Nineteen states have followed the lead of California and passed consumer privacy laws. Three went into effect this year and eight will become effective in 2025. The remainder become effective in 2026. Charts at the end of this post track effective dates (see Table 1) and applicability thresholds (see Table 2). While these laws are similar in many respects, they also diverge from each other in material ways, creating a compliance challenge for organizations. In addition, enterprises need to consider other privacy laws pertaining specifically to consumer health data,[1] laws specific to children’s and minors’ personal data that are not part of a comprehensive consumer privacy law,[2] AI-specific laws,[3] and laws regulating data brokers, including those that are part of overall consumer privacy laws.[4]

A recent article published by the authors in Competition Policy International’s TechReg Chronicle details the similarities and differences between the 20 state consumer privacy laws, and a chart at the end of this post provides a quick reference comparison of these laws (see Table 3).

Enterprises need to determine which of these laws apply to them and how to reconcile the differences between the laws, or adopt a high-water-mark approach. As enterprises prepare their annual privacy notice updates, a requirement under the California law, now is a good time to confirm what additional state laws will apply and ensure compliance with those that are, or will become in 2025, applicable. 2025 will also see the finalization of California’s regulations on data risk assessments, cybersecurity audits, and ADM/AI/profiling, which will impose complex operational and reporting requirements on businesses subject to the CCPA and which companies should be budgeting and planning for now.

For more information on becoming 2025-ready, contact the authors or your SPB relationship partner.

Table 1

State Name and Link to Law | Consumer Privacy Law Title | Effective Date
California | California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA) (collectively, CCPA) | Initial CCPA Effective Date: January 1, 2020; CPRA amendments Effective Date: January 1, 2023
Colorado | Colorado Privacy Act (Colorado Law) | July 1, 2023
Connecticut[5] | Connecticut Data Privacy and Online Monitoring Act (Connecticut Law) | July 1, 2023
Delaware | Delaware Personal Data Privacy Act (Delaware Law) | January 1, 2025
Florida | Florida Digital Bill of Rights (Florida Law) | July 1, 2024
Indiana | Indiana Consumer Data Protection Act (Indiana Law) | January 1, 2026
Iowa | Act Relating to Consumer Data Protection (Iowa Law) | January 1, 2025
Kentucky | Kentucky Consumer Data Protection Act (Kentucky Law) | January 1, 2026
Maryland | Maryland Online Data Privacy Act (Maryland Law) | October 1, 2025
Minnesota | Minnesota Consumer Data Privacy Act (Minnesota Law) | July 31, 2025*
Montana | Montana Consumer Data Privacy Act (Montana Law) | October 1, 2024
Nebraska | Data Privacy Act (Nebraska Law) | January 1, 2025
New Hampshire | Act Relative to the Expectation of Privacy (New Hampshire Law) | January 1, 2025
New Jersey | Act Concerning Online Services, Consumers, and Personal Data (New Jersey Law) | January 15, 2025
Oregon | Oregon Consumer Privacy Act (Oregon Law) | July 1, 2024**
Rhode Island | Rhode Island Data Transparency and Privacy Protection Act (Rhode Island Law) | January 1, 2026
Tennessee | Tennessee Information Protection Act (Tennessee Law) | July 1, 2025
Texas | Texas Data Privacy and Security Act (Texas Law) | July 1, 2024
Utah | Utah Consumer Privacy Act (Utah Law) | December 31, 2023
Virginia | Virginia Consumer Data Protection Act (Virginia Law) | January 1, 2023

