
U.S. state data privacy laws: What you need to know

By Constantine von Hoffman, Managing Editor at MarTech
Published January 7, 2026

Updated with information on new privacy laws in Louisiana and Vermont.

Data privacy regulation is an issue with broad, national bipartisan support. Red states like Texas and Tennessee, and Blue states like California and Colorado, are among the many states that now have laws governing the handling of consumers’ personal information. Despite this, Congress has failed to pass a much-needed national law.

Each of those laws is a different headache for marketers. The laws share some similarities: they give consumers the right to access, delete, and opt out of the sale of their personal information (PI). However, there are also important differences in their scope, definitions, and requirements.

Even so, as more states adopt these laws, some may adopt data protections that differ widely from those already in place. Pity the poor MOps people who must deal with that.

Here is a list of state data privacy laws currently in effect, followed by a list of states whose data laws are not yet in effect. They include brief descriptions of who they apply to and the requirements for each. We are not lawyers, so please carefully review each state’s law to ensure compliance when operating in those jurisdictions.

States with data privacy laws in effect

State | Law | Went into effect
California | California Consumer Privacy Act | 1/1/2020
Virginia | Virginia Consumer Data Protection Act | 1/1/2023
Colorado | Colorado Privacy Act | 7/1/2023
Connecticut | Connecticut Data Privacy Act | 7/1/2023
Utah | Utah Consumer Privacy Act | 12/31/2023
Oregon | Oregon Consumer Privacy Act | 7/1/2024
Montana | Montana Consumer Data Privacy Act | 10/1/2024
Iowa | Iowa Consumer Data Protection Act | 1/1/2025
Delaware | Delaware Personal Data Privacy Act | 1/1/2025
New Hampshire | New Hampshire Consumer Data Protection Act | 1/1/2025
Texas | Texas Data Privacy and Security Act | 1/1/2025
New Jersey | New Jersey Consumer Data Privacy Act | 1/16/2025
Minnesota | Minnesota Consumer Data Privacy Act | 6/24/2025
Tennessee | Tennessee Data Protection Act | 7/1/2025
Maryland | Maryland Online Data Privacy Act | 10/1/2025
Nebraska | Nebraska Data Privacy Act | 10/1/2025
Indiana | Indiana Consumer Data Protection Act | 1/1/2026
Kentucky | Kentucky Consumer Data Protection Act | 1/1/2026
Rhode Island | Rhode Island Data Transparency and Privacy Protection Act | 1/1/2026

California Consumer Privacy Act  

Businesses it applies to:

  • Have annual gross revenue of at least $25 million in the preceding calendar year.
  • Buy, sell, or share the PI of 100,000+ consumers or households.
  • Derive 50%+ of annual revenues from selling or sharing consumers’ PI.

Requires businesses to: 

  • Let consumers opt out of PI sales.
  • Let consumers limit the processing of sensitive PI.
  • Implement data minimization and purpose limitation principles.
  • Provide consumers with a privacy notice.
  • Ensure that their service providers comply with the law.
  • Establish a data retention period.

California’s Delete Request and Opt-Out Platform

California’s Delete Request and Opt-Out Platform (DROP) — a first-of-its-kind statewide system — officially launched on January 1, 2026, allowing residents to submit a single request to have their personal information deleted from more than 500 registered data brokers at once. Under the state’s Delete Act, data brokers will be required to begin processing these deletion requests by August 1, 2026, and must regularly check the DROP system, which could reduce the amount of personal data circulating online and curb spam, scam contacts, and unauthorized profiling. The platform operationalizes California’s expanding privacy protections by centralizing and simplifying what was once a fragmented and time-consuming deletion process, forcing data brokers to overhaul their handling of consumer information or face compliance challenges.


Virginia Consumer Data Protection Act

Applies to businesses that:

  • Control or process PI of at least 100,000 Virginia residents, or
  • Control or process PI of at least 25,000 Virginia consumers and derive 50%+ of gross revenue from the sale of PI in a calendar year.

Requires businesses to:

  • Allow consumers to opt out of the sale of PI.
  • Provide consumers with a privacy notice.
  • Have data processing agreements in place with your data processors.
  • Conduct a Privacy Impact Assessment of processing activities.

Collection of data about consumers’ reproductive or sexual health prohibited

The Act now prohibits the collection, disclosure, sale, or dissemination of consumers’ reproductive or sexual health information without consent. 

