
US privacy legislations overview

Disclaimer: Please note that this table does not provide exhaustive guidance on each single legislation and their application. For further information, we recommend consulting the link to the official texts of the legislations below.

This table presents an overview of the state-level privacy legislations in the United States (“US”) that have been recently adopted or are expected to be passed in the near future.

The effective date of the bills that have not been passed yet and the content thereof may be subject to changes. The rights granted to users indicated in the table are identified through standard denominations. Although such denominations can overlap, the name attributed in each legislation, the content and the details relating to their exercise may differ.

As most of the US state-level privacy legislations have been broadly inspired by the California Consumer Privacy Act (“CCPA”), the table includes a column that identifies the specific elements of each legislation resembling the CCPA.

  • Legislations already in force (highlighted in green)
  • Legislations adopted but not in force (highlighted in yellow)
  • No comprehensive privacy legislation currently available (highlighted in light red)

US privacy cheatsheet – Comparison table

Questions
Nevada
California
Colorado
Virginia
Connecticut
Utah
Oregon
Texas
Montana
Iowa
Kentucky
New Jersey
Delaware
New Hampshire
Nebraska
Maryland
Illinois
Minnesota
Alabama
Oklahoma
Washington
New York
Massachusetts
Arizona
Maine
Date of entry into force

First enacted in 2017 and subsequently amended in 2019 and 2021

California Privacy Rights Act (CPRA)

Effective January 1, 2023

Colorado Privacy Act

Effective July 1, 2023

Virginia Consumer Data Protection Act (VCDPA)

Effective January 1, 2023

An Act Concerning Personal Data Privacy and Online Monitoring

Effective July 1, 2023

Utah Consumer Privacy Act

Effective December 31, 2023

Oregon Consumer Privacy Act

Effective July 1, 2024

Texas Data Privacy and Security Act

Effective July 1, 2024

Consumer Data Privacy Act

Effective October 1, 2024

An Act Relating to Consumer Data Protection

Effective January 1, 2025

Consumer Data Protection Act

Effective January 1, 2026

Effective Date: January 15, 2025

Effective Date: January 1, 2025

Effective Date: January 1, 2025

Effective Date: January 1, 2025

No comprehensive privacy legislation currently available

No comprehensive privacy legislation currently available

No comprehensive privacy legislation currently available

No comprehensive privacy legislation currently available

No comprehensive privacy legislation currently available

No comprehensive privacy legislation currently available

No comprehensive privacy legislation currently available

No comprehensive privacy legislation currently available

No comprehensive privacy legislation currently available

No comprehensive privacy legislation currently available

Does it apply to me?

The Nevada Privacy Law applies, among others, to operators, generally persons who own or operate websites or online services for commercial purposes, collect and maintain personally identifiable information from Nevada consumers, and direct their activities toward Nevada.

The law applies to you if you’re a legal entity doing business in California for profit that collects consumers’ personal information (or on whose behalf such information is collected), that alone or jointly with others determines the purposes and means of the processing of consumers’ personal information, and that meets one or more of the following:

  • has annual gross revenues in excess of $25,000,000;
  • annually buys, sells, or shares the personal information of 100,000 or more consumers or households; and/or
  • derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

The law applies to you if you’re a legal entity that does business in Colorado or produces commercial products or services that intentionally target Colorado residents and

  • controls or processes personal data of at least 100K consumers per year, or
  • controls or processes the personal data of at least 25,000 consumers and derives revenue (or receives a discount on the price of goods or services) from the sale of personal data.

The law applies to you if you’re a person that does business in Virginia or who targets Virginia residents and:

  • controls or processes personal data of at least 100K consumers per year, or
  • controls or processes personal data of at least 25K consumers and with over 50% of the gross revenue coming from the sale of personal data.

The law applies to you if you’re a business (whether based in Connecticut or not) that targets Connecticut residents and that:

  • during a calendar year, controls or processes personal data of not less than 100,000 consumers; or
  • controls or processes personal data of not less than 25,000 consumers and derives more than 50% of its gross revenue from the sale of personal data.

The law applies to any controller or processor who conducts business in Utah or produces a product or service that is targeted to residents of Utah, has annual revenue of $25,000,000 minimum, and satisfies one or more of the following:

  • during a calendar year, controls or processes personal data of 100,000 or more consumers; or
  • derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

The law applies to any person that conducts business in Oregon, or that provides products or services to residents of Oregon, and that during a calendar year, controls or processes the personal data of:

  • 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • 25,000 or more consumers, while deriving 25 percent or more of its annual gross revenue from selling personal data.

