A growing number of US states are introducing privacy legislation protecting the data privacy rights of their residents.
Below we provide a high level summary of each state's regulation, which businesses must comply, and when they go into effect.
The states covered are:
Colorado Privacy Act (CPA)
Connecticut Data Privacy Act (CTDPA)
Delaware Personal Data Privacy Act (DPDPA)
Florida Digital Bill of Rights (FDBR)
Indiana Consumer Data Protection Act (Indiana CDPA)
Iowa Consumer Data Protection Act (Iowa CDPA)
Kentucky Consumer Data Protection Act (KCDPA)
Montana Consumer Data Privacy Act (MCDPA)
New Hampshire Data Privacy Law (SB 255)
New Jersey Data Privacy Act (NJDPA)
Oregon Consumer Privacy Act (OCPA)
Tennessee Information Protection Act (TIPA)
Texas Data Privacy and Security Act (TDPSA)
Utah Consumer Privacy Act (UCPA)
Virginia Consumer Data Protection Act (VCDPA)
You can also follow Termly's US state legislation tracker to stay up-to-date with the latest news and changes across all states.
Section 1: California, Colorado, Connecticut, Utah, and Virginia (Currently In Force)
California Consumer Privacy Act - Effective Date: January 1, 2020 | California Privacy Rights Act - Effective Date: January 1, 2023
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) requirements are applicable to for-profit businesses that collect personal information from California consumers, determines the purposes and means of the processing of personal information, does business in California, and meets one of the following:
As of January 1 of the calendar year, had annual gross revenues in excess of $25 million in the preceding calendar year
Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households
Derives 50% or more of annual revenues from selling or sharing California consumers’ personal information
Colorado Privacy Act - Effective Date: July 1, 2023
The Colorado Privacy Act (CPA) requirements are applicable to any person who conducts business in Colorado or produces or delivers products or services targeted to residents of Colorado and meets one of the following:
Annually controls or processes the personal data of 100,000 or more consumers
Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 or more consumers
Connecticut Data Privacy Act - Effective Date: July 1, 2023
The Connecticut Data Privacy Act (CTDPA) requirements are applicable to any person who conducts business in Connecticut or produces products or services targeted to residents of Connecticut and during the preceding calendar year meets one of the following:
Controlled or processed the personal data of 100,000 or more consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction
Controlled or processed the personal data of 25,000 or more consumers and derived more than 25% of their gross revenue from the sale of personal data
Utah Consumer Privacy Act - Effective Date: December 31, 2023
The Utah Consumer Privacy Act (UCPA) requirements are applicable to any person who conducts business in Utah or produces products or services targeted to residents of Utah, has an annual revenue of $25 million or more, and meets one of the following:
During a calendar year, controls or processes personal data of 100,000 or more consumers
Derives over 50% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers
Virginia Consumer Data Protection Act - Effective Date: January 1, 2023
The Virginia Consumer Data Protection Act (VCDPA) requirements are applicable to any person who conducts business in Virginia or produces products or services targeted to residents of Virginia and meets one of the following:
During a calendar year, controls or processes personal data of 100,000 or more consumers
Control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal dataSection 1: Florida, Oregon, Texas, and Montana (Effective 2024)
Section 2: Florida, Oregon, Texas, and Montana (Effective 2024)
Florida Digital Bill of Rights - Effective Date: July 1, 2024
The Florida Digital Bill of Rights (FDBR) requirements are applicable to any person who conducts business in Florida or produces products or services to residents of Florida, collects personal data from consumers, makes in excess of $1 billion in global gross annual revenues, and meets one of the following:
Derives 50% or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online
Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation
Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install
Oregon Consumer Privacy Act - Effective Date: July 1, 2024
The Oregon Consumer Privacy Act (OCPA) requirements are applicable to any person who conducts business in Oregon or provides products or services to residents of Oregon and during a calendar year meets one of the following:
Processed or controlled 100,000 or more consumers’ personal data. This does not, however, include “personal data controlled or processed solely for the purpose of completing a payment transaction.”
Processed or controlled the personal data of 25,000 or more consumers while deriving 25% or more of annual gross revenue from selling personal data.