The updated law has a broad definition of “reproductive or sexual health information,” which includes any “information relating to the past, present, or future reproductive or sexual health of an individual” connected with a consumer transaction. 

The act covers:

  • Efforts to find or access information, services, or supplies related to reproductive or sexual health
  • Use or purchase of birth control, contraceptives, or medications related to reproductive health, including abortion pills
  • Health details such as diagnoses, STDs, pregnancy status, menstruation, ovulation, sexual activity, ability to conceive, or unprotected sex
  • Treatments or surgeries related to reproductive or sexual health, including abortions
  • Bodily functions, symptoms, or measurements linked to menstruation or pregnancy, like hormone levels, cramps, discharge, or body temperature
  • Any reproductive or sexual health information that’s inferred or predicted from unrelated data, like algorithmic or proxy-based insights

Colorado Privacy Act

Applies to businesses that:

  • Have 100,000+ Colorado consumers during a year, or
  • Have 25,000+ Colorado consumers and generate revenue from the sale of PI, potentially through a discount on goods or services.

Requires businesses to: 

  • Provide consumers with ways to opt out of the sales of PI, targeted advertising, and profiling.
  • Provide consumers with a privacy notice.
  • Conduct a data protection impact assessment where there is a risk to consumers.

Connecticut Data Privacy Act

Applies to businesses that:

  • Process data collected from 35,000+ (down from 100,000) Connecticut consumers, excluding PI controlled or processed solely to complete a payment transaction, or
  • Process the data of 25,000+ Connecticut consumers and derive at least 25% of their gross revenue from selling PI.

NEW threshold activities that are not subject to any numerical minimums:

  • Controlling or processing Connecticut residents’ sensitive data (excluding personal data controlled or processed solely for the purpose of completing a payment transaction).
  • Offering Connecticut residents’ personal data for sale in trade or commerce.

Requires businesses to: 

  • Allow consumers to opt out of the processing of sensitive PI.
  • Collect and process only the minimum amount of data necessary.
  • Provide consumers with a privacy notice.
  • Conduct data protection assessments where the processing may pose a risk.

NEW rights/opt-outs and privacy notice requirements

  • Rights related to derived/inferred data and profiling: The updated law expands access to include inferences about the individual derived from personal data and whether the personal data is being used for profiling to make a decision that produces legal or similarly significant effects about the consumer. Consumers now have the right to contest profiling decisions.
  • Disclosure of large language model training: Companies must disclose whether they collect, use or sell personal data for the purpose of training large language models.

Increased protections for minors

  • A company cannot process the personal data of anyone it actually knows or willfully disregards is a minor (defined as under 18) unless the processing is reasonably necessary for the company’s service. And even if that standard is met, the law requires that minors’ data only be processed for the purpose disclosed at the time of collection and only for as long as is reasonably necessary. Controllers also cannot collect precise geolocation data from minors unless the data is strictly necessary for the service and the company indicates this at the time of collection.
  • Bans on targeted advertising and personal data sales: Companies are prohibited from processing minors’ personal data for targeted advertising or selling minors’ personal data. These are outright bans that cannot be circumvented, for example, by obtaining (parental) consent to process minors’ data in these ways.

Utah Consumer Privacy Act

Applies to businesses that:

  • Have annual revenue of $25 million+, and either
    • Control or process the PI of 100,000+ Utah residents over a calendar year, or
    • Derive 50%+ of gross revenue from the sale of PI and control or process the PI of 25,000+ Utah residents.

Requires businesses to:

  • Provide consumers with mechanisms to opt out of the sale of PI or from targeted advertising.
  • Have processing agreements in place.
  • Provide consumers with a privacy notice.

Oregon Consumer Privacy Act

Applies to businesses that:

  • Control or process PI of 100,000+ Oregon consumers, or
  • Control or process the PI of 25,000+ Oregon consumers and derive 25%+ of gross revenue by selling the data.

Requires businesses to:

  • Let consumers access, correct, delete, and receive a copy of their PI.
  • Provide a list of the “specific third parties” to whom a controller discloses PI.
  • Let consumers request the deletion of “derived data.”
  • Obtain consent to process sensitive data.
  • Obtain affirmative consent to profile adolescent data.
  • Let consumers opt out of targeted advertising, data sales, and significant profiling decisions.
  • Provide a privacy notice to consumers.

Montana Consumer Data Privacy Act

Applies to businesses that:

  • Control or process the PI of at least 25,000 (down from 50,000) Montana residents, or
  • Control or process the PI of at least 15,000 (down from 25,000) Montana consumers and derive more than 25% (down from 50%) of their gross revenue from the sale of personal data.