The law applies to any person conducting business in Texas or producing a product or service consumed by Texas residents and that:

  • processes or engages in the sale of personal data; and
  • is not a small business under the Small Business Administration (SBA).
However, even small businesses are required to obtain consumers’ consent for the sale of sensitive data.

The law applies to persons that conduct business in Montana, or that produce products or services that are targeted to Montana residents, and:

  • control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed for completing a payment transaction; or
  • control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

The ICDPA applies to persons that conduct business in Iowa or offer products or services targeted at Iowa residents and, during a calendar year, either:

  • Control or process the personal data of at least 100,000 consumers; or
  • Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

The NJDPA applies to businesses that conduct business in New Jersey or offer products or services targeting New Jersey residents and, during a calendar year, either:

  • Control or process personal data of at least 100,000 consumers (excluding data processed solely for payment transactions), or
  • Control or process the personal data of at least 25,000 consumers and derive revenue, or receive discounts on goods or services, from the sale of personal data.

This law applies to businesses that operate in Delaware or offer products or services to Delaware residents and:

  • process the personal data of at least 35,000 consumers (excluding data solely related to payment transactions)
  • process the personal data of at least 10,000 consumers and derive more than 20% of gross revenue from selling personal data.

The NHDPA applies to businesses that conduct business in New Hampshire or offer products or services targeted to New Hampshire residents and, during a calendar year, either:

  • Control or process the personal data of at least 100,000 consumers (excluding data processed solely for payment transactions), or
  • Control or process the personal data of at least 25,000 consumers and derive more than 25% of their revenue from the sale of personal data.

The NDPA applies to businesses that:

  • Conduct business in Nebraska or produce products or services consumed by Nebraska residents;
  • Process or engage in the sale of personal data; and
  • Are not classified as small businesses under the federal Small Business Act.

Who does it protect?

Nevada consumers

Consumers. Natural persons who reside in the state of California.

Consumers. An individual who is a Colorado resident acting only in an individual or household context.

Consumers. Natural persons who reside in the state of Virginia.

Consumers. A natural person who is a resident of Connecticut.

Consumer. An individual who is a resident of the state acting in an individual or household context.

Consumers. Individuals who reside in the state of Oregon.

Consumers. Individuals who reside in the state of Texas.

Consumers. Individuals who reside in the state of Montana.

This legislation aims to safeguard the personal data of Iowa consumers

New Jersey consumers

Delaware consumers

New Hampshire consumers

Nebraska consumers

What rights does the law grant to users?

Right to Opt-Out of Sale: Nevada residents have the right to opt out of the sale of their personal information. Operators must establish a designated request address (e.g., an email address, toll-free number, or online form) for consumers to submit verified requests to opt out. Operators must respond within 60 days (with an optional 30-day extension, if necessary).

  • Right to know and access
  • Right to delete personal information
  • Right to correct inaccurate personal information
  • Right to opt-out of the sale or sharing of personal information
  • Right to limit the use/disclosure of sensitive personal information
  • Right to non-discrimination for the exercise of consumers’ privacy rights

  • Rights of access and data portability
  • Right to correction
  • Right to deletion
  • Right to opt-out of processing for purposes of targeted advertising, profiling, or the sale of personal data, and
  • Right to appeal.

  • Rights of access and data portability
  • Right to erasure
  • Right to rectification
  • Right to opt-out of processing for purposes of targeted advertising, profiling, or the sale of personal data.

  • Rights of access and data portability
  • Right to correction
  • Right to deletion
  • Right to opt-out of processing for purposes of targeted advertising, profiling, or the sale of personal data, and
  • Right to appeal.

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to data portability
  • Right to opt-out of the processing of the consumer’s personal data for purposes of:
    • targeted advertising
    • the sale of personal data

  • Confirm whether the controller has or is processing their personal data and relevant categories of personal data;
  • Obtain, at the controller’s option, a list of specific third parties with whom the controller has shared their personal data;
  • Obtain a copy of all of the consumer’s personal data that the controller has processed or is processing (portable and, to the extent technically feasible, readily usable format);
  • Require the controller to correct inaccurate personal data;
  • Require the deletion of all personal data, including personal data the consumer provided to the controller, personal data the controller obtained from another source, and derived data;
  • Opt out of any processing activity performed for purposes of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal effects or effects of similar significance;
  • Not to be discriminated against for the exercise of rights

  • Confirm whether their personal data is being processed and access it;
  • correct inaccuracies;
  • deletion;
  • obtain a copy of all of the consumer’s personal data that the controller has processed or is processing (portable and, to the extent technically feasible, readily usable format);
  • opt out of the processing for purposes of targeted advertising, sale, and profiling;
  • not to be discriminated against for the exercise of rights.