Table 2

Law | Who is Covered?
CCPA / CPRA | For-profit “businesses” that meet thresholds, including affiliates, joint ventures, and partnerships that: (1) have a gross global annual revenue of > U.S. $25 million; (2) annually buy, sell, or “share” for cross-context behavioral advertising purposes PI of 100,000 or more California consumers or households; or (3) derive 50% or more of annual revenues from selling or “sharing” for cross-context behavioral advertising PI of California consumers. Non-profit exception from the term “Business.”
Virginia Law | Business entities, including for-profit and B-to-B entities, that conduct business in Virginia or produce products or services that target Virginia residents and, during a calendar year, either: (1) control or process personal data of at least 100,000 Virginia residents; or (2) derive 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 Virginia residents. Full non-profit exception.
Colorado Law | Any legal entity that conducts business in Colorado or produces or delivers commercial products or services that intentionally target Colorado residents, and that satisfies one or both of the following: (1) during a calendar year, controls or processes personal data of 100,000 or more Colorado residents; or (2) both derives revenue or receives discounts from selling personal data and processes or controls the personal data of 25,000 or more Colorado residents.
Utah Law | Controllers or processors who: (1) conduct business in Utah or produce a product or service targeted to Utah residents; (2) have annual revenue of U.S. $25 million or more; and (3) (a) control or process data of 100,000 or more Utah residents in a calendar year; or (b) derive over 50% of gross revenue from the sale of personal data and control or process personal data of 25,000 or more Utah residents. Full non-profit exception.
Connecticut Law | Individuals and entities that do business in Connecticut or produce products or services that are targeted to Connecticut residents, that in the preceding year either: (1) controlled or processed the personal data of at least 100,000 Connecticut residents (excluding for the purpose of completing a payment transaction); or (2) controlled or processed the personal data of at least 25,000 Connecticut residents and derived more than 25% of gross annual revenue from the sale of personal data.
Iowa Law | Persons conducting business in Iowa or producing products or services that are targeted to consumers who are residents of Iowa and that, during a calendar year, either: (1) control or process personal data of at least 100,000 consumers; or (2) both control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. Full non-profit exception.
Indiana Law | Persons that: (1) conduct business in Indiana or produce products or services that are targeted to Indiana residents; and (2) during a calendar year, (a) control or process the personal data of at least 100,000 consumers who are Indiana residents; or (b) control or process the personal data of at least 25,000 consumers who are Indiana residents and derive more than 50% of gross revenue from the sale of personal data. Full non-profit exception.
Tennessee Law | Persons that conduct business in Tennessee producing products or services that target Tennessee residents and that: (1) exceed $25 million in revenue; and (2) (a) control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information; or (b) during a calendar year, control or process personal information of at least 175,000 consumers. Full non-profit exception.
Montana Law | Persons that: (1) conduct business in Montana or produce products or services that are targeted to Montana residents; and (2) (a) control or process the personal data of at least 50,000 consumers, excluding personal data collected or processed solely for the purpose of completing a payment transaction; or (b) control or process the personal data of at least 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data. Full non-profit exception.
Florida Law | (1) Controllers, which are defined as any sole proprietorship, partnership, LLC, corporation, association, or legal entity that meets the following requirements: (a) is organized or operated for the profit or financial benefit of its shareholders or owners; (b) conducts business in Florida; (c) collects personal data about consumers, or is the entity on behalf of which such information is collected; (d) determines the purposes and means of processing personal data about consumers or jointly with others; (e) makes in excess of $1 billion in global gross annual revenues; and (f) satisfies at least one of the following: (i) derives 50% or more of its global gross annual revenues from the sale of advertisements online, including targeted advertising or the sale of ads online; (ii) operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. For purposes of this sub-paragraph, a consumer smart speaker and voice command component service does not include a motor vehicle or speaker or device associated with or connected to a vehicle which is operated by a motor manufacturer or a subsidiary or affiliate thereof; or (iii) operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install. (2) Any entity that controls or is controlled by a controller. As used in this paragraph, the term “control” means: (a) ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a controller; (b) control in any manner the election of a majority of the directors, or of individuals exercising similar functions; or (c) the power to exercise a controlling influence over the management of a company. Full non-profit exception.
Texas Law | Persons that: (1) conduct business in Texas or produce a product or service consumed by Texas residents; (2) process or engage in the sale of personal data; and (3) are not a small business as defined by the U.S. Small Business Administration. Full non-profit exception.
Oregon Law | Persons that: (1) conduct business in Oregon, or provide products or services to residents of Oregon; and (2) during a calendar year, control or process (a) the personal data of at least 100,000 consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) the personal data of at least 25,000 consumers, while deriving at least 25% of annual gross revenue from the sale of personal data. Limited non-profit exception.
Delaware Law | Persons that: (1) conduct business in Delaware or produce products or services that are targeted to Delaware residents; and (2) during the preceding calendar year did any of the following: (a) controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data. Limited non-profit exception.
New Jersey Law | Controllers that: (1) conduct business in New Jersey or produce products or services that are targeted to New Jersey residents; and (2) during the calendar year did any of the following: (a) controlled or processed the personal data of at least 100,000 consumers (excluding personal data processed solely for the purpose of completing a payment transaction); or (b) controlled or processed the personal data of at least 25,000 consumers and derived revenue or received a discount on the price of any goods or services from the sale of personal data.
New Hampshire Law | Persons that: (1) conduct business in New Hampshire or produce products or services that are targeted to New Hampshire residents; and (2) during a one-year period did any of the following: (a) controlled or processed the personal data of at least 35,000 unique consumers (excluding personal data processed solely for the purpose of completing a payment transaction); or (b) controlled or processed the personal data of at least 10,000 unique consumers and derived more than 25% of their gross revenue from the sale of personal data. Full non-profit exception.
Kentucky Law | Persons that: (1) conduct business in Kentucky or produce products or services that are targeted to Kentucky residents; and (2) during a calendar year did any of the following: (a) controlled or processed the personal data of at least 100,000 consumers; or (b) controlled or processed the personal data of at least 25,000 consumers and derived more than 50% of their gross revenue from the sale of personal data. Full non-profit exception.
Maryland Law | Persons that: (1) conduct business in Maryland or produce products or services that are targeted to Maryland residents; and (2) during the preceding calendar year did any of the following: (a) controlled or processed the personal data of at least 35,000 consumers (excluding personal data processed solely for the purpose of completing a payment transaction); or (b) controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data. Limited non-profit exception.
Nebraska Law | Persons that: (1) conduct business in Nebraska or produce products or services that are consumed by Nebraska residents; (2) process or engage in the sale of personal data; and (3) are not a small business, as determined by federal law. Full non-profit exception.
Rhode Island Law | For-profit entities that: (1) conduct business in Rhode Island or produce products or services that are targeted to Rhode Island residents; and (2) during the preceding calendar year did any of the following: (a) controlled or processed the personal data of at least 35,000 Rhode Island residents (excluding personal data processed solely for the purpose of completing a payment transaction); or (b) controlled or processed the personal data of at least 10,000 Rhode Island residents and derived more than 20% of the gross revenue from the sale of personal data. (Some sections of the law apply to any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island (or otherwise subject to Rhode Island jurisdiction) that collects, stores, and sells customer’s personal data.) Full non-profit exception.
Minnesota Law | Legal entities (subject to exclusions, such as most government entities) that: During a calendar year, control or process the personal data of at least 100,000 consumers (excluding payments processing); Derive over 25% of gross revenues from the sale of personal data and process the personal data of at least 25,000 consumers. Limited non-profit exception.

