GeneratePolicy.com - AI Security Policy Generator
In recent years, the United States has seen a significant proliferation of state-level comprehensive data privacy laws. These laws are designed to bolster consumer rights and impose new responsibilities on businesses regarding cybersecurity and data handling. Drawing on the provided sources, this article offers a detailed overview of key state privacy statutes, highlights overarching trends, and discusses the implications for businesses and privacy professionals.
Overview of Key State Privacy Laws
While sharing common goals, each state’s law has unique features, particularly concerning scope, consumer rights, and enforcement mechanisms.
California: CCPA as Amended by CPRA
- Full Name & Effective Date: California Consumer Privacy Act of 2018 (CCPA), amended by the California Privacy Rights Act of 2020 (CPRA). The CPRA amendments became effective on January 1, 2023, with modifications enforceable starting in 2023.
- Scope of Application: Applies to for-profit businesses collecting personal information of California residents that meet specific thresholds: over $25 million in annual gross revenue; or buy/sell/share personal information of 100,000+ consumers/households; or derive 50%+ of revenue from selling or sharing personal data. As of 2023, the law includes employees and B2B contacts as “consumers”. “Personal information” is broadly defined as information linked or linkable to an individual or household. Exemptions include HIPAA-regulated health data, GLBA financial data, and publicly available information. Nonprofits and government entities are exempt.
- Consumer Rights: Includes the right to non-discrimination for exercising privacy rights. Consumers cannot be retaliated against, such as being denied services or charged different prices, for exercising their privacy rights.
- Sensitive Data & Children’s Data: California requires opt-in consent to sell or share data from minors under 16. For consumers under 16, businesses cannot sell or share data unless the minor (ages 13–15) authorizes it, or a parent authorizes it for children under 13. This raises the bar, requiring opt-in for teens aged 13–15 and aligning with COPPA for under-13s. California also enacted the Age-Appropriate Design Code Act (AADC) in 2022, mandating stringent privacy-by-default settings (like disabling precise location tracking and profiling) and risk assessments for online services likely accessed by under-18s. Although enforcement of the AADC was delayed by a legal challenge, California shows a trend of treating children’s data with heightened sensitivity.
- Opt-Out Preference Signals: California’s regulations require honoring user-selected universal opt-out preference signals (OOPS).
- Right to Cure: There is no general right to cure violations before enforcement; the CPRA removed the CCPA’s 30-day cure period for most violations as of 2023. A limited private right of action exists only for certain data breaches resulting from a business’s failure to implement reasonable security. In such cases, consumers can sue for damages after giving notice and 30 days to cure the specific security violation. For other CCPA/CPRA violations, individuals cannot sue; enforcement is exclusive to the AG/CPPA.
- Enforcement & Penalties: Enforced by both the California Attorney General and the California Privacy Protection Agency (CPPA), the first dedicated state privacy regulator. The CPPA gained enforcement powers on July 1, 2023. Violations can result in civil penalties up to $2,500 per violation or $7,500 per intentional violation or violations involving children’s data. The California AG has already taken enforcement actions, such as a significant settlement with Sephora in 2022 for failing to honor opt-outs. The CPPA is expected to increase enforcement.
- Notable Updates & Litigation: The CPRA created the CPPA and led to updated regulations. Litigation has challenged the enforcement timing of CPRA regulations and the constitutionality of the AADC. California’s law is the most expansive and has influenced other states while facing industry pushback. The core statutory requirements of CCPA/CPRA are in effect, requiring businesses to comply with this rigorous regime.
Colorado: CPA
- Full Name & Effective Date: Colorado Privacy Act (CPA), effective July 1, 2023. A requirement for universal opt-out mechanisms took effect on July 1, 2024.
- Scope of Application: Applies to controllers conducting business in Colorado or targeting Colorado residents who process personal data of 100,000+ Colorado consumers per year, or 25,000+ consumers while deriving any revenue or receiving a discount from selling personal data. “Consumers” are Colorado residents acting in an individual or household context, excluding employment or B2B contexts. Exemptions include entities/data subject to GLBA, HIPAA, FERPA, and COPPA. Nonprofits are exempt.
- Consumer Rights: Controllers must allow an appeal process if they refuse a consumer’s request and inform consumers how to contact the AG if an appeal is denied.
- Sensitive Data & Children’s Data: The sources do not detail specific children’s data rules unique to the Colorado CPA, but it follows the standard that sensitive data requires consent.
- Opt-Out Preference Signals: Colorado’s CPA was the first after California to mandate universal opt-out mechanisms, specifically requiring controllers to honor user-selected signals for targeted advertising and data sales starting July 1, 2024. The Colorado AG’s rules specify technical requirements and formally recognized the Global Privacy Control (GPC) as an approved mechanism. This requires covered businesses to treat GPC or similar “do not sell or share” signals as a valid opt-out across sites.
- Right to Cure: Initially, the law included a mandatory 60-day right to cure violations if the AG/DA provided notice. This cure period sunsets on January 1, 2025. After this date, the AG has discretion and is not required to offer a cure period before taking action. Businesses can seek informal opinion letters or guidance from the AG’s office as the automatic cure period ends.
- Enforcement & Penalties: Enforced by the Colorado Attorney General (and district attorneys) under the state Consumer Protection Act. There is no private right of action. Violations can incur civil penalties up to $20,000 per violation, though the CPA references a $2,000 penalty cap per consumer, not exceeding $500,000 total for a related series of violations. Enforcement began with an “educative” phase, sending warning letters. As of 2025, Colorado is fully enforcing the law.
- Notable Updates & Litigation: The Colorado AG developed regulations, particularly for the universal opt-out mechanism. Final rules were adopted in March 2023, and a list of recognized opt-out signal providers was published by 2024. The law was amended in 2023 to enable the elimination of the cure period and authorize interpretive opinions. No major court challenges have occurred, possibly due to its bipartisan passage.
