US State Privacy Laws
20 states, no federal law, and an expanding patchwork
Overview
As of February 2026, 20 US states have enacted comprehensive consumer privacy laws. The United States has no federal comprehensive privacy law (the American Privacy Rights Act was introduced in 2024 but failed to advance), leaving a growing patchwork of state-level legislation as the primary framework governing consumer data protection in the country.[1]
The state privacy law landscape is dominated by the “Virginia model,” a template established by the Virginia Consumer Data Protection Act (VCDPA) in 2021 and subsequently adopted by 15 or more states. The model’s defining characteristics are: attorney general–only enforcement, no private right of action, opt-in consent for sensitive data processing, opt-out consent for general processing, and data protection assessment requirements for high-risk activities.[2]
California’s framework differs significantly from the Virginia model adopted by most states. The CCPA/CPRA created the California Privacy Protection Agency (CPPA) – the first and only dedicated state privacy enforcement agency – alongside the broadest consumer rights, a limited private right of action for data breaches, and the most detailed implementing regulations of any state. For a comprehensive treatment of California’s framework, see the California page.
For federal privacy and surveillance laws, see the US Federal page.
Comparison Table: All 20 States
| # | State | Law | Effective | Cure Period | Private Right of Action |
|---|---|---|---|---|---|
| 1 | California | CCPA/CPRA | Jan 2020 / Jan 2023 | 30 days (limited) | Yes (data breaches only) |
| 2 | Virginia | VCDPA | Jan 2023 | 30 days | No |
| 3 | Colorado | CPA | Jul 2023 | Expired Jan 2025 | No |
| 4 | Connecticut | CTDPA | Jul 2023 | Expired Dec 2024 | No |
| 5 | Utah | UCPA | Dec 2023 | 30 days | No |
| 6 | Iowa | ICDPA | Jan 2025 | 90 days | No |
| 7 | Indiana | ICDPA | Jan 2026 | 30 days (permanent) | No |
| 8 | Tennessee | TIPA | Jul 2025 | 60 days | No |
| 9 | Montana | MTCDPA | Oct 2024 | Expired early 2025 | No |
| 10 | Texas | TDPSA | Jul 2024 | 30 days | No |
| 11 | Oregon | OCPA | Jul 2024 | 30 days | No |
| 12 | Delaware | DPDPA | Jan 2025 | 60 days | No |
| 13 | Florida | FDBR | Jul 2024 | 45 days | No (limited for children) |
| 14 | New Hampshire | NHPA | Jan 2025 | Expired Dec 2025 | No |
| 15 | New Jersey | NJDPA | Jan 2025 | 30 days (18-month transition) | No |
| 16 | Kentucky | KCDPA | Jan 2026 | 30 days (permanent) | No |
| 17 | Maryland | MODPA | Oct 2025 | None specified | No |
| 18 | Minnesota | MCDPA | Jul 2025 | 30 days (expires Jan 2026) | No |
| 19 | Nebraska | NDPA | Jan 2025 | 30 days (permanent) | No |
| 20 | Rhode Island | RIDTPPA | Jan 2026 | None | No |
State-by-State Summaries
California – CCPA/CPRA
California’s framework is covered in detail on the California page. In brief: the CCPA (2018) as amended by the CPRA (2020) created the nation’s first dedicated privacy enforcement agency (CPPA) alongside the rights and protections described in the overview above. New regulations on automated decision-making, insurance data, and cybersecurity audits took effect January 1, 2026.[3]
Virginia – VCDPA
The Virginia Consumer Data Protection Act, signed March 2, 2021 and effective January 1, 2023, was the second comprehensive state privacy law and established the template that most subsequent states followed. Enforced exclusively by the Virginia Attorney General with a 30-day cure period. Applies to entities processing data of 100,000+ consumers or 25,000+ consumers where 50%+ of revenue comes from data sales. Standard consumer rights (access, correct, delete, portability, opt-out of sale/targeted advertising/profiling) with opt-in required for sensitive data.[4]
Colorado – CPA
The Colorado Privacy Act, signed July 7, 2021 and effective July 1, 2023, was the third comprehensive state privacy law. Colorado was one of the first states to require recognition of universal opt-out mechanisms (effective July 1, 2024). The cure period expired January 1, 2025, giving the AG immediate enforcement discretion. Amendments under SB 24-041 expanding children’s protections take effect July 1, 2026. Enforced by the Colorado Attorney General and District Attorneys.[5]
Connecticut – CTDPA
The Connecticut Data Privacy Act, signed May 10, 2022 and effective July 1, 2023, is among the more consumer-friendly state laws due to its absence of a revenue threshold. Controllers have been required to honor universal opt-out preference signals since January 1, 2025. Significant 2024–2025 amendments added consumer health data protections and children’s online safety provisions, including a prohibition on features designed to increase minors’ usage such as endless scrolling. Cure period expired December 31, 2024.[6]
Utah – UCPA
The Utah Consumer Privacy Act, signed March 24, 2022 and effective December 31, 2023, has been characterized as among the most business-friendly of the early comprehensive privacy laws. Uses an opt-out model for both general and sensitive data (no opt-in required for sensitive data, unlike most states). Higher threshold: $25 million annual revenue AND processing data of 100,000+ consumers. Does not require data protection assessments. Utah AI Policy Act provisions updating the UCPA framework take effect July 1, 2026.[7]
