U.S. state data privacy laws: What you need to know
(Story updated with information on the Montana privacy law, which went into effect on October 1, and the five states whose laws will all become effective by January 16.)
The 118th session of the U.S. Congress is ending, and legislators have again failed to pass a national data privacy law. This means marketers will soon have to comply with the regulations in 17 different states. Seven are already in effect; ten more will come online by January 2026.
That’s 17 slightly different headaches for marketers to deal with. These laws have some similarities. They give consumers rights to access and delete their personal information (PI) and to opt out of its sale. However, there are also important differences in their scope, definitions, and requirements.
And, as you may have noticed, Americans are a cantankerous people. One or more states may pass data protections wildly different from those already in place. Pity the poor MOps people who must deal with this.
Here is a list of data privacy laws passed by the states. It includes brief descriptions of who they apply to and their requirements. We are not lawyers, so please carefully review each state’s law to ensure compliance when operating in those jurisdictions.
Table of contents
States with data privacy laws in effect
States with data privacy laws not yet in effect
Iowa Data Privacy Act (Goes into effect Jan. 1, 2025)
Tennessee Information Protection Act (Goes into effect July 1, 2025)
Texas Data Privacy and Security Act (Goes into effect Jan. 1, 2025)
Delaware Personal Data Privacy Act (Goes into effect Jan. 1, 2025)
New Hampshire Consumer Data Privacy Act (Goes into effect Jan. 1, 2025)
New Jersey Consumer Data Privacy Bill (Goes into effect Jan. 16, 2025)
Nebraska Data Privacy Act (Goes into effect Oct. 1, 2025)
Maryland Online Data Privacy Act (Goes into effect Oct. 1, 2025)
Indiana Data Privacy Law (Goes into effect Jan. 1, 2026)
Kentucky Consumer Data Protection Act (Goes into effect Jan. 1, 2026)
States with data privacy laws in effect
STATE | LAW | WENT INTO EFFECT
California | California Consumer Privacy Act | 1/1/2020
Virginia | Virginia Consumer Data Protection Act | 1/1/2023
Colorado | Colorado Privacy Act | 7/1/2023
Connecticut | Connecticut Data Privacy Act | 7/1/2023
Utah | Utah Consumer Privacy Act | 12/31/2023
Oregon | Oregon Consumer Privacy Act | 7/1/2024
Montana | Montana Consumer Data Privacy Act | 10/1/2024
California Consumer Privacy Act
Businesses it applies to:
Have annual gross revenue of at least $25 million in the preceding calendar year.
Buy, sell, or share PI of 100,000+ consumers or households.
Get 50%+ of annual revenues from selling or sharing consumers’ PI.
Requires businesses to:
Let consumers opt out of the sale of PI
Let consumers limit the processing of sensitive PI
Implement data minimization and purpose limitation principles
Provide consumers with a privacy notice
Ensure that your service providers comply with the law
Establish a data retention period
Virginia Consumer Data Protection Act
Applies to businesses that:
Control or process PI of at least 100,000 Virginia residents, or
Control or process PI of at least 25,000 Virginia consumers and derive 50%+ of gross revenue from the sale of PI in a calendar year.
Requires businesses to:
Allow consumers to opt out of the sale of PI
Provide consumers with a privacy notice
Have data processing agreements in place with your data processors
Conduct a Privacy Impact Assessment of processing activities.
Colorado Privacy Act
Applies to businesses that:
Have 100,000+ Colorado consumers during a year, or
Have 25,000+ Colorado consumers and generate revenue from the sale of PI, potentially through a discount on the price of goods or services.
Requires businesses to:
Provide consumers with ways to opt out of the sales of PI, targeted advertising and profiling
Provide consumers with a privacy notice
Conduct a data protection impact assessment where there is a risk to consumers
Connecticut Data Privacy Act
Applies to businesses that:
Process data collected from 100,000+ Connecticut consumers, excluding PI controlled or processed solely to complete a payment transaction, or
Process the data of 25,000+ Connecticut consumers and derive 25%+ of their gross revenue from selling PI.
