Comprehensive consumer privacy laws continue to hit the desks of governors in states across the country, with nineteen state laws now on the books. Since we wrote our 2023 Round-Up on State Consumer Data Privacy Laws article detailing the various privacy statutes enacted at the end of last year, 7 more states have passed these laws, and 5 statutes passed before 2024 became effective during that time. What started only a few years ago as a patchwork of state laws is quickly turning into a dense web of similar but varying requirements across the country. It is becoming increasingly complex for companies collecting personal data from consumers to assess if and where consumer privacy laws apply to their business operations.
U.S. State Consumer Privacy Law
Latest Consumer Privacy Laws
To help our readers better understand the latest consumer privacy laws, we will be rolling out a series of articles providing in-depth summaries of privacy laws we have not covered on the blog in the past, including laws passed in Oregon, Nebraska, Delaware, Iowa, Minnesota, and Kentucky.
Iowa Consumer Privacy Law
On March 28, 2023, Iowa Governor Kim Reynolds (R) signed into law Senate File 262 (the Iowa Consumer Data Protection Act or “IACDPA”) which becomes effective on January 1, 2025. The law aligns with other business-friendly state consumer privacy laws, but notably foregoes the requirement of conducting data protection impact assessments, and the IACDPA does not give consumers the right to correct personal data.
Oregon Consumer Privacy Law
Oregon’s consumer privacy law took effect in July of 2024, a year after Oregon governor Tina Kotek (D) signed the Oregon Consumer Data Privacy Act (OCDPA). Oregon Attorney General Ellen Rosenblum asserted that the OCDPA establishes “the gold standard in consumer privacy protections nationwide.” The law aligns with other robust state privacy laws, such as those enacted by California, Connecticut, and Virginia. However, Oregon’s statute imposes even more stringent requirements and features, notably by declining to exempt non-profit organizations, and it takes a more sweeping approach to applicability as described below to cover a broader range of businesses.
Nebraska Consumer Privacy Law
The Nebraska Data Privacy Act (or NEDPA) becomes effective on January 1, 2025. This relatively short period between signature and effective date left little time for impacted companies to prepare; however, Nebraska’s approach to applicability criteria has cast a specifically tailored net focused on businesses selling personal data of Nebraska residents.
Similar to the Texas Data Privacy and Security Act, but unlike most other state privacy laws, the NEDPA bypasses applicability thresholds based on gross revenues or volume of data collected from in-state residents. Instead, the NEDPA focuses on regulating businesses engaged in the sale of personal data.
2023 Round-Up on State Consumer Data Privacy Laws
View the 2023 State Consumer Privacy Laws
Consumer Privacy Law Index
The following articles cover all other states that have enacted consumer privacy laws.
The California Privacy Rights Act of 2020 (“CPRA”) will provide significant new rights to California consumers, create new compliance obligations for covered businesses, establish a new enforcement agency, and provide for data minimization and retention obligations, among other aspects.
Colorado passed comprehensive data privacy legislation when Governor Jared Polis signed the Colorado Privacy Act (CPA) into law on July 8, 2021. The new law is set to take effect on July 1, 2023.
Connecticut Governor Ned Lamont has signed the country’s fifth comprehensive consumer privacy act, “An Act Concerning Personal Data Privacy and Online Monitoring,” (the “Connecticut Data Privacy Act” or the “CDPA” as we refer to it in this article). The CDPA became effective on July 1, 2023.
Indiana’s governor signed the Indiana Consumer Data Privacy Act (“ICDPA”) into law. The effective date for the ICDPA is January 1, 2026.
Governor Wes Moore signed both the Maryland Online Data Privacy Act of 2024 (MODPA) and the Maryland Age Appropriate Design Code (HB 603/SB 5712023, the “Kids Code”) into law on May 9, 2024. The MODPA will go into effect October 1, 2025, and the Kids Code will go into effect October 1 of this year.
Governor Greg Gianforte signed Montana’s Consumer Data Privacy Act (S.B. 384) (“MCDPA”) on May 19, 2023 – one of the strongest privacy bills signed in a red state. Montana now becomes the ninth state to enact a comprehensive consumer data privacy law.
Details and information you and your business need to know about the New Hampshire Privacy Act (NHPA), signed into law by Governor Sununu in March of 2024.
Details and information you and your business need to know about the New Jersey Privacy Act (NJPA), signed into law by Governor Phil Murphy.
Rhode Island Governor Daniel McKee allowed the Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”) to pass on June 25, 2024 when he transmitted the bill back to the legislature without signature, making Rhode Island the 20th U.S. state to enact a comprehensive privacy law.