Table 3

The following chart demonstrates the similarities and differences among current U.S. consumer privacy laws of general application, compares them to the GDPR and notes differences between the original CCPA and the current version amended by the California Privacy Rights Act (“CPRA”).

GDPR, CCPA, CPRA, Virginia Law & Colorado Law

Right / Requirement | GDPR | CCPA | CPRA | Virginia Law | Colorado Law
Right to Access
Right to Confirm Personal Data is Being ProcessedImpliedImplied
Right to Data Portability
Right to Delete[6]
Right to Correct / Right to RectificationX
Right to Opt-Out of Sale | [7] | [8] | [17] | [9] | [17]
Right to Opt-Out of Targeted / Behavioral Advertising[10]X[11]
Right to Object or Opt-Out of ADMX[12]X[13]
Right to Opt-Out of Profiling[14]X
Choice Required for Processing of “Sensitive” Personal Data | Opt-In | X | Opt-Out[15] | Opt-In | Opt-In
Right to Object to or Restrict Processing GenerallyXXXX
Required Opt-Out Links on Website or Elsewhere | No Explicit Requirement | DNS | DNSell, DNShare, Sensitive PI Opt-Out[16] | Targeted Ad & Sale Opt-Outs | Targeted Ad & Sale Opt-Outs
Right to Non-Discrimination[17]Implied
Specific Privacy Policy Content Requirements
Purpose, Use, and/or Retention LimitationsImplied
Privacy & Security Impact Assessments Sometimes RequiredX
“Reasonable” Security ObligationImplied
Notice at Collection Requirement (Statute + Regs)XX
Honor Universal Opt-out SignalsXXX

Utah Law, Connecticut Law, Nevada Law, Iowa Law & Indiana Law

Right / Requirement | Utah Law | Connecticut Law | Nevada Law | Iowa Law | Indiana Law[18]
Right to AccessX
Right to Confirm Personal Data is Being ProcessedX
Right to Data PortabilityX
Right to DeleteX
Right to Correct / Right to RectificationXXX
Right to Opt-Out of Sale | [18] | [17] | [19] | [18] | [18]
Right to Opt-Out of Targeted / Behavioral AdvertisingX
Right to Object or Opt-Out of ADM | X | X | X | X | X
Right to Opt-Out of ProfilingXXX
Choice Required for Processing of “Sensitive” Personal Data | Notice & Opp. to Opt-Out | Opt-In | X | Notice & Opp. to Opt-Out | Opt-In
Right to Object to or Restrict Processing Generally | X | X | X | X | X
Required Opt-Out Links on Website or Elsewhere | Targeted Ad & Sale Opt-Outs | Targeted Ad & Sale Opt-Outs | None | Targeted Ad & Sale Opt-Outs | Targeted Ad & Sale Opt-Outs
Right to Non-DiscriminationX
Specific Privacy Policy Content Requirements
Purpose, Use, and/or Retention LimitationsXXX
Privacy and Security Impact Assessments Sometimes RequiredXXX
“Reasonable” Security Obligation
Notice at Collection Requirement | X | X | X | X | X
Honor Universal Opt-out SignalsXXXX

