State-Specific Data Privacy Regulations in the U.S.: Essential Insights You Should Have
This article has been updated to include details about the Montana privacy law, which took effect on October 1, 2024, and five other states whose laws take effect by January 16, 2025.
The 118th U.S. Congress is in its final stages, and lawmakers have not enacted a comprehensive national data privacy framework. As a result, marketers must prepare to comply with the distinct regulations of 17 states. Seven laws are currently in effect, and ten more are expected to be in effect by January 2026.
This situation presents marketers with 17 different challenges to navigate. While there are some common traits among these regulations—such as granting consumers the ability to view, delete, and opt out of the sale of their personal information—key differences exist in their coverage, definitions, and stipulations.
Moreover, it’s worth noting that Americans are known for their diverse perspectives on issues. It’s entirely possible for individual states to create data protection laws that vary significantly from existing ones. Marketers operating in such environments face an uphill battle.
Below is a list of data privacy laws enacted at the state level, with brief descriptions of which businesses each covers and what it requires. Consult legal counsel to ensure compliance when operating in these states.
Contents Overview
- Current States with Data Privacy Regulations
- Upcoming States with Data Privacy Laws
  - Iowa Data Privacy Act (Effective Jan. 1, 2025)
  - Tennessee Information Protection Act (Effective July 1, 2025)
  - Texas Data Privacy and Security Act (Effective Jan. 1, 2025)
  - Delaware Personal Data Privacy Act (Effective Jan. 1, 2025)
  - New Hampshire Consumer Data Privacy Act (Effective Jan. 1, 2025)
  - New Jersey Consumer Data Privacy Bill (Effective Jan. 16, 2025)
  - Nebraska Data Privacy Act (Effective Oct. 1, 2025)
  - Maryland Online Data Privacy Act (Effective Oct. 1, 2025)
  - Indiana Data Privacy Law (Effective Jan. 1, 2026)
  - Kentucky Consumer Data Protection Act (Effective Jan. 1, 2026)
States with Active Data Privacy Regulations
| STATE | LAW | INITIAL EFFECTIVE DATE |
| --- | --- | --- |
| California | California Consumer Privacy Act | 1/1/2020 |
| Virginia | Virginia Consumer Data Protection Act | 1/1/2023 |
| Colorado | Colorado Privacy Act | 7/1/2023 |
| Connecticut | Connecticut Data Privacy Act | 7/1/2023 |
| Utah | Utah Consumer Privacy Act | 12/31/2023 |
| Oregon | Oregon Consumer Privacy Act | 7/1/2024 |
| Montana | Montana Consumer Data Privacy Act | 10/1/2024 |
California Consumer Privacy Act
Applicable to businesses that:
- Achieve an annual gross revenue of at least $25 million in the prior calendar year.
- Buy, sell, or share personal information of over 100,000 consumers or households.
- Derive over 50% of annual revenues from the sale or sharing of consumers’ personal information.
Mandates businesses to:
- Allow consumers to opt out of the sale of their personal information.
- Facilitate limits on the processing of sensitive personal information.
- Implement data minimization and purpose limitation principles.
- Provide a privacy notice to consumers.
- Ensure compliance with the law by service providers.
- Establish a data retention period.
Virginia Consumer Data Protection Act
Applies to businesses that:
- Control or process the personal information of at least 100,000 Virginia residents, or
- Control or process the personal information of at least 25,000 Virginia consumers and earn over 50% of gross revenue from the sale of personal information in a calendar year.
Obligates businesses to:
- Permit consumers to opt out of the sale of personal information.
- Provide a privacy notice to consumers.
- Maintain data processing agreements with data processors.
- Execute a Privacy Impact Assessment for data processing activities.
Colorado Privacy Act
Applies to businesses that:
- Handle the data of over 100,000 Colorado consumers in a year, or
- Manage data for 25,000+ Colorado consumers while generating revenue through the sale of personal information, such as offering discounts on goods or services.
Requires businesses to:
- Provide consumers an option to opt out of sales of personal information as well as targeted advertising and profiling.
- Issue a privacy notice to consumers.
- Conduct a data protection impact assessment in cases posing a risk to consumer data.
Connecticut Data Privacy Act
Applies to businesses that:
- Process data for over 100,000 Connecticut consumers, excluding personal information solely for payment transactions, or
- Manage data for 25,000+ Connecticut consumers and derive more than 25% of gross revenue from selling personal information.
