Comprehensive State Consumer Privacy Laws
Passage of state-level comprehensive consumer privacy laws has picked up speed in the last twelve months, and the trend is likely to continue. As the 2023-2024 state legislative sessions end, a total of seventeen states have enacted their own omnibus privacy laws: California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska and Maryland. The legislatures in Vermont, Minnesota and Rhode Island recently passed comprehensive privacy laws. Vermont’s legislation was vetoed by its governor, while Minnesota’s and Rhode Island’s await their governors’ signatures.
Common Features
Most, but not all, of the state privacy laws provide consumers the rights to (1) access personal data, (2) correct personal data, (3) delete personal data, (4) have their personal data transmitted directly from one controller to another, i.e. data portability, (5) opt out of the sale of data, (6) opt out of some forms of data processing, (7) not be subject to automated decision-making and (8) opt in to sensitive data processing. Businesses are generally required to provide clear notice to consumers about how their data may be used, practice data minimization, perform risk assessments of data use, not discriminate against consumers who exercise their data privacy rights, and abide by limitations on the lawful purposes for processing data. The state laws differ in their thresholds for applicability, but most apply to businesses that control or process the data of more than 100,000 consumers or that derive a share of their total gross revenue, usually 25-50%, from the sale of the personal data of at least 25,000 consumers.
The newest state privacy laws have adopted additional consumer-friendly provisions. For example, Oregon, Colorado and Maryland have included nonprofit organizations as covered entities that must comply with consumer privacy regulations. Additionally, California (only in the case of a data breach) and more targeted privacy laws, like the Illinois Biometric Information Privacy Act, include private rights of action. Private rights of action, and the deterrent of statutory damages that come with them, may become more common in state privacy laws.
State Privacy Laws in Order of Enactment
California Consumer Privacy Act (“CCPA”) enacted June 28, 2018, effective January 1, 2020
The CCPA was the first comprehensive state consumer privacy law and is considered one of the strongest state privacy laws. Unlike other state privacy laws, the CCPA requires businesses to obtain opt-in consent from minors under sixteen to process personal information, whereas other states abide by a lower threshold of thirteen. However, the law does not guarantee consumers the choice to opt in to the processing of sensitive data.
Virginia Consumer Data Protection Act (“VCDPA”) enacted March 2, 2021, effective January 1, 2023
Virginia has adopted the standard rights and obligations discussed above.
Colorado Privacy Act (“CPA”) enacted July 7, 2021, effective July 1, 2023
The CPA is one of only three state privacy laws that apply to nonprofit organizations. The law’s applicability thresholds are the same for nonprofits as they are for for-profit businesses: entities that either control or process the personal data of 100,000 consumers a year or derive revenue from the sale of the personal data of at least 25,000 consumers are subject to the CPA.
Connecticut Data Privacy Act (“CDPA”) enacted May 10, 2022, effective July 1, 2023
Connecticut has adopted the standard rights and obligations discussed above.
Utah Consumer Privacy Act (“UCPA”) enacted March 24, 2022, effective December 21, 2023
The UCPA does not contain the rights to correct data, to opt in to sensitive data processing or to be free from automated decision-making. The law imposes no limitations on the purposes for which a business can use personal information and does not require businesses to perform risk assessments of data use.
Iowa Consumer Data Protection Act (“ICDPA”) enacted March 29, 2023, effective January 1, 2025
The ICDPA does not contain the rights to correct data, to opt out of certain kinds of data processing, to opt in to sensitive data processing or any rights against automated decision-making. The ICDPA also does not create an obligation for businesses to provide consumers with notice of how their data will be used.
Indiana Consumer Data Protection Act (“INCDPA”) enacted May 1, 2023, effective January 1, 2026
Indiana has adopted the standard rights and obligations discussed above.
Tennessee Information Protection Act (“TIPA”) enacted May 11, 2023, effective July 1, 2025
Tennessee has adopted the standard rights and obligations discussed above.
Montana Consumer Data Privacy Act (“MCDPA”) enacted May 19, 2023, effective October 1, 2024
The MCDPA has a lower applicability threshold than most other states, extending to businesses that control or process the personal data of at least 50,000 consumers.
Texas Data Privacy and Security Act (“TDPSA”) enacted June 18, 2023, effective July 1, 2024
The TDPSA stands apart from other state privacy laws in its approach to applicability. The TDPSA applies to data processors or controllers who conduct business in the state, produce a product or service consumed by Texas residents, and do not qualify as small businesses under the federal Small Business Act. Unlike other state privacy laws, the Texas law does not define its scope based upon a business’s revenue or the number of consumers whose data it processes.
Oregon Consumer Privacy Act (“OCPA”) enacted July 18, 2023, effective July 1, 2024
The OCPA, like the privacy laws of Colorado and Maryland, applies to nonprofit organizations. The law’s applicability thresholds are the same for nonprofits as they are for for-profit businesses: entities that either control or process the personal data of 100,000 consumers a year or derive more than 25% of their annual gross revenue from the sale of the personal data of at least 25,000 consumers are subject to the OCPA. However, nonprofits have an additional year, until July 1, 2025, to comply with the law.
Delaware Personal Data Privacy Act (“DPDPA”) enacted September 11, 2023, effective January 1, 2025
The DPDPA requires businesses to obtain opt-in consent from minors under seventeen to process personal information. This is the highest age-of-consent threshold of any comprehensive state privacy law.
New Jersey Privacy Act (“NJPA”) enacted January 16, 2024, effective January 15, 2025
New Jersey has adopted the standard rights and obligations discussed above.
