US State Privacy Laws: A Complete Guide to Every Active Data Privacy Law
Compare all active US state privacy laws plus GDPR and UK GDPR. Thresholds, consumer rights, penalties, and what your business needs to do.
Last updated: 2026-02-08
The United States does not have a single federal data privacy law. Instead, 19 states have now enacted their own comprehensive consumer privacy legislation, each with its own thresholds, consumer rights, enforcement mechanisms, and deadlines. For a small business owner trying to figure out what applies, the landscape can feel overwhelming. Add in the EU's GDPR and the UK GDPR, and you are looking at 21 distinct privacy frameworks that could affect your business depending on where your customers live.
This guide puts all of them in one place. You will find a summary table of every active jurisdiction, a quick-reference section to help you figure out which laws apply to your business, and a side-by-side comparison of the consumer rights each law grants. Every jurisdiction links to a detailed, standalone guide with compliance checklists and enforcement details.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business.
Complete Jurisdiction Overview
The table below lists all 21 jurisdictions covered in this guide. Each row includes the law's abbreviation, when it took effect (or will take effect), who it applies to, whether there is a cure period before enforcement, and the maximum penalty per violation.
| Jurisdiction | Law | Effective Date | Threshold Summary | Cure Period | Max Penalty |
|---|---|---|---|---|---|
| California | CCPA/CPRA | Jan 1, 2020 | $26.625M revenue OR 100K consumers OR 50% data sale revenue | None | $7,500/violation |
| Virginia | VCDPA | Jan 1, 2023 | 100K consumers OR 25K consumers + 50% revenue from data sales | 30 days | $7,500/violation |
| Colorado | CPA | Jul 1, 2023 | 100K consumers OR 25K consumers + revenue from data sales | 60 days (expired Jan 2025) | $20,000/violation |
| Connecticut | CTDPA | Jul 1, 2023 | 100K consumers OR 25K + data sale revenue (drops to 35K in Jul 2026) | 60 days (expired Dec 2024) | $5,000/violation |
| Utah | UCPA | Dec 31, 2023 | $25M+ revenue AND (100K consumers OR 25K + 50% data sale revenue) | 30 days (no sunset) | $7,500/violation |
| Oregon | OCPA | Jul 1, 2024 | 100K consumers OR 25K consumers + revenue from data sales | 30 days (expired Jan 2026) | $7,500/violation |
| Texas | TDPSA | Jul 1, 2024 | Any business processing personal data (SBA small business exemption) | 30 days (expired Jan 2026) | $7,500/violation |
| Montana | MTCDPA | Oct 1, 2024 | 50K consumers OR 25K consumers + revenue from data sales | 60 days (expires Apr 2026) | $7,500/violation |
| Delaware | DPDPA | Jan 1, 2025 | 35K consumers OR 10K consumers + 20% revenue from data sales | 60 days (sunset Jan 2026) | $10,000/violation |
| Iowa | ICDPA | Jan 1, 2025 | 100K consumers OR 25K consumers + 50% revenue from data sales | 90 days (no sunset) | $7,500/violation |
| Nebraska | NDPA | Jan 1, 2025 | No consumer count -- applies to all non-SBA-small-businesses | 30 days (no sunset) | $7,500/violation |
| New Hampshire | NHPA | Jan 1, 2025 | 35K consumers OR 10K consumers + 25% revenue from data sales | 60 days (sunset Jan 2026) | $10,000/violation |
| New Jersey | NJDPA | Jan 15, 2025 | 100K consumers OR 25K consumers + revenue from data sales | 30 days (expires Jul 2026) | $10,000/$20,000 per violation |
| Tennessee | TIPA | Jul 1, 2025 | $25M+ revenue AND (100K consumers OR 25K + 50% data sale revenue) | 60 days (sunsets Jul 2027) | $7,500/violation |
| Minnesota | MCDPA | Jul 31, 2025 | 100K consumers OR 25K consumers + 25% revenue from data sales | 30 days (expires Jul 2026) | $7,500/violation |
