Comparing State Privacy Laws
Staying on top of the ever-evolving landscape of state privacy laws continues to get more challenging. Legislatures across the country have debated their own versions of a privacy law. To date, seven states have passed a law:
- California (California Privacy Rights Act)
- Utah (Utah Consumer Privacy Act)
- Colorado (Colorado Privacy Act)
- Virginia (Virginia Consumer Data Protection Act)
- Connecticut (Connecticut Data Privacy Act)
- Iowa (Iowa Privacy Bill)
- Indiana (Indiana Privacy Bill)
- Montana (Montana Consumer Data Privacy Act)
- Tennessee (Tennessee Information Protection Act)
The state laws that are on the books are not carbon copies of each other. There are significant differences involving cure times, private right of action, applicability thresholds, and more. To help you better understand your organization’s obligations and risks in each state, we are providing this side-by-side comparison of the laws.
Effective dates
State | Effective date |
California | Operative January 1, 2023, Enforceable July 1, 2023 |
Colorado | July 1, 2023 |
Connecticut | July 1, 2023 |
Delaware | January 1, 2025 |
Indiana | January 1, 2026 |
Iowa | January 1, 2025 |
Montana | October 1, 2024 |
Oregon | July 1, 2024 |
Tennessee | July 1, 2024 |
Texas | March 1, 2024 |
Utah | December 31, 2023 |
Virginia | January 1, 2023 |
Fines
State | Fines |
California | $2,500-$7,500 per violation |
Colorado | Up to $20,000 per violation |
Connecticut | Up to $5,000 per violation |
Delaware | Not specified |
Indiana | Up to $7,500 per violation |
Iowa | Up to $7,500 per violation |
Montana | Not specified |
Oregon | Up to $7,500 per violation |
Tennessee | Up to $15,000 per violation |
Texas | Up to $7,500 per violation |
Utah | Up to $7,500 per violation |
Virginia | Up to $7,500 per violation |
Cure Period
A cure period is the amount of time to remedy a violation after its discovery before a fine is issued. California is the only state without a cure period, increasing the risk of a fine.
State | Cure Period |
California | No right to cure |
Colorado | 60 days (expires in 2025) |
Connecticut | 60 days (expires in 2025) |
Delaware | 60 days (expires December 31, 2025) |
Indiana | 30 days |
Iowa | 90 days |
Montana | 60 days (expires in 2026) |
Oregon | 30 days (expires January 1, 2026) |
Tennessee | 60 days |
Texas | 30 days |
Utah | 30 days |
Virginia | 30 days |
Applicability Thresholds
The thresholds that determine if the privacy laws apply to your organization vary by state.
State | Applicability Thresholds |
California |
|
Colorado |
|
Connecticut |
|
Delaware |
|
Indiana |
|
Iowa |
|
Montana |
|
Oregon |
|
Tennessee |
|
Texas |
|
Utah | Has more than $25 million in annual revenue and meets one or more of the following criteria:
|
Virginia |
|
Exemptions
There are some key exemptions that apply to state privacy laws, most notably for the Gramm-Leach-Bliley Act (GLBA) and HIPAA. For all existing state laws, data that is covered under GLBA or HIPAA is exempt. In certain cases, an entire entity that falls under the GLBA or HIPAA umbrella is exempt.
State | GLBA | HIPAA |
California | Data | Data |
Colorado | Data & Entity | Data |
Connecticut | Data & Entity | Data & Entity |
Delaware | Data & Entity | Data |
Indiana | Data & Entity | Data & Entity |
Iowa | Data & Entity | Data & Entity |
Montana | Data & Entity | Data & Entity |
Oregon | Data | Data |
Tennessee | Data & Entity | Data & Entity |
Texas | Data & Entity | Data & Entity |
Utah | Data & Entity | Data & Entity |
Virginia | Data & Entity | Data & Entity |
Sale Definitions and Opt-out Considerations
What is considered a “sale” of data varies between the states. States with a broad definition consider an exchange of data for monetary or other valuable consideration a “sale.” States with a traditional definition consider a “sale” to be the exchange of data for money.
In each state, organizations must allow people to opt out of targeted advertising. In California, organizations must also provide the option to opt out of having their data shared.
State | Sale Definition | Opt-out |
California | Broad | Sale and Sharing |
Colorado | Broad | Sale and Targeted Advertising |
Connecticut | Broad | Sale and Targeted Advertising |
Delaware | Traditional | Sale and Targeted Advertising |
Indiana | Traditional | Sale and Targeted Advertising |
Iowa | Traditional | Sale and Targeted Advertising |
Montana | Traditional | Sale and Targeted Advertising |
Oregon | Traditional | Sale and Targeted Advertising |
Tennessee | Traditional | Sale and Targeted Advertising |
Texas | Traditional | Sale and Targeted Advertising |
Utah | Traditional | Sale and Targeted Advertising |
Virginia | Traditional | Sale and Targeted Advertising |
Other California Considerations
The CPRA does not exempt business-to-business or employee data; the other state laws do.
Also included in the CPRA is the private right of action, which authorizes consumers to file lawsuits for breaches. Damages from a private right of action suit can range from $100-$750 per consumer per incident. Breaches often include hundreds or thousands of personal records, so the private right of action exposes organizations to large financial risks.
For a more in-depth exploration of state privacy laws, watch our Current State of Privacy Laws webinar.
CompliancePoint has a team of privacy professionals that can help your organization stay in compliance with all state laws and avoid risk. Contact us today at connect@compliancepoint.com to learn more about how we can help you.