U.S. State Comprehensive Privacy Laws
An Interactive Tool
As more and more states jump into the “comprehensive” privacy law fray, it is becoming harder and harder to keep track of the different, yet overlapping, elements of these laws. This interactive website is a tool that aims to fill that gap for businesses as they review and assess these laws.
State Privacy Laws - The Basics
Effective Dates
The first step for a business to consider is whether a privacy law is effective in the state where they operate or interact with consumers. State law effective dates are:
January 1, 2023: California, Virginia
July 1, 2023: Colorado, Connecticut
December 31, 2023: Utah
July 1, 2024: Florida, Oregon, and Texas
October 1, 2024: Montana
January 1, 2025: Delaware, Iowa, Nebraska, New Hampshire
January 15, 2025: New Jersey
July 31, 2025: Minnesota
Scope
Not all companies will be subject to these laws. What should companies think about? Two questions: does the company do business in the state, and does it meet the state's thresholds? The thresholds are:
Revenue thresholds
$25 million: California,* Tennessee and Utah (*this is one of two ways for the law to apply)
$1 billion: Florida
Number of individuals' information processed thresholds
175,000: Tennessee
100,000: California, Colorado, Indiana, Iowa, Kentucky, Minnesota, New Jersey, Oregon, Utah, and Virginia
50,000: Montana
35,000: Delaware, Maryland, New Hampshire, Rhode Island
Or revenue from selling personal information
10,000 residents: Delaware, Maryland, New Hampshire, Rhode Island
25,000 residents: Colorado, Connecticut, Indiana, Iowa, Kentucky, Minnesota, Montana, New Jersey, Oregon, Tennessee, Virginia
50% of revenue from selling PII: California
But Florida (narrow applicability)
50% of revenue from online ad sales
Operate smart speaker with voice command
App store operator with 250,000+ apps
Exemptions
Certain entities or types of information may be exempted from the state privacy law. For instance, some entities or information are already regulated under federal laws. Below are some of the types of entities or information that are exempt from the new state laws.
Healthcare Service Providers
CO, CT, FL, IN, IA, KY, MT, NE, NH, RI, TN, TX, UT, VA
Financial Service Providers
CO, CT, DE, FL, IN, IA, KY, MD, MN**, MT, NE, NH, NJ, OR**, RI, TN, TX, UT, VA
State or Government Agencies
CT, DE, FL, IN, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, UT, VA
Native Tribes
MN, UT
Non-profits
CA, CT, DE*, FL, IN, IA, KY, MT, NE, NH, OR*, RI, TN, TX, UT, VA
National Securities Association or Registered Futures Associations
CO, CT, DE, MD, MN, MT, NH, RI
Insurance Companies
NJ, OR, RI, TN
Higher Education Institutes
CA, CO, CT, FL, IN, IA, KY, MD, MN, MT, NE, NH, RI, TN, TX, UT, VA
Public Utilities
CO, IN, KY, NE, TX
Air Carriers
CO, UT
HIPAA-Regulated Information
CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, UT, VA
GLBA-Regulated Information
CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, UT, VA
FERPA-Regulated Information
CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, OR, RI, TN, TX, UT, VA
FCRA-Regulated Information
CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, UT, VA
Drivers Privacy Protection Act-Regulated Information
CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, OR, RI, TN, TX, UT, VA
Farm Credit Act-Regulated Information
CA, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, RI, TN, TX, UT, VA
Information Maintained for Employment Records
CO
Information Collected with a Third-Party Benefit Provider
CA, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, OR, RI, TN, TX, VA
*Only non-profits dedicated exclusively to preventing and addressing insurance crimes
** Financial service entities defined under state law, rather than GLBA
Required Notices
One of the obligations for businesses under state laws is to provide notice to consumers. Listed below, at a high level, is the type of content that the laws require be included. (Of course, check the laws themselves for more detail!)
For each, the states that require the listed content are shown.
Categories of personal information and purposes of processing
CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, UT, VA
If sensitive information will be processed
CA, CO, FL, MD, MN, NE, OR, TX
If sensitive or biometric data will be sold
FL, TX
If information will be shared and categories of those third parties
CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, TN, TX, UT, VA
Consumers’ rights, and how to exercise them
CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, TN, TX, UT, VA
How to appeal a decision
CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, TN, TX, VA
How to opt out of certain processing
CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, TN, TX, UT, VA
Date policy was last updated (CalOPPA also requires effective date)
CA, CO, MN, NJ
Contact information for questions or concerns
CA, CO, CT, DE, MD, MN, MT, NH, NJ, OR, RI
Consumer Choices
Under state comprehensive laws, consumers need to be given certain choices. What types of choices will vary depending on the jurisdiction. But remember that there are choices that exist outside of these laws.
