US State Privacy Law Comparison Chart 2026 — All 20 Laws at a Glance
2026-03-12 · Privio Team
Keeping track of 20 state privacy laws is hard. This comparison chart puts them all in one place so you can quickly see the thresholds, effective dates, and key requirements for each.
Comparison Chart
| State | Law | Effective | Revenue Threshold | Consumer Threshold | Data Sale Trigger | Cure Period | Max Penalty |
|---|---|---|---|---|---|---|---|
| California | CCPA/CPRA | Jan 2020 | $25M | 100,000 | 50% revenue | None | $7,500/violation |
| Virginia | VCDPA | Jan 2023 | None | 100,000 | 25,000 + 50% rev | 30 days | $7,500/violation |
| Colorado | CPA | Jul 2023 | None | 100,000 | 25,000 + data rev | None* | $20,000/violation |
| Connecticut | CTDPA | Jul 2023 | None | 100,000 | 25,000 + 25% rev | None* | $5,000/violation |
| Utah | UCPA | Dec 2023 | $25M | 100,000 | None | 30 days | $7,500/violation |
| Montana | MCDPA | Oct 2024 | None | 50,000 | None | 60 days | $7,500/violation |
| Texas | TDPSA | Jul 2024 | None | None | None | 30 days | $7,500/violation |
| Oregon | OCPA | Jul 2024 | None | 100,000 | 25,000 + 25% rev | 30 days* | $7,500/violation |
| Delaware | DPDPA | Jan 2025 | None | 35,000 | None | 60 days | $10,000/violation |
| Iowa | ICDPA | Jan 2025 | None | 100,000 | 50% revenue | 90 days | $7,500/violation |
| New Hampshire | NHPA | Jan 2025 | None | 35,000 | 25,000 + 25% rev | 60 days | Varies |
| New Jersey | NJDPA | Jan 2025 | None | 100,000 | None | 30 days | $10,000–$20,000 |
| Nebraska | NDPA | Jan 2025 | None | None | None | 30 days | $7,500/violation |
| Tennessee | TIPA | Jul 2025 | $25M | 25,000 | None | 60 days | $15,000/violation |
| Minnesota | MNCDPA | Jul 2025 | None | 100,000 | 25,000 + 25% rev | 30 days | $7,500/violation |
| Maryland | MODPA | Oct 2025 | None | 35,000 | None | None | $10,000–$25,000 |
| Indiana | INCDPA | Jan 2026 | None | 100,000 | 25,000 + 50% rev | 30 days | $7,500/violation |
| Kentucky | KCDPA | Jan 2026 | None | 100,000 | 25,000 + 50% rev | 30 days | $7,500/violation |
| Rhode Island | RIDTPPA | Jan 2026 | None | 35,000 | None | 30 days | $10,000/violation |
| Vermont | VTDPA | Jul 2026 | None | 25,000 | None | None | $7,500–$10,000 |

*Colorado's cure period expired Jan 2025. Connecticut's expired Dec 2024. Oregon's expires Jan 2026.
Key Takeaways from the Chart
No Revenue or Consumer Threshold
Texas and Nebraska stand out — they have no consumer count or revenue threshold. If you do business in either state and process personal data, you're likely covered.
Lowest Consumer Thresholds
Tennessee (25,000) and Vermont (25,000) have the lowest consumer thresholds among states that have one. Delaware, New Hampshire, Maryland, and Rhode Island are next at 35,000.
Revenue Thresholds Are Rare
Only California, Utah, and Tennessee include a revenue threshold. All other states focus purely on data volume.
Highest Penalties
- Colorado: Up to $20,000 per violation
- Maryland: Up to $25,000 for repeat violations
- Tennessee: Up to $15,000 per violation
- California: Up to $7,500 per violation, but includes a private right of action for data breaches
- Vermont: Includes a private right of action — consumers can sue directly
No Cure Period
California, Colorado (since 2025), Connecticut (since 2025), Maryland, and Vermont have no cure period. This means the enforcing authority can take action immediately without giving businesses time to fix violations.
Consumer Rights Comparison
All 20 laws share a common core of consumer rights. Here's where they differ:
| Right | States That Include It |
|---|---|
| Right to Know | All 20 states |
| Right to Delete | All 20 states |
| Right to Opt-Out (sale/sharing) | All 20 states |
| Right to Data Portability | All 20 states |
| Right to Correct | All except Utah, Iowa |
| Right to Appeal | All except California, Utah |
| Right to Opt-Out of Profiling | CO, CT, TX, OR, NH, NJ, NE, MN, MD, VT |
| Right to Opt-Out of Targeted Ads | All 20 states |
| Right to Limit Sensitive Data | California only |
| Right to List Third Parties | Oregon only |
| Right to Question Profiling | Minnesota only |
Sensitive Data Handling
Every state requires heightened protections for sensitive personal information. The approach varies:
- California: Consumers can limit the use of sensitive data (opt-out model)
- All other states: Require opt-in consent before processing sensitive data
Most states cover the same categories (racial origin, religious beliefs, health, biometric, geolocation, genetic data, sexual orientation, children's data). Notable additions:
- California: Social security numbers, financial account info, mail/email/text contents
- Oregon: Transgender and nonbinary status
- New Jersey, Minnesota: Financial data as a separate sensitive category
Enforcement Authorities
Most states rely on their Attorney General for enforcement. Exceptions:
- California: Dedicated California Privacy Protection Agency (CPPA) + AG
- New Jersey: Division of Consumer Affairs
- Delaware: Department of Justice
Nonprofits
Almost every state exempts nonprofits. The exception: Oregon (OCPA) applies to nonprofits that meet the consumer threshold.
What's Coming Next?
Several states are actively considering privacy legislation, including Pennsylvania, Massachusetts, New York, Ohio, and Illinois. The patchwork is only getting bigger.