iowa Data Privacy Law (IDPL) does not include a revenue threshold, meaning small businesses may be subject to the requirements. More business-friendly than other states, the law does not include a right to correct, nor to opt out of profiling. Additionally, the law includes a right to opt OUT of processing sensitive personal data, rather than the right to opt in.
The IDPL does not align to key privacy principles, including purpose limitation and data minimization; it does not require recognition of opt-out preference signals, nor are data protection assessments required. The IDPL includes the longest cure period thus far at 90 days.
Iowa Privacy Rights
Law Status: Signed
Effective Date: January 1, 2025
Montana
The ninth comprehensive state privacy law to be passed, the Montana Consumer Data Privacy Act (MTCDPA), aligns closely to Connecticut's Data Privacy Act (CTDPA) in several ways. MTCDPA requires businesses to recognize universal mechanisms for opting out of the sale of personal data and of targeted advertising, and permits consumers to delete all personal data a business has about them (not just information the business has collected directly). Also in line with the CTDPA, as well as California's CPRA, businesses may not sell the data of 13- to 16-year-olds without consent for the purposes of targeted advertising.
The MTCDPA has the second lowest threshold for applicability so far at 50,000 state residents or 25,000 with >25% of revenue from sale of data, which makes sense considering Montana is the least populous state. 50,000 is nearly 9% of the total population, whereas the 100,000 threshold applicable to the most populous state, California, is merely 0.25% of the state's population.
Montana Privacy Rights
Law Status: Signed
Effective Date: October 1, 2024
Oregon
With the passing of Senate Bill 619, Oregon is the 11th overall and sixth state in 2023 to pass a comprehensive consumer privacy law. The Bill lacks the broad exemptions of most other state laws such as HIPAA covered entities and business associates, nor, like Colorado, does it exempt non-profits.
Uniquely, the Oregon Bill has a broad definition of sensitive data that includes transgender or non-binary status. Like CA, CO, CT and MT, controllers that sell personal data or use personal data for targeted advertising must respond to universal opt-out signals.
For the first 6 months, there will be a 30 day cure period, terminating January 1, 2025. Private right of action is provided after January 1, 2026.
Oregon Privacy Rights
Law Status: In Effect
Effective Date: July 1, 2024
Tennessee
Tennessee's Information Protection Act (TIPA) is foundationally the most similar to Virginia, Utah and Iowa compared to the seven other states that have passed similar comprehensive consumer privacy laws. This is highlighted in the defined criteria for what constitutes sales of personal data that require opt-in consent and a 60 day cure period which does not expire. Notably, the TIPA raised the typical 100,000 consumer threshold to 175,000, which is approximately 2.5% of the state's population.
Unique to TIPA is the safe harbor allowing companies to defend themselves against claims of violations by pointing to a written privacy program aligned to the National Institute of Standards and Technology (NIST) Privacy Framework. TIPA does not provide for private right of action penalties of $7,500 per violation.
Tennessee Privacy Rights
Law Status: Signed
Effective Date: July 1, 2025
Texas
Texas has become the tenth state overall, and fifth in 2023, to enact a comprehensive consumer privacy law. Modeled after Virginia with aspects that align well to California, the Texas Data Privacy & Security Act (TDPSA) does not contain dollar thresholds, but rather includes businesses operating in Texas or whose products or services are consumed by Texans, processing consumer personal data of Texans, and who are NOT a "small business" as defined by the U.S. Small Business Administration. Uniquely, this extends applicability to companies whose products or services are merely used by Texas residents, even if Texas residents are not necessarily a targeted audience.
Texas is the first state since California to require "two or more" methods for individuals to submit requests to exercise their rights over their personal data, unless, as in California, the business operates only online, in which case an email address for submitting requests is the minimum required option.
Confusingly, TDPSA allows for individuals to use opt-out preference signals, but does not obligate businesses to comply if they do not possess the ability to process the request.
Texas Privacy Rights
Law Status: In Effect
Effective Date: July 1, 2024
Utah
The fourth comprehensive state privacy bill to be signed, the Utah Consumer Privacy Act (UCPA) uses similar definitions and provisions as Virginia and Colorado but includes an exemption where "sensitive data" does not include information that reveals racial or ethnic origin when processed by a video communication service (undefined).