Connecticut: CTDPA
- Full Name & Effective Date: Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA), effective July 1, 2023, for most provisions. A requirement to honor global opt-out signals took effect on January 1, 2025.
- Scope of Application: Applies to entities conducting business in Connecticut or targeting Connecticut residents that, in the previous calendar year, controlled or processed personal data of 100,000+ consumers, or 25,000+ consumers and derived over 25% of gross revenue from selling personal data. These thresholds exclude data processed solely for payment transactions. “Consumers” are CT residents acting in an individual or household context, excluding employment or B2B. Exemptions include government entities, nonprofits, higher-ed, and data regulated by HIPAA, GLBA, etc. The scope and exemptions closely track the Virginia/Colorado model.
- Consumer Rights: Controllers must respond to requests within 45 days (extendable once) and provide a mechanism for consumers to appeal refusals. If an appeal is denied, the consumer must be informed how to contact the Attorney General.
- Sensitive Data & Children’s Data: HIPAA-regulated health information is exempt, but “health condition” or medical information outside HIPAA falls under sensitive data requiring consent. Connecticut uniquely prohibits the sale of health data (and genetic data) without consent in certain contexts. The law included provisions on “online monitoring,” covering activities like tracking via cookies. Like other states, sensitive data includes personal data about a known child under 13, requiring parental consent. Connecticut offers protection for ages 13–15.
- Opt-Out Preference Signals: The requirement to honor global opt-out signals took effect on January 1, 2025. Businesses were expected to ensure technical capability to process these signals by early 2025.
- Right to Cure: The law originally required the CT AG to give businesses notice of violations and 60 days to cure until December 31, 2024. After January 1, 2025, this cure period is no longer mandated; the AG has discretion to enforce without offering time to cure. This phased approach gave businesses time to correct issues after warnings.
- Enforcement & Penalties: Enforced by the Connecticut Attorney General. There is no private right of action. Penalties can reach up to $7,500 per violation, consistent with states like Virginia. Connecticut’s statute adopts the penalty provisions of the Connecticut Unfair Trade Practices Act. No major enforcement actions were publicized as of 2024; it was largely a period of outreach.
- Notable Updates: Connecticut was the fifth state with a broad privacy law and closely tracks Virginia’s statute but with some augmentations like the global opt-out and protection for ages 13–15. The CT AG’s office has been active in educating businesses and consumers, setting up a complaint system and publishing guidance.
Delaware: DPDPA
- Full Name & Effective Date: Delaware Personal Data Privacy Act (DPDPA), effective January 1, 2025.
- Scope of Application: Applies to persons conducting business in Delaware or targeting Delaware residents who control or process personal data of ≥35,000 Delaware consumers, or ≥10,000 consumers while deriving over 20% of gross revenue from selling personal data. These thresholds are somewhat more inclusive than states like VA/CT (35k vs 100k). Exemptions include state bodies, nonprofits, higher-ed, GLBA/HIPAA/FERPA/COPPA data, etc. Modeled largely on Connecticut’s and Virginia’s laws.
- Consumer Rights: Grants the five core rights seen in CO/CT/VA (access, deletion, correction, portability, opt-out of sale/targeted ads/profiling). Consumers can exercise rights twice yearly free of charge, with a 45-day response period (extendable once). A clear appeals process is required.
- Sensitive Data & Children’s Data: The law extends protections to minors under 18, going beyond many other states. It requires opt-in consent to sell personal data or use it for targeted advertising if the consumer is a child or teenager. For ages 13–17, their consent is required; for under 13, parental consent is needed (aligning with COPPA). This effectively raises the age threshold for heightened protection to 18, the broadest of any state privacy law so far. It treats any minor’s data as sensitive for sale/ads purposes. Businesses must implement age gating or reasonable estimation methods. Health data (outside HIPAA) is considered sensitive and requires consent for processing.
- Opt-Out Preference Signals: Delaware requires controllers to honor universal opt-out mechanisms by January 1, 2025, the same date the law becomes effective. This means browser signals like the GPC must be treated as an opt-out of sale/targeted ads for Delaware residents. This aligns its timeline with Connecticut’s. Controllers must ensure the signal can be authenticated as a Delaware resident’s preference. Businesses were expected to be ready to honor opt-out preference signals from day one.
- Right to Cure: For the first year (2025), Delaware mandates a 60-day cure period if the AG finds a violation and issues notice. Starting in 2026, this mandatory cure period expires. The AG can still offer a cure opportunity at discretion but is not obligated.
- Enforcement & Penalties: Enforced by the Delaware Department of Justice (Attorney General). No private right of action. If uncured, the AG may impose penalties under Delaware’s Consumer Fraud Act, up to $10,000 per violation. $10k is higher than the $7,500 in some other states. Violations are considered a deceptive trade practice. Active enforcement is anticipated; the DOJ launched resources ahead of the effective date.
- Notable Updates: Enacted in September 2023, it became the 13th state law. It launched a consumer-facing website and privacy rights tool. No legal challenges reported. Its under-18 provision is new ground and could influence future laws. It aligns well with CT/CO on opt-out signals and clarified definitions like “sale” to include non-monetary exchanges.
Florida: Digital Bill of Rights
- Full Name & Effective Date: Florida’s Digital Bill of Rights (part of Florida Senate Bill 262, 2023). Key provisions took effect July 1, 2024.
- Scope of Application: Applies only to very large companies meeting high thresholds: over $1 billion in gross revenues AND meeting one of three criteria: deriving 50%+ revenue from advertising, operating a smart speaker with voice recognition, or operating an app store with 50,000+ apps. This targets primarily Big Tech companies. It does not cover most smaller or mid-sized businesses, and nonprofits/many sectors are exempt. There is debate on whether this law is “comprehensive” due to its narrow scope.