Mandates businesses to:
- Offer consumers the choice to opt out of processing sensitive personal information.
- Collect and process only the essential amount of data needed.
- Provide a privacy notice to consumers.
- Conduct data protection assessments in scenarios that may pose risks.
Utah Consumer Privacy Act
Applies to businesses that:
- Have annual revenue of $25 million or more, and
- Control or process the personal information of over 100,000 Utah residents in a calendar year, and/or
- Earn more than 50% of gross revenue from selling personal information, and/or
- Control or process the data of at least 25,000 Utah residents.
Business responsibilities include:
- Providing consumers the ability to opt out of selling personal information or targeted advertising.
- Maintaining data processing agreements.
- Presenting a privacy notice to consumers.
Oregon Consumer Privacy Act
Applies to businesses that:
- Control or process the personal information of over 100,000 Oregon consumers, or
- Manage the personal information of 25,000+ Oregon residents and earn at least 25% of gross revenue through data sales.
Business obligations include:
- Giving consumers the ability to correct, delete, and receive their personal information.
- Disclosing the specific third parties with whom personal information is shared.
- Allowing requests for the deletion of derived data.
- Securing consent for processing sensitive data.
- Obtaining explicit consent for profiling adolescent data.
- Permitting consumers to opt out of targeted advertising, data sales, and substantial profiling actions.
- Providing a privacy notice to consumers.
Montana Consumer Data Privacy Act
Applies to businesses that:
- Control or process personal information of 50,000+ Montana residents, or
- Manage data for at least 25,000 Montana consumers and earn over 50% of gross revenue from data sales.
Requirements for businesses include:
- Responding to consumer inquiries.
- Facilitating options for consumers to opt out of data sales.
- Recognizing universal opt-out signals.
- Providing a privacy notice and privacy policy to consumers.
- Acquiring explicit consent before collecting sensitive information.
- Conducting data protection impact assessments for processing sensitive data, data sales, or targeted advertising/profiling.
States with Upcoming Data Privacy Regulations
| STATE | LAW | EFFECTIVE DATE |
| --- | --- | --- |
| Iowa | Iowa Consumer Data Protection Act | 1/1/2025 |
| Delaware | Delaware Personal Data Privacy Act | 1/1/2025 |
| New Hampshire | New Hampshire Consumer Data Protection Act | 1/1/2025 |
| Texas | Texas Data Privacy and Security Act | 1/1/2025 |
| New Jersey | New Jersey Consumer Data Privacy Bill | 1/16/2025 |
| Tennessee | Tennessee Information Protection Act | 7/1/2025 |
| Maryland | Maryland Online Data Privacy Act | 10/1/2025 |
| Nebraska | Nebraska Data Privacy Act | 10/1/2025 |
| Indiana | Indiana Consumer Data Protection Act | 1/1/2026 |
| Kentucky | Kentucky Consumer Data Protection Act | 1/1/2026 |
Iowa Data Privacy Act (Effective Jan. 1, 2025)
Will apply to businesses that:
- Control or process the personal information of over 100,000 Iowa consumers, or
- Manage data for at least 25,000 Iowa residents while earning over 50% of gross revenue from data sales.
Will require businesses to:
- Restrict data processing to specified purposes.
- Provide a privacy notice to consumers.
- Allow consumers the option to opt out of personal information sales.
- Respond to requests for access, deletion, portability, and more.
- Enter into written agreements with service providers.
- Implement adequate security measures for data protection.
Tennessee Information Protection Act (Effective July 1, 2025)
Will apply to businesses that:
- Exceed $25 million in annual revenue, and
- Control or process personal information of over 175,000 Tennessee residents, and/or
- Control or process data for at least 25,000 Tennessee consumers while deriving over 50% of gross revenue from those sales.
Will require businesses to:
- Provide consumers with a privacy notice and policy.
- Respond to consumer requests for access, deletion, and more.
- Process data only for its intended purposes.
- Allow consumers to opt out of data sales.
- Maintain written agreements with service providers.
Texas Data Privacy and Security Act (Effective Jan. 1, 2025)
Will apply to businesses that:
- Engage in the sale of personal information, and
- Are not classified as small businesses by the Small Business Administration.
Will require businesses to:
- Permit opting out of personal information sales.
