U.S. State Privacy Laws: Your Essential Guide

Summary
– Data privacy regulation has bipartisan support with 12 states having laws and 5 more implementing them by 2026, but Congress has failed to pass national legislation.
– Marketers face compliance challenges with varying state laws that share some consumer rights like accessing, deleting, and opting out of personal information sales.
– State laws differ in scope, definitions, and requirements, with some states like Maryland banning personal data sales entirely and requiring strict necessity for data use.
– Most state laws apply based on revenue thresholds or the number of consumers whose data is processed, with common requirements including privacy notices and consumer opt-out mechanisms.
– Businesses must conduct data protection assessments, obtain consent for sensitive data processing, and establish agreements with service providers to ensure compliance across jurisdictions.
Navigating the complex web of U.S. state privacy laws presents a significant challenge for marketers and businesses today. With twelve states already implementing their own regulations and five more set to join by early 2026, the absence of a unified federal standard means organizations must juggle multiple compliance frameworks. These laws share common threads, granting consumers rights to access, delete, and opt out of the sale of their personal information, yet they diverge in critical areas like scope, definitions, and specific obligations. This patchwork approach creates operational hurdles, especially as new states introduce provisions that may differ substantially from existing rules.
California Consumer Privacy Act
Businesses fall under this law if they meet one of these criteria: annual gross revenue exceeding $25 million, handling personal information for 100,000 or more consumers or households, or deriving over half of their annual revenue from selling or sharing personal data. Required actions include enabling consumers to opt out of data sales, limiting sensitive data processing, adhering to data minimization principles, issuing privacy notices, ensuring service provider compliance, and setting data retention timelines.
Virginia Consumer Data Protection Act
This applies to entities controlling or processing personal information of at least 100,000 Virginia residents, or 25,000 residents if they earn 50% or more of gross revenue from data sales. Key requirements involve offering opt-out mechanisms for data sales, providing clear privacy notices, establishing data processing agreements, and performing privacy impact assessments. The law explicitly bans collecting, disclosing, selling, or sharing reproductive or sexual health information without consent, covering a wide range of related details from medical treatments to inferred health insights.
Colorado Privacy Act
Covered businesses include those handling data for 100,000 or more Colorado consumers annually, or 25,000 consumers if revenue is generated from personal data sales. They must provide opt-out options for data sales, targeted advertising, and profiling; supply privacy notices; and conduct data protection impact assessments where consumer risks exist.
Connecticut Data Privacy Act
Applicable to controllers processing data from 100,000 or more Connecticut consumers (excluding payment transaction data) or 25,000 consumers if 25% or more of gross revenue comes from data sales. Obligations include allowing opt-outs for sensitive data processing, practicing data minimization, issuing privacy notices, and conducting risk-based data protection assessments.
Utah Consumer Privacy Act
Businesses must comply if they have $25 million or more in annual revenue and control or process personal information for 100,000 or more Utah residents, or 25,000 residents if over half of gross revenue comes from data sales. They need to provide opt-out mechanisms for data sales and targeted advertising, maintain processing agreements, and deliver privacy notices.
Oregon Consumer Privacy Act
This law affects controllers processing personal information of 100,000 or more Oregon consumers, or 25,000 consumers if 25% or more of gross revenue is derived from data sales. Requirements encompass granting access, correction, deletion, and portability of personal data; listing third-party data recipients; allowing deletion of derived data; obtaining consent for sensitive data and adolescent profiling; enabling opt-outs for targeted advertising, data sales, and significant profiling; and providing privacy notices.
Montana Consumer Data Privacy Act
Coverage extends to businesses controlling or processing personal information of 50,000 or more Montana consumers, or 25,000 consumers if at least 50% of gross revenue comes from data sales. Duties include responding to consumer requests, enabling data sale opt-outs, recognizing universal opt-out mechanisms, issuing privacy notices and policies, securing explicit consent for sensitive data collection, and performing impact assessments for high-risk processing activities.