Requires businesses to:
Allow consumers to opt out of the processing of sensitive PI
Collect and process only the minimum amount of data needed for processing purposes
Provide consumers with a privacy notice
Conduct data protection assessments where the processing may pose a risk.
Utah Consumer Privacy Act
Applies to businesses that:
Have annual revenue of $25 million+, and
Control or process the PI of 100,000+ Utah residents over a calendar year, and/or
Derive 50%+ of gross revenue from the sale of PI and/or
Control or process the PI of 25,000+ Utah residents.
Requires businesses to:
Provide consumers with mechanisms to opt out of the sale of PI or from targeted advertising
Have processing agreements in place
Provide consumers with a privacy notice
Oregon Consumer Privacy Act
Applies to businesses that:
Control or process PI of 100,000+ Oregon consumers, or
Control or process PI of 25,000+ Oregon consumers and derive 25%+ of the gross revenue by selling the data.
Requires businesses to:
Let consumers access, correct, delete and receive their PI
Provide a list of the “specific third parties” to whom a controller discloses PI
Honor consumers’ right to request the deletion of “derived data”
Obtain consent for the processing of sensitive data
Obtain affirmative consent to profile adolescent data
Let consumers opt out of targeted advertising, data sales and significant profiling decisions
Provide a privacy notice to consumers
Montana Consumer Data Privacy Act
Applies to businesses that:
Control or process the PI of 50,000+ Montana consumers, or
Control or process the PI of 25,000+ Montana consumers and derive at least 50% of the gross revenue by selling the data.
Requires businesses to:
Respond to consumers’ requests
Enable consumers to opt out of the sale of data
Recognize universal opt-out mechanisms
Serve consumers with a privacy notice and a privacy policy
Obtain explicit consent before collecting sensitive data
Conduct data protection impact assessments for processing sensitive data, selling data, or using data for targeted advertising and/or profiling.
States with data privacy laws not yet in effect
STATE | LAW | TAKES EFFECT
Iowa | Iowa Consumer Data Protection Act | 1/1/2025
Delaware | Delaware Personal Data Privacy Act | 1/1/2025
New Hampshire | New Hampshire Consumer Data Protection Act | 1/1/2025
Texas | Texas Data Privacy and Security Act | 1/1/2025
New Jersey | New Jersey Consumer Data Privacy Bill | 1/16/2025
Tennessee | Tennessee Information Protection Act | 7/1/2025
Maryland | Maryland Online Data Privacy Act | 10/1/2025
Nebraska | Nebraska Data Privacy Act | 10/1/2025
Indiana | Indiana Consumer Data Protection Act | 1/1/2026
Kentucky | Kentucky Consumer Data Protection Act | 1/1/2026
Iowa Data Privacy Act (Goes into effect Jan. 1, 2025)
Will apply to businesses that:
Control or process the PI of 100,000+ Iowa consumers, or
Control or process the PI of 25,000+ Iowa consumers and derive 50%+ of gross revenue by selling the data.
Will require businesses to:
Limit data processing to specified purposes
Provide consumers with a privacy notice
Allow consumers to opt out of the sale of PI
Respond to consumer requests for access, deletion, portability, opt-out, and others
Have written contracts with service providers
Ensure that data is safe
Tennessee Information Protection Act (Goes into effect July 1, 2025)
Will apply to businesses that:
Exceed $25 million in annual revenue, and
Control or process PI of 175,000+ Tennessee consumers, and/or
Control or process PI of 25,000+ Tennessee consumers and derive at least 50% of the gross revenue by selling the data.
Will require businesses to:
Provide consumers with a privacy notice and a privacy policy
Honor consumer requests to know, access, delete, and others
Process the data only for the purposes it has been collected for
Allow consumers to opt out of the sale of their data
Have written contracts with service providers
Texas Data Privacy and Security Act (Goes into effect Jan. 1, 2025)
Will apply to businesses that:
Process or engage in the sale of PI, and
Are not excluded as a small business, according to the Small Business Administration.
Will require businesses to:
Allow opting out of the sale of PI
Honor consumer requests
Obtain explicit consent for the processing of sensitive data
Conduct data protection impact assessments
Have written contracts with service providers
Delaware Personal Data Privacy Act (Goes into effect Jan. 1, 2025)
Will apply to businesses that:
Control or process PI of 35,000 Delaware consumers, or
Derive 20%+ of revenue from selling data of 10,000 Delaware consumers.