Choice Under Comprehensive Laws
Sale
Targeted Advertising
Profiling (that creates legal or significantly similar impact)
Sensitive information processing
Opt-in: VA, CO, CT, DE, FL, IN, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX
Opt-out: CA, IA, UT
But Don’t Forget Choice Under Other Laws!
Sending text ads: Opt-in under TCPA, state laws
Sending emails: Opt-out under CAN-SPAM
Biometric gathering: Opt-in under IL law (and others)
And so much more...
Consumer Rights
Under state comprehensive laws, consumers have a variety of rights. These include right of access, correction, deletion, and portability. Specific requirements apply when providing these rights. As you plan for your approach, keep in mind:
Access Right
ALL
Correction
ALL but IA and UT
Deletion
ALL
Portability
ALL
Exceptions
The states where each exception applies are listed below it.
Disproportionate effort
CA
Technically infeasible/impossible
CA, CO, IA, KY, MD, MT, TN, UT
Unable to verify identity
CA, CO, CT, DE, FL, IN, IA, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, UT, VA
Good faith, reasonable belief that request is fraudulent or abusive
CO, CT, DE, IA, MN, MT, NH, NJ, OR, RI, UT
Any conflict with federal or state law
CO
Manifestly unfounded, excessive, or repetitive
CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, RI, TN, TX, UT, VA
Sensitive Information
States have different definitions of what constitutes sensitive information. For example:
Race
CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, UT, VA
Religion
CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, UT, VA
Sexual Orientation
CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, UT, VA
Citizenship/immigration status
CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, UT, VA
Medical history or condition
CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, UT, VA
Biometric data
CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, RI, TN, TX, UT, VA
Transgender or non-binary status
DE, MD, NJ, OR
Specific geo-location data
CA, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, UT, VA
Financial account login, email contents, SSNs
CA, NJ
What is required?
For most, need consent: CO, CT, DE, FL, IN, KY, MD, MN, MT, NH, NJ, OR, RI, TN, TX, VA
Others say give opt out: CA, IA, UT
Profiling
Profiling in general refers to automated processing performed on personal information to evaluate, analyze, or predict personal aspects of a person’s economic situation, behavior, location, and movements. State definitions of “profiling” vary. Businesses that engage in profiling that produces legal or significantly similar outcomes must perform a data protection assessment.
What is "Profiling"?
California: Automated processing of personal information…to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Colorado, Connecticut: Automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Indiana, Florida, Montana: Solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, [health records, Indiana] personal preferences, interests, reliability, behavior, location, or movements.
Delaware, Oregon, Virginia: Automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, [demographic characteristics, Delaware], personal preferences, interests, reliability, behavior, location, or movements.
Tennessee, Texas: Solely automated processing performed on personal information to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Data Protection Assessments
For those organizations that have an obligation to conduct a DPA, what things should they keep in mind? The states where each requirement applies follow it.
Must be documented: All (except IA and UT)
Identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing: All (except IA and UT)
Identify mitigating safeguards: All (except CA, IA and UT)
Use of de-identified data: All (except CA, IA and UT)
Reasonable expectations of consumers: All (except CA, IA and UT)
Context of the processing and the relationship between the controller, consumer, other stakeholders: All (except CA, IA and UT)
Available to the AG upon request: Provide to CPPA (CA), provide to AG (CO)
Provide DPA to AG pursuant to a civil investigative demand or that is relevant to an AG investigation or enforcement: CT, DE, FL, IN, IA, MT, OR, TN, TX, UT, VA
AG may evaluate the DPA for compliance with the law: CO, CT, DE, IN, IA, MT, OR, TN, UT, VA
Does not waive attorney-client privilege: All (except CA, IA and UT)
DPAs are confidential and not open to public inspection: CO, CT, DE, IN, IA, MT, OR, TN, TX, UT, VA
A single DPA may address a comparable set of processing operations that include similar activities: All (except CA, IA and UT)
Record of data protection assessment must be kept for 5 years: Oregon (except IA and UT)
Record of the data protection assessment must be kept for 3 years: Colorado (except IA and UT)
A DPA conducted for the purpose of compliance with any other law or regulation may constitute compliance with the requirements of this section if the assessment has a reasonably comparable scope and effect: All (except CA, IA and UT)
A DPA conducted for the purpose of compliance with any other law or regulation that is not comparable in scope and effect may submit that assessment with a supplement that contains any additional information required by this jurisdiction: Colorado (except IA and UT)
* This list is not exhaustive.