Texas Data Privacy and Security Act - Effective Date: July 1, 2024
The Texas Data Privacy and Security Act (TDPSA) requirements are applicable to any person who conducts business in Texas or produces products or services to residents of Texas that meet both of the following conditions:
Is not a small business as defined by the United States Small Business Administration. The SBA defines a small business as an independent business having fewer than 500 employees.
Processes or sells personal data
Montana Consumer Data Privacy Act - Effective Date: October 1, 2024
The Montana Consumer Data Privacy Act (MCDPA) requirements are applicable to any person who conducts business in Montana or produces products or services targeted to residents of Montana and meets one or more of the following thresholds:
Process or control 50,000 or more consumers’ personal data. This does not, however, include “personal data controlled or processed solely for the purpose of completing a payment transaction.”
Process or control the personal data of 25,000 or more consumers while deriving more than 25% of gross revenue from selling personal data.
Section 3: Delaware, Iowa, New Hampshire, New Jersey, and Tennessee (Effective 2025)
Delaware Personal Data Privacy Act - Effective Date: January 1, 2025
The Delaware Personal Data Privacy Act (DPDPA) requirements are applicable to any person who conducts business in Delaware or produces products or services targeted to residents of Delaware and during the preceding calendar year meets one of the following:
Processed or controlled the personal data of 35,000 or more consumers. This does not, however, include “personal data controlled or processed solely for the purpose of completing a payment transaction.”
Processed or controlled the personal data of 10,000 or more consumers while deriving more than 20% of gross revenue from selling personal data.
Iowa Consumer Data Protection Act - Effective Date: January 1, 2025
The Iowa Consumer Data Protection Act (Iowa CDPA) requirements are applicable to any person conducting business in Iowa or produces products or services targeted to residents of Iowa and during a calendar year meets one of the following:
Processes or controls the personal data of 100,000 or more consumers.
Processes or controls the personal data of 25,000 or more consumers while deriving 50% or more of gross revenue from selling personal data.
New Hampshire Privacy Law - Effective Date: January 1, 2025
The New Hampshire privacy law (SB 255) requirements are applicable to any person who conducts business in New Hampshire or produces products or services targeted to residents of New Hampshire and during a one-year period meets one of the following:
Processed or controlled the personal data of 35,000 or more consumers. This does not, however, include “personal data controlled or processed solely for the purpose of completing a payment transaction.”
Processed or controlled the personal data of 10,000 or more consumers while deriving 25% or more of gross revenue from selling personal data.
New Jersey Data Privacy Act - Effective Date: January 16, 2025
The New Jersey Data Privacy Act (NJDPA) requirements are applicable to controllers who conduct business in New Jersey or produce products or services targeted to residents of New Jersey and, during a calendar year, meet one of the following:
Process or control the personal data of 100,000 or more consumers. This does not, however, include “personal data controlled or processed solely for the purpose of completing a payment transaction.”
Process or control the personal data of 25,000 or more consumers while deriving revenue or receiving a discount on the price of any goods or services from selling personal data.
Tennessee Information Protection Act - Effective Date: July 1, 2025
The Tennessee Information Protection Act (TIPA) requirements are applicable to any person who conducts business in Tennessee producing products or services that target residents of Tennessee and exceed $25,000,000 in revenue. You must also meet one or more of the following thresholds:
Process or control personal data of 25,000 or more consumers and derive more than 50% of gross revenue from selling personal data.
During a calendar year, process or control the personal data of at least 175,000 consumers.
Section 4: Indiana and Kentucky (Effective 2026)
Indiana Consumer Data Protection Act - Effective Date: January 1, 2026
The Indiana Consumer Data Protection Act (Indiana CDPA) requirements are applicable to any person who conducts business in Indiana or produces products or services targeted to residents of Indiana and during a calendar year meets one of the following:
Processes or controls the personal data of 100,000 or more consumers.
Processes or controls the personal data of 25,000 or more consumers while deriving more than 50% of gross revenue from selling personal data.
Kentucky Consumer Data Protection Act - Effective Date: January 1, 2026
The Kentucky Consumer Data Protection Act (KCDPA) requirements are applicable to any person conducting business in Kentucky or produces products or services targeted to residents of Kentucky and during a calendar year meets one of the following:
Processes or controls the personal data of 100,000 or more consumers.
Processes or controls the personal data of 25,000 or more consumers while deriving 50% or more of gross revenue from selling personal data.