Tennessee Law, Montana Law, Florida Law, Texas Law & Oregon Law

Right / Requirement | Tennessee Law | Montana Law | Florida Law[20] | Texas Law | Oregon Law[21]
Right to Access
Right to Confirm Personal Data is Being Processed
Right to Data Portability
Right to Delete
Right to Correct / Right to Rectification
Right to Opt-Out of Sale | [18] | [17] | [17] | [17] | [17]
Right to Opt-Out of Targeted / Behavioral Advertising
Right to Object or Opt-Out of ADM | X | X | X | X | X
Right to Opt-Out of Profiling
Choice Required for Processing of “Sensitive” Personal Data | Opt-In | Opt-In | Opt-In (with a right to opt out later) | Opt-In | Opt-In
Right to Object to or Restrict Processing Generally | X | X | X | X | X
Required Opt-Out Links on Website or Elsewhere | Targeted Ad & Sale Opt-Outs | Targeted Ad & Sale Opt-Outs | Targeted Ad & Sale Opt-Outs | Targeted Ad & Sale Opt-Outs | Targeted Ad & Sale Opt-Outs
Right to Non-Discrimination
Specific Privacy Policy Content Requirements
Purpose, Use, and/or Retention Limitations
Privacy and Security Impact Assessments Sometimes Required
“Reasonable” Security Obligation
Notice at Collection Requirement | X | X | X | X | X
Honor Universal Opt-out SignalsXX

Delaware Law, New Jersey Law, New Hampshire Law, Kentucky Law & Minnesota Law

Right / Requirement | Delaware Law[22] | New Jersey Law | New Hampshire Law | Kentucky Law | Minnesota Law[23]
Right to Access
Right to Confirm Personal Data is Being Processed
Right to Data Portability
Right to Delete
Right to Correct / Right to Rectification
Right to Opt-Out of Sale | [17] | [17] | [17] | [18] | [17]
Right to Opt-Out of Targeted / Behavioral Advertising
Right to Object or Opt-Out of ADMXXXX
Right to Opt-Out of Profiling
Choice Required for Processing of “Sensitive” Personal Data | Opt-In | Opt-In | Opt-In | Opt-In | Opt-In
Right to Object to or Restrict Processing Generally | X | X | X | X | X
Required Opt-Out Links on Website or Elsewhere | Targeted Ad & Sale Opt-Outs | Targeted Ad, Sale & Profiling Opt-Outs | Targeted Ad & Sale Opt-Outs | None | Not required, but noted as an approved method.
Right to Non-Discrimination
Specific Privacy Policy Content Requirements
Purpose, Use, and/or Retention Limitations
Privacy and Security Impact Assessments Sometimes Required
“Reasonable” Security Obligation
Notice at Collection Requirement | X | X | X | X | X
Honor Universal Opt-out SignalsX

Maryland Law, Nebraska Law & Rhode Island Law

Right / Requirement | Maryland Law[24] | Nebraska Law | Rhode Island Law
Right to Access
Right to Confirm Personal Data is Being Processed
Right to Data Portability
Right to Delete
Right to Correct / Right to Rectification
Right to Opt-Out of Sale | [17] | [17] | [17]
Right to Opt-Out of Targeted / Behavioral Advertising
Right to Object or Opt-Out of ADM | X | X | X
Right to Opt-Out of Profiling
Choice Required for Processing of “Sensitive” Personal Data | Only when strictly necessary, no sale allowed | Opt-In | Opt-In
Right to Object to or Restrict Processing Generally | X | X | X
Required Opt-Out Links on Website or Elsewhere | Targeted Ad & Sale Opt-Outs | Targeted Ad & Sale Opt-Outs | X
Right to Non-Discrimination
Specific Privacy Policy Content Requirements
Purpose, Use, and/or Retention Limitations
Privacy and Security Impact Assessments Sometimes Required
“Reasonable” Security Obligation
Notice at Collection Requirement | X | X | X
Honor Universal Opt-out SignalsX

[1] For example, Washington’s My Health My Data Act and a similar Nevada law. See https://www.privacyworld.blog/2024/04/are-you-ready-for-washington-and-nevadas-consumer-health-data-laws.