The Volunteer State became the eighth state to enact a comprehensive data privacy law after Gov. Bill Lee (R) signed the Tennessee Information Protection Act (“TIPA”) into law on May 11, 2023.
On June 18, 2023, Governor Abbott (R) signed H.B.4, otherwise known as the Texas Data Privacy and Security Act (“TDPSA”).
On March 24, 2022, Governor Spencer Cox signed the Utah Consumer Privacy Act (“UCPA”), which went into effect on December 31, 2023.
Virginia Governor Ralph Northam signed the Consumer Data Protection Act (“CDPA”) into law, making Virginia the second U.S. state after California to pass a comprehensive data privacy law.
California Consumer Privacy Law
Voters in California have passed Proposition 24, commonly referred to as the California Privacy Rights Act of 2020 (“CPRA”). Less than a year after the CCPA became effective, the voters’ approval of the CPRA will provide significant new rights to California consumers, create new compliance obligations for covered businesses, establish a new enforcement agency, and provide for data minimization and retention obligations, among other aspects.
Colorado Consumer Privacy Law
Colorado passed comprehensive data privacy legislation when Governor Jared Polis signed the Colorado Privacy Act (CPA) into law on July 8, 2021. The new law is set to take effect on July 1, 2023.
The CPA borrows in part from the European Union’s General Data Protection Regulation (“GDPR”), but more significantly from both the California Consumer Privacy Act (“CCPA”, including as amended by the California Privacy Rights Act (“CPRA”)), and the Virginia Consumer Data Protection Act (“VCDPA”). Below, we highlight some of the CPA’s key elements and explore how the law compares to the CCPA and VCDPA.
Connecticut Consumer Privacy Law
The Connecticut Data Privacy Act (CDPA) became effective on July 1, 2023. The CDPA extends its privacy protections only to Connecticut residents acting in an individual capacity, and not in a commercial or employment context.
Connecticut Consumer Privacy Law Consumer Rights
The CDPA does not contain any consumer rights that are groundbreaking in comparison to other US state privacy laws. Consumers may exercise their rights via a secure and reliable means and may in most cases do so through an authorized agent (which in some circumstances may be by way of a technology, including, but not limited to, an Internet link or a browser setting, browser extension or global device setting).
Indiana Consumer Privacy Law
The Indiana Consumer Data Privacy Act (ICDPA) becomes effective on January 1, 2026. The ICDPA applies to persons that conduct business in Indiana or produce products or services that are targeted to Indiana residents and that, during a calendar year: control or process personal data of at least 100,000 consumers who are Indiana residents; or control or process personal data of at least 25,000 consumers who are Indiana residents and derive over 50% of gross revenue from the sale of personal data.
Indiana Consumer Privacy Law Consumer Rights
Consumers who are Indiana residents will be able to exercise the right to confirm whether or not their personal data is processed, the right to access their personal data, the right to correct their personal data (limited to data the consumer previously provided), the right to deletion of their personal data, and more.
Maryland Consumer Privacy Law
The push by U.S. states to pass data privacy laws continues with Maryland being the 18th state to join their ranks. However, Maryland has taken a more stringent and comprehensive approach than many of its peers: Governor Wes Moore signed both the Maryland Online Data Privacy Act of 2024 (MODPA) and the Maryland Age Appropriate Design Code (HB 603/SB 5712023, the “Kids Code”) into law on May 9, 2024. The MODPA will go into effect October 1, 2025, and the Kids Code will go into effect October 1 of this year. See the Mintz Privacy blog for discussion of the Kids Code.
Montana Consumer Privacy Law
Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (MCDPA) on May 19, 2023, and the law went into effect in October 2024.
The MCDPA applies to persons that conduct business in Montana or that produce products or services that are targeted to Montana residents and control or process personal data of at least 50,000 consumers; or control or process personal data of at least 25,000 consumers and derive over 25% of gross revenue from the sale of personal data.
Montana Consumer Privacy Law Consumer Rights
Consumers who are Montana residents will be able to exercise the right to confirm whether or not their personal data is processed, right to access their personal data, right to correct inaccuracies in their personal data, right to deletion of their personal data, and more.
New Hampshire Consumer Privacy Law
The New Hampshire Privacy Act (NHPA) was signed into law by Governor Sununu in March of 2024 and goes into effect on January 1, 2025.
The New Hampshire Privacy Act applies to any business or person that produces products or services that are targeted to residents of New Hampshire, and either controls or processes the personal data of at least 35,000 unique New Hampshire consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or controls or processes the personal data of at least 10,000 unique New Hampshire consumers and derives more than 25% of its gross revenue from the sale of personal data.