- Consumer Rights: For covered entities, grants rights to confirm collection, access, delete, correct, and opt out of the sale of personal data. These apply only in the context of these large companies. Also allows consumers under 18 to opt out of personalized content algorithms (parents can request disabling algorithmic content for minors). Requires search engines to disclose prioritization based on political ideology.
- Sensitive Data & Children’s Data: Allows consumers under 18 to opt out of personalized content algorithms. Penalties are higher for violations involving a consumer under 18.
- Opt-Out Preference Signals: The source does not mention specific requirements for honoring global opt-out signals.
- Right to Cure: Provides a 45-day cure period after the AG gives notice of violations, extendable to 90 days at the AG’s discretion. There is no set sunset for this cure period in the statute.
- Enforcement & Penalties: Enforced by the Florida Department of Legal Affairs (Attorney General). Explicitly states no private right of action. Penalties can reach $50,000 per violation for offenses involving a consumer under 18, and $15,000 per violation for general violations. These can stack with Florida’s Unfair and Deceptive Trade Practices Act fines.
- Notable Updates: Unique in scope, targeting specific Big Tech issues like algorithms and minor data. Almost immediately faced litigation challenging parts of the law (particularly content/search engine provisions) on First Amendment grounds. Companies outside the narrow criteria are largely unaffected. Covered entities (Google, Meta, Amazon, etc.) must incorporate Florida’s requirements into nationwide strategies.
Indiana: ICDPA
- Full Name & Effective Date: Indiana Consumer Data Protection Act (ICDPA), effective January 1, 2026. (Signed May 2023).
- Scope of Application: Applies to businesses operating in Indiana or targeting Indiana residents that process personal data of 100,000+ Indiana consumers annually, or 25,000+ consumers while deriving over 50% of gross revenue from selling personal data. Thresholds mirror Virginia’s. Exempts similar entities/data (government, nonprofits, higher-ed, HIPAA, GLBA, FERPA) and excludes employment/B2B data. Essentially a copy of the Virginia/Connecticut template.
- Consumer Rights: Grants the standard rights: access, correction, deletion, data portability, and opt-out of targeted advertising, sale of personal data, and profiling in furtherance of significant decisions. These align one-for-one with Virginia’s and Colorado’s. Controllers must respond within 45 days (extendable) and provide an appeal process. Consumers can contact the Indiana AG if an appeal is denied.
- Sensitive Data & Children’s Data: Treats data about known children under 13 as sensitive data requiring parental consent. It does not explicitly extend special opt-in rights to teens (13–17) for sales as California or Delaware do; for this age group, only the general opt-out of sale/ads applies. Non-HIPAA health data is sensitive and requires consent to process. Sensitive data includes health, biometric, genetic, precise geolocation, and children’s data.
- Opt-Out Preference Signals: The statute does not explicitly mention global opt-out signals. It adheres to the basic opt-out via “user request” model. Businesses must provide opt-out methods (web forms, links) but are not mandated to honor browser signals.
- Right to Cure: Provides a notice and 30-day cure period for violations. The law does not include a sunset for the cure provision, implying it is permanent unless amended.
- Enforcement & Penalties: Enforced by the Indiana Attorney General. No private right of action. If a controller fails to cure, the AG may seek civil penalties up to $7,500 per violation. Enforcement preparations are early due to the 2026 effective date.
- Notable Updates: Signed May 1, 2023, with a long lead time. Similar to Virginia’s law. Creates a consumer privacy fund for collected penalties. No regulations or major guidance yet. Considered business-friendly.
Iowa: ICDPA
- Full Name & Effective Date: Iowa Consumer Data Protection Act (ICDPA), effective January 1, 2025. (Signed March 28, 2023).
- Scope of Application: Applies to persons conducting business in Iowa or targeting Iowa residents that process personal data of 100,000+ Iowa consumers annually, or 25,000+ consumers while deriving 50%+ of gross revenue from the sale of personal data. Thresholds mimic Utah’s and Virginia’s. Exemptions: government entities, nonprofits, higher education, GLBA/HIPAA/FCRA data, etc. Employee and B2B data are excluded by the definition of “consumer” (Iowa resident acting in a personal context). Considered one of the more business-friendly laws.
- Consumer Rights: Grants rights to access, delete, and obtain a copy of data (portability). Notably, it does not explicitly list rights to correct inaccurate data or opt out of targeted advertising.
- Sensitive Data & Children’s Data: Sensitive data (including data about a known child under 13) requires consent for processing. However, Iowa is an outlier, allowing an opt-out for sensitive data rather than requiring opt-in, though doing opt-in everywhere covers Iowa too. For children under 13, parental consent is required.
- Opt-Out Preference Signals: The source does not explicitly mention global opt-out signals.
- Right to Cure: Provides a 90-day cure period after the AG provides notice of a violation. This is the lengthiest cure period among current state laws and has no set sunset.
- Enforcement & Penalties: Enforced by the Iowa Attorney General. No private lawsuits allowed. If a violation is not cured, the AG can seek civil penalties of up to $7,500 per violation. The AG can also recover investigation and attorney costs. No enforcement actions yet due to the 2025 effective date. The legislature did not include rulemaking authority.
- Notable Updates: Among the quick second-wave states in 2023. Considered “weakest” by some privacy advocates due to fewer rights and a narrow sale definition (only monetary exchange). No opposition or lawsuits reported. Businesses may voluntarily extend broader rights. No amendments since passage.
Montana: MCDPA
- Full Name & Effective Date: Montana Consumer Data Privacy Act (MCDPA), effective October 1, 2024. Universal opt-out support required by January 1, 2025.
- Scope of Application: Applies to businesses conducting business in Montana or targeting Montana residents that process personal data of 50,000+ Montana consumers (excluding payment data), or 25,000+ consumers while deriving over 25% of gross revenue from selling personal data. Thresholds (50k) are slightly lower than some states. Exempts government, nonprofits, HIPAA entities, GLBA data, and employee/B2B data.
