Privacy By State
Data privacy laws vary significantly across the United States, with each state implementing different regulations regarding the collection, storage, and sharing of personal information. Some states, such as California with the California Consumer Privacy Act (CCPA), have comprehensive privacy laws that grant consumers rights over their data, while others have minimal regulations in place. There are states, like Virginia, Colorado, and Connecticut, who have enacted their own consumer data privacy laws, each with unique compliance requirements. Meanwhile, some states focus more on data breach notification laws rather than comprehensive privacy protections. As privacy laws continue to evolve, businesses and individuals must stay informed about their rights and obligations under state-specific regulations.
Disclaimer: The following is for informational purposes only and does not constitute legal advice from North Star Group. Laws and regulations may change, and their application may vary depending on specific circumstances. If you require legal advice or guidance regarding data privacy compliance, you should consult a licensed attorney.
| State | Legislation | Enacted | Fundamental Requirement |
|---|---|---|---|
| California | CCPA / CPRA | Jan. 1, 2023 (enforceable March 29, 2024) | California Consumer Privacy Act applies to any controller/ processor who conducts business in California or produces a product/service that is targeted to consumers who are California residents; and either has an annual gross revenue of more than $25,000,000 in the preceding calendar year as of Jan. 1; alone or in combination, annually buys, sell, or shares the personal information of 100,000 or more consumers or households; or derives 50% or more of its annual revenues from selling/sharing consumers’ personal information. |
| Colorado | CPA | July 1st, 2023 | Colorado Privacy Act (CPA) applies to any controller/processor who conducts business in Colorado or produces/delivers commercial products or services that are intentionally targeted to residents of Colorado, and either controls or processes the personal data of 100,000 consumers or more during a calendar year; or derives revenue or receives a discount on the price of goods/services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more. |
| Connecticut | CTDPA | July 1st, 2023 | Connecticut Data Privacy Act (CTDPA) applies to any controller/ processor who conducts business in Connecticut or produces a product/service that is targeted to consumers who are Connecticut residents and that during the preceding calendar year controlled or processed the personal data of not less than 100,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data. |
| Delaware | DPDPA | September 11th, 2023 | Delaware Personal Data Privacy Act (DPDPA) imposes transparency and disclosure obligations on a controller who either: conducts business in Delaware; or produces products or services that are targeted to the residents of Delaware; and that, during the preceding calendar year: controlled or processed personal data of not less than 35,000 Delaware residents. |
| Florida | FDBR | July 1st, 2024 | Florida Digital Bill of Rights (FDBR) comprehensive privacy provisions of SB 262 cover only businesses making $1 billion in revenue and meeting other threshold requirements. |
| Indiana | INCDPA | January 1st, 2026 | Indiana Consumer Data Protection Act (INCDPA) applies to controllers/processors that conduct business in Indiana or produces products or services that are targeted to residents of Indiana and that during a calendar year either control or process personal data of at least 100,000 consumers who are Indiana residents; or controls or processes personal data of at least 25,000 consumers who are Indiana residents and derives more than 50% of gross revenue from the sale of personal data. |
| Iowa | ICDPA | January 1st, 2025 | Iowa Consumer Data Protection Act (ICDPA) applies to controllers/processors conducting business in Iowa, or producing products or services that are targeted to consumers who are Iowa residents, and that during a calendar year either controls or processes personal data of at least 100,000 IA consumers/residents per calendar year; or controls or processes personal data of at least 25,000 IA consumers/residents and derives over 50% of gross revenue from the sale of personal data. |
| Kentucky | KYCDPA | April 4th, 2024 | Kentucky Consumer Data Protection Act (KY CDPA) imposes obligations on "controllers" – individuals or legal entities that determine the purpose and means of processing personal data – who either conduct business in the Commonwealth of Kentucky or produce products or services targeted to residents of Kentucky and who, within the calendar year, either: Control or process personal data of at least 100,000 Kentucky consumers; or Control or process personal data of 25,000 Kentucky consumers and derive over 50% of gross revenue from the sale of personal data. |
| Maryland | MODPA | May 9th, 2024 | The Maryland Online Data Privacy Act (MODPA) MODPA applies to businesses that operate in Maryland or target their products and services to Maryland residents. Specifically, it covers entities that control or process the personal data of at least 35,000 consumers in the previous calendar year (excluding data used solely for payment transactions). Controlled or processed the personal data of at least 10,000 consumers and made more than 20% of their gross revenue from selling personal data. |
