Evolving Data Privacy Landscape
Canada
Name: Digital Charter Implementation Act, 2022
Introduced: June 2022
Not Yet Passed
In June 2022, Canada introduced a new consumer data privacy act for the second time, to replace the existing federal Personal Information Protection and Electronic Documents Act (PIPEDA). The act had reached its second reading in parliament as of the beginning of 2023.
Data privacy attorneys noted that the proposed federal statute relies on many GDPR tenets as its basis. For example, the proposed law includes data portability, the right to be forgotten, codes of practice, “legitimate interest” exemptions, and a safe harbor provision. However, the law also borrows from PIPEDA, maintaining the right to withdraw consent for the collection and disclosure of personal information, and the right to access that information upon request. It also expands PIPEDA to allow for more direct disclosure provisions.
To be sure, some observers note that the guidelines in the Digital Charter Implementation Act still require more specificity, such as which organizations are subject to its data mobility framework.
Connecticut
Name: Connecticut Data Privacy Act (CTDPA)
Effective: July 1, 2023
Passed: 2022
Similar to Other States
Connecticut’s is the newest state data privacy law to pass, and it is similar to other states’ efforts. Among the changes the law enacts: the rights to know, delete and correct personal data that organizations in Connecticut collect.
Additionally, the CTDPA includes a right to opt out of the sale of certain data and requires businesses to have a process for responding to a consumer’s request to exercise rights under the statute. What’s more, Connecticut’s law requires companies to maintain reasonable data security to protect a consumer’s personal data. Like California’s law, Connecticut’s sets the opt-in default age higher than its counterparts, at 16 years old instead of 13.
The CTDPA applies to organizations that conduct business in the state or that produce products targeted to its citizens. A business falls under the law if it processes the personal data of at least 100,000 state consumers, or of 25,000 or more state consumers while deriving over 25% of its gross revenue from the sale of personal data.
California
Name: California Privacy Rights Act (CPRA)
Effective: Jan. 1, 2023
Passed: 2020
Updating the Oldest State Data Privacy Law in the Country
California led the way in the U.S. by passing the first state consumer data privacy law, the California Consumer Privacy Act (CCPA), in 2018; it became effective in 2020. The CPRA passed in 2020 and, on Jan. 1, 2023, effectively updated the CCPA.
One of the most notable aspects of the CPRA remains its “private right of action,” the only U.S. law to include one, which gives consumers a right to bring legal action against a company if they believe their data privacy rights have been violated. While the right remains limited to data breaches, theft, and unauthorized access or disclosure, or those resulting from security procedures, it is one of the more difficult features to pass, attorneys say, as evidenced by the failure of Washington state’s privacy bill.
Among other changes, the CPRA brings stringent fines for data privacy violations that involve children’s information, with sanctions of around $75,000 per violation. It also introduced new categories of Sensitive Personal Information (SPI), and allows users to opt out of the sale or sharing of SPI with third parties. Some examples of SPI include Social Security numbers, driver’s licenses, health information, and biometric information, among other government identifiers.
Utah
Name: Utah Consumer Privacy Act (UCPA)
Effective: Dec. 31, 2023
Passed: 2022
More Business Friendly
The fourth state to pass a comprehensive data privacy law, after California, Colorado and Virginia, Utah changed the game according to some observers. Its law became the first in the U.S. to be more lenient toward businesses’ needs than its predecessors.
“Generally speaking, [the UCPA] is more business-friendly in the sense that it takes some of the more business-friendly aspects of other laws and incorporates them into one,” said Cassandra Gaedt-Sheckter, partner at Gibson, Dunn & Crutcher. “Overall, I think it makes it easier to comply with those businesses that are already working with other state laws that have come out.”
Among other features, the UCPA offers a right of appeal, which enables a consumer to push back against a business’s refusal to respond to a request within a designated time period. However, the UCPA does not include a right to data correction, or a right to have companies perform data privacy assessments on the consumer’s behalf.
At the same time, the law does grant consumers some of the same rights as other states, such as the consumer’s right to know whether a data controller is processing their information, the right to access their information, the right to deletion, and the right to opt out of data collection.
In order to fall under the purview of the UCPA, an entity must conduct business in Utah, have revenue of $25 million or more, and annually process the personal data of at least 100,000 state consumers. Alternatively, the business may process the data of 25,000 Utah residents but make over 50% of its revenue from the sale of personal data.