- Consumer Rights: Grants the full suite of rights (access, deletion, correction, portability, opt-out of sale/targeted ads/profiling). Requires a process for consumers to appeal refusals within 45 days, and if denied, inform consumers how to contact the AG.
- Sensitive Data & Children’s Data: Sensitive data includes personal data of a known child under 13, requiring parental consent. Montana also requires opt-in consent to sell or use for targeted advertising if the consumer is under 18. This treats teens as a sensitive category.
- Opt-Out Preference Signals: Requires universal opt-out support by January 1, 2025. The AG may specify technical standards.
- Right to Cure: Grants a 60-day cure period until April 1, 2026. From October 2024 through March 31, 2026, the AG must give 60 days to cure after notice. After April 1, 2026, the right to cure lapses.
- Enforcement & Penalties: Enforced by the Montana Attorney General. No private right of action. The statute does not explicitly set a penalty amount, but the AG can use unfair trade practices laws; the standard $7,500 per violation is likely implied.
- Notable Updates: Amended in 2023 to add a mandatory data protection assessment (DPIA) requirement for high-risk processing (targeted advertising, selling data, sensitive data processing, certain profiling). The DPIA requirement takes effect for processing after January 1, 2025. Requires data processing agreements between controllers and processors. No regulations yet. No legal challenges reported.
Nebraska: NDPA
- Full Name & Effective Date: Nebraska Consumer Data Privacy Act (NDPA), effective January 1, 2025. (Enacted April 2024).
- Scope of Application: Applies to businesses operating in Nebraska or targeting Nebraska residents that control/process personal data of ≥50,000 Nebraska consumers, or control/process data of ≥10,000 consumers and derive over 50% of revenue from sale of personal data. Thresholds are relatively low (50k). Exemptions: government, nonprofits, banks/GLBA, HIPAA entities, etc. The source notes the 50k threshold and opt-in consent for sensitive data. Very much a copy of Connecticut’s law with minor tweaks.
- Consumer Rights: The source doesn’t detail consumer rights but notes it copies Connecticut’s law, which grants the standard rights (access, correction, deletion, portability, opt-out of sale/targeted advertising/profiling).
- Sensitive Data & Children’s Data: Sensitive data requires opt-in consent. Sensitive data includes personal data from a known child (under 13).
- Opt-Out Preference Signals: The source does not mention specific requirements for honoring global opt-out signals.
- Right to Cure: The AG must allow 60 days to cure a violation before enforcement, but only until January 1, 2026 (a one-year grace period from the effective date). Starting in 2026, there is no such requirement.
- Enforcement & Penalties: Enforced by the Nebraska Attorney General. No private lawsuits allowed. The source notes a $10,000 per violation penalty, matching New Hampshire.
- Notable Updates: Enacted in 2024. Short compliance window (April 2024 to January 2025). No litigation or significant pushback reported. The AG might coordinate with Iowa’s AG (effective the same day).
New Hampshire: NHDPA
- Full Name & Effective Date: New Hampshire Data Privacy and Protection Act (NHDPA), effective January 1, 2025.
- Scope of Application: Covers entities conducting business in NH or targeting NH consumers that control/process personal data of ≥25,000 NH consumers, or control/process data of ≥10,000 consumers and derive over 50% of revenue from sale of personal data. Sets a relatively low threshold (25k). Exemptions: government, nonprofits, banks/GLBA, HIPAA entities, etc.
- Consumer Rights: Grants the standard rights (access, deletion, correction, portability, opt-out of sale/targeted advertising/profiling).
- Sensitive Data & Children’s Data: Includes “sensitive data” requiring opt-in consent, covering health condition, genetic/biometric data, precise geolocation, and personal data from a known child (under 13). Parental consent is needed to process under-13 data. No special provisions for ages 13–17. Requires reasonable security measures to protect personal data, implicitly covering health data security. Also requires consent for collection of data beyond what is necessary for the initial purpose.
- Opt-Out Preference Signals: The source does not mention specific requirements for honoring global opt-out signals.
- Right to Cure: The statute gave a 60-day cure period until December 31, 2024. Since the law was not effective during this period, this was theoretical. Starting in 2025, there is no statutory right to cure; the AG is not obligated to offer cure after the effective date.
- Enforcement & Penalties: Enforced by the New Hampshire Attorney General’s Office. No private lawsuits allowed. Sets civil penalties up to $10,000 per violation. Matches Colorado’s Consumer Protection Act maximum. The AG can also seek injunctive relief.
- Notable Updates: Signed in July 2024, the first New England state after Connecticut. The AG’s office published FAQs and guidance and created a Data Privacy Unit. Includes a provision requiring consent for data collection beyond necessity. Requires businesses to implement reasonable security practices. No court challenges known. Businesses should ensure their privacy programs meet the standards set by Connecticut and Colorado; meeting those standards covers NH’s requirements.
New Jersey: NJCPA
- Full Name & Effective Date: New Jersey Consumer Privacy Act (NJCPA), effective January 15, 2025.
- Scope of Application: Targets businesses operating in NJ or targeting NJ residents that process personal data of 25,000+ NJ consumers or derive over 50% of gross revenue from selling personal data and process data of ≥10,000 consumers. Thresholds are essentially identical to New Hampshire’s (25k or 10k+50%). Exemptions: governmental entities, nonprofits, GLBA, HIPAA entities/data, etc. Does not apply to employee or business contact data. Largely aligns with the Connecticut template.
- Consumer Rights: Grants rights to access, correction, deletion, portability, and opt-out of sale of data and targeted advertising. The source indicates it may not explicitly list an opt-out of profiling. Requires an appeals process and timely responses (45 days, extendable by a further 45). Controllers must disclose loyalty program impacts if a consumer opts out.
