State Privacy Legislation

In the wake of the European Union's General Data Protection Regulation (GDPR), a growing number of states across the country are considering comprehensive privacy legislation of their own. Most of the proposals aim to give residents new rights of ownership over their data and establish new transparency requirements for entities that process personal data. Individuals would have the right to access, delete, correct, and move their data, or to opt out of data collection. Some of the proposed measures could affect data maintained by colleges and universities in these states.

Recent State Actions

Enacted Legislation

  • California Consumer Privacy Act and California Privacy Rights Act

    The California Consumer Privacy Act (CCPA), enacted in 2018 and effective January 1, 2020, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The law protects the personal data of "residents" of California—whether living in California or temporarily outside the state—collected by any company that does business in California for profit. CCPA applies to any business that (1) has annual gross revenue of more than $25 million, (2) buys, receives, sells, or shares the personal information of 50,000+ "residents," or (3) derives more than 50 percent of its annual revenue from the sale of personal data. Personal data subject to the Health Insurance Portability and Accountability Act (HIPAA) and certain other laws are exempted from the CCPA, but data subject to the Family Educational Rights and Privacy Act (FERPA) are not included in those exemptions.

    In November 2020, California voters approved Proposition 24, a ballot measure that creates the California Privacy Rights Act (CPRA). The CPRA modifies the CCPA, creating new and expanded rights for California residents and new compliance obligations for businesses. The CPRA applies to any for-profit entity that does business in California, collects and uses the personal information of Californians, and either (1) has annual gross revenues of at least $25 million in the preceding calendar year, (2) buys, sells, or shares the personal information of at least 100,000 California residents or households, or (3) derives at least 50 percent of its revenue from selling or sharing personal information. The CPRA takes effect on January 1, 2023, and enforcement begins on July 1, 2023.

  • Colorado Privacy Act

    The Colorado Privacy Act (CPA), effective July 1, 2023, provides residents with a right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling, and creates rights of access, correction, deletion, and data portability, among other things. The law applies to legal entities that conduct business or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado, and that either (1) control or process personal data of 100,000 consumers during a calendar year or (2) derive revenue or receive a discount on the price of goods from the sale of personal data, or process or control the personal data of 25,000 consumers or more. Personal data subject to FERPA, HIPAA, and certain other laws are exempted from the CPA.

  • Connecticut Personal Data Privacy and Online Monitoring Act

    The Connecticut Personal Data Privacy and Online Monitoring Act contains obligations and rights substantially similar to those of the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (VCDPA). The bulk of the statute took effect July 1, 2023. The Connecticut Privacy Act provides status-based exemptions for institutions of higher education, as well as data-based exemptions for personal information regulated by the Family Educational Rights and Privacy Act (FERPA).

  • Delaware Personal Data Privacy Act

    The Delaware Personal Data Privacy Act, slated to take effect on January 1, 2025, applies to businesses that control or process the personal data of either 35,000 or more consumers (excluding data for payment transactions) or 10,000 or more consumers while deriving 20 percent or more of their annual gross revenue from selling personal data. The act exempts data subject to federal regulations such as HIPAA (Health Insurance Portability and Accountability Act), the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act (FERPA).

  • Indiana Consumer Data Protection Act

    The Indiana Consumer Data Protection Act (ICDPA), slated to take effect on January 1, 2026, hews closely to the laws in Virginia, Utah, and Iowa. The law applies to entities that do business in Indiana and process personal data of more than 100,000 Indiana consumers, or that process personal data of 25,000 Indiana consumers while also deriving 50 percent of their income from the "sale" of personal data. The ICDPA does not apply to institutions of higher education, government entities (including third parties while doing business with those entities), nonprofits, or public utilities.

  • Iowa Consumer Data Protection Act

    The Iowa Consumer Data Protection Act, effective on January 1, 2025, applies to companies that (1) control or process data of at least 100,000 Iowa consumers, or (2) control or process data of at least 25,000 Iowa consumers and derive 50 percent of their revenue from the sale of personal data. Like other data privacy laws, the Iowa legislation assigns specific requirements to controllers of personal data and establishes rights for consumers, or data subjects. Such consumer rights include the right to data portability; to confirm whether a controller is processing data and to access that data; to delete data provided by the consumer; and to opt out of the sale of personal data, among other things. The law incorporates broad exemptions for various entities and for data regulated under certain federal laws, including non-profits and higher education institutions, as well as personal data regulated by the Family Educational Rights and Privacy Act (FERPA).

