US State Privacy Law Tracker
A regularly updated reference of state-level consumer privacy laws across the United States.
Privacy law in the United States does not follow a single federal standard because states set different thresholds, rights, and enforcement structures. This tracker is maintained through a monitored source.
Last reviewed April 2026.
| Statute and review note | Status | Threshold | Enforcement | Private Action | Cure Period | ||
|---|---|---|---|---|---|---|---|
| California | Official statute and regulator materials. Reviewed Apr 2026. | Effective | Jan 1, 2023 | Annual gross revenue over $26.625 million, or buys, sells, or shares the personal information of 100,000 consumers or households, or gets 50% or more of annual revenue from selling or sharing personal information | Attorney General, CPPA | Limited private action for certain data breaches | No general cure period; 30 days for limited breach claims |
| Colorado | Official statute and attorney general materials. Reviewed Apr 2026. | Effective | Jul 1, 2023 | Controls or processes personal data of 100,000 consumers, or 25,000 consumers and gets revenue from selling personal data | Attorney General | No | No automatic cure period after Jan 1, 2025 |
| Connecticut | Official statute and attorney general materials. Reviewed Apr 2026. | Effective | Jul 1, 2023 | Controls or processes personal data of 100,000 consumers, or 25,000 consumers and gets more than 25% of gross revenue from selling personal data; no threshold applies to consumer health data controllers | Attorney General | No | No automatic cure period after Jan 1, 2025 |
| Delaware | Official statute and attorney general materials. Reviewed Apr 2026. | Effective | Jan 1, 2025 | Controls or processes personal data of 35,000 consumers, or 10,000 consumers and gets more than 20% of gross revenue from selling personal data | Attorney General (DOJ) | No | No automatic cure period after Jan 1, 2026 |
| Florida | Official statute and state enforcement materials. Reviewed Apr 2026. | Effective | Jul 1, 2024 | More than $1 billion in global gross annual revenue, plus an ad-tech, smart-speaker, or app-store trigger in the statute | Department of Legal Affairs | No | Not specified |
| Indiana | INPA Official statute and attorney general materials. Reviewed Apr 2026. | Effective | Jan 1, 2026 | Controls or processes personal data of 100,000 consumers, or 25,000 consumers and gets more than 50% of gross revenue from selling personal data | Attorney General | No | 30-day cure period |
| Iowa | ICDPA Official statute and attorney general materials. Reviewed Apr 2026. | Effective | Jan 1, 2025 | Controls or processes personal data of 100,000 consumers, or 25,000 consumers and gets more than 50% of gross revenue from selling personal data | Attorney General | No | 90-day cure period |
| Kentucky | KCDPA Official statute and attorney general materials. Reviewed Apr 2026. | Effective | Jan 1, 2026 | Controls or processes personal data of 100,000 consumers, or 25,000 consumers and gets more than 50% of gross revenue from selling personal data | Attorney General | No | 30-day cure period |
| Maryland | MODPA Official statute and attorney general materials. Reviewed Apr 2026. | Effective | Oct 1, 2025 | Controls or processes personal data of 35,000 consumers, or 10,000 consumers and gets more than 20% of gross revenue from selling personal data | Attorney General (Division of Consumer Protection) | No | 60 days (sunsets Apr 2027) |
| Minnesota | MCDPA Official statute and attorney general materials. Reviewed Apr 2026. | Effective | Jul 31, 2025 | Controls or processes personal data of 100,000 consumers, or 25,000 consumers and gets more than 25% of gross revenue from selling personal data | Attorney General | No | No automatic cure period after Jan 31, 2026 |
| Montana | MCDPA Official statute and attorney general materials. Reviewed Apr 2026. SB 297 revised applicability thresholds effective Oct 1, 2025. | Effective | Oct 1, 2024 | Controls or processes personal data of 25,000 consumers, or 15,000 consumers and gets more than 25% of gross revenue from selling personal data | Attorney General | No | No automatic cure period after Apr 1, 2026 |
| Nebraska | NDPA Official statute and attorney general materials. Reviewed Apr 2026. | Effective | Jan 1, 2025 | Conducts business in Nebraska or targets Nebraska residents, processes or sells personal data, and is not a small business | Attorney General | No | 30-day cure period |
| New Hampshire | NHPA Official statute and attorney general materials. Reviewed Apr 2026. | Effective | Jan 1, 2025 | Controls or processes personal data of 35,000 consumers, or 10,000 consumers and gets more than 25% of gross revenue from selling personal data | Attorney General | No | 60-day cure period |