| Maryland | MODPA | Oct 1, 2025 | 35K consumers OR 10K consumers + 20% revenue from data sales | Until Apr 2027 | $10,000/$25,000 per violation |
| Indiana | INCDPA | Jan 1, 2026 | 100K consumers OR 25K consumers + 50% revenue from data sales | 30 days (sunsets Jan 2028) | $7,500/violation |
| Kentucky | KCDPA | Jan 1, 2026 | 100K consumers OR 25K consumers + 50% revenue from data sales | 30 days (sunsets Jan 2026) | $7,500/violation |
| Rhode Island | RIDTPPA | Jan 1, 2026 | 35K consumers OR 10K consumers + 20% revenue from data sales | 30 days (sunsets Jan 2027) | $10,000/violation |
| GDPR (EU) | GDPR | May 25, 2018 | No size threshold -- any business serving EU residents | None | EUR 20M or 4% global revenue |
| UK GDPR | UK GDPR | Jan 1, 2021 | No size threshold -- any business serving UK residents | None | GBP 17.5M or 4% global revenue |
Which Law Applies to Me?
The fastest way to figure out your exposure is to start with how many consumers you serve in each state. Below, the laws are grouped by their applicability threshold so you can quickly see which ones might cover your business.
Low Threshold: 35,000 Consumers
If you have 35,000 or more customers from any of these states, you are covered:
- Maryland (MODPA) -- Effective October 1, 2025. Also applies at 10,000 consumers if 20%+ of revenue comes from data sales.
- Delaware (DPDPA) -- Effective January 1, 2025. Also applies at 10,000 consumers if 20%+ of revenue comes from data sales.
- Rhode Island (RIDTPPA) -- Effective January 1, 2026. Also applies at 10,000 consumers if 20%+ of revenue comes from data sales.
- New Hampshire (NHPA) -- Effective January 1, 2025. Also applies at 10,000 consumers if 25%+ of revenue comes from data sales.
- Connecticut (CTDPA) -- Currently at 100,000 consumers, but drops to 35,000 as of July 1, 2026. Plan accordingly.
These low-threshold laws are the ones most likely to catch smaller e-commerce businesses and regional SaaS products off guard. A Shopify store with 40,000 customers in Maryland is covered. A newsletter with 50,000 Delaware subscribers may be covered depending on how personal data is processed.
Mid Threshold: 50,000 Consumers
- Montana (MTCDPA) -- Effective October 1, 2024. Also applies at 25,000 consumers if the business derives revenue from data sales.
Montana's 50,000-consumer threshold sits between the low-threshold states and the standard 100,000-consumer tier. If you serve customers across the Mountain West, this one is easy to trip.
Standard Threshold: 100,000 Consumers
Most state privacy laws use the 100,000-consumer threshold as their primary trigger. If you process personal data from 100,000 or more consumers in any of these states during a calendar year, the law applies:
- Virginia (VCDPA) -- Effective January 1, 2023
- Colorado (CPA) -- Effective July 1, 2023
- Iowa (ICDPA) -- Effective January 1, 2025
- Indiana (INCDPA) -- Effective January 1, 2026
- New Jersey (NJDPA) -- Effective January 15, 2025
- Kentucky (KCDPA) -- Effective January 1, 2026
- Minnesota (MCDPA) -- Effective July 31, 2025
- Oregon (OCPA) -- Effective July 1, 2024
Most of these also have a secondary threshold of 25,000 consumers if the business derives a significant portion of revenue from data sales. The exact revenue percentage varies by state (50% in most cases, 25% in Minnesota).
No Consumer Threshold
These laws can apply regardless of how many consumers you have. They use different criteria to determine applicability:
- Texas (TDPSA) -- Applies to any business processing or selling personal data of Texas residents. The only exemption is for businesses that qualify as "small" under the SBA definition (and even that exemption does not apply if the business sells personal data). Effective July 1, 2024.
