Disclaimer: Please note that this table does not provide exhaustive guidance on each individual legislation and its application. For further information, we recommend consulting the official texts of the legislations linked below.
This table is intended to present an overview of the state-level privacy legislations in the United States (“US”) that have been recently adopted or are expected to be passed in the near future.
The effective date of the bills that have not been passed yet and the content thereof may be subject to changes.
The rights granted to users indicated in the table are identified through standard denominations. Although such denominations can overlap, the name attributed in each legislation, the content and the details relating to their exercise may differ.
As most of the US state-level privacy legislations have been broadly inspired by the California Consumer Privacy Act (“CCPA”), the table includes a column that identifies the specific elements of each legislation resembling the CCPA.
Legislations already in force (highlighted in green)
Legislations adopted but not in force (highlighted in yellow)
No comprehensive privacy legislation currently available (highlighted in light red)
US privacy cheatsheet – Comparison table
Questions
Nevada
California
Colorado
Virginia
Connecticut
Utah
Oregon
Texas
Montana
Maryland
Iowa
Illinois
Minnesota
Alabama
Oklahoma
Washington
New York
Massachusetts
Arizona
Kentucky
Maine
Date of entry into force
2017. Subsequent amendments in 2019 and 2021, with the latest version becoming effective on 1 Oct 2021
California Privacy Rights Act (CPRA)
Effective January 1, 2023
Colorado Privacy Act
Effective July 1, 2023
Virginia Consumer Data Protection Act (VCDPA)
Effective January 1, 2023
An Act Concerning Personal Data Privacy and Online Monitoring
Effective July 1, 2023
Utah Consumer Privacy Act
Effective December 31, 2023
Oregon Consumer Privacy Act
Effective July 1, 2024
Texas Data Privacy and Security Act
Effective July 1, 2024
Consumer Data Privacy Act
Effective October 1, 2024
No comprehensive privacy legislation currently available
An Act Relating to Consumer Data Protection
Effective January 1, 2025
No comprehensive privacy legislation currently available
No comprehensive privacy legislation currently available
No comprehensive privacy legislation currently available
No comprehensive privacy legislation currently available
No comprehensive privacy legislation currently available
No comprehensive privacy legislation currently available
No comprehensive privacy legislation currently available
No comprehensive privacy legislation currently available
Consumer Data Protection Act
Effective January 1, 2026
No comprehensive privacy legislation currently available
Does it apply to me?
It applies to you if you fall into the category of either Data collector, namely any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.
Operators and data brokers are also included.
The law applies to you if you’re a legal entity doing business in California for profit that collects consumers’ personal information, or on behalf of which such information is collected, and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, and that meets one or more of the following:
annual gross revenues in excess of $25,000,000;
annually buy, sell, or share the personal information of 100,000 or more consumers or households; and/or
derive 50% or more of their annual revenues from selling or sharing consumers’ personal information.
The law applies to you if you’re a legal entity that does business in Colorado or produces commercial products or services that intentionally target Colorado residents and
controls or processes personal data of at least 100K consumers per year, or
controls or processes the personal data of at least 25,000 consumers and derives revenue (or receives a discount on the price of goods or services) from the sale of personal data.
The law applies to you if you’re a person that does business in Virginia or who targets Virginia residents and:
controls or processes personal data of at least 100K consumers per year, or
controls or processes personal data of at least 25K consumers and with over 50% of the gross revenue coming from the sale of personal data.
The law applies to you if you’re a Business (whether based in Connecticut or not) that targets Connecticut residents and that:
during a calendar year, controls or processes personal data of not less than 100,000 consumers; or
controls or processes personal data of not less than 25,000 consumers and derives more than 50% of its gross revenue from the sale of personal data.
The law applies to any controller or processor who conducts business in Utah or produces a product or service that is targeted to residents of Utah, has annual revenue of $25,000,000 minimum, and satisfies one or more of the following:
during a calendar year, controls or processes personal data of 100,000 or more consumers; or
derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
The law applies to any person that conducts business in Oregon, or that provides products or services to residents of Oregon, and that during a calendar year, controls or processes the personal data of:
100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
25,000 or more consumers, while deriving 25 percent or more of its annual gross revenue from selling personal data.
The law applies to any person conducting business in Texas or producing a product or service consumed by Texas residents and that:
processes or engages in the sale of personal data; and
is not a small business under the Small Business Administration (SBA).