- Sensitive Data & Children’s Data: Requires opt-in consent for processing sensitive data, which includes personal data about a known child (under 13), health, biometrics, etc. Parental consent is needed for under-13 data processing. No special provisions for ages 13–17 are noted in the comprehensive law. Health data is sensitive and requires consent for any usage beyond what is necessary. If a controller has actual knowledge a consumer is 13–15, they must treat a sale opt-out request as an opt-out. Obtaining consent from a 13–15-year-old for a sale is allowed, aligning with California’s model for this age group.
- Opt-Out Preference Signals: The source does not mention specific requirements for honoring global opt-out signals.
- Right to Cure: Provides a 60-day cure period until the end of 2024. Once active on January 15, 2025, the AG can enforce without giving cure time, unless the AG chooses to. Businesses should not expect leniency.
- Enforcement & Penalties: New Jersey Attorney General enforcement. No private right of action. Civil penalties up to $7,500 per violation. Violations are explicitly labeled an unlawful practice under its Consumer Fraud Act. New Jersey regulators are known for stringent enforcement.
- Notable Updates: Enacted in 2024 after years of consideration. Slightly trimmed to ease passage (e.g., potentially dropping the profiling opt-out). The mid-January effective date was likely chosen to avoid the holiday period. May issue rules or FAQs; an Office of Consumer Privacy is anticipated. NJ has a clause encouraging data protection assessments for high-risk processing.
Oregon: OCPA
- Full Name & Effective Date: Oregon Consumer Privacy Act (OCPA), effective July 1, 2024, for most provisions. The universal opt-out requirement is delayed until January 1, 2026.
- Scope of Application: Applies to persons conducting business in Oregon or providing products/services to Oregon residents that control/process personal data of 100,000+ Oregon consumers, or 25,000+ consumers while deriving 25%+ of gross revenue from selling personal data. Thresholds are standard (100k or 25k+ revenue condition). Exemptions: some nonprofits, government bodies, GLBA/HIPAA data, etc. Notably, it does cover certain business-to-business data if it’s personal data not involving individuals acting in a commercial context. Exempts employment data.
- Consumer Rights: Grants the standard rights: access, deletion, correction, portability, opt-out of sale/targeted ads/profiling.
- Sensitive Data & Children’s Data: Sensitive data includes personal data of a known child (under 13), requiring parental consent. If a controller has actual knowledge a consumer is 13–15, they may not sell their data unless obtaining the consumer’s consent (opt-in). This provides stronger protection for teens similar to California and Delaware. Oregon also passed a separate Oregon Age-Appropriate Design Code (AADC), imposing extra obligations (risk assessments, high-privacy defaults) on online services likely accessed by under-18s, effective July 1, 2024. Health data outside HIPAA is sensitive data requiring consent. Oregon also passed a Consumer Health Data Act (CHDA) in 2023 (effective July 1, 2024), creating a dual regime for health data.
- Opt-Out Preference Signals: Universal opt-out requirement delayed until January 1, 2026. The AG is expected to draft rules for the mechanism details. The law allows controllers to authenticate opt-out requests and ignore a global signal if they reasonably suspect fraud or a conflict with deliberate consent.
- Right to Cure: Violations before January 1, 2025, if cured within 30 days of notice, are deemed cured. After January 1, 2025, the AG is not required to allow cure. This is a relatively short grace period (July–December 2024).
- Enforcement & Penalties: Enforced by the Oregon Attorney General. No private right of action under the OCPA. Penalties can reach $7,500 per violation under Oregon’s Unlawful Trade Practices Act. The separate Consumer Health Data Act does provide a private right of action under the state Consumer Protection Act for violations related to health data. This allows individuals to sue for damages and attorneys’ fees.
- Notable Updates: Enacted OCPA, CHDA, and AADC in 2023, making Oregon one of the stricter privacy states when combined. OCPA is close to Colorado’s model. Compliance may require separate analysis for health data streams due to the CHDA. No legal challenges to OCPA itself reported. The Oregon DOJ has started outreach.
Tennessee: TIPA
- Full Name & Effective Date: Tennessee Information Protection Act (TIPA), effective July 1, 2025. (Signed May 2023).
- Scope of Application: Applies to businesses conducting business in TN or producing goods/services for TN residents that exceed $25 million in revenue AND meet one of: control/process personal data of 175,000+ consumers, or control/process data of 25,000+ consumers and derive over 50% of gross revenue from sale of personal data. Unique among states in having a revenue floor ($25M) as a hard requirement in addition to data volumes. Exemptions: government, nonprofits, HIPAA/GLBA/FCRA data, and employee/B2B data.
- Consumer Rights: Grants the full suite: access, correction, deletion, portability, opt-out of targeted advertising, sale of personal data, and profiling for significant decisions. Requires an appeals process. A controller may decline delete/correct requests if data is not reasonably linkable (pseudonymous data exception).
- Sensitive Data & Children’s Data: Health data is sensitive, requiring consent for processing. Sensitive data includes personal data of a known child (under 13), requiring parental consent. Tennessee uniquely doubles the penalties (up to $15,000 per violation) if the violation involves personal data of consumers known to be under 13, or involves certain sensitive categories (like SSNs). This “penalty escalator” signals strong deterrence for misuse of children’s data.
- Opt-Out Preference Signals: The source does not mention specific requirements for honoring global opt-out signals.
- Right to Cure: Provides a 60-day right to cure. This mandatory period lasts through December 31, 2025. From 2026 onward, the AG may provide an opportunity to cure but is not required to; it becomes discretionary.
- Enforcement & Penalties: Tennessee Attorney General enforcement. No private right of action (explicitly barred). Penalties up to $7,500 per violation, plus investigative costs. Penalties double (up to $15,000) for violations involving children under 13 or certain sensitive categories.
