Resource Center / Tools and Trackers / US State Privacy Legislation Tracker
US State Privacy Legislation Tracker
This tool tracks comprehensive US state privacy bills to help our members stay informed of the changing state privacy landscape. The tracker only includes bills intended to be comprehensive approaches to governing the use of personal information.
Last Updated: 18 November 2024
Contributor:
Navigate Tracker
State-level momentum for comprehensive privacy bills is at an all-time high. The IAPP Westin Research Center actively tracks the proposed and enacted comprehensive privacy bills from across the U.S. to help our members stay informed of the changing state privacy landscape. This information is compiled into a chart, map and a directory with information specific to states with enacted laws. The IAPP additionally hosts a "US State Privacy topic page, which regularly updates with the latest state privacy news and resources, and a US State AI Governance Legislation Tracker, which tracks US state cross-sectoral laws with direct application to the use of AI systems in the private sector.
If you are aware of a comprehensive bill absent from the tracker, please share it with us at research@iapp.org.
For more information on the IAPP's stance concerning which state privacy laws are considered comprehensive, view the text in the below dropdown.
-
expand_more
Scope of state law tracking
As state privacy legislation grows in number and complexity, questions arise with respect to those bills that occupy the fuzzy gray area between comprehensive and not — namely, Florida's Digital Bill of Rights and Washington state's My Health My Data Act.
As defined in the tracker, a bill is not considered comprehensive if "it does not qualify due to its scope, coverage, rights or purpose."
A bill is narrow in scope if it applies only to a specific set of data types, like financial or health data, or data subjects, like children. A bill is narrow in coverage if its applicability includes only a single industry, like the automotive industry, or if its thresholds apply, in practice, to only a handful of companies. A bill is narrow in rights if it is targeted at providing only one or two consumer data rights, such as deletion or correction.
For further information, this full-length article outlines the IAPP's current stance. The IAPP may adjust this position in the future in light of new information, bills, stakeholders or member feedback. The IAPP will annually reassess its position on the definition of "comprehensive" to best stay current with state legislation trends.
Comprehensive consumer privacy bills
This chart tracks U.S. state comprehensive consumer privacy bills across the legislative process, identifying and mapping out fourteen provisions that commonly appear in comprehensive privacy laws. If a bill includes a provision, an "X" is placed in the corresponding column. The provisions are broken into two categories — consumer rights and business obligations — and are described more fully in the chart. Although many of the proposed bills will fail to become law, comparing the key provisions helps break down how privacy is developing in the U.S.
The chart only includes bills intended to be comprehensive approaches to governing the use of personal information. If a bill does not appear on the chart, it does not qualify due to its scope, coverage or rights. Industry-specific, information-specific and narrowly scoped bills, e.g., data security bills, are not included. The IAPP additionally published an article providing further details on the scope of bills included in this tracker.
Previous versions of this chart are available for 2018-19, 2020, 2021, 2022 and 2023.
State privacy law map
This map tracks the status of statutes and bills that are enacted or in the legislative process.
State privacy law report
This report is limited to comprehensive U.S. state privacy laws enacted as of June 2024.
The US State Comprehensive Privacy Laws Report analyzes the scope, applicability, exemptions, consumer rights, business obligations, rulemaking activities, enforcement duties and key definitions for comprehensive state privacy laws. The report sketches the contours of the nationwide portrait of privacy regulation that has emerged, while highlighting the idiosyncrasies of each state law that constitutes the U.S. privacy regime patchwork. Overall, this report aims to keep privacy professionals informed about all the comprehensive privacy bills that have become law, the rights they offer to consumers and the obligations they require from regulated entities.
This report does not update as frequently as the map, chart and state law directory, and it only includes enacted state comprehensive privacy laws as of the last update.
State privacy law directory and key dates
This section contains information specific to each state with enacted privacy laws, including links to legislation and key dates. Please note that particular dates and deadlines should always be verified.
-
expand_more
Legend of state comprehensive privacy laws
- California: California Consumer Privacy Act, as amended by the California Privacy Rights Act
- California: California Consumer Privacy Act regulations
- Colorado: Colorado Privacy Act
- Colorado: Colorado Privacy Act rules
- Connecticut: Connecticut Data Privacy Act
- Delaware: Delaware Personal Data Privacy Act
- Indiana: Indiana Consumer Data Protection Act
- Iowa: Iowa Consumer Data Protection Act
- Kentucky: Kentucky Consumer Data Protection Act
- Maryland: Maryland Online Data Privacy Act
- Minnesota: Minnesota Consumer Data Privacy Act
- Montana: Montana Consumer Data Privacy Act
- Nebraska: Nebraska Data Privacy Act
- New Hampshire: New Hampshire Senate Bill 255
- New Jersey: New Jersey Senate Bill 332
- Oregon: Oregon Consumer Privacy Act
- Rhode Island: Rhode Island Data Transparency and Privacy Protection Act
- Tennessee: Tennessee Information Protection Act
- Texas: Texas Data Privacy and Security Act
- Utah: Utah Consumer Privacy Act
- Virginia: Virginia Consumer Data Protection Act
-
expand_more
Full timeline of key dates
2018
18 June 2018
- California: CCPA signed into law.