| Minnesota | MNCDPA | May 24th, 2024 | The Minnesota Consumer Data Privacy Act (MNCDPA) applies to controllers who either conduct business in the state of Minnesota or produce products or services targeted to residents of Minnesota and who, within a calendar year, either: Control or process the personal data of at least 100,000 unique Minnesota consumers; or Control or process personal data of 25,000 unique Minnesota consumers and derive over 25% of gross revenue from the sale of personal data. |
| Montana | MCDPA | Ocober 1st, 2024 | Applies to controllers/processors that conduct business in Montana or persons that produce products/services that are targeted to residents of Montana and control or process the personal data of not less than 50,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data. |
| Nebraska | NDPA | April 17th, 2024 | The Nebraska Data Privacy Act (NDPA) applies to conducts business in Nebraska or produces a product or service consumed by residents of Nebraska; processes or engages in the sale of personal data; and is not a small business as determined under the federal Small Business Act, except if such person engages in the sale of sensitive data without receiving prior consent from the consumer. |
| New Hampshire | NHPA | March 6th, 2024 | The New Hampshire Privacy Act (NHPA) applies to controllers who either conduct business in the state of New Hampshire or produce products or services targeted to residents of New Hampshire and who, within a one-year period, either: Control or process the personal data of at least 35,000 unique New Hampshire consumers; or Control or process personal data of 10,000 unique New Hampshire consumers and derive more than 25% of gross revenue from the sale of personal data. |
| New Jersey | NJDPL | January 16th, 2024 | The New Jersey Data Privacy Law (NJDPL) applies to controllers who conduct business in New Jersey or produce products or services targeted to residents of New Jersey and also, within the calendar year: Control or process personal data of at least 100,000 New Jersey consumers; or Control or process personal data of 25,000 New Jersey consumers and derive revenue (or receive discounts) from the sale of personal data. |
| Oregon | OCPA | July 18th, 2023 | The Oregon Consumer Privacy Act (OCPA) imposes transparency and disclosure obligations on a controller who either:conducts business in Oregon; or produces products or services that are targeted to the residents of Oregon; and that during a calendar year: controls or processes personal data of not less than 100,000 Oregon residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or controls or processes personal data of not less than 25,000 Oregon residents and derives more than 25 percent of its gross revenue from the sale of personal data. |
| Rhode Island | RIDTPPA | June 28th, 2024 | The Rhode Island Data Transparency and Privacy Protection Act applies to controllers who conduct business in Rhode Island, or produce products or services targeted to residents of Rhode Island, within the preceding calendar year, and who: controlled or processed personal data of at least 35,000 Rhode Island customers, excluding instances where controllers are processing data "solely for the purpose of completing a financial transaction"; or controlled or processed personal data of 10,000 Rhode Island customers and derived more than 20 percent of their gross revenue from the sale of personal data. |
| Tennessee | TIPA | July 1st, 2025 | Tennessee Information Protection Act (TIPA) applies to controllers/processors that conduct business in Tennessee producing products or services that are targeted residents of TN and that exceed $25,000,0000 in revenue; and control or process personal information of at least 25,000 consumers and derive more than 50% gross revenue from the sale of personal information; or control or process personal information of at least 175,000 consumers during a calendar year. |
| Texas | TDPSA | July 1st, 2024 | Texas Data Privacy and Security Act (TDPSA) applies to controllers/processors that conduct business in Texas or produces products/services that are targeted to residents of Texas; processes or engages in the sale of personal data; and is not a “small business” as defined by the US Small Business Administration, with the exception that small businesses may not engage in the sale of sensitive personal data without first obtaining consent from the consumer. |
| Utah | UCPA | December 31st, 2023 | Utah Consumer Privacy Act (UCPA) applies to any controller/ processor who conducts business in Utah or produces a product/ service that is targeted to consumers who are Utah residents; has annual revenue of $25,000,000 or more; and either controls/ processes personal data of 100,000 or more consumers during a calendar year; or derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers. |
| Virginia | VCDPA | January 1st, 2023 | Virginia Consumer Data Privacy Act (VCDPA) applies to any controller/processor who conducts business in Virginia or produces a product/service that is targeted to consumers who are Virginia residents and either during a calendar year, control or process personal data of at least 100,000 consumers; or control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data. |