Requires businesses to:

  • Respond to consumers’ requests.
  • Enable consumers to opt out of data sales.
  • Recognize universal opt-out mechanisms.
  • Serve consumers with a privacy notice and a privacy policy.
  • Obtain explicit consent before collecting sensitive data.
  • Conduct data protection impact assessments for processing sensitive data, selling data, or using data for targeted advertising and/or profiling.

Additional rights/opt-outs and privacy notice requirements

  • If a company sells or processes personal data for targeted advertising, it must disclose this in its privacy notice and provide consumers with the ability to opt out.
  • Additional privacy requirements include requiring companies to provide a privacy notice in each language in which they provide products and services, and in a manner that is reasonably accessible and usable to individuals with disabilities.

Enforcement powers and penalties: The Montana attorney general can now issue civil investigative demands and is no longer required to offer an opportunity to cure before bringing an enforcement action. There is now a penalty of up to $7,500 per violation.

Increased protections for minors

  • Applies to any company that offers an online service, product, or feature to a consumer whom the controller actually knows, or willfully disregards, is a minor (defined as under 18).
  • Companies are required to use “reasonable care” to avoid a “heightened risk of harm to minors.” The updates do not constitute an age-verification requirement, but they do impose additional consent requirements and data-use restrictions for minors. Additionally, if there is a heightened risk of harm to minors, the company must also conduct a data protection assessment.

Iowa Data Privacy Act

Applies to businesses that:

  • Control or process the PI of 100,000+ Iowa consumers, or
  • Control or process the PI of 25,000+ Iowa consumers and derive 50%+ of gross revenue by selling the data.

Requires businesses to:

  • Limit data processing to specified purposes.
  • Provide consumers with a privacy notice.
  • Allow consumers to opt out of the sale of PI.
  • Respond to consumer requests for access, deletion, portability, opt-out, and others.
  • Have written contracts with service providers.
  • Keep the data secure.

Texas Data Privacy and Security Act

Applies to businesses that:

  • Process PI or engage in the sale of PI, and
  • Are not excluded as a small business, according to the Small Business Administration.

Requires businesses to:

  • Allow opting out of the sale of PI.
  • Honor consumer requests.
  • Obtain explicit consent for the processing of sensitive data.
  • Conduct data protection impact assessments.
  • Have written contracts with service providers.

Delaware Personal Data Privacy Act

Applies to businesses that:

  • Control or process the PI of at least 35,000 Delaware consumers, or
  • Control or process the PI of at least 10,000 Delaware consumers and derive 20%+ of revenue from selling PI.

Requires businesses to:

  • Limit the collection of PI to what is adequate, relevant, and reasonably necessary.
  • Obtain consent to process sensitive data.
  • Honor consumer requests.
  • Allow consumers to opt out of processing through an opt-out preference signal.
  • Provide a privacy notice to consumers.
  • Conduct data protection assessments.

New Hampshire Consumer Data Privacy Act

Applies to businesses that:

  • Control or process PI of at least 35,000 unique consumers, excluding PI controlled or processed solely to complete a payment transaction; or
  • Control or process PI of at least 10,000 unique consumers and derive 25%+ of gross revenue from the sale of PI.

Requires businesses to:

  • Provide consumers with the same privacy protections as in other states.

New Jersey Consumer Data Privacy Act

Applies to businesses that:

  • Control or process the PI of 100,000+ New Jersey consumers, excluding data processed solely to complete a payment transaction; or
  • Control or process the PI of 25,000+ New Jersey consumers, and the controller derives revenue or receives a discount on the price of any goods or services from the sale of PI.

Requires businesses to:

  • Collect only the minimum amount of data necessary for processing purposes and process it only for adequate purposes.
  • Obtain consent for the processing of sensitive or children’s data and provide mechanisms for revoking consent.
  • Obtain consent for processing the data of a child for purposes of targeted advertising, the sale of the consumer’s PI, or profiling, where the controller has actual knowledge or willfully disregards that the consumer is at least 13 years of age but younger than 17 years of age.
  • Inform consumers about the processing, including its purposes.
  • Implement administrative, technical, and physical data security measures.
  • Conduct a data protection impact assessment where necessary.
  • Ensure they have written agreements with service providers for data processing.
  • Confirm, on request, whether they process the consumer’s PI and provide access to that PI, trade secrets excluded.
  • Correct inaccuracies in PI on request.
  • Delete PI on request.
  • Provide data portability.
  • Let consumers opt out of processing PI for targeted advertising or for the sale of data.