Colorado
Name: Colorado Privacy Act (CPA)
Effective: July 1, 2023
Passed: 2021
Much Like Virginia, but More Consumer Friendly
Colorado’s CPA, which passed months after Virginia’s data privacy law was approved, is often said to be more similar to Virginia’s law than any of its counterparts. To be sure, the two laws have some differences, like “cure periods” for alleged violations, the number of penalties, or a provision (or lack thereof) for responding to an appeal within a certain time period, Legaltech News reported.
But both Colorado and Virginia omit the annual revenue requirement under all circumstances. The only requirement necessary to fall under the purview of these laws is the number of consumers whose data is processed each year, 100,000 for both states. Dropping the annual revenue threshold altogether hints at the law favoring consumers more than any of its predecessors, said Cassandra Gaedt-Sheckter, partner at Gibson Dunn.
Additionally, the CPA requires businesses, or as it calls them, “controllers,” to conduct data protection assessments for each of their processing activities involving personal data. It also grants consumers the right to opt out of the processing of their data, to access, correct and delete their data, and to obtain a portable copy of their data from the business.
Virginia
Name: Virginia Consumer Data Protection Act (VCDPA)
Effective: Jan. 1, 2023
Passed: 2021
A Possible ‘Role Model’ of State Privacy Laws
Many data privacy observers say that the VCDPA was modeled, in part, after Washington state’s data privacy law, which failed to pass. Both laws have distinct similarities in the terminology, structure and verbiage like “controller” and “processor.”
So far the VCDPA has been influential. “After California, the second state that passed its law was Virginia, and the three after modeled themselves after that one, not California,” said David Zetoony, the co-chair of Greenberg Traurig’s data, privacy and cybersecurity practice.
Along with Colorado’s, Virginia’s law remains one of the only ones without an annual revenue cap as a criterion for falling under the statute's purview. David Saunders, a partner at McDermott Will & Emery, noted that the elimination of this cap might show up again in upcoming state laws. “[The pending laws] look and feel a lot like Virginia and Colorado,” he said.
The law applies to those that conduct business in Virginia or produce products targeted to citizens of the state and that control or process the data of 100,000 individuals in a year. It also applies to businesses that control or process the data of 25,000 consumers and derive 50% of their gross revenue from the sale of personal data.
US-EU Data Transfer Pact
In October 2022, nearly six months after the U.S. and the European Commission reached an agreement on a new EU-U.S. Data Privacy Framework (EU-US DPF), President Joe Biden signed an executive order to implement the new pact.
The DPF would replace the former data partnership outlined in the Privacy Shield, which was itself the successor to the Safe Harbor agreement. The Privacy Shield and Safe Harbor pacts were struck down in 2020 and 2015, respectively, after concerns were raised about data collection activities by U.S. intelligence agencies.
The new executive order enacts new safeguards to limit access to data by U.S. intelligence authorities and establishes a redressal mechanism to resolve complaints about access to data, Legaltech News reported.
Design by David Palmer/ALM
Iowa
Name: Iowa Consumer Data Protection Act (ICDPA)
Effective: Jan. 1, 2025
Passed: Mar 28, 2023
In Utah’s Footsteps
The Iowa Consumer Data Protection Act (ICDPA), the sixth state privacy law to go into effect, is as business-friendly as, if not more so than, Utah’s consumer privacy law.
In addition to following in Utah’s footsteps, observers noted that Iowa’s new regulation also looks to Virginia and Connecticut’s laws for its framework.
The ICDPA covers all businesses that control or process the personal data of at least 100,000 Iowa consumers, or those that derive more than 50% of gross revenue from the sale of personal data, provided that the business controls or processes the data of at least 25,000 Iowans.
Some of the notable features that make the law stand out as more business-friendly: Unlike other state laws, it doesn’t have a “right to correct,” a “right to opt out of certain processing” or a “right to opt in for sensitive data processing,” said Guy Sereff, a partner at Michael Best & Friedrich.
While Iowa’s law closely copies Utah’s law, Sereff doesn’t see these two states' approach creating a pattern for other state data privacy laws in the pipeline. He said each state’s journey is likely to be more individualistic, depending on the makeup of its government and the number of “high-tech companies” in the jurisdiction.