Further, the UCPA does not require businesses controlling the collection and processing of personal data to obtain opt-in consent to collect and process sensitive data, but individuals must receive a clear privacy notice and an opportunity to opt-out of processing.
UCPA includes a 30 day cure period, no private right of action, penalties up to $7,500 per violation, and preempts any other state and local privacy laws.
Utah Privacy Rights
Law Status: In Effect
Effective Date: December 31, 2023
Virginia
The second comprehensive privacy law in the country, Virginia's Consumer Data Privacy Act (VCDPA) contains similar scope and rights as California, with significant differences. There is no revenue threshold - businesses are subject to the requirements if they conduct business in Virginia, produce products or services targeted at Virginia residents, and control or process data of >100,000 consumers or >25,000 consumers with >50% of gross revenue from selling personal data.
Virginia is the first state to require opt-in consent before businesses process sensitive personal data, similar to the European Union's General Data Protection Regulation (GDPR).
Both California and Virginia require clear privacy notices, though VCDPA does not include the annual update requirement. While VCDPA also allows for fines up to $7,500 per violation, there is no private right of action.
Virginia Privacy Rights
Law Status: In Effect
Effective Date: January 1, 2023
Florida
Florida's Digital Bill of Rights is not a comprehensive approach like the other states profiled here. Florida has narrowly defined the businesses subject to the requirements to include those that operate in Florida, collect personal data, make in excess of $1B annual revenue and meet one or more of the following criteria:
>50% global revenue from online advertising
Operates a consumer smart speaker and voice command component service..., or
...operates an app store with at least 250k offerings.
There are strict requirements for establishing consumer consent which go beyond acceptance of general terms of use or a privacy notice. Consent must be specific, informed, and unambiguous and may not utilize "dark patterns".
The Florida AG will carry enforcement authority with provisions for penalties up to $50,000 per violation, or $150,000 in case of violations involving minors.
Florida Privacy Rights
Law Status: In Effect
Effective Date: July 1, 2024
Opt-out of Sale
Automated Decision Making – Limited to Certain Conditions
Opt-in for Sensitive Data Processing
Opt-out of Processing – Profiling/Targeted Advertising
Right to request a business stop processing your personal information.
PRoA - Limited to Certain Violations
ADM (Automated Decision Making)
Right to Data Portability
Opt-out of Processing – Profiling/Targeted Advertising
Opt-out of Sale
Opt-in for Sensitive Data Processing
Right to Access
Right to Correction
Right to Deletion
Right to Data Portability
Automated Decision Making
Opt-out of Processing – Sensitive Data (only)
Opt-out of Sale
Opt-out of Processing is actually Opt-IN
Opt-out of Automated Decision Making
Automated Decision Making – Limited to Certain Conditions
Right to Access
Right to Correction
Right to Deletion
Right to Data Portability
Opt-out of Sale
Right to Access
Right to Correction
Right to Deletion
Right to Data Portability
Right to Access
Right to Deletion
Opt-out of Processing – Profiling/Targeted Advertising
Opt-out of Sale
Right to Access
Right to Correction
Right to Deletion
Right to Data Portability
Opt-out of Processing – Profiling/Targeted Advertising
Automated Decision Making – Limited to Certain Conditions
Opt-in for Sensitive Data Processing
Opt-out of Sale
Right to Access
Right to Deletion
Right to Data Portability
Automated Decision Making – Limited to Certain Conditions
Opt-out of Sale
Right to Access
Right to Correction
Right to Deletion
Right to Data Portability
Opt-out of Automated Decision Making – Limited
Opt-in for Sensitive Data Processing
Opt-out of Sale
Opt-out of Processing – Profiling/Targeted Advertising
Right to Data Portability
Right to Access
Right to Correction
Right to Deletion
Opt-out of Processing – Profiling/Targeted Advertising
Opt-out of Sale
Opt-in for Sensitive Data Processing
Opt-out of Automated Decision Making – Limited
Right to Data Portability
Right to Access
Right to Correction
Right to Deletion
Opt-in for Sensitive Data Processing
Opt-out of Sale
Opt-out of Processing – Profiling/Targeted Advertising
Right to Data Portability
Right to Access
Right to Correction
Right to Deletion
Opt-in for Sensitive Data Processing
Opt-out of Processing – Profiling/Targeted Advertising
Opt-out of Sale
Right to Data Portability
Right to Access
Right to Correction
Right to Deletion
Opt-in for Sensitive Data Processing
Opt-out of Sale
Opt-out of Processing – Profiling/Targeted Advertising
Right to Access
Right to Correction
Right to Deletion
Opt-in for Sensitive Data Processing
Opt-out of Sale
Opt-out of Processing
Opt-out of Automated Decision Making – Limited
Opt-out of Automated Decision Making – Limited
Opt-out of Automated Decision Making – Limited
Louisiana
The Louisiana Senate is considering the proposed Louisiana Consumer Privacy Act (LCPA) to provide rights to consumers. But unlike other states, this legislation does not include opt-in for sensitive data processing or opt-out of automated decision making. The LCPA also does not provide for private right of action.