However, even small businesses are required to obtain consumers’ consent for the sale of sensitive data.
The law applies to persons that conduct business in Montana, or that produce products or services that are targeted to Montana residents, and:
control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed for completing a payment transaction; or
control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.
Who does it protect?
Residents of Nevada
Consumers. Natural persons who reside in the state of California.
Consumers. An individual who is a Colorado resident acting only in an individual or household context.
Consumers. Natural persons who reside in the state of Virginia.
Consumers. A natural person who is a resident of Connecticut.
Consumer. An individual who is a resident of the state acting in an individual or household context.
Consumers. Individuals who reside in the state of Oregon.
Consumers. Individuals who reside in the state of Texas.
Consumers. Individuals who reside in the state of Montana.
What rights does the law grant to users?
Right to review and request changes to their covered information;
right to opt-out of the sale of personal information.
Right to know and access
Right to delete personal information
Right to correct inaccurate personal information
Right to opt-out of the sale or sharing of personal information
Right to limit the use/disclosure of sensitive personal information
Right to non-discrimination for the exercise of consumers’ privacy rights
Rights of access and data portability
Right to correction
Right to deletion
Right to opt-out of processing for purposes of targeted advertising, profiling, or the sale of personal data, and
right to appeal.
Rights of access and data portability
Right to erasure
Right to rectification
Right to opt-out of processing for purposes of targeted advertising, profiling, or the sale of personal data.
Rights of access and data portability
Right to correction
Right to deletion
Right to opt-out of processing for purposes of targeted advertising, profiling, or the sale of personal data, and
right to appeal.
Right of access
Right to rectification
Right to erasure
Right to data portability
Right to opt-out of the processing of the consumer’s personal data for purposes of:
targeted advertising
the sale of personal data
Confirm whether the controller has or is processing their personal data and relevant categories of personal data;
Obtain, at the controller’s option, a list of specific third parties with whom the controller has shared their personal data;
Obtain a copy of all consumer’s personal data that the controller has processed or is processing (portable and, to the extent technically feasible, readily usable format);
Require the controller to correct inaccurate personal data;
Require the deletion of all personal data, including personal data the consumer provided to the controller, personal data the controller obtained from another source, and derived data;
Opt out of any processing activity performed for purposes of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal effects or effects of similar significance;
Not to be discriminated against for the exercise of rights.
Confirm whether their personal data is being processed and access it;
correct inaccuracies;
deletion;
obtain a copy of all consumer’s personal data that the controller has processed or is processing (portable and, to the extent technically feasible, readily usable format);
opt out of the processing for purposes of targeted advertising, sale, and profiling;
not to be discriminated against for the exercise of rights.
confirm whether a controller is processing their personal data and access it (unless confirmation/access would require the controller to reveal a trade secret);
obtain a copy of the consumer’s personal data (portable and, to the extent technically feasible, readily usable format → should allow the consumer to transmit data to another controller without hindrance when processing is performed with automated means);
request the controller to correct inaccurate personal data;
require the deletion of personal data;
opt out of processing activities performed for purposes of targeted advertising, sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects;
not to be discriminated against for the exercise of rights.
Do I need to allow consumers to opt-out of the processing of personal data with regard to certain purposes?
YES
YES
YES
YES
YES
YES
YES
YES
YES
Do I need to obtain consumers’ prior consent (opt-in) before processing sensitive data?
NO
NO
YES
YES
YES
NO
YES
YES
YES
What are the consequences in case of violation?
Civil penalty for violation or injunction. Civil penalties up to $5,000 per violation.
Civil penalty of $2,500 per violation or $7,500 if the violation is intentional or involves the personal information of a child.
Civil penalty of not more than $20,000 per violation.
Civil penalty of up to $7,500 for each violation.
Civil penalty of not more than $5,000 for each willful violation, plus expenses incurred by the Attorney General in investigating and preparing the case, including attorney fees.
By initiating an action, the Attorney General may recover (i) actual damages to the consumer; and (ii) an amount not to exceed $7,500 for each violation.
The Attorney General may bring an action to seek a civil penalty of not more than $7,500 for each violation or to enjoin a violation or obtain other equitable relief.
A person who violates the obligations imposed under the law following the cure period or who breaches a written statement provided to the Attorney General is liable for a civil penalty in an amount not to exceed $7,500 for each violation.
The Attorney General may bring an action to seek a civil penalty. However, the penalty amount is not specified in the law.