Indiana
Name: Indiana Consumer Data Protection Act
Effective: Jan. 1, 2026
Passed: May 1, 2023
Follow the Leader: Virginia’s Model
In May, Indiana became the seventh state to pass consumer data privacy legislation with the Indiana Consumer Data Protection Act (ICDPA). The law fits within the emerging state data privacy standard modeled after Virginia’s law and, before that, a failed Washington State bill.
Similar to the Virginia law, Indiana grants consumers the right to know, appeal, delete and opt out of the sale of their personal information as well as the collection and processing of their sensitive personal data. The state law also follows Virginia’s definition of a “sale,” to target the exchange of personal data for monetary consideration only—as opposed to California or Colorado, for example, which include “other valuable consideration.”
While companies operating nationally likely won’t need to drastically update their compliance regime for the ICDPA, the law did come with some variations.
In a slight difference from other laws, Indiana customers will have the right to correct inaccuracies, but only for personal data previously provided to the controller.
The law also grants consumers the right to obtain either a copy or a representative summary of their personal data collected by a business. But, in a unique divergence from other laws, the state gives the controller the “discretion” to send a copy versus a summary.
Montana
Name: Montana Consumer Data Privacy Act (MCDPA)
Effective: Oct. 1, 2024
Passed: Signed by governor in May 2023.
Small But Steady?
Compared to other states, the Montana Consumer Data Privacy Act (MCDPA) has a lower compliance threshold, one that privacy professionals saw as proportionate to the state’s size.
In fact, the bill targets companies processing the personal information of 50,000 or more consumers or processing the data of 25,000 or more consumers while deriving 25% of gross revenue from the sale of that data. Under the bill, consumers will have the right to access, correct and delete personal data, as well as obtain a copy of their personal data. The bill also grants Montana consumers the right to opt out of processing related to sale, profiling or targeted advertising, among other rights.
“From the states that have passed laws and signed them into law, it actually seems like the red states are taking the charge here and passing, I think, reasonable frameworks as opposed to waiting for some national standard that can be more like California,” said Alessandra Swanson, co-chair of Winston & Strawn’s global privacy and data security practice.
Tennessee
Name: Tennessee Information Protection Act (TIPA)
Effective: July 1, 2025
Passed: Signed by governor in May 2023
I’ll Have the Same Please, but With Some NIST
The Tennessee Information Protection Act (TIPA) certainly has an air of déjà vu. The law grants a standard set of consumer rights, from opting out of the sale of personal information to the right to access, correct and delete personal data, among other rights.
In an approach similar to Utah’s, the bill targets organizations that exceed $25 million in revenue and either process the personal information of at least 175,000 consumers, or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of that data. Industry experts described this as a high compliance threshold.
However, in a unique approach, TIPA gives organizations specific guidance on how to deploy a privacy program by pointing to the National Institute of Standards and Technology (NIST) privacy framework for reference. It also offers companies an “affirmative defense” if they comply with the framework.
“This is the first time we’ve seen this, and it’s a pretty interesting provision. It’s something that we’ve seen the same type of a concept being used for breach notification, as it will create an affirmative defense for companies that follow that NIST privacy framework,” said Gregory Szewczyk, a partner in Ballard Spahr’s Denver and Boulder, Colorado, offices and a practice co-leader of the privacy and data security group.
Texas
Name: Texas Data Privacy and Security Act (TDPSA)
Effective: July 1, 2024
Passed: Signed by governor in June 2023.
‘High Watermark’ for Data Privacy Standards
The Texas Data Privacy and Security Act contains familiar concepts found in similar laws in Colorado, Connecticut and, more recently, Montana. Still, among these Virginia-inspired laws, the Texas law aligns most closely with some of the strictest data privacy regulations in the country.
Texas moved away from the familiar applicability thresholds found in other states’ data privacy laws, such as minimum annual revenue or the number of consumers whose data is processed in a year. Instead, the bill simply exempts “small businesses,” as defined by the U.S. Small Business Administration (SBA), from having to comply, an approach that some professionals say could lead to confusion.
“The SBA sets out various thresholds for a whole bunch of different industries. So it really varies from one to another. It kind of starts with the basis as if you’re 500 employees or less you’re a small business, but then from one industry to another there’s other specific requirements,” said Ben Rossen, special counsel at Baker Botts and former senior attorney at the FTC. “So it actually gets quite nuanced to figure out whether you’re covered.”