The LCPA incorporates privacy by design principles for reasonable security measures.
If enacted, the effective date would be December 31, 2024.
Louisiana Privacy Rights
Law Status: In Legislative Process
Effective Date: January 1, 2025
Right to Access
Right to Correction
Right to Deletion
Right to Data Portability
Opt-out of Sale
Opt-out of Processing – Profiling/Targeted Advertising
Maine
In late May 2023, lawmakers presented An Act to Create Data Privacy and Protection Act (LD 1977) in the Maine House of Representatives. The act sets obligations for businesses, such as requiring a privacy notice outlining data collection, processing and transfer activities, mitigating risks, implementing reasonable safeguards and establishing a training program to promote compliance.
An impact assessment would be required where "covered algorithms" are applied to personal data. Such use cases qualifying for an assessment would involve the use of "machine learning, natural language processing, artificial intelligence techniques or other computational processing techniques of similar or greater complexity," including when used to rank products or services or determine the display of information to an individual. Businesses that are not "small businesses" would be required to conduct a privacy impact assessment every other year.
If enacted, the effective date would be 180 days after the legislature adjourns.
Maine Privacy Rights
Law Status: In Legislative Process
Right to Data Portability
Right to Access
Right to Correction
Right to Deletion
Opt-out of Processing – Profiling/Targeted Advertising
Automated Decision Making – Limited to Certain Conditions
Opt-out of Sale
Opt-in for Sensitive Data Processing
Massachusetts
The Massachusetts Data Privacy Protection Act (MDPPA) proposes to expand rights for Massachusetts residents over their personal data beyond the MA Data Protection Act (201 CMR 17).
The MDPPA incorporates privacy by design principles such as purpose limitation, technical safeguards and notice requirements. The legislation also requires data protection assessments and creates a private right of action. Like New York and Oklahoma, the MDPPA does not contain a cure period.
The MDPPA exempts information regulated under HIPAA. But unlike most other similar state laws, the MDPPA does not exempt other federally regulated data, such as data regulated under the Gramm-Leach-Bliley Act (GLBA).
Massachusetts Privacy Rights
Law Status: In Legislative Process
Right to Data Portability
Right to Access
Right to Correction
Right to Deletion
Opt-out of Processing – Profiling/Targeted Advertising
Automated Decision Making – Limited to Certain Conditions
Opt-out of Sale
Opt-in for Sensitive Data Processing
PRoA - Limited to Certain Violations
Michigan
The Michigan Personal Data Privacy Act (SB 659) proposes to establish consumer rights and notice requirements for residents of Michigan.
Notably, the MPDPA provides for data broker registration to be managed by the Michigan Attorney General. The privacy notice requirements are standard, outlining categories of personal data processed, purpose of processing, categories of data shared with third parties and how consumers may exercise their rights. There is a provision for a 30-day cure period, as well as private right of action.
If enacted, the effective date would be one year after the date it is signed into law.
