State Data Privacy Laws: A Comparative Reference
State-level data privacy legislation in the United States has produced a fragmented but increasingly structured regulatory landscape, with 20 states having enacted comprehensive consumer privacy laws as of 2024. This reference documents the structural differences, definitional boundaries, enforcement mechanisms, and compliance obligations across the major state frameworks — serving practitioners, legal researchers, and organizational compliance teams navigating multi-state obligations. The absence of a federal omnibus privacy statute means that state laws collectively define the operative compliance floor for most US-based data processing activities.
- Definition and Scope
- Core Mechanics or Structure
- Causal Relationships or Drivers
- Classification Boundaries
- Tradeoffs and Tensions
- Common Misconceptions
- Compliance Verification Elements
- Reference Table: Major State Privacy Laws Compared
Definition and Scope
State comprehensive data privacy laws are statutes that establish baseline rights for residents regarding the collection, processing, sale, and sharing of personal data by private-sector entities. Unlike sector-specific federal statutes — such as HIPAA data protection requirements for health data or COPPA children's data protection for minors under 13 — comprehensive state laws apply horizontally across industries, subject to defined thresholds and exemptions.
The foundational model for most state frameworks traces to the California Consumer Privacy Act of 2018 (CCPA), later amended by the California Privacy Rights Act of 2020 (CPRA), which created the California Privacy Protection Agency (CPPA) as the first dedicated state privacy enforcement body. The CCPA/CPRA compliance reference details California's specific regime.
Scope is generally determined by two axes: (1) the volume of personal data processed about state residents, and (2) whether revenue thresholds or data-sale percentages are met. Virginia's Consumer Data Protection Act (CDPA), effective January 1, 2023, applies to entities controlling or processing the personal data of at least 100,000 Virginia consumers annually, or 25,000 consumers if the entity derives more than 50% of gross revenue from personal data sales (Virginia CDPA, Va. Code § 59.1-578). Most states follow a structurally similar threshold approach.
Core Mechanics or Structure
All major state privacy frameworks share a common structural skeleton built around five elements: consumer rights, controller obligations, processor requirements, sensitive data categories, and enforcement mechanisms.
Consumer Rights — The canonical rights set includes the right to access personal data, the right to correct inaccuracies, the right to delete, the right to data portability, and the right to opt out of certain processing — primarily targeted advertising, profiling with legal effects, and sale of personal data. California extends this to include limiting the use of sensitive personal information.
Controller and Processor Distinctions — State laws generally adopt the controller/processor model used in the EU General Data Protection Regulation (GDPR), distinguishing entities that determine the purposes and means of processing (controllers) from those that process on behalf of controllers (processors). Processor obligations are primarily established through contractual data processing agreements.
Consent Mechanisms — Opt-out consent applies to standard commercial processing in most states. Opt-in consent is reserved for sensitive data categories such as biometric data, precise geolocation, health information, and data concerning children. Colorado's Privacy Act (CPA), effective July 1, 2023, requires opt-in consent for the processing of sensitive data (Colorado CPA, C.R.S. § 6-1-1308).
Data Protection Assessments — Colorado, Connecticut, Virginia, and Texas require controllers to conduct privacy impact assessments for high-risk processing activities, including profiling and processing of sensitive data.
Enforcement — Enforcement mechanisms vary. California's CPPA holds independent rulemaking and enforcement authority. Most other states vest enforcement exclusively in the state Attorney General, with civil penalty ranges between $7,500 per intentional violation (California) and $25,000 per violation (Washington's My Health My Data Act).
Causal Relationships or Drivers
The proliferation of state privacy legislation is structurally driven by the absence of a federal omnibus statute. Congressional attempts, including the American Data Privacy and Protection Act (ADPPA) discussed under emerging federal privacy legislation, have not resulted in enacted law, leaving states as the primary legislative actors.
Secondary drivers include high-profile data breach incidents, the expansion of data broker regulation activity, and growing commercial use of behavioral tracking technologies. The CCPA was directly triggered by a 2018 ballot initiative effort; to prevent a broader measure from reaching voters, the California legislature negotiated and passed the CCPA in under a week. This legislative dynamic — industry preference for a narrower statute over a ballot-driven alternative — recurred in Connecticut and Virginia, where business coalitions supported negotiated frameworks.