- Notable Updates: Built in more business-friendly elements (revenue threshold, permanent discretionary cure). The penalty multiplier for kids is unique. Two years of lead time before the effective date. No regulations needed per statute. No amendments yet. Because of the revenue threshold, many small/mid companies in TN won’t be covered.
Texas: TDPSA
- Full Name & Effective Date: Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024 (signed June 2023).
- Scope of Application: Applies to persons conducting business in Texas or producing products/services consumed in Texas who are not small businesses (defined by SBA standards). Applies if they process or sell personal data of 50,000+ Texans, or sell data of 25,000+ Texans. The small business exemption is unique. Exemptions: state bodies, nonprofits, higher-ed, GLBA/HIPAA data, etc. Employee and B2B data excluded. The criteria aim to focus on larger data handlers.
- Consumer Rights: Grants the full suite: access, correction, deletion, portability, opt-out of targeted advertising, sale of personal data, and profiling for significant decisions.
- Sensitive Data & Children’s Data: Requires opt-in consent for processing sensitive data, which includes personal data of a known child (under 13). For consumers under 18, requires opt-in consent to sell or share data. The source also notes $250 per consumer if the violation concerns unlawful sale of sensitive data.
- Opt-Out Preference Signals: The TDPSA does not require honoring browser opt-out signals until January 1, 2025, AND THEN only if a business opts to use one as a compliance method. The law tasked the AG with evaluating/approving mechanisms by Sept 1, 2024, but didn’t mandate use. However, a separate 2023 amendment requires recognition of GPC-like signals for opt-outs of sale starting Jan 1, 2025, for certain data brokers. Texas’s stance on opt-out preference signals (OOPS) is somewhat permissive, not as compulsory as Colorado’s. Practically, many covered businesses will likely treat GPC as an opt-out for Texans by 2025.
- Right to Cure: The law initially gave the AG discretion to offer a 30-day cure period for violations until September 1, 2025. Starting on that date, the cure provision is repealed entirely. The AG may still choose to warn, but it’s not mandated.
- Enforcement & Penalties: Texas Attorney General enforcement. No private right of action. Penalties up to $7,500 per violation. Allows $250 per consumer if the violation concerns unlawful sale of sensitive data. TDPSA violations are tied into the Texas Deceptive Trade Practices Act. The Texas AG filed the first enforcement action under TDPSA on its effective date (July 1, 2024) against a biometric ID company.
- Notable Updates: Texas becoming the fifth large state with a privacy law was significant. Often called “the strongest privacy law in a state without a comprehensive one” (before it became one). Key features: a mandatory data security requirement (implement and maintain reasonable security practices) and a broad definition of “sale” (includes sharing for monetary or other valuable consideration). Requires data processing agreements and suggests risk assessments. Texas voters approved a constitutional amendment creating a Texas Data Privacy Protection Agency in coming years. The AG’s aggressive first enforcement sends a message to take compliance seriously. No known lawsuits against TDPSA provisions. Texas also passed a data broker registration law (effective 2024).
Utah: UCPA
- Full Name & Effective Date: Utah Consumer Privacy Act (UCPA), effective December 31, 2023 (signed March 2022).
- Scope of Application: Applies to controllers/processors conducting business in Utah or targeting Utah residents that have annual revenue of $25 million or more AND satisfy volume thresholds: process personal data of 100,000+ Utah consumers, or process data of 25,000+ consumers while deriving 50%+ of gross revenue from sale of personal data. Includes a revenue threshold like Tennessee, but with slightly different criteria. Exemptions: government entities, nonprofits, higher education, GLBA/HIPAA/FCRA data, etc. Employee and B2B data excluded. Considered one of the more business-friendly laws, similar to Iowa’s.
- Consumer Rights: Grants rights to access, delete, obtain a copy of data (portability), and opt out of sale of data and targeted advertising. Notably, it does not include a right to correct inaccurate data. Utah’s sale opt-out is limited by a narrow “sale” definition (only monetary exchange, excluding other valuable consideration). If an appeal is denied, unlike other states, Utah does not require informing consumers of further recourse via the AG.
- Sensitive Data & Children’s Data: Sensitive data (including data about a known child under 13) requires consent for processing. Utah is the only outlier requiring opt-out for sensitive data rather than opt-in. Processing data about children under 13 online requires parental consent (aligning with COPPA). No special rules for teens 13–17.
- Opt-Out Preference Signals: The UCPA does not require honoring global opt-out signals.
- Right to Cure: Includes a 30-day cure period that is permanent. The AG must allow 30 days to cure after notice and obtain written confirmation before initiating enforcement. This indefinite and mandatory cure period made Utah an outlier in its lenient enforcement approach.
- Enforcement & Penalties: Utah Attorney General enforcement, with support from the Utah Division of Consumer Protection. No private right of action. If not cured, the AG may seek civil penalties up to $7,500 per violation, and actual damages for consumers (paid to the state). No enforcement activity publicized in the first months of 2024.
- Notable Updates: Hailed as the most business-friendly law when passed. No amendments since. No detailed regs or guidance issued. Compliance with Virginia’s law likely covered Utah’s basics, except for the sensitive data opt-out model. The narrow definition of “sale” means disclosure for free (like for cross-context ads) isn’t a “sale” requiring opt-out. No known legal challenges.
Virginia: VCDPA
- Full Name & Effective Date: Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023 (signed March 2021, the first state law after California).
- Scope of Application: Applies to persons conducting business in Virginia or targeting Virginia residents that control or process personal data of 100,000+ Virginia consumers, or 25,000+ consumers while deriving over 50% of gross revenue from the sale of personal data. These thresholds became the template for many other states. Exemptions: state/local government, nonprofits, HIPAA, GLBA, FERPA, FCRA entities/data. Explicitly excludes employee or B2B data from the definition of consumer.
- Consumer Rights: Grants the standard rights: access, deletion, correction, portability, opt-out of targeted advertising, sale of personal data, and profiling for significant decisions.