- Fulfill consumer requests.
- Acquire explicit consent for sensitive information processing.
- Conduct data protection impact assessments.
- Have written contracts with service providers.
Delaware Personal Data Privacy Act (Effective Jan. 1, 2025)
Will apply to businesses that:
- Control or process the personal information of over 35,000 Delaware consumers, or
- Generate over 20% of revenue from selling data of at least 10,000 Delaware consumers.
Will require businesses to:
- Limit the collection of personal information to what’s adequate and necessary.
- Obtain consent for processing sensitive personal information.
- Honor consumer requests.
- Allow consumers to opt out via an opt-out preference signal.
- Provide a privacy notice to consumers.
- Conduct data protection assessments.
New Hampshire Consumer Data Privacy Act (Effective Jan. 1, 2025)
Will apply to businesses that:
- Control or process personal information of at least 35,000 unique consumers, excluding data processed solely for payment transactions; or
- Control or process the personal information of at least 10,000 unique consumers while earning over 25% of gross revenue from data sales.
Will require businesses to:
- Afford consumers the same privacy protections mandated in other states.
New Jersey Consumer Data Privacy Bill (Effective Jan. 16, 2025)
Will apply to businesses that:
- Control or process personal information of 100,000+ New Jersey consumers, excluding data handled solely for payment transactions; or
- Control or process the personal information of 25,000+ New Jersey residents while deriving revenue or discounts from personal information sales.
Will require businesses to:
- Collect only the minimum data necessary for intended purposes;
- Secure consent for processing sensitive data or data concerning children, with clear revocation mechanisms;
- Obtain consent for processing data of children for targeted advertising, sales, or profiling if the business has knowledge that the consumer is aged between 13 and 17;
- Inform consumers about data processing intentions;
- Establish comprehensive data security measures;
- Conduct necessary data protection assessments;
- Ensure written agreements with service providers for data processing;
- Verify whether the business processes a consumer’s personal information, excluding trade secrets;
- Correct inaccuracies upon request;
- Delete personal data upon request;
- Facilitate data portability;
- Allow consumers to opt out of targeted advertising or data sales.
Nebraska Data Privacy Act (Effective Oct. 1, 2025)
Will apply to businesses that:
- Engage in the sale of personal information and
- Are not deemed a small business by the Small Business Administration.
Will require businesses to:
- Allow consumers to:
  - Understand what personal information is being used.
  - Access their personal information.
  - Delete their personal information.
  - Opt out of data sales or targeted advertising processing.
- Implement necessary technical and organizational safeguards for data protection.
- Respond promptly to consumer requests.
Maryland Online Data Privacy Act (Effective Oct. 1, 2025)
This law prohibits the sale of personal data. Companies may only gather, process, or share personal data that is strictly necessary for fulfilling or maintaining the specific products or services requested by the consumer.
Will apply to businesses that:
- Handle data for 35,000+ consumers, or
- Manage data for 10,000+ consumers while deriving over 20% of revenue from data sales.
Will require businesses to:
- Allow consumers to:
  - Understand what personal information is being utilized.
  - Access their personal information.
  - Delete personal information.
  - Opt out of data sales or processing for targeted advertising or profiling.
Indiana Data Privacy Law (Effective Jan. 1, 2026)
Will apply to businesses that:
- Manage personal information for over 100,000 Indiana consumers, or
- Handle data for at least 25,000 Indiana consumers while deriving over 50% of revenue from data sales.
Will require businesses to:
- Facilitate consumers’ options to opt out of data sales.
- Furnish a detailed privacy notice.
- Conduct data impact assessments when involved in targeted advertising.
- Limit data processing to its intended purposes.
- Obtain explicit consent before processing sensitive personal information.
Kentucky Consumer Data Protection Act (Effective Jan. 1, 2026)
Will apply to businesses that:
- Handle personal information for 100,000+ Kentucky residents, or
- Manage data for at least 25,000 Kentucky residents while earning over 50% of revenue from personal information sales.
Will require businesses to:
- Allow consumers to:
  - Understand what personal information is being used.
  - Access personal information.
  - Delete their personal information.
  - Opt out of data sales or targeted advertising processing.
- Establish necessary technical and organizational safeguards for data security.
- Respond to consumer requests in a timely manner.
- Conduct data protection impact assessments for any high-risk processing activities.