3 Nov. 2020
- California: CPRA approved by a majority of voters.
2020
1 Jan. 2020
- California: CCPA went into effect.
1 July 2020
- California: CCPA went into effect.
2021
2 March 2021
- Virginia: Signed into law.
7 July 2021
- Colorado: Signed into law.
2022
24 March 2022
- Utah: Signed into law.
10 May 2022
- Connecticut: Signed into law.
1 Jan. 2022
- California: CPRA look-back period began.
2023
1 Jan. 2023
- California: CPRA effective date.
- Virginia: Effective date.
29 March 2023
- Iowa: Signed into law.
1 May 2023
- Indiana: Signed into law.
11 May 2023
- Tennessee: Signed into law.
19 May 2023
- Montana: Signed into law.
18 June 2023
- Texas: Signed into law.
1 July 2023
- Colorado, Connecticut: Went into effect.
- Colorado: Data protection assessment requirements apply to processing activities created or generated after this date.
18 July 2023
- Oregon: Signed into law.
11 Sept. 2023
- Delaware: Signed into law.
31 Dec. 2023
- Utah: Went into effect.
2024
16 Jan. 2024
- New Jersey: Signed into law.
6 March 2024
- New Hampshire: Signed into law.
9 Feb. 2024
- California: California Privacy Protection Agency able to enforce updated regulations from the CPRA.
4 April 2024
- Kentucky: Signed into law.
17 April 2024
- Nebraska: Signed into law.
9 May 2024
- Maryland: Signed into law.
24 May 2024
- Minnesota: Signed into law.
25 June 2024
- Rhode Island: Enacted via transmission without signature.
1 July 2024
- Connecticut: Requirement to allow minors or their guardians to unpublish a minor’s social media account went into effect.
- Colorado: Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals went into effect.
- Oregon, Texas: Went into effect.
- New Hampshire, Oregon, Tennessee: Data protection assessment requirements apply to processing activities created or generated after this date.
1 Oct. 2024
- Connecticut: Obligations for data controllers that provide online services, products, or features to minors went into effect.
- Montana: Went into effect.
2025
1 Jan. 2025
- Colorado: Mandatory notice of violation and right to cure period expires.
- Connecticut, Texas: Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.
- Connecticut: Mandatory right to cure period expires. Attorney general has discretion to grant cure period.
- Delaware, Iowa, Nebraska and New Hampshire: Go into effect.
- Montana: Data protection assessment requirements apply to processing activities created or generated after this date.
- Montana, New Hampshire: Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.
- Minnesota: Data protection assessment requirements apply to processing activities created or generated after this date.
- Texas: Authorized agent provisions go into effect.
15 Jan. 2025
- New Jersey: Goes into effect.
1 July 2025
- Colorado: Obligations regarding the collection and processing of biometric data go into effect.
- Delaware: Data protection assessment requirements apply to processing activities created or generated after this date.
- Oregon: Goes into effect date for 501(c)3 tax exempt organizations.
- Tennessee: Goes into effect.
31 July 2025
- Minnesota: Goes into effect.
1 Oct. 2025
- Colorado: Obligations for data controllers that provide online services, products, or features to minors go into effect.
- Maryland: Goes into effect.
- Maryland: Data protection assessment requirements apply to processing activities created or generated after this date.
- Maryland: Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.
31 Dec. 2025
- Delaware, New Hampshire: Mandatory right to cure period expires. Attorneys general have discretion to grant cure period.
- Indiana: Data protection assessment requirements apply to processing activities created or generated after this date.
2026
1 Jan. 2026
- Delaware: Requirement to honor universal opt-out signals goes into effect.
- Indiana, Kentucky, Rhode Island: Go into effect.
- Minnesota: Mandatory right to cure period expires.
- Oregon: Mandatory right to cure period expires. Requirement to allow consumer to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.
- Rhode Island: Data protection assessment requirements apply to processing activities created or generated after this date.
1 April 2026
- Montana: Mandatory right to cure period expires.
1 June 2026
- Kentucky: Data protection assessment requirements apply to processing activities created or generated after this date.
2027
1 April 2027
- Maryland: Optional 60 day right to cure period expires.
2029
31 July 2029:
- Minnesota: Goes into effect for postsecondary institutions regulated by the Minnesota Office of Higher Education.
-
expand_more
California
Comprehensive privacy laws
- California Consumer Privacy Act, as amended by the California Privacy Rights Act
- California Consumer Privacy Act regulations
Key dates
18 June 2018
- CCPA signed into law.
1 Jan. 2020
- CCPA went into effect.
1 July 2020
- CCPA enforced.
1 Jan. 2022
- CPRA look-back period began.
9 Feb. 2024
- California Privacy Protection Agency able to enforce updated regulations from the CPRA.
-
expand_more
Colorado
Comprehensive privacy law
Key dates
7 July 2021
- Signed into law.
1 July 2023
- Went into effect.