- Sensitive Data & Children’s Data: Defines “sensitive data” to include personal data of a known child (under 13). Controllers may not process sensitive data without obtaining consent (or a parent’s consent for a child). This means processing data about children under 13 requires parental opt-in consent, aligning with COPPA. For teens 13–17, no special rules; they are treated as adults (no opt-in required for sale). Non-HIPAA health data is sensitive and requires consent. Genetic or biometric data is also sensitive and requires consent. Virginia also has a separate Genetic Data Privacy Act.
- Opt-Out Preference Signals: The VCDPA does not require honoring global opt-out signals. Businesses must provide “clear and conspicuous” opt-out methods but need not monitor browser signals.
- Right to Cure: Originally mandated a 30-day cure period for any violations with no expiration date. Virginia amended the law in 2022 to make this cure period requirement expire on January 1, 2025. Starting in 2025, the AG is no longer required to grant an opportunity to cure, making it discretionary.
- Enforcement & Penalties: Enforced by the Virginia Attorney General. No private right of action. Penalties up to $7,500 per violation. The AG can seek actual damages for harmed consumers and injunctive relief. Established a Consumer Privacy Fund for penalties. As of late 2023, no public enforcement action under VCDPA.
- Notable Updates: VCDPA was the template for many states, establishing core definitions and rights. Amended in 2022 to refine definitions and add the cure period sunset. The AG established a Consumer Privacy Ombudsman. Consumer Reports filed a complaint in 2023 alleging failure to honor GPC, though VA law doesn’t require it. With cure ending in 2025, enforcement might ramp up. The lack of a global opt-out requirement means VA residents might have a lesser experience exercising rights compared to, say, Colorado residents. Virginia also has strong data breach notification and computer trespass laws that complement VCDPA.
Washington: My Health My Data Act (MHMDA)
(Note: This is not a comprehensive privacy law but specifically targets health data; it was included in the source materials for its significance.)
- Full Name & Effective Date: Washington My Health My Data Act (MHMDA), effective March 31, 2024, for large organizations and June 30, 2024, for small organizations.
- Scope of Application: Covers “regulated entities” (any legal entity, including nonprofits) that collect “consumer health data” from Washington residents and determine processing purposes/means. Applies regardless of size (no revenue/volume threshold, though small businesses get a delayed effective date). Applies even to entities outside Washington targeting WA consumers. “Consumer health data” is defined very broadly: any personal information linked or linkable to an individual that reveals, or from which could be derived, health-related information. This includes traditional health data, data about seeking health services, and even location data indicating a visit to a clinic. Exempts HIPAA-covered entities/data. Small businesses (under $25M revenue AND processing data of <100k consumers/yr) are exempt from the private right of action.
- Consumer Rights/Obligations: Primarily an opt-in regime for health data. Requires consumer consent for collection of consumer health data unless needed for a requested service. Requires separate consent for sharing with third parties. Prohibits sale of consumer health data without consent, and even with consent, requires notice and opt-out ability. Prohibits geofencing around health services facilities to collect/track location. Requires publishing a Consumer Health Data Privacy Policy. Service cannot be conditioned on obtaining consent for health data unless the service inherently requires it.
- Sensitive Data & Children’s Data: MHMDA does not have separate provisions for minors. If a minor’s data is health-related and not HIPAA-covered, it is consumer health data under MHMDA and protected the same way. This is stricter than COPPA for teens (13–17), as MHMDA requires their consent for health data usage just as for adults. The broad definition of health data covers various types of health-related info.
- Opt-Out Preference Signals: The law doesn’t specifically mention global opt-out signals. Since it’s opt-in oriented for health data, a global “do not sell” signal is less relevant.
- Right to Cure: None formally. Enforcement can be immediate.
- Enforcement & Penalties: Enforced by the Washington Attorney General. Notably provides a private right of action under the state Consumer Protection Act for violations (small orgs exempt). Individuals can sue for damages and attorneys’ fees; treble damages are possible for willful violations. Penalties via AG or private action up to $7,500 per violation. The private right of action means companies need extreme caution.
- Notable Updates: Rushed through after general privacy bills failed. Narrower scope (health data only) but very impactful. Some data brokers announced they would stop sharing certain health info nationwide in response. The private right of action could lead to challenges, but none had emerged as of early 2024. Companies had to comply quickly. The geofencing ban took effect earlier (July 2023). Sets a new bar for health data privacy, influencing other states. For cybersecurity, this means a heightened focus on protecting health-related datasets, robust consent management, and preparing for legal demands.
Overarching Trends and Implications for Businesses
As the state privacy landscape evolves, several clear trends emerge, shaping the compliance obligations for businesses operating nationwide.
- Expansion of Consumer Rights and Control: A common set of core consumer rights has emerged: access, deletion, correction, and opting out of certain uses (sales, targeted ads, profiling). This reflects GDPR-influenced principles. While states differ (Iowa/Utah omit some, California adds unique ones), the trend is towards empowering individuals. Implication: Businesses need scalable systems for handling data subject requests (access, deletion, correction) within tight timelines (often 45 days), verifying identities, and managing appeal processes.
- Convergence and Subtle Divergence in Scope: Most laws target businesses over certain data volume thresholds, but specifics vary. California includes businesses over $25M revenue without a data volume requirement for that threshold. Definitions of “sale” differ significantly; California, Colorado, Connecticut, etc., include sharing for any valuable consideration, covering adtech/analytics, while Utah, Iowa, etc., limit “sale” to monetary exchanges. Implication: A practice might be a “sale” requiring opt-out in one state but not another. Many companies choose to treat all third-party data disclosures as “sales” for opt-out purposes universally to simplify compliance.