Iowa – ICDPA
The Iowa Consumer Data Protection Act, signed March 29, 2023 and effective January 1, 2025, is among the most business-friendly comprehensive privacy laws enacted to date. It does not grant consumers the right to correct personal data or opt out of profiling. Uses opt-out (not opt-in) for sensitive data. Features a 90-day cure period – one of the longest of any state. No data protection assessment requirement. Enforced exclusively by the Iowa Attorney General.[8]
Indiana – ICDPA
The Indiana Consumer Data Protection Act, signed May 1, 2023 and effective January 1, 2026, largely mirrors the Virginia model. Applies to entities processing data of 100,000+ Indiana residents or 25,000+ where 50%+ of revenue is from data sales. Features a permanent 30-day cure period that does not sunset. Standard consumer rights package enforced by the Indiana Attorney General.[9]
Tennessee – TIPA
The Tennessee Information Protection Act, signed May 11, 2023 and effective July 1, 2025, makes Tennessee the first state to formally incorporate the NIST Privacy Framework as a compliance tool – alignment with the framework serves as an affirmative defense against enforcement actions. Features among the highest applicability thresholds: $25 million revenue AND 175,000+ consumers. 60-day cure period. Fully exempts state-licensed insurance companies.[10]
Montana – MTCDPA
The Montana Consumer Data Privacy Act, signed May 19, 2023 (passed unanimously) and effective October 1, 2024, reflects Montana’s small population with a low applicability threshold of 50,000 consumers. Significant 2025 amendments (SB 297, effective October 1, 2025) removed all applicability thresholds for protections of minors under age 18, eliminated the Gramm-Leach-Bliley financial institution exemption, and closed the cure period six months early.[11]
Texas – TDPSA
The Texas Data Privacy and Security Act, signed June 18, 2023 and effective July 1, 2024, covers the largest state by population after California. Texas stands out for having no revenue threshold and no minimum consumer data processing threshold – it applies to all non-exempt entities that conduct business in Texas and process or sell personal data (with a small business exemption). The Texas AG has been among the most active enforcers, announcing a $1.4 billion settlement with Meta in July 2024 for CUBI biometric violations – the largest biometric privacy settlement in history.[12]
Oregon – OCPA
The Oregon Consumer Privacy Act, signed July 18, 2023 and effective July 1, 2024 (nonprofits: July 1, 2025), is one of the few comprehensive state privacy laws that cover nonprofit organizations. Features the broadest definition of “sensitive data” among all states – uniquely including transgender or non-binary status and crime victim status. Requires controllers to disclose the specific third parties (not just categories) that received a consumer’s data. Penalties up to $7,500 per violation.[13]
Delaware – DPDPA
The Delaware Personal Data Privacy Act, signed September 11, 2023 and effective January 1, 2025, is considered one of the strongest state privacy laws. Covers nonprofits and institutions of higher education (unlike most states). Special protections for minors: parental consent required for those under 13, direct consent from teens aged 13–17 for targeted advertising or data sales. Low threshold: 35,000 consumers or 10,000 with 20%+ revenue from data sales.[14]
Florida – FDBR
The Florida Digital Bill of Rights, signed June 6, 2023 and effective July 1, 2024, has the narrowest applicability of any state – it applies only to entities with $1 billion+ in annual gross revenue, meaning very few companies are covered. Includes unique provisions prohibiting government employees from contacting social media platforms to request content removal. Some trackers do not classify it as truly “comprehensive” due to its narrow scope.[15]
New Hampshire – NHPA
The New Hampshire Privacy Act, signed March 6, 2024 and effective January 1, 2025, features a strong anti-dark-patterns provision: consent must be a “clear affirmative act” and cannot be obtained through acceptance of general terms, hovering, closing content, or dark patterns. Heightened protections for teens aged 13–16 (targeted advertising and data sales prohibited without consent). Cure period expired December 31, 2025.[16]
New Jersey – NJDPA
The New Jersey Data Protection Act, signed January 16, 2024 and effective January 15, 2025, makes New Jersey the first state to both include an opt-in requirement for profiling of children AND apply minor protections up to age 17 (not just under 13 as in COPPA). Covers nonprofits with no nonprofit exemption. Broad AG rulemaking authority. No revenue threshold. 18-month transitional enforcement period with 30-day cure window through approximately July 2026.[17]
Kentucky – KCDPA
