Summary
Each state-level data privacy law in the United States has its own effective date and compliance thresholds involving operational data processing and/or revenue. We’ve assembled this information for all current US state-level data privacy laws to support data privacy compliance across the US.
The United States does not have a single federal data privacy law. So companies must contend with a patchwork of federal and state-level laws, as well as industry-specific laws, like those regulating healthcare and the financial sector.
While there are similarities among all the US state-level data privacy laws passed to date, each has unique details and requirements regarding when it comes into effect — eight will enter into force in 2025 — and the thresholds that require companies to comply.
We’ve created an easily referenced table to help you determine which state data privacy laws you may need to comply with based on your operations and the states in which your company does business.
| State and regulation | Effective date | Gross revenue threshold (USD) | Consumers whose personal data is processed annually (in state) | Data sale or sharing and/or other thresholds |
| California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) Overview Regulation text | 1 January 2020 | $26.2M | 100,000 | Derives 50% or more of annual revenues from selling or sharing consumers’ personal information |
| Colorado Privacy Act (CPA) Overview Regulation text | 1 July 2023 | N/A | 100,000 | Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 or more consumers |
| Connecticut Data Privacy Act (CTDPA) Overview Regulation text | 1 July 2023 | N/A | 35,000 | Derives more than 25% of gross revenue from sale of personal data and controls or processes personal data of not less than 25,000 consumers |
| Delaware Personal Data Privacy Act (DPDPA) Overview Regulation text | 1 January 2025 | N/A | 35,000 | Derives over 20% of gross revenue from sale of personal data and controls or processes personal data of not less than 10,000 consumers |
| Florida Digital Bill of Rights (FDBR) Overview Regulation text | 1 July 2024 | $1B (Plus one additional threshold) | N/A | Derives at least 50% of gross revenues from the sale of online ads, or operates a smart speaker with integrated virtual assistant, or operates an app store with at least 250,000 available apps |
| Indiana Consumer Data Protection Act (INCDPA) Overview Regulation text | 1 January 2026 | N/A | 100,000 | Derives over 50% of gross revenue from sale of personal data and controls or processes personal data of at least 25,000 consumers |
| Iowa Consumer Data Protection Act (ICDPA) Overview Regulation text | 1 January 2025 | N/A | 100,000 | Derives over 50% of gross revenue from sale of personal data and controls or processes personal data of 25,000 or more consumers |
| Kentucky Consumer Data Protection Act (KCDPA) Overview Regulation text | 1 January 2026 | N/A | 100,000 | Derives over 50% of gross revenue from sale of personal data and controls or processes personal data of at least 25,000 consumers |
| Maryland Online Data Privacy Act (MODPA) Overview Regulation text | 1 October 2025 | N/A | 35,000 | Derives more than 20% of gross revenue from sale of personal data and controls or processes personal data of not less than 10,000 consumers |
| Minnesota Consumer Data Privacy Act (MCDPA) Overview Regulation text | 31 July 2025 | N/A | 100,000 | Derives over 25% of gross revenue from sale of personal data and controls or processes personal data of 25,000 or more consumers |
| Montana Consumer Data Privacy Act (MTCDPA) Overview Regulation text | 1 October 2024 | N/A | 25,000 | Derives more than 25% of gross revenue from sale of personal data and controls or processes personal data of not less than 25,000 consumers |
| Nebraska Data Privacy Act (NDPA) Overview Regulation text | 1 January 2025 | N/A | N/A | Processes or engages in sale of personal data and is not a small business as defined by US Small Business Administration |
| New Hampshire Data Privacy Act (NHDPA) Overview Regulation text | 1 January 2025 | N/A | 35,000 | Derives more than 25% of gross revenue from sale of personal data and controls or processes personal data of not less than 10,000 consumers |
| New Jersey Privacy Act (NJDPA) Overview Regulation text | 15 January 2025 | N/A | 100,000 | Derives revenue or receives a discount on the price of goods or services from the sale of personal data and controls or processes personal data of 25,000 or more consumers |
| Oregon Consumer Privacy Act (OCPA) Overview Regulation text | 1 July 2024 | N/A | 100,000 | Derives 25% or more of annual gross revenue from sale of personal data and controls or processes personal data of 25,000 or more consumers |
| Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) Overview Regulation text | 1 January, 2026 | N/A | 35,000 | Derives more than 20% of gross revenue from sale of personal data and controls or processes personal data of not less than 10,000 customers |
| Tennessee Information Protection Act (TIPA) Overview Regulation text | 1 July 2025 | $25M (Plus one additional threshold) | 175,000 | Derives over 50% of gross revenue from sale of personal data and controls or processes personal data of 25,000 or more consumers |
| Texas Data Privacy and Security Act (TDPSA) Overview Regulation text | 1 July 2024 | N/A | N/A | Processes or engages in sale of personal data and is not a small business as defined by US Small Business Administration |
| Utah Consumer Privacy Act (UCPA) Overview Regulation text | 31 December 2023 | $25M (Plus one additional threshold) | 100,000 | Derives over 50% of gross revenue from sale of personal data and controls or processes personal data of 25,000 or more consumers |
| Virginia Consumer Data Protection Act (VCDPA) Overview Regulation text | 1 January 2023 | N/A | 100,000 | Derives over 50% of gross revenue from sale of personal data and controls or processes personal data of at least 25,000 consumers |
Stay in the loop
Join our growing community of data privacy enthusiasts now. Subscribe to the Usercentrics newsletter and get the latest updates right in your inbox.