New Hampshire Consumer Privacy Law Consumer Rights
Consumers who are New Hampshire residents will be able to exercise the right to confirm whether or not their personal data is processed (unless such confirmation or access would require the controller to reveal a trade secret), the right to access their personal data, the right to correct inaccuracies in their personal data (limited to data the consumer previously provided), and more.
New Jersey Consumer Privacy Law
The New Jersey Privacy Act (NJPA) was signed into law by Governor Phil Murphy and goes into effect on January 15, 2025.
The New Jersey Privacy Act applies to any business or person that produces products or services that are targeted to residents of New Jersey, and either: controls or processes the personal data of at least 100,000 New Jersey consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or controls or processes the personal data of at least 25,000 New Jersey consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.
New Jersey Consumer Privacy Law Consumer Rights
Consumers who are New Jersey residents will be able to exercise the right to confirm whether or not their personal data is processed (unless such confirmation or access would require the controller to reveal a trade secret), the right to access their personal data, the right to correct inaccuracies in their personal data, the right to deletion of their personal data, and more.
Rhode Island Consumer Privacy Law
Rhode Island Governor Daniel McKee allowed the Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”) to pass on June 25, 2024 when he transmitted the bill back to the legislature without signature, making Rhode Island the 20th U.S. state to enact a comprehensive privacy law.
Several notable privacy advocate organizations including Consumer Reports, the Electronic Privacy Information Center (EPIC), and Restore the Fourth, opposed the RIDTPPA, claiming that it was not sufficient to protect Rhode Island residents’ personal information. While the RIDTPPA provides privacy rights to Rhode Islanders and imposes obligations on covered entities largely in line with several other U.S. state privacy laws, the RIDTPPA leans business-friendly.
Tennessee Consumer Privacy Law
Gov. Bill Lee (R) signed the Tennessee Information Protection Act (“TIPA”) into law on May 11, 2023. The TIPA will become effective July 1, 2025.
The Tennessee Information Protection Act applies to persons that conduct business in Tennessee producing products or services that target Tennessee residents and that: exceed $25,000,000 in revenue and (A) control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information or (B) during a calendar year, control or process personal information of at least 175,000 consumers.
Tennessee Consumer Privacy Law Consumer Rights
Persons covered by the TIPA will be able to exercise the right to confirm whether or not their personal data is processed, the right to access their personal data, the right to correct their personal data, the right to deletion of their personal data (for data provided by or about the consumer), the right to portability of their personal data (for data the consumer previously provided), and more.
Texas Consumer Privacy Law
Governor Abbott (R) signed H.B.4, otherwise known as the Texas Data Privacy and Security Act (“TDPSA”). The TDPSA took effect on July 1, 2024.
The TDPSA does away with thresholds based on revenue or volume of data collected from in-state residents. Instead, the TDPSA applies to persons that conduct business in Texas or produce products or services that are consumed by Texas residents, process or engage in the sale of personal data, and do not qualify as a small business as defined by the United States Small Business Administration.
Texas Consumer Privacy Law Consumer Rights
Consumers have the right to confirm whether or not their personal data is processed, the right to access their personal data, the right to correct inaccuracies in their personal data, the right to deletion of their personal data, and more.
Utah Consumer Privacy Law
The Utah Consumer Privacy Act (“UCPA”) applies to any “controller” or “processor” who: conducts business in Utah or produces a product or service that is targeted to Utah residents; has annual revenue of $25M or more; and satisfies at least one of the following: (i) during a calendar year, controls or processes personal data of 100,000 or more consumers; or (ii) derives over 50% of the entity's gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
Utah Consumer Privacy Law Consumer Rights
Consumers under the Utah Consumer Privacy Act have the right to confirm whether or not their personal data is processed, the right to access their personal data, the right to deletion of their personal data, the right to obtain a copy of their personal data, and more.
Virginia Consumer Privacy Law
On March 2, 2021, Virginia Governor Ralph Northam signed the Consumer Data Protection Act (“CDPA”) into law, making Virginia the second U.S. state after California to pass a comprehensive data privacy law. The law became effective on January 1, 2023.
The CDPA applies to persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents that: (i) during a calendar year, control or process personal data of at least 100,000 consumers; or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
Virginia Consumer Privacy Law Consumer Rights
Consumers under the Consumer Data Protection Act have the right to confirm whether or not their personal data is processed, the right to access their personal data, the right to correct their personal data, the right to deletion of their personal data, and more.
Consumer Privacy Law Experts
Our members possess Privacy Professional certifications, including Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) certifications. Our practitioners' experience includes leading penetration tests, conducting forensic investigations of security incidents, advising on legislative and policy activities related to cybersecurity, and designing and implementing network security solutions for Fortune 500 companies.