Comparing State Privacy Laws

Staying on top of the ever-evolving landscape of state privacy laws continues to get more challenging. Legislatures across the country have debated their own versions of a privacy law. To date, the states listed in the tables below have passed one.

The state laws that are on the books are not carbon copies of each other. There are significant differences involving cure times, private right of action, applicability thresholds, and more. To help you better understand your organization’s obligations and risks in each state, we are providing this side-by-side comparison of the laws.

Effective dates

| State | Effective date |
| --- | --- |
| California | Operative January 1, 2023; enforceable July 1, 2023 |
| Colorado | July 1, 2023 |
| Connecticut | July 1, 2023 |
| Delaware | January 1, 2025 |
| Indiana | January 1, 2026 |
| Iowa | January 1, 2025 |
| Kentucky | January 1, 2026 |
| Maryland | October 1, 2025 |
| Montana | October 1, 2024 |
| Nebraska | January 1, 2025 |
| New Hampshire | January 1, 2025 |
| New Jersey | January 16, 2025 |
| Oregon | July 1, 2024 |
| Tennessee | July 1, 2024 |
| Texas | March 1, 2024 |
| Utah | December 31, 2023 |
| Virginia | January 1, 2023 |

Fines

| State | Fines |
| --- | --- |
| California | $2,500-$7,500 per violation |
| Colorado | Up to $20,000 per violation |
| Connecticut | Up to $5,000 per violation |
| Delaware | Not specified |
| Indiana | Up to $7,500 per violation |
| Iowa | Up to $7,500 per violation |
| Kentucky | Up to $7,500 per violation |
| Maryland | Not specified |
| Montana | Not specified |
| Nebraska | Up to $7,500 per violation |
| New Hampshire | Not specified |
| New Jersey | Not specified |
| Oregon | Up to $7,500 per violation |
| Tennessee | Up to $15,000 per violation |
| Texas | Up to $7,500 per violation |
| Utah | Up to $7,500 per violation |
| Virginia | Up to $7,500 per violation |

Cure Period

A cure period is the amount of time to remedy a violation after its discovery before a fine is issued. California is the only state without a cure period, increasing the risk of a fine.

| State | Cure Period |
| --- | --- |
| California | No right to cure |
| Colorado | 60 days (expires in 2025) |
| Connecticut | 60 days (expires in 2025) |
| Delaware | 60 days (expires December 31, 2025) |
| Indiana | 30 days |
| Iowa | 90 days |
| Kentucky | 30 days |
| Maryland | 60 days (expires on April 1, 2027) |
| Montana | 60 days (expires in 2026) |
| Nebraska | 30 days |
| New Hampshire | 60 days (expires December 31, 2025) |
| New Jersey | 30 days (expires in July 2026) |
| Oregon | 30 days (expires January 1, 2026) |
| Tennessee | 60 days |
| Texas | 30 days |
| Utah | 30 days |
| Virginia | 30 days |

Applicability Thresholds

The thresholds that determine if the privacy laws apply to your organization vary by state.

Applicability thresholds by state (an organization is covered if it meets any one of the listed criteria, unless noted otherwise):

California:
  • Has annual revenue of $25 million or more
  • Controls or possesses the data of 100,000 or more California residents
  • Derives 50% or more of its revenue from the sale of personal data

Colorado:
  • Controls or possesses the data of 100,000 or more Colorado residents
  • Derives any revenue from the sale of data for 25,000 or more Colorado residents

Connecticut:
  • Controls or possesses the data of 100,000 or more Connecticut residents
  • Derives 25% of its revenue from the sale of data for 25,000 or more Connecticut residents

Delaware:
  • Controlled or processed the personal data of not less than 35,000 Delaware residents
  • Controlled or processed the personal data of not less than 10,000 Delaware residents and derived more than 20% of its gross revenue from the sale of personal data

Indiana:
  • Controls or processes the personal data of at least 100,000 consumers (Indiana residents)
  • Derives more than 50% of its revenue from selling the data of 25,000 consumers

Iowa:
  • Controls or processes the personal data of at least 100,000 consumers (Iowa residents)
  • Derives more than 50% of its revenue from selling the data of 25,000 consumers

Kentucky:
  • Controls or processes the personal data of at least 100,000 Kentucky consumers
  • Controls or processes the personal data of 25,000 or more consumers and derives more than 50% of its gross revenue from the sale of personal data

Maryland:
  • Controls or processes the personal data of at least 35,000 consumers, excluding data processed for the sole purpose of completing payment transactions
  • Controlled or processed the data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data

Montana:
  • Controls or processes the personal data of at least 50,000 consumers (Montana residents)
  • Derives more than 25% of its revenue from selling the data of 25,000 consumers