Michigan Privacy Rights
Law Status: In Legislative Process
Right to Data Portability
Right to Access
Right to Correction
Right to Deletion
Automated Decision Making
Opt-out of Sale
Opt-in for Sensitive Data Processing
PRoA - Limited to Certain Violations
New Hampshire
The New Hampshire Act Relative to the Expectation of Privacy (SB 255) is similar to Connecticut's Data Privacy Act and the proposed Massachusetts Data Privacy Protection Act—trending toward regional cohesion.
The NH DPPA incorporates privacy by design principles, such as purpose limitation, technical safeguards, notice requirements and data protection assessments. This legislation also allows for private right of action. Like Massachusetts, New York and Oklahoma, the NH DPPA does not contain a cure period.
The NH DPPA exempts information regulated under HIPAA, the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA).
New Hampshire Privacy Rights
Law Status: Signed
The ability of a private citizen to legally enforce their rights upon other people or organizations.
PRoA - Limited to Certain Violations
New Jersey
New Jersey Privacy Act (NJPA) establishes requirements for disclosure and processing of personal information. These requirements are similar to those in recent state laws.
Notably, businesses impacted will be required to obtain affirmative consent, establish consumer rights and regulate automated decision-making processing.
Following the effective date, data controllers have six months to honor consumer opt-outs of targeted advertising via universal opt-out mechanisms.
There is no provision for private right of action and non-profit organizations are largely NOT exempt.
New Jersey Privacy Rights
Law Status: Signed
Effective Date: January 15, 2025
Right to Data Portability
Right to Access
Right to Correction
Right to Deletion
Opt-out of Processing
Automated Decision Making – Limited to Certain Conditions
Opt-out of Sale
Opt-in for Sensitive Data Processing
New York
The New York Privacy Act is a bill that would grant New York resident consumers rights over their personal information. Notably, the bill would require consent for certain data processing purposes and to change existing processing or processing purposes that may result in less data protection than what the consumer previously consented to.
The bill incorporates privacy by design principles, such as purpose limitation, technical safeguards and notice requirements. The bill requires data protection assessments where there is "heightened risk of harm" and creates a private right of action. Like Massachusetts and Oklahoma, the bill does not provide a cure period.
New York Privacy Rights
Law Status: In Legislative Process
Right to Data Portability
Right to Access
Right to Correction
Right to Deletion
Opt-out of Processing – Profiling/Targeted Advertising
Opt-out of Sale
Opt-in for Sensitive Data Processing
North Carolina
The North Carolina Consumer Privacy Act (NCCPA) would establish limited consumer rights for North Carolina residents. Unlike most other state laws and proposals, the NCCPA does not require opt-in for sensitive personal data processing nor provide for opt-out of automated decision making.
The bill does require that a business provide consumers with a clear privacy notice outlining key requirements. Additionally, the NCCPA requires that reasonable administrative, technical and physical data security practices are in place.
Like other laws, there is provision for fines up to $7,500 per violation and a 45-day cure period.
North Carolina Privacy Rights
Law Status: In Legislative Process
Right to Data Portability
Right to Access
Right to Correction
Right to Deletion
Opt-out of Processing – Profiling/Targeted Advertising
Opt-out of Sale
Wisconsin
The Wisconsin Consumer Data Protection Bill (AB 466) is a comprehensive consumer privacy proposal that would provide consumer rights similar to those provided by other states. The proposed legislation includes requirements for providing notice, obtaining consent for processing sensitive personal data and conducting data protection assessments.
Privacy by design elements are evident in the requirements for purpose limitation, as well as technical and organizational security measures for data controllers and processors.
The Wisconsin Consumer Data Protection Bill allows for fines up to $7,500 per violation and a 30-day cure period.
Wisconsin Privacy Rights
Law Status: In Legislative Process
Right to Data Portability
Right to Access
Right to Correction
Right to Deletion
Opt-out of Processing – Profiling/Targeted Advertising
Automated Decision Making – Limited to Certain Conditions
Opt-out of Sale
Opt-in for Sensitive Data Processing
Pennsylvania
The Pennsylvania Consumer Data Protection Act (HB 1201) is a comprehensive consumer privacy proposal that would provide consumer rights similar to those provided by other states. The PCDPA includes requirements for providing notice and obtaining consent for processing sensitive personal data. The act further requires that controllers allow opt-out for targeted advertising or sale through an opt-out preference signal by January 1, 2026.