  • confirm whether a controller is processing their personal data and access it (unless confirmation/access would require the controller to reveal a trade secret);
  • obtain a copy of the consumer’s personal data (portable and, to the extent technically feasible, readily usable format → should allow the consumer to transmit data to another controller without hindrance when processing is performed with automated means);
  • request the controller to correct inaccurate personal data;
  • require the deletion of personal data;
  • opt out of processing activities performed for purposes of targeted advertising, sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects;
  • not to be discriminated against for the exercise of rights.

  • Access and Confirmation: Consumers can confirm whether a business is processing their personal data and access that data.
  • Data Portability: Consumers can obtain a copy of their personal data in a portable and, to the extent technically practicable, readily usable format that enables data transfer to another controller.
  • Deletion: Consumers can request the deletion of their personal data.
  • Opt-Out Rights: Consumers can opt out of the sale of their personal data and targeted advertising.
  • Non-Discrimination: Consumers must not be discriminated against for exercising their rights.

  • Access and Confirmation: Consumers can confirm whether their personal data is being processed and access that data (unless revealing the data would expose trade secrets).
  • Data Portability: Consumers can obtain a copy of their personal data in a portable, usable format that allows for easy transfer to another controller.
  • Correction: Consumers can request that inaccurate personal data be corrected.
  • Deletion: Consumers can request the deletion of their personal data.
  • Opt-Out Rights: Consumers can opt out of targeted advertising, the sale of their personal data, and certain profiling activities.
  • Non-Discrimination: Consumers cannot be discriminated against for exercising their rights.

  • Access and Confirmation: Consumers can ask if a business is processing their data and can access it, unless this would reveal trade secrets.
  • Data Copy in a Usable Format: individuals have the right to request a copy of their personal data in a format they can easily use or transfer to another entity.
  • Correction of Inaccurate Data: Consumers may request corrections to inaccurate personal data.
  • Deletion: Consumers can request the deletion of their personal data.
  • Opt-Out Options: Consumers can opt out of having their data used for targeted advertising, being sold, or profiling.
  • Non-Discrimination: Businesses are not allowed to treat consumers unfairly if they choose to exercise their DPDPA rights.
  • List of Third-Party Data Sharing: Consumers can request a list of third parties with whom the business has shared their data.

  • Access and Confirmation: Consumers can confirm whether their personal data is being processed and access it (unless revealing the data would expose trade secrets).
  • Data Portability: Consumers can obtain a copy of their personal data in a portable format, allowing easy transfer to another service provider.
  • Correction of Inaccurate Data: Consumers can request that inaccurate or incomplete data be corrected.
  • Deletion: Consumers can request the deletion of their personal data.
  • Opt-Out Rights: Consumers can opt out of the sale of their personal data, targeted advertising, and certain profiling activities.
  • Non-Discrimination: Consumers cannot be discriminated against for exercising their rights under the NHDPA.

  • Access and Confirmation: Consumers can confirm whether a controller is processing their personal data and access that data.
  • Correction: Consumers can request the correction of inaccurate personal data.
  • Deletion: Consumers can request the deletion of personal data they have provided or that has been obtained about them.
  • Data Portability: If the data is processed via automated means and in a digital format, consumers can request a copy of their personal data in a portable and usable format.
  • Opt-Out Rights: Consumers can opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, and profiling that leads to decisions with legal or similarly significant effects.
  • Non-Discrimination: Consumers cannot be discriminated against for exercising their rights under the NDPA.

Do I need to provide a privacy notice?

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

Are trackers (e.g. cookies) regulated?

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

Do I need to honor consumers’ opt-out preference signals? (e.g. GPC – Global Privacy Control)

NO

YES

YES

NO

YES

NO

YES

YES

YES

NO

By July 15, 2025, businesses will need to provide consumers with an option to opt out of the sale of personal data, targeted advertising, and profiling through universal opt-out signals.

Starting January 1, 2026, businesses must honor consumers’ universal opt-out signals to opt out of targeted advertising and data sales.

By January 1, 2025, businesses will need to allow consumers to opt out of the sale of their personal data and targeted advertising through universal opt-out signals.

NO

Do I need to allow consumers to opt-out of the processing of personal data with regard to certain purposes?

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

Do I need to obtain consumers’ prior consent (opt-in) before processing sensitive data?