New Hampshire Privacy Act (“NHPA”) enacted March 6, 2024, effective January 1, 2025
The NHPA has lower applicability thresholds than other state privacy laws and applies to businesses that process the data of at least 35,000 consumers or generate more than 35% of their revenue from the sale of data from at least 10,000 consumers.
Kentucky Consumer Data Protection Act (“KCDPA”) enacted April 4, 2024, effective January 1, 2026
Kentucky has adopted the standard rights and obligations discussed above.
Nebraska Data Privacy Act (“NDPA”) enacted April 17, 2024, effective January 1, 2025
The NDPA’s applicability standard mirrors that of the Texas Data Privacy and Security Act. The NDPA applies to data controllers that do business in Nebraska or produce a product or service that Nebraska consumers use, and which do not qualify as small businesses under the federal Small Business Act.
Maryland Online Data Privacy Act (“MODPA”) enacted May 9, 2024, effective October 1, 2025
The MODPA is one of the stronger state privacy laws, restricting the processing of consumer data to only those uses that are “strictly necessary” and proportionate to the provision of goods or services to consumers. This contrasts with most other state privacy laws, which allow businesses to collect and use data that is reasonably necessary “for the purposes they disclose to consumers.” The MODPA also has lower applicability thresholds than most other state privacy laws, extending to businesses and nonprofit organizations that control or process the personal data of at least 35,000 consumers a year or derive more than 20% of their revenue from the sale of the personal data of at least 10,000 consumers. The only nonprofits exempted from MODPA are those that process or share data for the purpose of assisting law enforcement agencies in investigating crime and insurance fraud or first responders.
Vermont Data Privacy Act (“VDPA”) passed the legislature May 12, 2024, vetoed June 13, 2024
The Vermont legislature recently passed the VDPA, which would have been one of the strongest state privacy laws in the U.S. However, Governor Phil Scott vetoed the bill on June 13, 2024, because of the bill’s private right of action. In his letter to the General Assembly, Governor Scott urged lawmakers to adopt policies that more closely align with other privacy laws in the region, like those of Connecticut and New Hampshire, to avoid making Vermont an outlier. The VDPA would have applied to businesses that process or control the personal data of at least 25,000 consumers or derive more than 50% of their gross profits from the sale of personal data. In addition to granting standard consumer privacy rights, the VDPA would have prohibited companies from using “dark patterns” or manipulative techniques to condition users’ access to goods or services on their choice of whether to exercise their data privacy rights. The Act would have also created the Age-Appropriate Design Code (“AADC”) to require companies targeting minors to consider the distinct needs of the various age ranges of minors seventeen and under. This provision mirrors AADC laws in California and Maryland. The VDPA also would have incorporated additional protections for children’s privacy, including limitations on the collection, sale and storage of the data of minors. Unlike most other consumer privacy laws, which state governments enforce, the VDPA included a private right of action against companies that process the personal data of over 100,000 consumers.
Minnesota Consumer Data Privacy Act (“MCDPA”) passed the legislature May 19, 2024
The MCDPA contains notable differences from other state privacy laws. The first is that, in addition to the basic data privacy rights that most comprehensive privacy laws grant, the MCDPA grants consumers the right to contest the results of decisions made through data profiling and to know the specific third parties with whom data controllers have shared their information. Data controllers would have an additional responsibility under the act to disclose whether they have collected certain types of data from consumers, like social security numbers or driver’s license information. Finally, the MCDPA would also require data controllers to appoint data privacy officers (DPOs) and maintain inventories of the data they collect from consumers. This differs from the standard requirement to employ reasonable data privacy practices in most other state privacy laws. The Minnesota Legislature has sent the bill to the governor, and it is widely anticipated that it will become law.
Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”) passed the legislature June 13, 2024
If signed, the RIDTPPA would apply to businesses that process the data of at least 35,000 consumers or generate more than 20% of their revenue from the sale of data from at least 10,000 consumers a year. The law generally adopts the standard rights and obligations discussed above but does not provide any extra protections for adolescents’ data or require businesses to practice data minimization. Finally, the RIDTPPA has a privacy notice provision which would require commercial websites to identify all of the third parties to which they have sold or may sell consumers’ personally identifiable information.
Conclusion: Sorting Through the Confusion
Currently, there are active comprehensive privacy bills in committee in ten other states: Hawaii, Illinois, Louisiana, Massachusetts, Michigan, Missouri, New York, North Carolina, Ohio and Pennsylvania. Although many of the enacted consumer privacy laws mirror each other, it is necessary for businesses and organizations to keep track of the nuances of each law to ensure proper compliance. Additionally, familiarity with state privacy laws is essential because the Internet crosses borders, and businesses and nonprofits do not need to have a physical presence in a state for its privacy law to apply to them. Without a unifying federal privacy law that preempts the state laws, businesses and nonprofits are subject to enforcement under any state law that applies to them, and violations could result in hefty fines and additional consequences. Larger entities that process the data of consumers in many states may want to consider whether it is preferable to commit to privacy practices that meet the most stringent requirements of the state laws rather than analyzing the detailed provisions of each state law to which they might be subject. In most cases the former approach will represent best business practices – that is, as long as the entity has and uses the technical capacity to do what it says it will do in its privacy policy. Whatever the size or geographical reach of the entity and whatever path is taken, it is critical to keep website privacy policies up to date; old “last updated” dates are a red flag for state regulators seeking to enforce the privacy laws.
Lutzker & Lutzker will continue to monitor developments in consumer privacy laws, state and federal, and is available to assist in drafting website privacy policies.
The authors wish to acknowledge the contributions of the International Association of Privacy Professionals (IAPP) and its US State Privacy Legislation Tracker to this article.