- Emphasis on Sensitive Data and Consent: Nearly all states define “sensitive personal data” (health, biometrics, race, sexuality, precise location, children’s data). The strong trend is requiring opt-in consent before processing sensitive data, a significant shift towards a consent model in the U.S. Utah is the primary outlier, allowing an opt-out. Implication: Businesses must implement consent processes (popups, forms) for sensitive data and segregate this data in systems. This also means heightened security for sensitive data, as regulators expect strong protection.
- Special Protections for Children and Teens: Protection for minors extends beyond COPPA’s under-13 rule. Several states (California, Delaware, Oregon, Texas in part) require opt-in consent to sell or share data of minors under 16 or 18, treating teens as a sensitive category. Age-Appropriate Design Code-style requirements are emerging (California’s AADC, Oregon’s AADC), mandating privacy-by-design for kids (risk assessments, default protections). Enforcement authorities prioritize children’s data, with specific penalties (California $7,500, Tennessee double fines for under-13 data, Texas $50,000 for under-18 violations). Implication: Companies need robust age detection or verification methods, potentially managing different data handling rules for minors and adults, or applying stricter rules universally. Protecting young users’ data is now deeply woven into state privacy regimes with strong penalties and litigation risk.
- Rise of Global Opt-Out Signals (Do-Not-Sell/Share): Universal opt-out preference signals (OOPS) like GPC are becoming legally recognized. California pioneered this via regulation, while Colorado, Connecticut, Montana, and Delaware wrote it into statutes with deadlines in 2024–2025. By 2025, companies in multiple states will likely need to honor GPC or similar signals. This pushes towards a one-click privacy setting that works across sites. Even states not mandating it (VA, UT) will be indirectly affected as companies adopt broad signal compliance. This creates a de facto “Do Not Track 2.0” that is enforceable. Implication: Businesses must update websites/apps to detect and process these signals, often requiring coordination with ad/analytics partners to suppress trackers for targeted ads. Failure to comply has already led to enforcement (e.g., the California AG in the Sephora case).
- “Right to Cure” is Fading: Early laws (VA, UT) guaranteed a cure period. Most newer laws either sunset the cure period (CO, CT, VA soon, DE, MT, NE) or never had it (CA). The trend is towards immediate enforceability without grace periods. By 2025, many states will have no mandatory cure. Utah and Iowa are exceptions with permanent cure periods. Tennessee transitions to discretionary cure after 2025. Texas repealed its cure period effective Sept 2025. Implication: Businesses cannot rely on warnings; proactive compliance audits and fixing issues before regulators find them are essential. The cost of non-compliance is rising, with no second chances in several jurisdictions.
- New Regulatory Bodies and Harmonization Efforts: California has the CPPA. Texas may create its own agency. As more laws emerge, multi-state coordination among AGs is likely. Many companies adopt a “most stringent requirement” approach, complying in all markets to the toughest standard to simplify. Applying CCPA/CPRA rights (like a “Do Not Sell or Share My Personal Info” link, data correction) or honoring global opt-out signals universally are examples of this harmonization. Applying opt-in for sensitive data universally is another strategy. Implication: Aiming for a baseline “U.S. privacy framework” meeting or exceeding all state laws is the most efficient compliance path, reducing error risk and providing consistency.
- Continued Emergence of Specific Sectoral Laws: Alongside comprehensive laws, states pass issue-specific laws, sometimes with private rights of action. Examples: Washington’s My Health My Data Act, Illinois’ BIPA and other biometric privacy laws (some with private action), data broker laws (CA, VT, TX), laws on AI/automated decision-making, and provisions targeting “dark patterns” that undermine consent. Implication: Compliance requires navigating multiple layers. These sectoral laws often heighten the need for strong data protection measures (“reasonable security”). Breaches can trigger both breach notification obligations and privacy law violations.
- Enforcement Trends: Caution and Collaboration Evolving: Initially, AGs took a cautious, education-focused stance. This is changing as grace periods end (mid/late 2024 into 2025). Expect more enforcement, likely targeting flagrant violations (ignoring opt-outs, selling data without notice/consent). Cross-state cooperation is likely. Private litigation is significant where available (California’s limited breach right, Washington MHMDA, Illinois BIPA). Implication: Businesses should not be complacent. Proactively documenting compliance (like conducting required DPIAs in CO, CT, MT) is crucial. Building relationships with regulators can help anticipate focus areas.
Implications for Compliance Programs
Navigating this evolving landscape requires businesses, especially those operating nationally, to invest in robust and comprehensive privacy compliance programs.
- Data Mapping/Inventory: Essential to know where personal data is stored in order to fulfill rights (access, deletion, correction) and conduct risk assessments. This process can also improve security by revealing data silos.
- Consent Management and Preference Centers: Needed to handle various opt-ins and opt-outs (sale, sensitive data, marketing). A centralized preference center provides transparency and control to consumers.
- Enhancing Security Measures: Most laws require “reasonable safeguards,” and some create liability for certain breaches. Strong security (encryption, access controls, incident response plans) is effectively part of privacy law compliance.
- Training and Culture: Front-line employees (customer service, marketing) need training. Fostering a “privacy by design” culture means considering privacy in every project, asking questions about data usage, consent needs, and required assessments (like DPIAs).
- Consumer Expectations: Beyond legal compliance, these laws raise consumer awareness. Offering strong privacy choices can build trust and be a competitive advantage. Demonstrating compliance and respecting privacy can enhance brand reputation.
Conclusion
The U.S. state privacy landscape is forming a complex but patterned tapestry. Businesses must handle personal data with increased care – from collection (justification, minimization), to security (breach protection), usage (honoring preferences, avoiding unlawful practices), through deletion (honoring “right to be forgotten”). For cybersecurity and compliance professionals, this means an expanded role: aligning data governance, implementing technical solutions (opt-out signal handling, data subject rights portals), and adapting to new laws. The clear trend is increased individual control over personal information and higher accountability standards for organizations. Companies that proactively integrate privacy into operations will be better positioned to avoid penalties and succeed in a market where consumers value privacy and security.