- Nebraska (NDPA) -- Applies to all businesses that process personal data and are not classified as small businesses under the SBA definition. Effective January 1, 2025.
- GDPR (EU) -- Applies to any business offering goods or services to, or monitoring the behavior of, EU residents. No revenue or size threshold. Effective May 25, 2018.
- UK GDPR -- Applies to any business processing personal data of UK residents. No revenue or size threshold. Effective January 1, 2021.
If you do business online and have customers in Texas, Nebraska, the EU, or the UK, you should review these laws regardless of your company's size.
Revenue-Based Threshold
Some laws use annual revenue as a trigger, either as the sole criterion or in combination with a consumer count:
- California (CCPA/CPRA) -- $26.625 million in annual gross revenue (inflation-adjusted, started at $25M). Revenue alone is enough to trigger coverage, even if you have very few California consumers.
- Utah (UCPA) -- $25 million in annual revenue AND either 100,000 consumers or 25,000 consumers + 50% revenue from data sales. Both prongs are required, making Utah the most business-friendly state privacy law.
- Tennessee (TIPA) -- $25 million in annual revenue AND either 100,000 consumers or 25,000 consumers + 50% revenue from data sales. Same dual-prong structure as Utah.
Revenue triggers mean the law can apply even if you serve relatively few consumers in that state, as long as your business is large enough by revenue.
What Rights Do Consumers Have Across States?
Not every state grants the same set of rights. The table below compares consumer rights across six representative laws -- from the broadest (California and GDPR) to the most typical (Virginia and Colorado) to the most restrictive (Texas and Maryland). For a full breakdown of any specific law, click through to its dedicated guide.
| Right | California (CCPA/CPRA) | Virginia (VCDPA) | Colorado (CPA) | Texas (TDPSA) | Maryland (MODPA) | GDPR |
|---|---|---|---|---|---|---|
| Right to access | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Right to correct | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Right to delete | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Right to portability | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Opt out of sale | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Opt out of targeted advertising | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Opt out of profiling | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Limit sensitive data use | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Right to appeal | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Private right of action | ✅ (breaches) | ❌ | ❌ | ❌ | ❌ | ✅ |
| Universal opt-out (GPC) required | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ |
A few patterns stand out:
- Access, correction, deletion, and portability are universal. Every comprehensive privacy law grants these four rights.
- Opt-out of targeted advertising is standard in US state laws but is handled differently under the GDPR, which uses a consent-based model instead.
- Private right of action is rare. Only California (for data breaches) and the GDPR grant consumers the ability to sue directly. In all other US states, only the Attorney General can bring enforcement actions.
- Universal opt-out mechanisms like Global Privacy Control (GPC) are increasingly required. California, Colorado, and Texas all mandate that businesses honor GPC signals.
References
- CCPA/CPRA: Cal. Civ. Code sections 1798.100-1798.199.100. California Legislative Information
- VCDPA: Va. Code Ann. sections 59.1-575 through 59.1-585. Virginia Legislative Information System
- CPA: C.R.S. sections 6-1-1301 through 6-1-1313. Colorado Legislature
- CTDPA: Conn. Gen. Stat. sections 42-515 through 42-525. Connecticut General Assembly
- UCPA: Utah Code sections 13-61-101 through 13-61-404. Utah Legislature
- TDPSA: Tex. Bus. & Com. Code chapter 541. Texas Legislature
- GDPR: Regulation (EU) 2016/679. Official Journal of the European Union
- UK GDPR: Retained EU law, Data Protection Act 2018. UK Legislation
- IAPP US State Comprehensive Privacy Law Comparison: IAPP Resource Center
Last reviewed: February 2026. Privacy laws change frequently. New states may enact laws and existing laws may be amended. Verify all statutory references against the current text of each law and consult qualified legal counsel before making compliance decisions for your business.