The PCDPA incorporates privacy by design principles, such as purpose limitation and reasonable data security practices. Moreover, the PCDPA provides a 60-day cure period for the first 18 months that the law is in force, does not provide for a privacy right of action and would go into effect immediately upon enactment.
Pennsylvania Privacy Rights
Law Status: In Legislative Process
Right to Data Portability
Right to Access
Right to Correction
Right to Deletion
Opt-out of Processing – Profiling/Targeted Advertising
Automated Decision Making – Limited to Certain Conditions
Opt-out of Sale
Opt-in for Sensitive Data Processing
Opt-in to Processing
PRoA – Privacy Right of Action
New Hampshire
Law Status: Signed
Effective Date: December 31, 2025
Related Resource
Visit the Blog Post "Privacy Bracketology"
New Jersey
New Jersey Privacy Act (NJPA) establishes requirements for disclosure and processing of personal information. These requirements are similar to those in recent state laws.
Notably, businesses impacted will be required to obtain affirmative consent, establish consumer rights and regulate automated decision-making processing.
Following the effective date, data controllers have six months to honor consumer opt-outs of targeted advertising via universal opt-out mechanisms.
There is no provision for private right of action and non-profit organizations are largely NOT exempt.
Law Status: Signed
Effective Date: January 15, 2025
Related Resource
Visit the Blog Post "Privacy Bracketology"
New York
The New York Privacy Act is a bill that would grant New York resident consumers rights over their personal information. Notably, the bill would require consent for certain data processing purposes and to change existing processing or processing purposes that may result in less data protection than what the consumer previously consented to.
The bill incorporates privacy by design principles, such as purpose limitation, technical safeguards and notice requirements. The bill requires data protection assessments where there is "heightened risk of harm" and creates a private right of action. Like Massachusetts and Oklahoma, the bill does not provide a cure period.
Law Status: In Legislative Process
Related Resource
Visit the Blog Post "Privacy Bracketology"
Pennsylvania
The Pennsylvania Consumer Data Protection Act (HB 1201) is a comprehensive consumer privacy proposal that would provide consumer rights similar to those provided by other states. The PCDPA includes requirements for providing notice and obtaining consent for processing sensitive personal data. The act further requires that controllers allow opt-out for targeted advertising or sale through an opt-out preference signal by January 1, 2026.
The PCDPA incorporates privacy by design principles, such as purpose limitation and reasonable data security practices. Moreover, the PCDPA provides a 60-day cure period for the first 18 months that the law is in force, does not provide for a private right of action and would go into effect immediately upon enactment.
Law Status: In Legislative Process
Related Resource
Visit the Blog Post "Privacy Bracketology"
North Carolina
The North Carolina Consumer Privacy Act (NCCPA) would establish limited consumer rights for North Carolina residents. Unlike most other state laws and proposals, the NCCPA does not require opt-in for sensitive personal data processing nor provide for opt-out of automated decision making.
The bill does require that a business provide consumers with a clear privacy notice outlining key requirements. Additionally, the NCCPA requires that reasonable administrative, technical and physical data security practices are in place.
Like other laws, there is provision for fines up to $7,500 per violation and a 45-day cure period.
Law Status: In Legislative Process
Related Resource
Visit the Blog Post "Privacy Bracketology"
Wisconsin
The Wisconsin Consumer Data Protection Bill (AB 466) is a comprehensive consumer privacy proposal that would provide consumer rights similar to those provided by other states. The proposed legislation includes requirements for providing notice, obtaining consent for processing sensitive personal data and conducting data protection assessments.
Privacy by design elements are evident in the requirements for purpose limitation, as well as technical and organizational security measures for data controllers and processors.
The Wisconsin Consumer Data Protection Bill allows for fines up to $7,500 per violation and a 30-day cure period.
Law Status: In Legislative Process
Minnesota
Related Resource
The Minnesota Consumer Data Privacy Act (MCDPA) is a bill that is similar to Virginia's CDPA and would establish rights for Minnesota residents over their personal data.