Will require businesses to:
Limit the collection of PI to what is adequate, relevant and reasonably necessary
Obtain consent for the processing of sensitive data
Honor consumer requests
Allow consumers to opt out of processing through an opt-out preference signal
Provide a privacy notice to consumers
Conduct data protection assessments
New Hampshire Consumer Data Privacy Act (Goes into effect Jan. 1, 2025)
Will apply to businesses that:
Control or process PI of at least 35,000 unique consumers, excluding PI controlled or processed solely to complete a payment transaction; or
Control or process PI of at least 10,000 unique consumers and derive 25%+ of gross revenue from the sale of PI.
Will require businesses to:
Provide consumers with the same privacy protections as in other states.
New Jersey Consumer Data Privacy Bill (Goes into effect Jan. 16, 2025)
Will apply to businesses that:
Control or process the PI of 100,000+ New Jersey consumers, excluding data processed solely to complete a payment transaction; or
Control or process the PI of 25,000+ New Jersey consumers, and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of PI.
Will require businesses to:
Collect only the minimum amount of data necessary for processing purposes and process it for adequate purposes;
Collect consent for the processing of sensitive or children’s data and provide mechanisms for revoking consent;
Obtain consent for processing the data of a child for purposes of targeted advertising, the sale of the consumer’s PI, or profiling, where the controller has actual knowledge, or willfully disregards, that the consumer is at least 13 years of age but younger than 17 years of age;
Inform consumers about the processing, including the purposes of processing;
Implement administrative, technical, and physical data security measures;
Conduct a data protection impact assessment where necessary;
Ensure that they have written agreements with service providers for the processing of data;
Let consumers confirm whether a controller processes their PI and access such PI, trade secrets excluded;
Correct inaccuracies in PI on request;
Delete PI on request;
Provide data portability;
Let consumers opt out of processing PI for targeted advertising or sales of data.
Nebraska Data Privacy Act (Goes into effect Oct. 1, 2025)
Will apply to businesses that:
Process or engage in the sale of PI, and
Are not excluded as a small business, according to the Small Business Administration.
Will require businesses to:
Allow consumers to:
Know what PI is being used
Access PI being used
Delete PI being used
Opt out of the sale of data or processing for targeted advertising
Implement technical and organizational safeguards to protect the data
Respond to consumer requests promptly
Maryland Online Data Privacy Act (Goes into effect Oct. 1, 2025)
Bans the sale of personal data. Companies can only collect, process or share personal data that is “strictly necessary to provide or maintain a specific product or service requested by the consumer.”
Will apply to businesses that:
Process the data of 35,000+ consumers, or
Process the data of 10,000+ consumers and derive 20%+ of their revenue from the sale of data.
Will require businesses to:
Allow consumers to:
Know what PI is being used
Access PI being used
Delete PI being used
Opt out of the sale of data or processing for targeted advertising or profiling
Indiana Data Privacy Law (Goes into effect Jan. 1, 2026)
Will apply to businesses that:
Control or process the PI of 100,000+ Indiana consumers, or
Control or process the PI of 25,000+ Indiana consumers and derive 50%+ of gross revenue by selling the data.
Will require businesses to:
Allow consumers to opt out of the sale of PI
Provide consumers with a comprehensive privacy notice
Conduct a data impact assessment in the case of targeted advertising
Limit data processing to the intended purposes
Obtain explicit consent for the processing of sensitive PI
Kentucky Consumer Data Protection Act (Goes into effect Jan. 1, 2026)
Will apply to businesses that:
Process the data of 100,000+ Kentucky residents, or
Process the data of 25,000+ Kentucky residents and derive 50%+ of profits from the sale of PI
Will require businesses to:
Allow consumers to:
Know what PI is being used
Access PI being used
Delete PI being used
Opt out of the sale of data or processing for targeted advertising
Implement technical and organizational safeguards to protect the data
Respond to consumer requests promptly
Conduct data protection impact assessments for high-risk processing