The FTC's enforcement posture under Section 5 of the FTC Act, documented in FTC data security enforcement, also shapes state legislative development, as states frequently look to FTC consent decrees for baseline practices that define reasonable security.
Classification Boundaries
State privacy laws establish explicit exemption structures that define which entities and data categories fall outside their scope.
Entity Exemptions — Nonprofit organizations are exempt in California but covered in Colorado, Connecticut, Oregon, and Texas. Small businesses below revenue or data-volume thresholds are exempt in all states. Government entities are universally excluded from state consumer privacy statutes.
Data Exemptions — Protected health information regulated under HIPAA, financial data governed by Gramm-Leach-Bliley financial data requirements, and employee data subject to state labor law are partially or fully exempt under most frameworks. However, employee data exemptions are narrowing: California's CPRA eliminated temporary employee exemptions effective January 1, 2023.
Sensitive Data — Biometric data protection laws at the state level add an additional classification layer. Illinois' Biometric Information Privacy Act (BIPA), 740 ILCS 14, predates comprehensive privacy statutes and operates independently, with a private right of action yielding per-violation statutory damages of $1,000 to $5,000.
Children's Data — Age-appropriate design requirements and data minimization obligations for minors constitute a distinct classification tier. California's Age-Appropriate Design Code Act, enacted in 2022, imposes design-level obligations on services likely to be accessed by users under 18 — a stricter standard than the federal age threshold under COPPA children's data protection.
Tradeoffs and Tensions
Uniformity vs. Comprehensiveness — Uniform state laws (notably the model approach discussed in the Uniform Law Commission's work) reduce compliance burden but may produce lower protections than individually negotiated statutes. California's CPRA deliberately exceeds any model framework.
Opt-Out vs. Opt-In Consent — The opt-out default for commercial data processing reflects a deliberate policy choice favoring data economy efficiency over individual autonomy. Critics, including privacy advocacy organizations like the Electronic Frontier Foundation, argue this default disadvantages consumers who are unaware of their rights or lack the literacy to exercise them.
Private Right of Action — California's CCPA provides a limited private right of action for data breaches involving unredacted, unencrypted personal information. Extending a private right of action to general privacy violations — as BIPA does — dramatically increases litigation exposure and is the single most contested provision in state legislative negotiations. No state enacted after California has included a general private right of action in its comprehensive privacy statute as of 2024.
Preemption Pressure — Federal preemption debates create structural uncertainty. Industry groups generally support federal preemption of state laws as part of any federal framework, while California's CPPA and state attorneys general have opposed preemption provisions that would weaken California's standards.
Common Misconceptions
Misconception: All state privacy laws follow the CCPA model. Correction: Virginia's CDPA and most laws enacted after 2021 follow a controller/processor model more closely aligned with the GDPR, while California's model is distinct, emphasizing a "sale" of personal information construct not found in other state laws.
Misconception: Compliance with California's law satisfies obligations in all other states. Correction: State-specific thresholds, sensitive data definitions, assessment requirements, and enforcement mechanisms differ materially. Texas, for example, does not include revenue thresholds — any entity meeting the consumer data threshold is covered regardless of size (Texas Data Privacy and Security Act, Tex. Bus. & Com. Code § 541.002).
Misconception: B2B data is always exempt. Correction: Business contact information and data collected in commercial transactions are treated differently across states. Colorado and Connecticut do not provide blanket B2B exemptions equivalent to what was provided under early CCPA interpretations.
Misconception: The opt-out of "sale" covers all commercial data sharing. Correction: Targeted advertising and data sharing are distinct legal categories in most state frameworks. An entity may not "sell" data under a statutory definition while still engaging in sharing that triggers separate opt-out rights. The data minimization principles reference addresses this processing distinction in greater detail.
Compliance Verification Elements
The following elements constitute the structural checklist for cross-state privacy compliance verification — organized as observable program components, not as legal advice.
- Threshold Analysis — Document the number of state residents whose data is processed annually and calculate revenue derived from data sales, per each state's specific statutory threshold.