The bill will require consent prior to collection, processing or disclosure of any personal data (not just sensitive personal data).
Violations will carry penalties up to $7,500 and MCDPA provides for private right of action. Like Massachusetts, New York and Oklahoma, the bill does not contain a cure period.
View bill on Minnesota Legislature website (external link)
Minnesota Privacy Rights
Law Status: Signed
Effective Date: July 31, 2025
Right to Access
Right to Correction
Right to Deletion
Right to Data Portability
Automated Decision Making – Limited to Certain Conditions
Opt-out of Sale
Opt-out of Processing – Profiling/Targeted Advertising
Opt-in for Sensitive Data Processing
Kentucky
The Kentucky Consumer Data Privacy Act (KCDPA) is the fifteenth state comprehensive consumer privacy law and aligns closely to Virginia and Connecticut in scope.
Like the VCDPA and CTDPA, there is no revenue threshold--businesses are subject to the requirements if they conduct business in Kentucky, produce products or services targeted at Kentucky residents and control or process data of >100,000 consumers or >25,000 consumers with >50% of gross revenue from selling personal data.
Kentucky requires opt-in consent before businesses process sensitive personal data.
Data controllers are obligated to enact privacy by design principles and require agreements with data processors.
Like Virginia, the KCDPA also allows for fines up to $7,500 per violation and there is no private right of action.
Kentucky Privacy Rights
Law Status: Signed
Effective Date: January 1, 2026
Related Resource
Visit the Blog Post "Privacy Bracketology"
Maryland
The Maryland Online Data Privacy Act (MODPA) has a low threshold of applicability, applying to businesses that control or process data of >35,000 consumers or 10,000 consumers with >20% gross revenue from sale of personal data.
Like other states, privacy by design principles are invoked, requiring data minimization and reasonable administrative, technical and physical data security practices. Data protection impact assessments are required when there is heightened risk of harm.
Data controllers must establish technical specifications of a user-selected universal opt-out mechanism as similarly required by California, Connecticut and New Jersey. As with California and New Jersey, the Act includes "valuable consideration" in its definition of "sale of personal data."
There is no provision for private right of action. Fines may be imposed up to $10,000 for each violation and $25,000 for repeated violations.
Maryland Privacy Rights
Law Status: Signed
Effective Date: October 1, 2025
PRoA - Limited to Certain Violations
Related Resource
Visit the Blog Post "Privacy Bracketology"
Nebraska
Nebraska has become the seventeenth state overall, and fourth in 2024, to enact a comprehensive consumer privacy law.
With aspects that align to neighboring Texas, the Nebraska Data Privacy Act (NDPA) does not contain dollar nor volume thresholds for applicability. This definition extends applicability to companies whose products or services are merely used by Nebraska residents, even if Nebraska residents are not necessarily a targeted audience.
Data processor activities must be governed by a contract with the data controller, and certain guardrails for data governance and protection are expected (i.e., data protection assessments).
Like California, Maryland, and New Jersey, the NDPA includes "valuable consideration" in the definition of "sale of personal data."
Unlike other states whose cure periods sunset after a few months, Nebraska's legislation provides a permanent 30-day cure period.
Nebraska Privacy Rights
Law Status: Signed
Effective Date: October 1, 2025
Related Resource
Visit the Blog Post "Privacy Bracketology"
Rhode Island
Rhode Island's Data Privacy Act (RIDPA) is closely aligned to Connecticut and Delaware and will provide rights to consumers and prohibit processing sensitive personal data without consent. Similar to Montana, the RIDPA lowers the typical 100,000 consumer threshold to just 35,000, which is just over 3% of the state's population.
The RIDPA incorporates privacy by design principles such as reasonable data security practices. However, the legislation will not require purpose limitation nor compliance with universal opt-out mechanisms.
The RIDPA provides for civil penalties up to $10,000, and any individual or entity that intentionally discloses personal data may be fined $100 - $500.