- Data protection assessment requirements apply to processing activities created or generated after this date.
1 July 2024
- Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals went into effect.
1 Jan. 2025
- Notice of violation and right to cure period expires.
1 July 2025
- Obligations regarding the collection and processing of biometric data go into effect.
1 Oct. 2025
- Obligations for data controllers that provide online services, products, or features to minors go into effect.
-
expand_more
Connecticut
Comprehensive privacy law
Key dates
10 May 2022
- Signed into law.
1 July 2023
- Went into effect.
1 July 2024
- Requirement to allow minors or their guardians to unpublish a minor’s social media account went into effect.
1 Oct. 2024
- Obligations for data controllers that provide online services, products, or features to minors went into effect.
1 Jan. 2025
- Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.
1 Jan. 2025
- Mandatory right to cure period expires. Attorney general has discretion to grant cure period.
-
expand_more
Delaware
Comprehensive privacy law
Key dates
11 Sept. 2023
- Signed into law.
1 Jan. 2025
- Goes into effect.
1 July 2025
- Data protection assessment requirements apply to processing activities created or generated after this date.
31 Dec. 2025
- Mandatory right to cure period expires. Attorneys general have discretion to grant cure period.
1 Jan. 2026
- Requirement to honor universal opt-out signals goes into effect.
-
expand_more
Indiana
Comprehensive privacy law
Key dates
1 May 2023
- Signed into law.
31 Dec. 2025
- Data protection assessment requirements apply to processing activities created or generated after this date.
1 Jan. 2026
- Goes into effect.
-
expand_more
Iowa
Comprehensive privacy law
Key dates
29 March 2023
- Signed into law.
1 Jan. 2025
- Goes into effect.
-
expand_more
Kentucky
Comprehensive privacy law
Key dates
4 April 2024
- Signed into law.
1 Jan. 2026
- Goes into effect.
1 June 2026
- Data protection assessment requirements apply to processing activities created or generated after this date.
-
expand_more
Maryland
Comprehensive privacy law
Key dates
9 May 2024
- Signed into law.
1 Oct. 2025:
- Goes into effect.
- Data protection assessment requirements apply to processing activities created or generated after this date.
- Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.
1 April 2027
- Optional 60-day right to cure period expires.
-
expand_more
Minnesota
Comprehensive privacy law
Key dates
24 May 2024
- Signed into law.
1 Jan. 2025
- Data protection assessment requirements apply to processing activities created or generated after this date.
31 July 2025
- Goes into effect.
1 Jan. 2026
- Mandatory right to cure period expires.
31 July 2029
- Goes into effect for postsecondary institutions regulated by the Minnesota Office of Higher Education.
-
expand_more
Montana
Comprehensive privacy law
Key dates
19 May 2023
- Signed into law.
1 Jan. 2024
- Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals went into effect.
1 Oct. 2024
- Went into effect.
1 Jan. 2025
- Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.
- Data protection assessment requirements apply to processing activities created or generated after this date.
1 April 2026
- Mandatory right to cure period expires.
-
expand_more
Nebraska
Comprehensive privacy law
Key dates
17 April 2024
- Signed into law.
1 Jan. 2025
- Goes into effect.
-
expand_more
New Hampshire
Comprehensive privacy law
Key dates
6 March 2024
- Signed into law.
1 July 2024
- Data protection assessment requirements apply to processing activities created or generated after this date.
1 Jan. 2025
- Goes into effect.
- Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.
31 Dec. 2025
- Mandatory right to cure period expires. Attorneys general have discretion to grant cure period.
-
expand_more
New Jersey
Comprehensive privacy law
Key dates
16 Jan. 2024
- Signed into law.
15 Jan. 2025
- Goes into effect.
-
expand_more
Oregon
Comprehensive privacy law
Key dates
18 July 2023
- Signed into law.
1 July 2024
- Went into effect.
- Data protection assessment requirements apply to processing activities created or generated after this date.
1 July 2025
- Goes into effect for for 501(c)3 tax exempt organizations.
-
expand_more
Rhode Island
Comprehensive privacy law
Key dates
25 June 2024
- Enacted via transmission without signature.
1 Jan. 2026
- Goes into effect.
- Data protection assessment requirements apply to processing activities created or generated after this date.
-
expand_more
Tennessee
Comprehensive privacy law
Key dates
11 May 2023
- Signed into law.
1 July 2024
- Data protection assessment requirements apply to processing activities created or generated after this date.
1 July 2025
- Goes into effect.
-
expand_more
Texas
Comprehensive privacy law
Key dates
18 June 2023
- Signed into law.
1 July 2024
- Went into effect.
1 Jan. 2025
- Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.
- Authorized agent provisions go into effect.
-
expand_more
Utah
Comprehensive privacy law
Key dates
24 March 2022
- Signed into law.
31 Dec. 2023
- Went into effect.
-
expand_more
Virginia
Comprehensive privacy law
Key dates
2 March 2021
- Signed into law.
1 Jan. 2023
- Went into effect.
-
expand_more
Additional state privacy resources
-
expand_more
Previous contributors to this tracker