The Kentucky Consumer Data Protection Act, signed April 4, 2024 and effective January 1, 2026, largely mirrors the Virginia model. Features a permanent (non-sunsetting) 30-day cure period, one of the most business-friendly enforcement provisions. Standard applicability: 100,000 consumers or 25,000 with 50%+ revenue from data sales. Data protection assessment requirements for higher-risk processing.[18]
Maryland – MODPA
The Maryland Online Data Privacy Act, signed May 2024 and effective October 1, 2025, is considered one of the most restrictive state privacy laws, imposing significant compliance requirements. Key distinctions: (1) prohibits the sale of sensitive data entirely, regardless of consent – a unique approach where consent does not override the prohibition; (2) strict data minimization requiring collection to be “reasonably necessary and proportionate”; (3) unique anti-discrimination provision; (4) prohibits advertising/sale of data for anyone under 18; (5) regulates consumer health data including gender-affirming treatment and reproductive health data.[19]
Minnesota – MCDPA
The Minnesota Consumer Data Privacy Act, signed May 24, 2024 and effective July 31, 2025, contains a unique right to question profiling – including the right to ask for results of profiling and challenge inaccurate information, especially regarding automated decisions affecting access to jobs, housing, education, insurance, or essential services. First state to require controllers to designate a chief privacy officer and include their contact information in privacy policies. 30-day cure period expires January 31, 2026. Penalties up to $7,500 per violation.[20]
Nebraska – NDPA
The Nebraska Data Privacy Act, signed April 17, 2024 and effective January 1, 2025, has no revenue threshold and no minimum consumer data processing threshold (similar to Texas), applying broadly to any person conducting business in Nebraska that processes or sells personal data – with a small business exemption per the federal Small Business Act. The exemption does not apply if the business sells sensitive data without consent. Permanent 30-day cure period. Known child data classified as sensitive data requiring opt-in consent.[21]
Rhode Island – RIDTPPA
The Rhode Island Data Transparency and Privacy Protection Act, transmitted without the governor’s signature June 28, 2024 and effective January 1, 2026, features a unique two-tiered applicability structure: Tier One applies transparency requirements to any commercial website or ISP that sells personally identifiable information; Tier Two applies full requirements to for-profit entities processing data of 35,000+ Rhode Island residents. Rhode Island is among the strictest states, with no cure period – businesses must be in compliance from day one. Penalties up to $10,000 per violation (higher than the standard $7,500).[22]
Sector-Specific State Privacy Laws
Beyond comprehensive consumer privacy laws, several sector-specific state statutes have had significant impact on privacy enforcement and litigation.
Illinois BIPA (Biometric Information Privacy Act, 2008)
Illinois BIPA is the most litigated privacy statute in the United States. Enacted in 2008, it regulates the collection, use, storage, and destruction of biometric identifiers (fingerprints, retina/iris scans, voiceprints, face geometry scans). BIPA is the only biometric privacy law with a private right of action, which has generated massive litigation: damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation.[23]
A 2024 amendment (SB 2979, signed August 2, 2024) limits damages by redefining repeated collection or transmission of the same biometric data by the same party as a single violation – previously, each individual scan could constitute a separate violation, creating enormous potential liability. Despite this amendment, BIPA remains the most actively litigated privacy statute in the country. Notable settlements include $51.75 million (nationwide class, 2024), $47.5 million (facial recognition), and $8.75 million (student data).[23]
Washington My Health My Data Act (MHMDA, 2023)
Enacted in 2023 and effective March 31, 2024 (large businesses) and June 30, 2024 (small businesses), the MHMDA broadly regulates collection, use, and sale of “consumer health data” – defined expansively to include data used to identify physical or mental health status, including reproductive health, gender-affirming care, and more. Features a broad private right of action with presumptions benefiting plaintiffs; any violation is a per se violation of the Washington Consumer Protection Act. Notably prohibits geofencing around health care facilities. Enacted in response to Dobbs concerns about reproductive health data.[24]
Texas CUBI (Capture or Use of Biometric Identifier Act)
Originally enacted in 2001 (expanded 2009), Texas CUBI regulates biometric identifiers including retina/iris scans, fingerprints, voiceprints, and hand/face geometry. No private right of action – the Texas AG has exclusive enforcement with penalties up to $25,000 per violation. The statute gained national prominence through the $1.4 billion Meta settlement described above, which specifically concerned Meta’s unauthorized capture of facial geometry data through Facebook’s photo-tagging feature in violation of CUBI.[25]