Minnesota Data Privacy Act

Applies to businesses that:

  • Control or process PI of at least 100,000 unique Minnesota consumers; or
  • Control or process personal data of 25,000 unique Minnesota consumers and derive over 25% of gross revenue from the sale of PI.

Requires businesses to:

  • Confirm whether the company is processing someone’s data and provide access to it, unless confirming and granting access would require the company to reveal a trade secret.
  • Correct inaccuracies in personal data when requested.
  • Delete personal data when requested.
  • Provide a copy of the personal data processed by the company, in an accessible format, upon request.
  • Let consumers opt out of processing PI for targeted advertising or for the sale of data.
  • Provide a list of third parties to whom the company has disclosed the personal data.

Tennessee Information Protection Act

Applies to businesses that:

  • Exceed $25 million in annual revenue, and either
    • Control or process the PI of 175,000+ Tennessee consumers, or
    • Control or process the PI of 25,000+ Tennessee consumers and derive at least 50% of gross revenue from selling the data.

Requires businesses to:

  • Provide consumers with a privacy notice and a privacy policy.
  • Honor consumer requests to know, access, delete, and others.
  • Process the data only for the purposes for which it was collected.
  • Allow consumers to opt out of the sale of their data.
  • Have written contracts with service providers.

Maryland Online Data Privacy Act

Bans the sale of personal data. Companies can only collect, process, or share personal data that is “strictly necessary to provide or maintain a specific product or service requested by the consumer.”

Applies to businesses that:

  • Process the data of 35,000+ consumers, or
  • Process the data of 10,000+ consumers and derive 20%+ of their revenue from data sales.

Requires businesses to:

  • Allow consumers to
    • Know what PI is being used.
    • Access PI being used.
    • Delete PI being used.
    • Opt out of the sale of data or processing for targeted advertising or profiling.

Nebraska Data Privacy Act 

Applies to businesses that:

  • Process PI or engage in the sale of PI, and
  • Are not excluded as a small business, according to the Small Business Administration.

Requires businesses to:

  • Allow consumers to
    • Know what PI is being used.
    • Access the PI being used.
    • Delete the PI being used.
    • Opt out of the sale or processing of data for targeted advertising.
  • Implement technical and organizational safeguards to protect the data.
  • Respond to consumer requests promptly.

Indiana Data Privacy Law

Applies to businesses that:

  • Control or process the PI of 100,000+ Indiana consumers, or
  • Control or process the PI of 25,000+ Indiana consumers and derive 50%+ of gross revenue by selling the data.

Requires businesses to:

  • Allow consumers to opt out of the sale of PI.
  • Provide consumers with a comprehensive privacy notice.
  • Conduct a data impact assessment in the case of targeted advertising.
  • Limit data processing to the intended purposes.
  • Obtain explicit consent for the processing of sensitive PI.

Kentucky Consumer Data Protection Act

Applies to businesses that:

  • Process the data of 100,000+ Kentucky residents, or
  • Process the data of 25,000+ Kentucky residents and derive 50%+ of profits from the sale of PI.

Requires businesses to:

  • Allow consumers to
    • Know what PI is being used.
    • Access the PI being used.
    • Delete the PI being used.
    • Opt out of the sale of data or processing for targeted advertising.
  • Implement technical and organizational safeguards to protect the data.
  • Respond to consumer requests promptly.
  • Conduct data protection impact assessments for high-risk processing.

Rhode Island Data Transparency and Privacy Protection Act

Applies to businesses that:

  • Conduct business in Rhode Island or produce products or services targeted to the residents of Rhode Island, and
  • “Control or process” the personal data of at least 35,000 Rhode Island residents, or of at least 10,000 Rhode Island residents while deriving over 20% of gross revenue from the sale of personal data.

Requires businesses to:

  • Clearly explain what data is collected, why it is processed, and to whom it is shared or sold.
  • Establish mechanisms for consumers to access, correct, delete, or obtain a copy of their personal data.
  • Obtain consent before processing “sensitive” data and allow opt-outs for targeted advertising and data sales.
  • Conduct and document assessments for high-risk data processing activities, including profiling and targeted advertising.
  • Implement reasonable administrative, technical, and physical safeguards to secure personal data.
  • Ensure contracts with processors include specific, compliant provisions regarding data handling and confidentiality.