Nebraska (all of the following):
  • Conducts business in Nebraska or produces a product or service consumed by Nebraska residents
  • Processes or engages in the sale of personal data
  • Is not a small business as determined under the federal Small Business Act

New Hampshire:
  • Controls or processes the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction
  • Controls or processes the personal data of not less than 10,000 unique consumers and derives more than 25% of its gross revenue from the sale of personal data

New Jersey:
  • Controls or processes the personal data of 100,000 or more New Jersey consumers (excluding data used solely to complete a payment transaction)
  • Controls or processes the personal data of 25,000 or more New Jersey consumers and derives revenue, or receives a discount on the price of any good or service, from the sale of data

Oregon:
  • Controls or processes the personal data of not less than 100,000 Oregon residents
  • Controlled or processed the personal data of not less than 25,000 residents and derived more than 25% of its gross revenue from the sale of personal data

Tennessee:
  • Controls or processes the personal data of at least 100,000 consumers (Tennessee residents)
  • Derives more than 50% of its revenue from selling the data of 25,000 consumers

Texas:
  • Conducts business in Texas or produces a product or service consumed by Texas residents

Utah (has more than $25 million in annual revenue and meets one or more of the following):
  • Controls or possesses the data of 100,000 or more Utah residents
  • Derives 50% or more of its revenue from the sale of data for more than 25,000 Utah residents

Virginia:
  • Controls or possesses the data of 100,000 or more Virginia residents
  • Derives 50% or more of its revenue from the sale of data for more than 25,000 Virginia residents

Exemptions

There are some key exemptions that apply to state privacy laws, most notably for the Gramm-Leach-Bliley Act (GLBA) and HIPAA. Under every existing state law, data that is covered by GLBA or HIPAA is exempt. In certain states, an entire entity that falls under the GLBA or HIPAA umbrella is exempt as well; the table below shows whether each state exempts only the data or the data and the entity.

| State | GLBA | HIPAA |
| --- | --- | --- |
| California | Data | Data |
| Colorado | Data & Entity | Data |
| Connecticut | Data & Entity | Data & Entity |
| Delaware | Data & Entity | Data |
| Indiana | Data & Entity | Data & Entity |
| Iowa | Data & Entity | Data & Entity |
| Kentucky | Data & Entity | Data & Entity |
| Maryland | Data & Entity | Data & Entity |
| Montana | Data & Entity | Data & Entity |
| Nebraska | Data & Entity | Data & Entity |
| New Hampshire | Data & Entity | Data & Entity |
| New Jersey | Data & Entity | Data |
| Oregon | Data | Data |
| Tennessee | Data & Entity | Data & Entity |
| Texas | Data & Entity | Data & Entity |
| Utah | Data & Entity | Data & Entity |
| Virginia | Data & Entity | Data & Entity |

Sale Definitions and Opt-out Considerations

What is considered a “sale” of data varies between the states. States with a broad definition consider the exchange of monetary or other valuable consideration a “sale.” States with a traditional definition consider a “sale” to be the exchange of data for money.

In each state, organizations must allow people to opt out of targeted advertising. In California, organizations must also provide the option to opt out of having their data shared.

| State | Sale Definition | Opt-out |
| --- | --- | --- |
| California | Broad | Sale and Sharing |
| Colorado | Broad | Sale and Targeted Advertising |
| Connecticut | Broad | Sale and Targeted Advertising |
| Delaware | Traditional | Sale and Targeted Advertising |
| Indiana | Traditional | Sale and Targeted Advertising |
| Iowa | Traditional | Sale and Targeted Advertising |
| Kentucky | Traditional | Sale and Targeted Advertising |
| Maryland | Traditional | Sale and Targeted Advertising |
| Montana | Traditional | Sale and Targeted Advertising |
| Nebraska | Traditional | Sale and Targeted Advertising |
| New Hampshire | Traditional | Sale and Targeted Advertising |
| New Jersey | Broad | Sale and Targeted Advertising |
| Oregon | Traditional | Sale and Targeted Advertising |
| Tennessee | Traditional | Sale and Targeted Advertising |
| Texas | Traditional | Sale and Targeted Advertising |
| Utah | Traditional | Sale and Targeted Advertising |
| Virginia | Traditional | Sale and Targeted Advertising |

Other California Considerations

The CPRA does not exempt business-to-business or employee data; the other state laws do.

Also included in the CPRA is a private right of action, which authorizes consumers to file lawsuits over breaches. Damages from a private right of action suit can range from $100 to $750 per consumer per incident. Because breaches often involve hundreds or thousands of personal records, the private right of action exposes organizations to large financial risk.

For a more in-depth exploration of state privacy laws, watch our Current State of Privacy Laws webinar.

CompliancePoint has a team of privacy professionals that can help your organization stay in compliance with all state laws and avoid risk. Contact us today at connect@compliancepoint.com to learn more about how we can help you.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.