  • Montana Consumer Data Privacy Act

    The Montana Consumer Data Privacy Act, effective on October 1, 2024, generally follows the models set forth by Virginia and Connecticut and expands privacy protections for state residents. The act includes broad exemptions for various entities and for data regulated under certain federal laws, including non-profits and higher education institutions, as well as personal data regulated by the Family Educational Rights and Privacy Act (FERPA).

  • Oregon Consumer Privacy Act

    The Oregon Consumer Privacy Act, which will take effect on July 1, 2024, applies to businesses that control or process the personal data of either 100,000 or more consumers (excluding data for payment transactions) or 25,000 or more consumers while deriving 25 percent or more of their annual gross revenue from selling personal data. The act exempts data subject to federal regulations such as HIPAA (Health Insurance Portability and Accountability Act), the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act (FERPA).

  • Tennessee Information Protection Act

    The Tennessee Information Protection Act, slated to take effect on July 1, 2025, generally follows the models set forth by Virginia and Connecticut and expands privacy protections for state residents. The act includes broad exemptions for various entities and for data regulated under certain federal laws, including non-profits and higher education institutions, as well as personal data regulated by the Family Educational Rights and Privacy Act (FERPA).

  • Texas Data Privacy and Security Act

    The Texas Data Privacy and Security Act, slated to take effect on July 1, 2024, follows the framework of Virginia's state privacy bill, but does not include the monetary thresholds for applicability that other states adopted. Entities must comply with its requirements if they (a) conduct business in Texas or generate products or services consumed by Texas residents; (b) process or engage in the sale of personal data; and (c) do not identify as a small business as defined by the U.S. Small Business Administration. Similar to other state legislation, the act exempts institutions of higher education, as well as personal data regulated by FERPA.

  • Utah Consumer Privacy Act

    The Utah Consumer Privacy Act, effective December 31, 2023, contains provisions similar to the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA). It provides Utah residents with certain consumer protections, including the right to access, the right of deletion, the right to data portability, and the right to opt out. The law exempts information covered under the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA), among other things.

  • Virginia Consumer Data Protection Act

    The Virginia Consumer Data Protection Act, enacted in March 2021 and effective January 1, 2023, gives residents new rights of ownership over their data and establishes new transparency requirements for entities that process personal data. The law applies to any entity that conducts business in Virginia or intentionally targets Virginia with products and/or services and that (1) controls or processes personal data of 100,000+ consumers or (2) derives more than 50 percent of its annual revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 consumers. Personal data subject to FERPA, HIPAA, and certain other laws are exempted from the Virginia Consumer Data Protection Act.

Proposed Legislation

Lawmakers in numerous states have unveiled legislative proposals to regulate personal consumer data privacy. Other states are likely to follow suit. View a comparison of state comprehensive privacy laws developed by the International Association of Privacy Professionals (IAPP) Westin Research Center.

Updates

Sourced from AACRAO Transcript. Member login required.

Resources

The International Association of Privacy Professionals created a State Comprehensive Privacy Law Comparison Map as a resource to stay abreast of the changing state-privacy landscape. Although many of the bills included in the table will fail to become law, comparing the key provisions in each bill can be helpful in understanding how privacy is developing in the United States.

  • AACRAO: What you should know about the new California Consumer Privacy Act

  • Medium: What does the California Consumer Privacy Act Mean for Colleges and Universities?

  • JD Supra: A Comprehensive Review of the new Washington Privacy Act

  • IAPP: Comparing the new Washington Privacy Act to the CCPA

  • IAPP: CCPA Amendment Tracker

  • Termageddon: Nevada Privacy Law Compliance Guide

  • AACRAO: Implications of the General Data Protection Regulation: An Interassociation Guide