Rhode Island Privacy Rights
Law Status: Passed
Effective Date: January 1, 2026
Related Resource
Visit the Blog Post "Privacy Bracketology"
Right to Access
Right to Correction
Right to Deletion
Right to Data Portability
Automated Decision Making – Limited to Certain Conditions
Opt-out of Sale
Opt-out of Processing – Profiling/Targeted Advertising
Opt-in for Sensitive Data Processing
Minnesota
The Minnesota Consumer Data Privacy Act (MCDPA) is a bill that is similar to Virginia's CDPA and would establish rights for Minnesota residents over their personal data.
The bill will require consent prior to collection, processing or disclosure of any personal data (not just sensitive personal data).
Violations will carry penalties up to $7,500 and MCDPA provides for private right of action. Like Massachusetts, New York and Oklahoma, the bill does not contain a cure period.
Law Status: Signed
Effective Date: January 1, 2025
Nebraska
Nebraska has become the seventeenth state overall, and fourth in 2024, to enact a comprehensive consumer privacy law.
With aspects that align to neighboring Texas, the Nebraska Data Privacy Act (NDPA) does not contain dollar nor volume thresholds for applicability. This definition extends applicability to companies whose products or services are merely used by Nebraska residents, even if Nebraska residents are not necessarily a targeted audience.
Data processor activities must be governed by a contract with the data controller, and certain guardrails for data governance and protection are expected (i.e., data protection assessments).
Like California, Maryland, and New Jersey, the Act includes "valuable consideration" in the definition of "sale of personal data."
Unlike other states whose cure periods sunset after a few months, Nebraska's legislation provides a permanent 30-day cure period.
Law Status: Signed
Effective Date: October 1, 2025
Related Resource
Visit the Blog Post "Privacy Bracketology"
Visit the Blog Post "Iowa Enacts Comprehensive Privacy Legislation"
Kentucky
Related Resources
The Kentucky Consumer Data Privacy Act (KCDPA) is the fifteenth state comprehensive consumer privacy law and aligns closely to Virginia and Connecticut in scope.
Like the VCDPA and CTDPA, there is no revenue threshold--businesses are subject to the requirements if they conduct business in Kentucky, produce products or services targeted at Kentucky residents and control or process data of >100,000 consumers or >25,000 consumers with >50% of gross revenue from selling personal data.
Kentucky requires opt-in consent before businesses process sensitive personal data. Data controllers are obligated to enact privacy by design principles and require agreements with data processors.
Like Virginia, the KCDPA also allows for fines up to $7,500 per violation and there is no private right of action.
Law Status: Signed
Effective Date: January 1, 2026
Visit the Blog Post "Privacy Bracketology"
Maryland
Related Resources
The Maryland Online Data Privacy Act (MODPA) has a low threshold of applicability, applying to businesses that control or process data of >35,000 consumers or 10,000 consumers with >20% gross revenue from sale of personal data.
Like other states, privacy by design principles are invoked, requiring data minimization and reasonable administrative, technical and physical data security practices. Data protection impact assessments are required when there is heightened risk of harm.
Data controllers must establish technical specifications of a user-selected universal opt-out mechanism as similarly required by California, Connecticut and New Jersey. As with California and New Jersey, the Act includes "valuable consideration" in its definition of "sale of personal data."
There is no provision for private right of action. Fines may be imposed up to $10,000 for each violation and $25,000 for repeated violations.
Law Status: Signed
Effective Date: January 1, 2026
Visit the Blog Post "Privacy Bracketology"
Rhode Island
Rhode Island's Data Privacy Act (RIDPA) is closely aligned to Connecticut and Delaware and will provide rights to consumers and prohibit processing sensitive personal data without consent. Similar to Montana, the RIDPA lowers the typical 100,000 consumer threshold to just 35,000, which is just over 3% of the state's population.
The RIDPA incorporates privacy by design principles such as reasonable data security practices. However, the legislation will not require purpose limitation nor compliance with universal opt-out mechanisms.
The Act provides for civil penalties up to $10,000, and any individual or entity that intentionally discloses personal data may be fined $100 - $500.
Law Status: Signed
Effective Date: January 1, 2026
Related Resource
Visit the Blog Post "Privacy Bracketology"