Not Applicable

NO

YES

YES

YES

NO

YES

YES

YES

Businesses can only process sensitive data if they give consumers clear notice and the opportunity to opt out. Please note that the processing of children’s sensitive data must align with the Children’s Online Privacy Protection Act (COPPA) and requires opt-in consent.

YES

YES

YES

YES

What are the consequences in case of violation?

Civil penalty for violation or injunction. Civil penalties up to $5,000 per violation.

Non-compliance with the Nevada Privacy Law may result in civil penalties of up to $5,000 per violation. Authorities may also seek injunctions to prevent further violations.

Civil penalty of not more than $20,000 per violation.

Civil penalty of up to $7,500 for each violation.

Civil penalty of not more than $5,000 for each willful violation, plus expenses incurred by the Attorney General in investigating and preparing the case, including attorney fees.

By initiating an action, the Attorney General may recover (i) actual damages to the consumer; and (ii) an amount not to exceed $7,500 for each violation.

The Attorney General may bring an action to seek a civil penalty of not more than $7,500 for each violation or to enjoin a violation or obtain other equitable relief.

A person who violates the obligations imposed under the law following the cure period or who breaches a written statement provided to the Attorney General is liable for a civil penalty in an amount not to exceed $7,500 for each violation.

The Attorney General may bring an action to seek a civil penalty. However, the penalty amount is not specified in the law.

Non-compliance can result in civil penalties of up to $7,500 per violation, payable to the consumer education and litigation fund.

Businesses that fail to comply with the law may be subject to civil penalties, which could result in significant financial consequences. Until July 1, 2026, violators have 30 days to remedy any violations after receiving written notice.

While the DPDPA does not explicitly mention specific civil penalties or fines, non-compliance with the provisions is generally subject to the enforcement powers of the Delaware DOJ. This could result in civil fines, penalties, or required corrective actions.

The New Hampshire Attorney General’s Office will have exclusive authority to enforce the NHDPA. Non-compliance with the law can result in significant penalties, with businesses given 60 days to remedy violations after receiving written notice (until December 31, 2025).

The Nebraska Attorney General’s Office will have exclusive authority to enforce the NDPA. Non-compliance with the law could result in significant penalties, and businesses will have 30 days to remedy violations after receiving written notice.


Nevada

Entry into force 1 Oct 2019:
https://www.leg.state.nv.us/NRS/NRS-603A.html#NRS603ASec330

Amended version in force as of 1 Oct 2021:

California

California Privacy Rights Act
https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5

Learn more about the CPRA in this article: CPRA: Intro to the CCPA 2.0 and how it affects you

Virginia

Virginia Consumer Data Protection Act

Learn more about the VCDPA in this article: Virginia Consumer Data Protection Act

Vermont

Vermont Consumer Protection in Data and Technology Act
https://legislature.vermont.gov/bill/status/2022/H.75

Florida

The Florida Information Protection Act (FIPA)
http://www.leg.state.fl.us/Statutes/index.cfm?App_mode=Display_Statute&URL=0500-0599/0501/Sections/0501.171.html

Maryland

Maryland Online Consumer Protection Act
http://mgaleg.maryland.gov/mgawebsite/Legislation/Details/SB0930?ys=2021RS

Illinois

Illinois Consumer Privacy Act
https://legiscan.com/IL/text/HB3910/id/2302440

Minnesota

Minnesota Consumer Data Privacy Act
https://www.revisor.mn.gov/bills/bill.php?b=House&f=HF1492&ssn=0&y=2021

Alabama

Alabama Consumer Privacy Act
http://alisondb.legislature.state.al.us/alison/searchableinstruments/2021RS/bills/HB216.htm

Connecticut

https://www.cga.ct.gov/asp/cgabillstatus/cgabillstatus.asp?selBillType=Bill&bill_num=SB00893&which_year=2021

Oklahoma

Oklahoma Computer Data Privacy Act
http://www.oklegislature.gov/BillInfo.aspx?Bill=hb2968&Session=2200

Washington

Washington People’s Privacy Act
https://app.leg.wa.gov/billsummary?BillNumber=1433&Year=2021&Initiative=false

New York

New York Privacy Act
https://www.nysenate.gov/legislation/bills/2021/A680

Massachusetts

Massachusetts Information Privacy Act
https://malegislature.gov/Bills/192/SD1726

Utah

Utah Consumer Privacy Act
https://le.utah.gov/~2021/bills/static/SB0200.html

Arizona

https://apps.azleg.gov/BillStatus/BillOverview/76066

Kentucky

https://legiscan.com/KY/text/HB15/2024