Vendor Contracts
State privacy laws also place obligations on vendors or service providers. When your business is sharing personal information with another entity then there must be certain contract provisions in place.
Requirements of the contract include (the states that apply follow each requirement):
Instruct on how data is to be processed, and the nature and purpose of the processing: CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, UT, VA
Indicate the type of personal data to be processed and duration of the processing: CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, UT, VA
Obligate confidentiality: CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, UT, VA
Obligate the deletion or return of data at the conclusion of processing: CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, VA
Give proof of ongoing legal compliance: CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, VA
Cooperate with assessments and audits: CA, CO, CT, DE, FL, IN, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, VA
Engaging subcontractors requires a written contract: CA, CO, CT, DE, FL, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR*, RI, TN, TX, UT, VA
* Requires a contract but does not specify “written”
Financial Incentives / Loyalty Programs
Businesses sometimes offer incentives in exchange for personal information. This is frequently found in loyalty programs where consumers sign up for discounts or special offers. California also regulates financial incentives. Businesses will have certain obligations if offering a program that is viewed as a financial incentive. These obligations may include notification and consent, among others.
What is a “financial incentive”?
Program, benefit, or other offering, including payments to consumers, for the collection, retention, sale, or sharing of personal information. Price or service differences are types of financial incentives. (CA)
Notice Contents
Summary of price difference, material terms (CA)
How incentive is "reasonably related to value of their data" (CA)
List of partners (CO)
How to opt-in and opt-out (CA)
Categories of PII collected that will be sold or processed for targeted advertising (CO)
Why deleting the information will mean the consumer can no longer participate (explain why, don't just state) (CO)
Right to withdraw (CA)
Categories of third parties that will receive PII (CO)
Why sensitive information is needed for the program benefit (CO)
Record-Keeping
These two checklists can help when thinking about the obligations that exist in these laws on the record-keeping front.
What to Record?
Consumer rights requests (for 24 months in CA, CO)
Deletion requests to ensure data is not sold or used for any other purpose (All except IA and UT)
Opt-out request and response
Date, nature of request, manner request was made, date of response, and basis for denial (CA, CO)
Annual metrics for the number of consumer requests and opt-out requests they’ve received, how they were processed and the results (CA)
What is the Process?
Keep in a readable format (CO)
Use reasonable security procedures and practices
Use retained information only as necessary to review for compliance purposes
Sources: CCPA Regulations; Colorado Privacy Act Regulations
Consumer Rights: keep in mind when handling requests
• Can't make people create an account to verify
• Can deny in good faith if fraudulent
• Process within 15 days
As always, check the laws as in some cases exceptions apply.
Profiling definitions by state (with the source statute or regulations)
California (CCPA Regulations; CCPA Statute): Automated processing of personal information…to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Colorado (Colorado Regulations; Colorado Statute): Automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Connecticut (Connecticut Statute): Automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Delaware (Delaware Statute): Automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, demographic characteristics, personal preferences, interests, reliability, behavior, location, or movements.
Indiana (Indiana Statute): Solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, health records, personal preferences, interests, reliability, behavior, location, or movements.
Florida (Florida Statute): Solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Montana (Montana Statute): Solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Oregon (Oregon Statute): Automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Tennessee (Tennessee Statute): Solely automated processing performed on personal information to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Texas (Texas Statute): Solely automated processing performed on personal information to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Virginia (Virginia Statute): Automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Data Protection Assessments (additional detail)
What To Look At
Identify and weigh the benefits of the processing activity against risks to consumer
Identify mitigating safeguards
Identify if processing sensitive information
Assessment Contents
Summarize processing activity
Categorize information processed, specific types of information processed, and context of processing, etc.
Operational aspects of processing, sources of data, technologies used, operational details (planned uses)
Categorize third parties who get information
Risks to consumers' rights (data security, IP, UDAAP, negative outcomes, etc.)
Safeguard measures
How benefits outweigh risks
Keep records for as long as processing happens and for 3 years after it concludes
Miscellaneous
Assessment should be genuine, thoughtful, involve stakeholders
Will need to submit assessment on a "regular basis" or on request depending on state
Conduct before processing
Update and review
Additional effective dates
July 1, 2025: Tennessee
October 1, 2025: Maryland
January 1, 2026: Indiana, Kentucky, Rhode Island
Additional scope note
Conducts business or produces goods/services in the state; sells or processes personal data; small businesses are exempt: TX, NE
Additional financial incentive notice content
List all third parties to whom the business sells (or may sell) the customers' information (RI)