The scope of the bill becomes broader when it comes to sensitive data. The legislation notes that all businesses, including small organizations, will be required to obtain opt-in consent from data subjects before engaging in the sale of sensitive data.
Florida
Name: Digital Bill of Rights
Effective: July 1, 2024
Passed: Signed in June 2023.
The Outlier
The Florida Digital Bill of Rights comes with unique provisions. In fact, data privacy professionals say some companies might be caught by surprise by the bill’s very narrow definition of controllers, its expanded list of data breach reporting requirements and its unprecedented scope of compliance regarding sensitive data.
Though similar to many of the other state data privacy laws both in structure and in the rights granted to consumers (such as the rights to know, access and delete data, among others), Florida’s Digital Bill of Rights takes a different approach to which “controllers” are covered.
Under the law, a controller is defined as a for-profit corporation that conducts business in Florida, collects personal data about consumers and makes over $1 billion in global gross revenue. In addition to these requirements, an entity will only qualify as a controller if it also derives 50% of its revenue from the sale of advertising, operates a smart speaker, or runs an app store with at least 250,000 applications.
Among the provisions included in the bill, the Florida law also forbids a government entity from communicating with a social media platform to remove content or accounts from their platform, and from having a working relationship with social media platforms for purposes of content moderation. In addition, the bill requires providers that operate search engines to make available, in plain language, a description of the parameters used to determine the ranking of search results, specifically whether it prioritizes political partisanship or political ideology to do so.
The scope of the bill expands significantly when it comes to sensitive data, which in Florida now includes personal data from a child under the age of 18, biometric data and precise geolocation data. There is no controller test for companies collecting sensitive data: any for-profit entity that conducts business in Florida and collects personal data is subject to certain requirements under the law.
Oregon
Name: Oregon Consumer Privacy Act (OCPA)
Effective: July 1, 2024
Passed: July 2023
Unlike Virginia’s data privacy law, the Oregon Consumer Privacy Act (OCPA) adopts California and Colorado’s definition of a sale, which covers the exchange of personal information for monetary or “other valuable consideration.” Oregon also expanded its definition of sensitive data to include transgender or nonbinary status, citizenship and immigration status, and a new category: status as a victim of crime.
The OCPA offers narrower exemptions to organizations regulated by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA) than other state data privacy laws do. The Oregon law provides only data-level exemptions, not entity-level ones, for financial institutions subject to the GLBA or covered entities regulated under HIPAA.
The OCPA targets any organization that conducts business in the state and processes the personal data of 100,000 or more consumers, or that processes the personal data of 25,000 or more consumers while deriving 25% or more of its annual revenue from selling personal data.
Delaware
Name: Delaware Personal Data Privacy Act (DPDPA)
Effective: Jan. 1, 2025
Passed: September 2023
Broadened Definition of Sensitive Data
The Delaware Personal Data Privacy Act (DPDPA) is perhaps closest in nature to Colorado’s data privacy regulation, with a broader definition of sale that includes the exchange of personal data for monetary consideration as well as “other valuable consideration.” But like many of the other comprehensive data privacy laws, Delaware’s law contains unique divergences and provisions.
The DPDPA adds transgender and nonbinary status as well as citizenship and immigration status to its list of sensitive data. It also offers a uniquely detailed definition of what constitutes genetic data.
Delaware also took a different approach to the common entity-level exemptions for organizations regulated by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA) found in other bills. The DPDPA provides only data-level exemptions for organizations regulated under HIPAA. It does, however, offer both entity-wide and data-based exemptions for financial institutions under the GLBA.
Still, Delaware’s privacy law has a relatively small scope and targets organizations that conduct business in the state or produce services targeted to Delaware residents. Such organizations must also process the personal data of 35,000 consumers in a year, or process the personal data of at least 10,000 consumers and derive more than 20% of their revenue from the sale of that data.
New Jersey
Name: New Jersey Data Privacy Act (NJDPA)
Effective: Jan. 15, 2025
Passed: Jan. 15, 2024
A New Focus on Financial Information
The New Jersey Data Privacy Act, which is set to go into effect on Jan. 15, 2025, will apply to any company that conducts business in New Jersey and either controls or processes the personal data of 100,000 or more New Jersey consumers, or controls or processes the personal data of 25,000 or more New Jersey consumers and derives revenue from, or receives a discount on the price of any good or service from, the sale of personal data.