| New Jersey | NJDPA Official statute and regulator materials. Reviewed Apr 2026. | Effective | Jan 15, 2025 | Controls or processes personal data of 100,000 consumers, or 25,000 consumers and gets revenue or a discount from selling personal data | Attorney General (Division of Consumer Affairs) | No | 30 days (through Jul 15, 2026) |
| Oklahoma | Official bill history and bill summaries. Reviewed Apr 2026. Signed Mar 20, 2026. Effective Jan 1, 2027. | Enacted | Jan 1, 2027 | Controls or processes personal data of 100,000 consumers, or 25,000 consumers and gets more than 50% of gross revenue from selling personal data | Attorney General | No | 30-day cure period |
| Oregon | OCPA Official statute and attorney general materials. Reviewed Apr 2026. | Effective | Jul 1, 2024 | Controls or processes personal data of 100,000 consumers, or 25,000 consumers and gets 25% or more of gross revenue from selling personal data | Attorney General | No | No automatic cure period after Jan 1, 2026 |
| Tennessee | TIPA Official statute and attorney general materials. Reviewed Apr 2026. | Effective | Jul 1, 2025 | Annual revenue over $25 million, and controls or processes personal information of 175,000 consumers, or 25,000 consumers and gets more than 50% of gross revenue from selling personal information | Attorney General | No | 60-day cure period |
| Texas | Official statute and attorney general materials. Reviewed Apr 2026. | Effective | Jul 1, 2024 | Conducts business in Texas or targets Texas residents, processes personal data, and is not a small business under SBA standards | Attorney General | No | 30-day cure period |
| Utah | UCPA Official statute and attorney general materials. Reviewed Apr 2026. | Effective | Dec 31, 2023 | Annual revenue of $25 million or more, and controls or processes personal data of 100,000 consumers, or 25,000 consumers and gets more than 50% of gross revenue from selling personal data | Attorney General | No | 30-day cure period |
| Virginia | VCDPA Official statute and attorney general materials. Reviewed Apr 2026. | Effective | Jan 1, 2023 | Controls or processes personal data of 100,000 consumers, or 25,000 consumers and gets more than 50% of gross revenue from selling personal data | Attorney General | No | 30-day cure period |
Showing 20 of 20 tracked laws
How this tracker maps to your Privacy Policy
Most state requirements are handled inside your main Privacy Policy language. Separate standalone state notices are generated only when needed by the current workflow.
- Separate notice outputs currently cover California Notice at Collection and Washington consumer health data notice scenarios.
- Other tracked state rows still matter because they drive disclosure, rights, and opt-out language inside the main Privacy Policy and cookie/privacy workflows.
- The tracker is a legal-monitoring reference, not a promise that every state gets its own standalone notice page.
Additional Disclosure and Notice Laws
Not every privacy law fits neatly into the omnibus-state table above. Some laws change how a privacy page is posted, how targeted advertising choices are described, or when a separate notice has to be published alongside the main Privacy Policy. These laws are often where online businesses miss the page-level details.
CPRA
The CPRA adds California duties around sharing, sensitive personal information, retention, correction, and privacy choices.
CalOPPA
CalOPPA requires a conspicuously posted website privacy policy, Do Not Track disclosure, and clear website disclosures.
Nevada Online Privacy Notice Law
Nevada requires a public notice and a sale opt out path for covered operators.
Washington My Health My Data Act
Washington can require a separate consumer health data notice and a prominent homepage link.
Recent state privacy guides
These guides reflect the latest state level changes that can alter privacy policy drafting, opt out paths, and rights workflows for online businesses.
Florida Digital Bill of Rights
Florida applies to a narrow set of large controllers, and the page has to match the rights workflow when it does apply.
Texas Data Privacy and Security Act
Texas can require specific notice text and a clear opt out path when data sales, targeted advertising, or sensitive data are in scope.
Colorado Privacy Act
Colorado requires a clear opt out path for targeted advertising and recognition of universal opt out signals.
Connecticut Data Privacy Act
Connecticut matters when a product involves AI training, minors, or location data.
Delaware Personal Data Privacy Act
Delaware can make one privacy page carry older website disclosures and newer omnibus-law rights disclosures.
Oklahoma Computer Data Privacy Act
Oklahoma signed a comprehensive privacy law in March 2026, and covered businesses have until January 1, 2027 to prepare.
Washington My Health My Data Act
Washington can require a separate consumer health data notice and a prominent homepage link.