Comparing State Privacy Laws

Staying on top of the ever-evolving landscape of state privacy laws continues to get more challenging. Legislatures across the country have debated their own versions of a privacy law. To date, the following states have passed a law:

• California (California Privacy Rights Act)
• Utah (Utah Consumer Privacy Act)
• Colorado (Colorado Privacy Act)
• Virginia (Virginia Consumer Data Protection Act)
• Connecticut (Connecticut Data Privacy Act)
• Iowa (Iowa Privacy Bill)
• Indiana (Indiana Privacy Bill)
• Montana (Montana Consumer Data Privacy Act)
• Tennessee (Tennessee Information Protection Act)
• Delaware (Delaware Personal Data Privacy Act)
• Texas (Texas Data Privacy and Security Act)
• Oregon (Oregon Consumer Privacy Act)
• New Jersey (New Jersey Privacy Bill)
• New Hampshire (New Hampshire Privacy Bill)
• Kentucky (Kentucky Consumer Data Privacy Act)
• Nebraska (Nebraska Data Privacy Act)
• Maryland (Maryland Online Data Privacy Act)
• Minnesota (Minnesota Consumer Data Privacy Act)
• Rhode Island (Rhode Island Data Transparency and Privacy Protection Act)

The state laws that are on the books are not carbon copies of each other. There are significant differences involving cure times, private right of action, applicability thresholds, and more. To help you better understand your organization’s obligations and risks in each state, we are providing this side-by-side comparison of the laws.

Effective dates

State	Effective data
California	Operative January 1, 2023, Enforceable July 1, 2023
Colorado	July 1, 2023
Connecticut	July 1, 2023
Delaware	January 1, 2025
Indiana	January 1, 2026
Iowa	January 1, 2025
Kentucky	January 1, 2026
Maryland	October 1, 2025
Minnesota	July 31, 2025
Montana	October 1, 2024
Nebraska	January 1, 2025
New Hampshire	January 1, 2025
New Jersey	January 16, 2025
Oregon	July 1, 2024
Rhode Island	January 1, 2026
Tennessee	July 1, 2025
Texas	July 1, 2024
Utah	December 31, 2023
Virginia	January 1, 2023

Fines

State	Fines
California	$2,500-$7,500 per violation
Colorado	Up to $20,000 per violation
Connecticut	Up to $5,000 per violation
Delaware	Not specified
Indiana	Up to $7,500 per violation
Iowa	Up to $7,500 per violation
Kentucky	Up to $7,500 per violation
Maryland	Not specified
Minnesota	Up to $7,500 per violation
Montana	Not specified
Nebraska	Up to $7,500 per violation
New Hampshire	Not specified
New Jersey	Not specified
Oregon	Up to $7,500 per violation
Rhode Island	Not specified
Tennessee	Up to $15,000 per violation
Texas	Up to $7,500 per violation
Utah	Up to $7,500 per violation
Virginia	Up to $7,500 per violation

Cure Period

A cure period is the amount of time to remedy a violation after its discovery before a fine is issued. California is the only state without a cure period, increasing the risk of a fine.

State	Cure Period
California	No right to cure
Colorado	60 days (expires in 2025)
Connecticut	60 days (expires in 2025)
Delaware	60 days (expires December 31, 2025)
Indiana	30 days
Iowa	90 days
Kentucky	30 days
Maryland	60 days (expires on April 1, 2027)
Minnesota	30 days (expires January 1, 2026)
Montana	60 days (expires in 2026)
Nebraska	30 days
New Hampshire	60 days (expires December 31, 2025)
New Jersey	30 days (expires in July 2026)
Oregon	30 days (expires January 1, 2026)
Rhode Island	No right to cure
Tennessee	60 days
Texas	30 days
Utah	30 days
Virginia	30 days

Applicability Thresholds

The thresholds that determine if the privacy laws apply to your organization vary by state.