On the one hand, the law is similar to many of its predecessors, especially Colorado’s, California’s and Virginia’s, offering the increasingly common privacy rights of access, deletion and correction, and the right to opt out of sale and of targeted advertising. On the other hand, the law breaks from the crowd in subtle but significant ways.
The most glaring difference in the New Jersey law is its expansion of the definition of “sensitive personal data,” which traditionally included information such as an individual’s race or ethnicity, biometrics, mental or physical health condition, sexual orientation, and immigration status, among others, to now include an individual’s financial information.
While nonlawyers and data security professionals have long considered financial information to be sensitive in the technical sense, tacking it on under the “privacy” label is likely to create a whole new set of requirements.
“The inclusion is important because the statute requires that companies conduct data protection assessments if they collect sensitive information,” said David Zetoony, an attorney and co-chair of the data, privacy and cybersecurity practice at Greenberg Traurig. “In other words, New Jersey will functionally require every company subject to its statute, and that collects credit cards, to create a data protection assessment that documents the risks and benefits to their credit card usage.”
Virginia
Name: Virginia Consumer Data Protection Act (VCDPA)
Effective: Jan. 1, 2023
Passed: 2021
A Possible ‘Role Model’ of State Privacy Laws
Many data privacy observers say that the VCDPA was modeled, in part, after Washington state’s data privacy law, which failed to pass. Both laws have distinct similarities in the terminology, structure and verbiage like “controller” and “processor.”
So far the VCDPA has been influential. “After California, the second state that passed its law was Virginia, and the three after modeled themselves after that one, not California,” said David Zetoony, the co-chair of Greenberg Traurig’s data, privacy and cybersecurity practice.
Along with Colorado, Virginia’s law remains the only one without an annual revenue cap as a criterion for falling under the statute’s purview. David Saunders, a partner at McDermott Will & Emery, noted that the elimination of this cap might show up again in upcoming state laws. “[The pending laws] look and feel a lot like Virginia and Colorado,” he said.
The law applies to those that conduct business in Virginia or produce products targeted to citizens of the state and those that control or process the data of 100,000 individuals in a year. It also applies to businesses that control or process the data of 25,000 consumers and derive 50% of their gross revenue from the sale of personal data.
Delaware
Name: Delaware Personal Data Privacy Act (DPDPA)
Effective: Jan. 1, 2025
Passed: September 2023
Broadened Definition of Sensitive Data
The Delaware Personal Data Privacy Act (DPDPA) is perhaps closest in nature to Colorado’s data privacy regulation, with a broader definition of sale that includes the exchange of personal data for monetary consideration as well as “other valuable consideration.” But like many of the other comprehensive data privacy laws, Delaware’s law contains unique divergences and provisions.
The DPDPA adds transgender and nonbinary status as well as citizenship and immigration status to its list of sensitive data. It also offers a uniquely detailed definition of what constitutes genetic data.
Delaware also took a different approach to the common entity-level exemptions for organizations regulated by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA) found in other bills. The DPDPA only provides data-level exemptions for organizations regulated under HIPAA. It does, however, offer both entity-wide and data-based exemptions for financial institutions under the GLBA.
Still, Delaware’s privacy law has a relatively small scope and targets organizations that conduct business in the state or produce services targeted to Delaware residents. Organizations must also process the personal data of 35,000 consumers in the year or process the personal data of at least 10,000 consumers and derive more than 20% of their revenue from the sale of that data.
Nebraska
Name: Nebraska Data Privacy Act (NEDPA)
Effective: Jan. 1, 2025
Passed: April 2024
Same as Others, With One Exception
The Nebraska Data Privacy Act (NEDPA) applies to a person that conducts business in Nebraska or produces a product or service consumed by residents of Nebraska, and processes or engages in the sale of personal data and does not qualify as a small business under the federal Small Business Act.
In many ways, the law falls under the same umbrella as many of the other state data privacy laws, granting consumers the rights to access, correct and delete personal data, the right to opt out of data sales and to opt in to sensitive data processing, along with the right to opt out of processing for profiling or targeted advertisement.
However, one key difference stands out.