Iowa Data Privacy Act
Applicable to entities controlling or processing personal information of 100,000 or more Iowa consumers, or 25,000 consumers if 50% or more of gross revenue is from data sales. They must limit data processing to stated purposes, provide privacy notices, allow opt-outs from data sales, respond to consumer requests, establish service provider contracts, and ensure data security.
Texas Data Privacy and Security Act
This applies to businesses engaged in selling personal data that do not qualify as small businesses under Small Business Administration guidelines. Requirements include offering opt-outs for data sales, honoring consumer requests, obtaining explicit consent for sensitive data processing, conducting data protection impact assessments, and maintaining written service provider contracts.
Delaware Personal Data Privacy Act
Covered businesses control or process personal information of 35,000 or more Delaware consumers, or derive 20% or more of revenue from selling data of 10,000 consumers. They must collect only necessary personal information, obtain consent for sensitive data processing, honor consumer requests, support opt-out preference signals, provide privacy notices, and conduct data protection assessments.
New Hampshire Consumer Data Privacy Act
This law applies to controllers processing personal information of 35,000 or more unique consumers (excluding payment data) or 10,000 consumers if 25% or more of gross revenue comes from data sales. It mandates providing privacy protections consistent with other state laws.
New Jersey Consumer Data Privacy Act
Businesses must comply if they control or process personal information of 100,000 or more New Jersey consumers (excluding payment data) or 25,000 consumers if they derive revenue or discounts from data sales. Requirements include data minimization, consent for sensitive or children’s data, consent for processing data of teens for targeted advertising or sales, transparency about processing purposes, implementing security measures, conducting impact assessments, maintaining service provider agreements, confirming data processing, correcting inaccuracies, enabling data deletion and portability, and allowing opt-outs for targeted advertising and data sales.
Minnesota Data Privacy Act
Covered entities control or process personal information of 100,000 or more unique Minnesota consumers, or 25,000 consumers if over 25% of gross revenue comes from data sales. They must confirm data processing (without revealing trade secrets), correct inaccuracies, delete data upon request, provide accessible data copies, allow opt-outs for targeted advertising and data sales, and list third-party data recipients.
Tennessee Information Protection Act
Applicable to businesses with over $25 million in annual revenue that control or process personal information of 175,000 or more Tennessee consumers, or 25,000 consumers if at least 50% of gross revenue comes from data sales. Duties include providing privacy notices and policies, honoring consumer requests, limiting data processing to original purposes, enabling data sale opt-outs, and maintaining service provider contracts.
Maryland Online Data Privacy Act
This law prohibits the sale of personal data, allowing collection, processing, or sharing only when strictly necessary for providing or maintaining a consumer-requested product or service. It applies to businesses processing data of 35,000 or more consumers, or 10,000 consumers if 20% or more of revenue comes from data sales. Requirements include allowing consumers to know, access, delete, and opt out of data sales or processing for targeted advertising or profiling.
Nebraska Data Privacy Act
Covered businesses are those engaged in selling personal data that do not qualify as small businesses under Small Business Administration guidelines. They must enable consumers to know, access, and delete their personal information and to opt out of data sales or processing for targeted advertising; implement technical and organizational safeguards; and respond promptly to consumer requests.
Upcoming State Privacy Laws
Indiana Consumer Data Protection Act (effective January 1, 2026)
This law will apply to businesses controlling or processing personal information of 100,000 or more Indiana consumers, or 25,000 consumers if 50% or more of gross revenue comes from data sales. It will require opt-out mechanisms for data sales, comprehensive privacy notices, data impact assessments for targeted advertising, limited data processing, and explicit consent for sensitive data.
Kentucky Consumer Data Protection Act (effective January 1, 2026)
This law will cover businesses processing data of 100,000 or more Kentucky residents, or 25,000 residents if 50% or more of profits come from data sales. Obligations will include allowing consumers to know, access, and delete their personal information and to opt out of data sales or targeted advertising; implementing data safeguards; responding to requests promptly; and conducting impact assessments for high-risk processing.
(Source: MarTech)