California Age-Appropriate Design Code Act (CAADCA / AB 2273)
Enacted September 15, 2022, the CAADCA requires online services “likely to be accessed by children” to configure default privacy settings to high privacy, assess whether algorithms or data collection could harm children, and use age-appropriate language. Modeled on the UK’s Age-Appropriate Design Code. However, a preliminary injunction was issued in September 2023 by the Northern District of California in NetChoice v. Bonta, blocking enforcement on First Amendment grounds. The case is on appeal to the Ninth Circuit.[26]
Children’s Social Media and Age Verification Laws
At least nine states – Arkansas, California, Texas, Florida, Georgia, Louisiana, Mississippi, Tennessee, and Utah – have enacted laws restricting minors’ social media access, requiring age verification and/or parental consent. Utah’s App Store Age Verification Law is the first to require app store providers to verify all users’ ages and obtain parental consent for minors’ downloads. Many of these laws face ongoing constitutional challenges on First Amendment grounds.[27]
States Without Comprehensive Privacy Laws
Several large or notable states have not enacted comprehensive consumer privacy legislation despite active legislative efforts:
- New York: Despite being the nation’s fourth-largest state, New York has repeatedly failed to pass comprehensive privacy legislation. The NY Privacy Act has been introduced in multiple sessions but not enacted. New York does have the SHIELD Act (data security and breach notification) but no omnibus consumer privacy law
- Illinois: Despite having the nation’s strongest biometric privacy law (BIPA), Illinois has not enacted a comprehensive consumer privacy law
- Massachusetts: Bills introduced but not enacted
- Washington: Has the My Health My Data Act and a biometric privacy law (HB 1493) but no comprehensive omnibus consumer privacy law
- Pennsylvania, Michigan, Ohio, Georgia, North Carolina: No comprehensive privacy laws enacted
Key Trends (February 2026)
1. The Virginia Model Dominates
Fifteen or more states have followed the template established by Virginia: AG-only enforcement, no private right of action, opt-in for sensitive data, opt-out for general processing, and data protection assessments for high-risk activities. This convergence provides some degree of harmonization across states but entrenches a framework that consumer advocates consider insufficiently protective.[2]
2. California Remains the Outlier
With its dedicated enforcement agency, private right of action, and the broad consumer rights described above, California’s framework is significantly more complex than any other state’s. The CPPA’s 2026 regulations on automated decision-making are the first US state regulations to address this area in detail.[3]
3. Maryland Takes a Distinct Approach
MODPA’s prohibition on selling sensitive data regardless of consent, strict data minimization requirements, and anti-discrimination provisions reflect the direction in which consumer privacy advocacy is pushing. Maryland’s approach moves away from the opt-out model toward substantive restrictions on data practices that cannot be overridden by consent.[19]
4. Universal Opt-Out Mechanisms Are Becoming Standard
California, Colorado, Connecticut, Oregon, Delaware, Maryland, Minnesota, Montana, New Hampshire, New Jersey, and Texas now require recognition of universal opt-out preference signals such as the Global Privacy Control (GPC). This standardization reduces friction for consumers and creates a technical expectation that companies must honor browser-level privacy preferences.[28]
5. Children’s Privacy Is a Rapidly Expanding Area
Nearly every new state privacy law includes enhanced protections for minors. Standalone children’s online safety and social media laws are proliferating, with at least nine states enacting restrictions. Age-appropriate design codes, dark pattern prohibitions for minors, and restrictions on targeted advertising to children are becoming standard features of new legislation.[27]
6. No Federal Comprehensive Privacy Law
The American Privacy Rights Act (APRA) was introduced in 2024 with bipartisan support but did not advance. The absence of federal legislation means the patchwork of 20 state laws, with differing thresholds, definitions, consumer rights, and enforcement mechanisms, continues to grow, creating significant compliance complexity for companies operating nationally.[1]
7. Enforcement Is Accelerating
The Texas AG’s $1.4 billion Meta settlement and the CPPA’s expanding enforcement program demonstrate that state-level privacy enforcement has reached a level of financial consequence previously associated only with federal agencies or European DPAs. The expiration of cure periods in Colorado, Connecticut, Montana, and New Hampshire gives AGs immediate enforcement authority without the delay of a mandatory cure window.[12]