“The only real difference I saw is that the Nebraska Law has time-stamped certain provisions.” For example, a number of the state laws “define ‘dark patterns’ to include [the] practice [as it is] designated by the FTC,” whereas Nebraska said “it’s any practice designated by the FTC as of January 1 2024,” explained Andrea Maciejewski, an attorney in the data privacy and cybersecurity practice at Greenberg Traurig.
Essentially, this stops the definitions from being “moving targets,” she added.
Kentucky
Name: Kentucky Consumer Data Protection Act (KCDPA)
Effective: Jan. 1, 2026
Passed: April 2024
A Different Enforcement Approach
The Kentucky Consumer Data Protection Act targets businesses that either conduct business in Kentucky or produce products or services targeted to the state’s residents. Such businesses must also, within the calendar year, either control or process personal data of at least 100,000 consumers; or control or process personal data of 25,000 Kentucky consumers and derive over 50% of gross revenue from the sale of personal data.
Unlike California, Colorado or New Hampshire, the KCDPA limits its definition of “sale of personal data” to include only exchanges of personal data for monetary consideration. Though Kentucky offers an already well-known set of consumer rights, it only gives consumers the right to opt out of targeted advertising and the sale of personal data and doesn’t require controllers to recognize universal opt-out signals.
Businesses under the scope of the act are also required to limit the collection of personal data to what is “adequate, relevant, and reasonably necessary” in relation to the disclosed purposes for which the data is processed, unless the controller obtains the consumer’s consent.
The law will be enforced exclusively by Kentucky’s attorney general, but the state takes a somewhat unusual approach to enforcement: while many state data privacy laws ultimately sunset their cure provisions, the KCDPA provides a 30-day cure period that doesn’t sunset.
New Hampshire
Name: SB 255
Effective: Jan. 1, 2025
Passed: March 2024
Middle of the Road
New Hampshire’s data privacy law has a fairly low threshold of applicability, covering entities that conduct business in the state or produce products or services targeted to New Hampshire residents that, “during a one-year period controlled or processed the personal data of more than 35,000 unique consumers.” The law also applies to businesses that “controlled or processed the personal data of more than 10,000 unique consumers, and derived more than 25% of their gross revenue from the sale of personal data.”
The consumer rights offered in the New Hampshire act are similar to those found in many state data privacy laws, including the right to access, correct and delete data, and the right to opt out of processing for purposes of targeted advertising, sale or profiling.
For businesses, the requirements mandated by the law are also familiar, such as risk assessments, notice and transparency requirements and data minimization principles, requiring controllers to “limit the collection of personal data to what is adequate, relevant and reasonably necessary.”
“Others describe it as a kind of boring law, which is a little bit remarkable,” said Matthew B. Welling, partner at Crowell & Moring. He added, “Looking at the law and going through the comparisons to the other states it seems to be pretty squarely in the middle of the approaches that other states have taken.”
Colorado
Name: Colorado Privacy Act (CPA)
Effective: July 1, 2023
Passed: 2021
Much Like Virginia, but More Consumer Friendly
Colorado’s CPA, which passed months after Virginia’s data privacy law was approved, is often said to be more similar to Virginia’s law than any of its counterparts. To be sure, the two laws have some differences, like “cure periods” for alleged violations, the number of penalties, or a provision (or lack thereof) for responding to an appeal within a certain time period, Legaltech News reported.
But both Colorado and Virginia share the exemption from the annual revenue requirement under all circumstances. The only requirement necessary to fall under the purview of these laws is the number of consumers from whom data is processed each year—100,000 for both states. The elimination of the cap of an annual revenue requirement altogether hints at the law favoring consumers more than any of its predecessors, said Cassandra Gaedt-Sheckter, partner at Gibson Dunn.
Additionally, the CPA requires businesses, or as it calls them, “controllers,” to conduct data protection assessments for each of their processing activities involving personal data. It also grants the right for consumers to opt out of processing their data, to access, correct and delete their data, and to obtain a portable copy of their data from the business.
Oregon
Name: Oregon Consumer Privacy Act (OCPA)
Effective: July 1, 2024
Passed: July 2023
Unlike Virginia’s data privacy law, the Oregon Consumer Privacy Act (OCPA) takes on California and Colorado’s definition of a sale to include the sale of personal information for monetary or “other valuable consideration.” Oregon also expanded its definition of sensitive data to include transgender or nonbinary status, citizenship and immigration status, and a new category: status as a victim of crime.