State	Applicability Thresholds
California	Has annual revenue of $25 million or more Controls or possesses the data of 100,000 or more California residents Derives 50% or more of its revenue from the sale of personal data
Colorado	Controls or possesses the data of 100,000 or more Colorado residents Derives any revenue from the sale of data for 25,000 or more Colorado residents
Connecticut	Controls or possesses the data of 100,000 or more Connecticut residents Derives 25% of its revenue from the sale of data for 25,000 or more Connecticut residents
Delaware	Controlled or processed the personal data of not less than 35,000 Delaware residents. Controlled or processed the personal data of not less than 10,000 Delaware residents and derived more than 20% of their gross revenue from the sale of personal data.
Indiana	Controls or process personal data on at least 100,000 consumers (Indiana residents) Derives more than 50% of their revenue from selling the data of 25,000 consumers
Iowa	Controls or process personal data on at least 100,000 consumers (Iowa residents) Derives more than 50% of their revenue from selling the data of 25,000 consumers
Kentucky	Controls or process personal data on at least 100,000 Kentucky consumers Control or process the personal data of 25,000 or more consumers and derive more than 50% of their gross revenue from the sale of personal data
Maryland	Controls or processes personal data on at least 35,000 consumers, excluding data for the sole purpose of completing payment transactions Controls or processes the data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data
Minnesota	Controls or processes the data of at least 100,000 consumers, excluding data for the sole purpose of completing payment transactions Controls or processes the data of at least 25,000 consumers and derived more than 25% of its gross revenue from the sale of personal data
Montana	Controls or process personal data on at least 50,000 consumers (Montana residents) Derives more than 25% of their revenue from selling the data of 25,00 consumers
Nebraska	Conducts business in Nebraska or produces a product or service consumed by Nebraska residents Processes or engages in the sale of personal data Is not a small business as determined under the federal Small Business Act
New Hampshire	Control or process the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction Control or process the personal data of not less than 10,000 unique consumers and derive more than 25% of their gross revenue from the sale of personal data
New Jersey	Control or process the personal data of 100,000 or more New Jersey consumers (excluding data used solely to complete a payment transaction) Control or process the personal data of 25,000 or more New Jersey consumers and derive revenue or receive a discount on the price of any good or service from the sale of data.
Oregon	Controls or processes the personal data of not less than 100,000 Oregon residents. Controlled or processed the personal data of not less than 25,000 residents and derived more than 25% of their gross revenue from the sale of personal data.
Rhode Island	Control or process the personal data of 35,000 or more Rhode Island consumers (excluding data used solely to complete a payment transaction)/li> Control or process the personal data of 10,000 or more consumers and derive more than 20% of their gross revenue from the sale of personal data.
Tennessee	Controls or process personal data on at least 100,000 consumers (Tennessee residents) Derives more than 50% of their revenue from selling the data of 25,000 consumers
Texas	Conducts business in Texas or produce a product or service consumed by Texas residents.
Utah	Has more than $25 million in annual revenue and meets one or more of the following criteria: Controls or possesses the data of 100,000 or more Utah residents Derives 50% or more of its revenue from the sale of data for more than 25,000 Utah residents
Virginia	Controls or possesses the data of 100,000 or more Virginia residents Derives 50% or more of its revenue from the sale of data for more than 25,000 Virginia residents

Exemptions

There are some key exemptions that apply to state privacy laws, most notably for the Gramm-Leach-Biley-Act (GLBA) and HIPAA. For all existing state laws, data that is covered under GLBA or HIPAA is exempt. In certain cases, an entire entity that falls under the GLBA or HIPAA umbrella is exempt.

State	GLBA	HIPAA
California	Data	Data
Colorado	Data & Entity	Data
Connecticut	Data & Entity	Data & Entity
Delaware	Data & Entity	Data
Indiana	Data & Entity	Data & Entity
Iowa	Data & Entity	Data & Entity
Kentucky	Data & Entity	Data & Entity
Maryland	Data & Entity	Data & Entity
Minnesota	Data	Data
Montana	Data & Entity	Data & Entity
Nebraska	Data & Entity	Data & Entity
New Hampshire	Data & Entity	Data & Entity
New Jersey	Data & Entity	Data
Oregon	Data	Data
Rhode Island	Data & Entity	Data & Entity
Tennessee	Data & Entity	Data & Entity
Texas	Data & Entity	Data & Entity
Utah	Data & Entity	Data & Entity
Virginia	Data & Entity	Data & Entity

Sale Definitions and Opt-out Considerations

What is considered a “sale” of data varies between the states. States with a broad definition consider the exchange of monetary or other valuable consideration a “sale.” States with a traditional definition consider a “sale” to be the exchange of data for money.

In each state, organizations must allow people to opt out of targeted advertising. In California, organizations must also provide the option to opt out of having their data shared.

State	Sale Definition	Opt-out
California	Broad	Sale and Sharing
Colorado	Broad	Sale and Targeted Advertising
Connecticut	Broad	Sale and Targeted Advertising
Delaware	Traditional	Sale and Targeted Advertising
Indiana	Traditional	Sale and Targeted Advertising
Iowa	Traditional	Sale and Targeted Advertising
Kentucky	Traditional	Sale and Targeted Advertising
Maryland	Traditional	Sale and Targeted Advertising
Minnesota	Traditional	Sale and Targeted Advertising
Montana	Traditional	Sale and Targeted Advertising
Nebraska	Traditional	Sale and Targeted Advertising
New Hampshire	Traditional	Sale and Targeted Advertising
New Jersey	Broad	Sale and Targeted Advertising
Oregon	Traditional	Sale and Targeted Advertising
Rhode Island	Traditional	Sale and Targeted Advertising
Tennessee	Traditional	Sale and Targeted Advertising
Texas	Traditional	Sale and Targeted Advertising
Utah	Traditional	Sale and Targeted Advertising
Virginia	Traditional	Sale and Targeted Advertising

Other California Considerations

The CPRA does not exempt business-to-business or employee data, the other state laws do.

Also included in the CPRA is the private right of action which authorizes consumers to file lawsuits for breaches. Damages from a private right of action suite can range from $100-$750 per consumer per incident. Breaches often include hundreds or thousands of personal records, so the private right of action exposes organizations to large financial risks.

For a more in-depth exploration of state privacy laws watch our Current State of Privacy Laws webinar.

CompliancePoint has a team of privacy professionals that can help your organization stay in compliance with all state laws and avoid risk. Contact us today at connect@compliancepoint.com to learn more about how we can help you.