Violations can result in penalties of up to $10,000 per violation.

States whose data privacy laws are not yet in effect:

Oklahoma Data Protection Act

Applies to businesses that:

Conduct business in Oklahoma or produce products or services targeted at residents, provided the business meets one of the following thresholds during a calendar year:

  • It controls or processes the personal data of at least 100,000 Oklahoma consumers; or
  • It controls or processes the personal data of at least 25,000 Oklahoma consumers and derives more than 50% of gross revenue from the sale of personal data.

Requires businesses to:

  • Provide a clear, accessible privacy policy detailing the categories of personal data processed, the purposes for processing, and the third parties with whom data is shared.
  • Provide a clear, conspicuous method for consumers to opt out of the sale of their personal data or its use for targeted advertising.
  • Conduct and document data protection assessments for high-risk activities, including targeted advertising, profiling, and the sale of personal data.
  • Limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes.
  • Respond to consumer requests (e.g., access, delete, correct) within 45 days, with a 30-day “right to cure” period provided before enforcement actions.
  • Obtain affirmative consent before processing sensitive data.

Goes into effect January 1, 2027.

Alabama Personal Data Protection Act 

Applies to businesses that:

  • Conduct business in Alabama or produce products or services that target Alabama residents, and either
    • Process or control the personal data of more than 25,000 residents, excluding personal data processed or controlled solely for the purpose of completing a payment transaction, or
    • Derive over 25% of their gross revenue from the sale of personal data, regardless of the number of consumers.

Requires businesses to:

  • Provide clear, accessible privacy policies detailing what data is processed, why it is processed, and what is shared with third parties.
  • Establish mechanisms for consumers to access, delete, and correct their personal data.
  • Allow consumers to opt out of the sale of their personal data, targeted advertising, and profiling.
  • Collect only the data that is adequate, relevant, and reasonably necessary for the disclosed purposes.
  • Implement reasonable administrative, technical, and physical security measures to protect consumer data.
  • Obtain consent to process sensitive data (e.g., biometric data, precise geolocation) and to target consumers under 16.
  • Maintain compliant contracts with third-party processors.

Goes into effect March 30, 2027.

Louisiana Data Privacy Act

Applies to businesses operating in Louisiana that meet at least one of these conditions:

  • Have annual gross revenue over $25 million.
  • Process personal data of 75,000+ consumers.
  • Derive 50% or more of revenue from selling personal data.

Requires businesses to:

  • Post privacy notices detailing data collection, use, and sharing practices.
  • Get affirmative consent for processing “sensitive data”.
  • Honor universal opt-out mechanisms.
  • Perform data protection assessments for high-risk processing.
  • Implement reasonable security measures.
  • Utilize contracts with data processors.
  • Enable residents to access, correct, or delete data.

Goes into effect January 1, 2027.

Vermont Data Privacy and Online Surveillance Act

Applies to businesses that:

  • Control or process the personal data of at least 35,000 Vermont consumers.
  • Control or process the sensitive data of at least 3,000 Vermont consumers.
  • Sell or offer for sale the personal data of at least 3,000 Vermont consumers.

The consumer health data provisions of the law apply to any entity that conducts business in Vermont or targets residents, regardless of the data volume or processing thresholds listed above.

Requires businesses to:

  • Facilitate consumer requests to access, correct, delete, or obtain a portable copy of their personal data. Consumers also have the right to obtain a list of specific third parties to whom their personal data has been sold.
  • Obtain explicit, affirmative opt-in consent before processing sensitive data. The law broadly defines sensitive data to include neural data, financial account credentials, government-issued IDs, and transgender/nonbinary status.
  • Provide clear mechanisms for consumers to opt out of targeted advertising, profiling, and the sale of personal data.
  • Ensure that employees and contractors do not access consumer health data unless they are bound by a strict duty of confidentiality. The law also explicitly prohibits geofencing within 1,850 feet of any healthcare, mental health, or reproductive health facility.
  • Explicitly disclose within privacy policies whether the business collects, uses, or sells personal data to train large language models (LLMs) or artificial intelligence.
  • Perform formal data protection assessments for any processing activities that present a heightened risk of consumer harm.
  • Establish mandatory, binding data processing contracts with all third-party data processors and vendors.

Goes into effect January 1, 2028.

The post U.S. state data privacy laws: What you need to know appeared first on MarTech.