The OCPA offers narrower exemptions to organizations regulated by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA) than other state data privacy laws do. The Oregon law only provides data-level exemptions, not entity-based ones, for financial institutions subject to the GLBA or covered entities regulated under HIPAA.
The OCPA targets any organization that conducts business in the state and processes the personal data of 100,000 or more consumers, or the personal data of 25,000 or more consumers, while deriving 25% or more of its annual revenue from selling personal data.
Minnesota
Name: Minnesota Consumer Data Privacy Act (MCDPA)
Effective: July 31, 2025
Signed: May 2024
Some GDPR-Like Characteristics
The Minnesota Consumer Data Privacy Act (MCDPA) applies to organizations that conduct business in Minnesota or provide products or services that are targeted to Minnesota residents.
The law gives consumers a similar set of rights as other state statutes, including: the rights to know, access and obtain a list of third parties holding their data; the rights to correction, deletion and opting out of targeted advertising; the rights to non-discrimination and to question the results of profiling, and the right to data portability and to appeal.
Government entities, certain financial entities like banks and insurance companies, small businesses, airlines and federally recognized Native American tribes are exempt from the law, as is data collected in the employment context.
To be sure, the MCDPA has some unique qualities. While other states give consumers the right to opt out of profiling, “Minnesota goes a bit further by expanding those … comparable to GDPR, is the right to question the results of profiling,” said Guy Sereff, a partner at Michael Best.
The second key unique attribute seen in the MCDPA is the mandatory inventory or mapping of an organization’s data, Sereff said.
While keeping track of an organization’s data has been written between the lines in many previous state statutes, this one is more explicit about this requirement as part of its data security compliance regime.
Maryland
Name: Maryland Online Data Privacy Act of 2024 (MODPA)
Effective: Oct. 1, 2025
Signed: May 2024
Maryland Bucks Ongoing Privacy Trends
The Maryland Online Data Privacy Act of 2024 (MODPA) has bucked many ongoing data privacy trends with its stringent take on data minimization and sensitive data protections.
Take biometric data, for example. The language used in many privacy laws specifies that data qualifies as biometric if it’s intended to be used to identify someone. But in MODPA, data collected will be considered biometric even if it “can” be used to identify someone, regardless of intent.
MODPA also introduces strict data minimization requirements and expands protections for children. In the law, controllers are prohibited from processing the personal data of children for targeted advertising purposes and from selling such data, where the controller “knew or should have known” that the children in question were under the age of 18.
The Maryland law otherwise offers its residents a familiar set of consumer rights, including the right to confirm data is being processed and the right to access it, delete it or correct inaccuracies, and to obtain a copy and a list of the categories of third parties to which an organization has disclosed personal data.
The law applies to organizations that conduct business in the state or provide goods and services targeted to Maryland residents and that, in the last year, have controlled or processed the personal data of at least 35,000 consumers; or of at least 10,000 consumers while deriving more than 20% of their gross revenue from the sale of such data.
Rhode Island
Name: Rhode Island Data Transparency and Privacy Protection (RIDTPPA)
Effective: Jan. 1, 2026
Signed: Aug. 29, 2024
Key Differences, Depending on Its Interpretation
The Rhode Island Data Transparency and Privacy Protection (RIDTPPA) is, in many ways, similar to most non-California data privacy laws, but has a handful of key differences.
Specifically, the law offers consumers the rights to access, correct and delete their data, a partial right to opt out of certain data processing, and the right to opt out of the sale of their data. In addition, it also includes the right to data portability, the right to opt into sensitive data processing and the right to reject automated decision-making.
However, two provisions in the RIDTPPA are of particular note: a separate section in the legislation that applies to any commercial website or internet service provider conducting business in Rhode Island, and the absence of a cure period in the text.
Andrea Maciejewski, an associate at Greenberg Traurig, said the missing cure period for remedying consumer complaints strikes her as the biggest difference. Still, she said it’s unclear what the impact of this ambiguity would be on a business or how the attorney general would necessarily use that in their enforcement.
What’s more, the law, unlike others, does not specify what constitutes PII, but it does require that such information be protected as far as consumer rights are concerned.
Ultimately though, Maciejewski stressed that until the RIDTPPA is interpreted by the regulatory bodies and courts, the impact of these small differences is anyone’s guess.