[2] For example, the California Age-Appropriate Design Code Act (“CA AADCA”). See https://www.privacyworld.blog/2023/10/california-attorney-general-appeals-federal-court-ruling-that-online-child-safety-act-is-likely-unconstitutional/ and https://www.privacyworld.blog/2023/07/texas-two-steps-into-the-childrens-privacy-dance-the-securing-children-online-through-parental-empowerment-act/. A 9th Circuit federal Court of Appeals decision has struck down the risk assessment and abatement provisions of CA AADCA, and laws making favored and disfavored content distinctions for minors face similar challenges. See https://www.privacyworld.blog/2024/08/are-data-practice-risk-assessments-at-risk-in-the-us/.

[3] For example, Colorado’s Artificial Intelligence (AI) law (C.R.S. 6-1-1701).

[4] A data broker is typically a controller that sells personal data that the controller did not collect directly from consumers. CA, NV, VT, OR and TX all regulate data brokers. VT and NV do not have broad consumer privacy laws and do so on a separate basis.

[5] The General Statutes of Connecticut are supplemented as of January 1, 2024 here.

[6] In California, Utah, and Iowa, deletion obligations are limited to PI collected from the consumer; under all other state consumer privacy laws, PI collected about the consumer is also in scope of the deletion right.

[7] Selling personal data under the GDPR generally would require the consent of the data subject for collection and would be subject to the right to object to processing.

[8] Any consideration sufficient, but cash consideration not required.

[9] Cash consideration required.

[10] Right to opt-out of cross-context behavioral advertising sharing for California; right to opt-out of targeted advertising in all other state consumer privacy laws.

[11] However, certain data disclosures inherent in this type of advertising are arguably a “sale,” subject to opt-out rights. The CPRA Regulations combine the opt-out right for “sale” and “share.”

[12] Subject to substantial expansion under the CPRA Regulations. Based on preliminary rulemaking activities, it appears that the CPPA is contemplating a GDPR-like approach for ADM and profiling.

[13] Under the CPA Rules, if a consumer requests to opt out of human-involved automated processing, organizations can reject the request, but must inform the consumer of the rejection within 45 days and include the following information or link to such information: the decision subject to profiling, the categories of PI used, the logic used in the profiling process, the role of human involvement, how profiling is used in the decision-making process, benefits and potential consequences of the decision, and how consumers can correct or delete the data used in the profiling.

[14] The CPRA’s concept of profiling is subject to change under the regulations. The profiling concepts in the other 2023 state consumer privacy laws require legal or substantially similar effects.

[15] Under the CPRA, the Sensitive PI opt-out right applies to certain processing activities beyond business purposes. Section 7027 of the CA Regs includes contextual but not cross-context behavioral advertising.

[16] Businesses will be able to utilize “a single, clearly labeled link” to cover all opt-outs. The CA Regs permit titling the link “Your Privacy Choices” or “Your California Privacy Choices” plus an icon. It is not clear if organizations need to provide both sale/share and limit sensitive info opt-outs, where they are not engaging in activities that necessitate both, in order to use the alternative link. The former could work well to direct a consumer to the other state opt-outs too.

[17] The CCPA (and the CPRA) take a more onerous approach to non-discrimination with respect to financial incentives and price/service differences, requiring businesses to prove that they are reasonably related to the value of the consumer’s data to the business.

[18] Indiana Law also provides the right to obtain a copy or a representative summary of the consumer’s personal data provided to the controller.

[19] In Nevada, website and online service operators are required to offer an “opt-out,” but only for limited disclosures of certain information and only if the disclosure is made in exchange for monetary consideration.

[20] Florida Law also contains the rights to: (i) opt out of the collection or processing of sensitive data; and (ii) opt out of the collection of personal data through voice or facial recognition.

[21] Oregon Law also contains the right to obtain a list of specific third parties to which the controller has disclosed the consumer’s personal data, OR any personal data (at the controller’s option).

[22] Delaware Law also provides the right to obtain a list of categories of third-party recipients of the consumer’s personal data, by category of personal data.

[23] Under the Minnesota Law, a consumer has a right to obtain a list of the specific third parties to which the controller has disclosed the consumer’s personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers’ personal data may be provided instead.

[24] Maryland Law also provides the right to obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data, OR a list of the categories of third parties to which the controller has disclosed any consumer’s personal data IF the controller does not maintain this information in a format specific to the consumer.


Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.