State Data Privacy Laws: A Comparative Reference

The United States lacks a single omnibus federal data privacy statute equivalent to the European Union's General Data Protection Regulation, leaving a patchwork of state-level frameworks that govern how personal information is collected, processed, and disclosed. As of 2024, roughly 20 states have enacted comprehensive consumer data privacy laws, each with distinct applicability thresholds, rights structures, and enforcement mechanisms. This reference covers the structural components, classification criteria, enforcement landscape, and comparative mechanics of the major state privacy laws for professionals handling compliance obligations or regulatory research.



Definition and Scope

State data privacy laws are legislative instruments that establish enforceable rights for residents regarding personal data held by private-sector entities, and impose corresponding obligations on businesses that collect, process, or sell that data. Unlike sector-specific federal statutes — such as the Health Insurance Portability and Accountability Act (HIPAA) for protected health information or the Gramm-Leach-Bliley Act (GLBA) for financial data — comprehensive state privacy laws apply broadly across industries and data categories.

The term "personal data" across these statutes typically encompasses any information that is linked or reasonably linkable to an identified or identifiable natural person. Sensitive data subsets, including precise geolocation, biometric identifiers, health data, racial or ethnic origin, and data concerning minors, trigger heightened obligations in every enacted framework, though the form differs: most states require affirmative opt-in consent before sensitive data is processed, while Utah and Iowa require only notice and an opportunity to opt out.

Scope is defined along two axes: geographic (residents of the enacting state, regardless of where the business operates) and volumetric (thresholds tied to revenue, to the number of consumers whose data is processed, or to the share of revenue derived from data sales). California's law, as amended by the California Privacy Rights Act (CPRA, Proposition 24, 2020), applies to a business that has annual gross revenue above $25 million (indexed for inflation), that buys, sells, or shares the personal information of 100,000 or more California consumers or households annually, or that derives 50% or more of its annual revenue from selling or sharing personal information (California Attorney General, CPRA text; Cal. Civ. Code § 1798.140(d)).


Core Mechanics

All enacted comprehensive state privacy laws share a common structural skeleton, though operational details diverge substantially.

Consumer Rights. The canonical rights cluster includes: the right to know what data is collected and how it is used; the right to access personal data; the right to correct inaccuracies; the right to delete personal data; the right to data portability; the right to opt out of the sale or sharing of personal data and targeted advertising; and, for sensitive data categories, an opt-in consent requirement. Virginia's Consumer Data Protection Act (CDPA, effective January 1, 2023) and Colorado's Privacy Act (CPA, effective July 1, 2023) both enumerate this rights structure (Virginia Attorney General, CDPA).

Controller and Processor Obligations. These laws distinguish between data controllers (entities that determine the purposes and means of processing) and data processors (entities that process data on behalf of controllers). Controllers bear primary compliance obligations; processors are governed by contractual data processing agreements. This architecture mirrors GDPR's Article 28 structure, though without identical enforcement mechanisms.

Purpose Limitation and Data Minimization. Controllers must limit collection to data that is "adequate, relevant, and reasonably necessary" relative to disclosed processing purposes — a formulation appearing in the Colorado Privacy Act (Colorado Attorney General, CPA) and mirrored in Connecticut, Montana, Oregon, and Texas.

Data Protection Assessments. Processing activities that present heightened risk — including targeted advertising, sale of personal data, profiling, and processing of sensitive data — require documented data protection impact assessments (DPIAs) under Virginia, Colorado, Connecticut, and Oregon's frameworks.


Drivers

The proliferation of state privacy laws after 2018 was catalyzed primarily by the California Consumer Privacy Act (CCPA), enacted June 28, 2018, and effective January 1, 2020 (California Legislative Information, AB 375). California's first-mover status, combined with the absence of federal preemption, created a regulatory vacuum that other states moved to fill independently.

Secondary drivers include high-profile data breach incidents affecting tens of millions of consumers — the Equifax breach of 2017 exposed data of approximately 147 million individuals (FTC, Equifax Data Breach) — which elevated legislative attention to commercial data practices. The advertising technology sector's monetization of behavioral data at scale drew particular scrutiny, driving opt-out rights for targeted advertising as a common legislative feature.

The International Association of Privacy Professionals (IAPP) tracks state legislative activity and notes that the Washington Privacy Act failed passage multiple times before a narrower, health-data-focused statute (the My Health My Data Act) passed in 2023, illustrating the contested political economy surrounding privacy legislation. Industry lobbying consistently shapes exemption structures, notably the carve-outs for employment data, HIPAA-covered entities, and financial institutions subject to GLBA.


Classification Boundaries

State privacy statutes divide along several operative classification lines.

Comprehensive vs. Sectoral. Comprehensive laws cover all industries subject to thresholds, while sectoral laws cover specific data types (e.g., Illinois Biometric Information Privacy Act, BIPA, 740 ILCS 14, targeting biometric identifiers only). BIPA permits a private right of action — yielding per-violation statutory damages of $1,000 for negligent violations and $5,000 for intentional violations (Illinois General Assembly, BIPA) — a structure absent from most comprehensive laws.

Opt-Out vs. Opt-In Frameworks. General processing under comprehensive laws defaults to an opt-out model (processing is permitted unless the consumer objects), while sensitive data categories require affirmative opt-in consent in most states; Utah and Iowa instead require notice and an opportunity to opt out. California, via CPRA, gives consumers a right to limit the use of sensitive personal information and requires opt-in consent for the sale or sharing of personal information belonging to consumers under 16.

Private Right of Action. California and Illinois remain the primary states granting consumers direct litigation rights. California's CPRA created the California Privacy Protection Agency (CPPA) as an independent enforcement body with rulemaking authority — the first such dedicated agency in the US (CPPA). Most other enacted comprehensive laws vest exclusive enforcement authority in state attorneys general, limiting consumer remedies to regulatory complaints.

Threshold Structures. Virginia's CDPA applies to entities that control or process personal data of 100,000 or more Virginia residents annually, or of 25,000 or more residents while deriving over 50% of gross revenue from the sale of personal data. Colorado and Connecticut share the 100,000-consumer primary threshold but differ on the secondary prong: Colorado reaches controllers with 25,000 consumers and any revenue or discount from data sales, while Connecticut reaches controllers with 25,000 consumers and more than 25% of revenue from sales, and excludes consumers whose data is processed solely to complete a payment transaction from the count. Texas's Data Privacy and Security Act (TDPSA, effective July 1, 2024) diverges by applying to any entity that conducts business in Texas, processes or sells personal data, and is not a small business as defined by the Small Business Administration, with no numeric threshold at all; even a small business, however, may not sell sensitive data without consent (Texas Legislature Online, TDPSA).


Tradeoffs and Tensions

The fragmentation of state-level frameworks generates compliance complexity proportional to the number of states in which a business processes consumer data. A national data broker that meets the thresholds in California, Virginia, Colorado, Connecticut, Texas, Montana, Oregon, and Florida (the last of which reaches only businesses with more than $1 billion in global revenue) must maintain eight consent management configurations, eight appeal processes, and eight sets of contractual processor obligations, often with incompatible response timelines.

Enforcement authority concentrated in attorneys general creates tension between political priorities and consistent application. States with aggressive attorneys general may pursue high-profile investigations while states with limited enforcement resources leave obligations effectively unenforced. The CPPA's independent status partially addresses this in California, but remains unique among enacted frameworks.

Definitional inconsistencies create classification risks. Virginia's CDPA defines "sale of personal data" as an exchange of personal data for monetary consideration, whereas California's CCPA/CPRA defines "sale" to include an exchange for monetary "or other valuable consideration". A transfer of personal data in return for a non-monetary benefit, such as access to a partner's data set, may therefore be a "sale" under California law and not under Virginia law.


Common Misconceptions

Misconception: HIPAA compliance satisfies state privacy law obligations. HIPAA applies to covered entities and business associates processing protected health information. Most comprehensive state privacy laws contain HIPAA-covered entity exemptions for data governed by HIPAA — but those same entities may process non-HIPAA data (employee records, website analytics, marketing lists) that falls squarely within state law scope.

Misconception: A single opt-out mechanism satisfies all state requirements. California requires a "Do Not Sell or Share My Personal Information" link, where "sharing" means disclosure for cross-context behavioral advertising. Virginia and Colorado enumerate three separate opt-out rights: opting out of targeted advertising, opting out of the sale of personal data, and opting out of profiling in furtherance of decisions that produce legal or similarly significant effects. An implementation built only around California's sale-or-share link does not address the profiling opt-out at all, and leaves the targeted-advertising and sale opt-outs, which those states treat as distinct rights, without a clear mapping.

Misconception: Small businesses are universally exempt. Texas's TDPSA uses the SBA small-business definition as its only threshold, but California's CPRA covers any business that alone meets its revenue or processing thresholds regardless of employee count. A business with annual gross revenue exceeding $25 million (indexed for inflation) is subject to CPRA regardless of whether it qualifies as a small business under other definitions.

Misconception: Federal legislation will preempt state laws imminently. The American Data Privacy and Protection Act (ADPPA) passed the House Energy and Commerce Committee in July 2022 but did not advance to a floor vote (Congress.gov, ADPPA). No federal omnibus privacy statute has been enacted as of 2024, and the legislative track record since 2018 does not support assumptions of near-term preemption.



Assessment Checklist

The following sequence describes the standard operational phases organizations undertake when conducting a multi-state privacy law applicability assessment. This is a structural description of the assessment process, not professional advice.

Phase 1 — Resident Population Identification
- Map data processing activities by the state of residence of data subjects, not the state of business incorporation.
- Identify whether processing volumes meet each state's numeric threshold, including the secondary prongs (e.g., 100,000 consumers for Virginia, Colorado, Connecticut, and Oregon; 50,000 for Montana; 25,000 consumers combined with a sale-revenue condition in each of those states; and revenue-based or consumer-count thresholds for California).

Phase 2 — Data Inventory and Classification
- Enumerate personal data categories collected, processed, or sold.
- Classify data against each state's sensitive data definitions (biometric, health, precise geolocation, children's data, etc.).
- Identify processing purposes: targeted advertising, profiling, sale, and internal analytics must be tracked separately.

Phase 3 — Controller/Processor Relationship Mapping
- Identify all third-party vendors receiving personal data.
- Confirm whether contractual data processing agreements exist and whether they satisfy each applicable state's processor contract requirements.

Phase 4 — Rights Infrastructure Assessment
- Confirm consumer rights request intake mechanisms exist for: access, correction, deletion, portability, and opt-out.
- Verify appeal mechanisms are in place (Virginia, Colorado, and Connecticut require a formal appeal process for denied rights requests).

Phase 5 — Sensitive Data Consent Review
- Confirm opt-in consent mechanisms are in place for each sensitive data category processed.
- Confirm DPIA documentation exists for processing activities triggering assessment requirements under applicable state laws.

Phase 6 — Privacy Notice Review
- Verify privacy notices disclose data categories collected, processing purposes, third-party sharing, and rights exercise instructions.
- Confirm "Do Not Sell or Share" links or equivalent disclosures appear on applicable web properties.
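A worked screen for Phase 1, added here as an illustration rather than code from this page or from any regulator: it encodes the primary and secondary numeric prongs of the California, Virginia, Colorado, Connecticut, Montana, Oregon, and Texas statutes as they appear in the reference table below, runs them against a constructed controller profile, and shows that identical resident counts in two states can land on opposite sides of applicability. The SBA small-business determination and the Connecticut payment-transaction exclusion are treated as caller-supplied inputs, since neither can be derived from resident counts alone, and the California revenue figure is the unindexed $25 million; all figures should be verified against the current statutory text before being relied on.

```python
"""Phase 1 applicability screen for the numeric thresholds of the state laws
summarized on this page. Added illustration: not statute text, not a regulator's
tool. Threshold figures are those of the cited statutes; the SBA small-business
determination and Connecticut's payment-transaction exclusion are caller inputs."""
from dataclasses import dataclass


@dataclass
class Inventory:
    """Constructed profile of one controller for a single fiscal year."""
    residents_by_state: dict     # state code -> distinct residents whose data was processed
    gross_revenue_usd: float     # worldwide annual gross revenue
    sale_revenue_share: float    # fraction of revenue from selling (or, in CA, sharing) personal data
    sells_personal_data: bool    # any sale at all, even if the revenue share rounds to zero
    sba_small_business: bool     # assumed input: the SBA size standard is industry specific
    ct_residents_excl_payments: int = 0  # CT count net of payment-transaction-only consumers


def applies_ca(inv):
    # Cal. Civ. Code 1798.140(d): $25M revenue (stated unindexed here), 100,000
    # consumers or households, or 50% of revenue from selling/sharing.
    n = inv.residents_by_state.get("CA", 0)
    return (inv.gross_revenue_usd > 25_000_000
            or n >= 100_000
            or inv.sale_revenue_share >= 0.50)


def applies_va(inv):
    # 100,000 residents, or 25,000 residents plus over 50% of revenue from sales.
    n = inv.residents_by_state.get("VA", 0)
    return n >= 100_000 or (n >= 25_000 and inv.sale_revenue_share > 0.50)


def applies_co(inv):
    # Colorado's secondary prong needs only *some* revenue or discount from sales.
    n = inv.residents_by_state.get("CO", 0)
    return n >= 100_000 or (n >= 25_000 and inv.sells_personal_data)


def applies_ct(inv):
    # Connecticut counts consumers net of payment-transaction-only processing.
    n = inv.ct_residents_excl_payments
    return n >= 100_000 or (n >= 25_000 and inv.sale_revenue_share > 0.25)


def quarter_share_rule(state, primary_floor):
    """Montana and Oregon pattern: primary floor, or 25,000 plus >25% sale revenue."""
    def rule(inv):
        n = inv.residents_by_state.get(state, 0)
        return n >= primary_floor or (n >= 25_000 and inv.sale_revenue_share > 0.25)
    return rule


def applies_tx(inv):
    # TDPSA has no count threshold: any Texas processing by a non-small business.
    # "Conducts business in Texas" is approximated here by processing any TX resident.
    return inv.residents_by_state.get("TX", 0) > 0 and not inv.sba_small_business


RULES = {
    "CA": applies_ca,
    "VA": applies_va,
    "CO": applies_co,
    "CT": applies_ct,
    "MT": quarter_share_rule("MT", 50_000),
    "OR": quarter_share_rule("OR", 100_000),
    "TX": applies_tx,
}


def applicable_laws(inv):
    """Return the sorted list of state codes whose comprehensive law the profile triggers."""
    return sorted(state for state, rule in RULES.items() if rule(inv))


# Constructed sample: identical 30,000-resident counts in Virginia and Colorado.
SAMPLE = Inventory(
    residents_by_state={"CA": 40_000, "VA": 30_000, "CO": 30_000,
                        "MT": 60_000, "OR": 26_000, "TX": 5_000},
    gross_revenue_usd=18_000_000,
    sale_revenue_share=0.30,
    sells_personal_data=True,
    sba_small_business=False,
    ct_residents_excl_payments=24_000,
)

if __name__ == "__main__":
    # Colorado applies (25,000 + any sale revenue) while Virginia does not
    # (its secondary prong needs over 50% of revenue from sales).
    print(applicable_laws(SAMPLE))  # ['CO', 'MT', 'OR', 'TX']
```

The sample profile is below every primary threshold, so the outcome is decided entirely by the secondary prongs: Colorado and Oregon are triggered by a 30% sale-revenue share that Virginia ignores, Connecticut drops out once payment-only consumers are excluded, and Texas is triggered with only 5,000 residents because its test is the SBA size standard rather than a count. Extending the table to further states is a matter of adding a rule function; the inputs that cannot be derived from a resident count stay explicit fields on the profile.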


Reference Table

Law | State | Effective Date | Applicability Threshold | Sensitive Data Consent | Private Right of Action | Enforcement Body
CCPA/CPRA | California | Jan 1, 2020 / Jan 1, 2023 | >$25M gross revenue, or 100,000 consumers or households, or 50% of revenue from selling/sharing | Right to limit use (opt-out); opt-in for consumers under 16 | Limited (data breach only) | CPPA + AG
CDPA | Virginia | Jan 1, 2023 | 100,000 consumers, or 25,000 plus >50% of revenue from sales | Opt-in | No | Attorney General
CPA | Colorado | Jul 1, 2023 | 100,000 consumers, or 25,000 plus any revenue or discount from sales | Opt-in | No | Attorney General and district attorneys
CTDPA | Connecticut | Jul 1, 2023 | 100,000 consumers (excluding payment-transaction-only processing), or 25,000 plus >25% of revenue from sales | Opt-in | No | Attorney General
UCPA | Utah | Dec 31, 2023 | >$25M revenue and (100,000 consumers, or 25,000 plus >50% of revenue from sales) | Notice and opt-out only | No | Attorney General
TDPSA | Texas | Jul 1, 2024 | Not an SBA small business (no numeric threshold) | Opt-in | No | Attorney General
MCDPA | Montana | Oct 1, 2024 | 50,000 consumers, or 25,000 plus >25% of revenue from sales | Opt-in | No | Attorney General
OCPA | Oregon | Jul 1, 2024 | 100,000 consumers, or 25,000 plus >25% of revenue from sales | Opt-in | No | Attorney General
FDBR | Florida | Jul 1, 2024 | >$1B global revenue plus an online-advertising, smart-speaker, or app-store criterion | Opt-in | No | Attorney General (Department of Legal Affairs)
BIPA | Illinois | Oct 3, 2008 | None (applies per collection of a biometric identifier) | Written consent (biometric only) | Yes | Private litigation

Sources: IAPP State Privacy Legislation Tracker; individual state legislative texts linked in body sections above.