- Privacy Notice Inventory — Confirm that privacy notices disclose all categories of personal data collected, purposes of processing, and third-party sharing arrangements — meeting the most specific disclosure standard among applicable state laws.
- Consumer Rights Mechanism — Establish and document a verified process for receiving and responding to access, deletion, correction, and opt-out requests within statutory response windows (45 days is standard; extensions vary by state).
- Sensitive Data Identification — Catalog all sensitive data categories processed — including biometric data, precise geolocation, health data, and financial account data — against each state's enumerated sensitive categories.
- Data Processing Agreements — Confirm that contracts with all data processors include required clauses (confidentiality, processing limitations, subprocessor notification, audit rights) as specified in applicable statutes.
- Data Protection Assessments — Conduct and document assessments for all high-risk processing activities identified in applicable state laws (Colorado, Connecticut, Virginia, Texas, and Oregon all require this).
- Opt-In Consent Flows — Verify that opt-in consent mechanisms are implemented for all sensitive data processing and for processing of data from consumers under 16 (California) or 13 (other states).
- Data Retention Schedules — Align retention practices with data retention and disposal standards and confirm deletion workflows extend to processors and sub-processors.
- Universal Opt-Out Signal Recognition — California and Colorado require recognition of Global Privacy Control (GPC) signals as a valid opt-out of sale and sharing. Confirm technical implementation.
- Employee and B2B Data Review — Determine whether applicable state laws include or exclude employee and business contact data, and document the basis for any exemption claimed.
Reference Table: Major State Privacy Laws Compared
| State | Law Name | Effective Date | AG Enforcement | Private Right of Action | Consumer Threshold | Sensitive Data Opt-In | Assessment Required |
|---|---|---|---|---|---|---|---|
| California | CCPA/CPRA | Jan 1, 2023 (CPRA) | Yes (+ CPPA) | Limited (breach only) | 100,000 consumers or 25% revenue from sale | Yes | Yes |
| Virginia | CDPA | Jan 1, 2023 | Yes | No | 100,000 consumers or 25,000 + 50% revenue | Yes | Yes |
| Colorado | CPA | Jul 1, 2023 | Yes | No | 100,000 consumers or 25,000 + 50% revenue | Yes | Yes |
| Connecticut | CTDPA | Jul 1, 2023 | Yes | No | 100,000 consumers or 25,000 + 25% revenue | Yes | Yes |
| Utah | UCPA | Dec 31, 2023 | Yes | No | 100,000 consumers or 25,000 + 50% revenue | No (opt-out only) | No |
| Texas | TDPSA | Jul 1, 2024 | Yes | No | 100,000 consumers (no revenue threshold) | Yes | Yes |
| Oregon | OCPA | Jul 1, 2024 | Yes | No | 100,000 consumers or 25,000 + 50% revenue | Yes | Yes |
| Montana | MCDPA | Oct 1, 2024 | Yes | No | 50,000 consumers or 25,000 + 50% revenue | Yes | Yes |
| Florida | FDBR | Jul 1, 2024 | Yes | No | $1B revenue + 50% from online advertising | Yes | No |
| Washington | My Health My Data | Mar 31, 2024 (regulated entities) | Yes | Yes (limited) | Health data — no standard threshold | Yes (health data) | No |
Statutory citations, enforcement thresholds, and effective dates are drawn from official state legislative publications. For data subject rights structures applicable across these frameworks, see data subject rights US.
References
- California Consumer Privacy Act / CPRA — California Privacy Protection Agency
- Virginia Consumer Data Protection Act — Virginia Legislative Information System
- Colorado Privacy Act — Colorado General Assembly, SB 21-190
- Connecticut Data Privacy Act — Connecticut General Statutes
- Texas Data Privacy and Security Act — Texas Statutes, Chapter 541
- Washington My Health My Data Act — Washington State Legislature
- Illinois Biometric Information Privacy Act — 740 ILCS 14
- Federal Trade Commission — Privacy and Security Enforcement
- National Conference of State Legislatures — State Privacy Legislation Resource
- International Association of Privacy Professionals — US State Privacy Legislation Tracker
- NIST Privacy Framework — National Institute of Standards and Technology