U.S. state data privacy laws: What you need to know

Updated with information on new privacy laws in Louisiana and Vermont.

Table of Contents

    Spy on Any Website

    Get traffic data and keyword intel on competitors instantly.

    Updated with information on new privacy laws in Louisiana and Vermont.

    Data privacy regulation is an issue with broad, national bipartisan support. Red states like Texas and Tennessee, and Blue states like California and Colorado, are among the many states that now have laws governing the handling of consumers’ personal information. Despite this, Congress has failed to pass a much-needed national law.

    Each one of those laws is a different headache for marketers to deal with. These laws have some similarities. They give consumers the right to access, delete, and opt out of the sale of their personal information (PI). However, there are also important differences in their scope, definitions, and requirements. 

    Even so, as more states adopt these laws, some may adopt data protections that differ widely from those already in place. Pity the poor MOps people who must deal with that.

    Here is a list of state data privacy laws currently in effect, followed by a list of states whose data laws are not yet in effect. They include brief descriptions of who they apply to and the requirements for each. We are not lawyers, so please carefully review each state’s law to ensure compliance when operating in those jurisdictions.

    States with data privacy laws in effect

    STATELAWWENT INTO EFFECT
    CaliforniaCalifornia Consumer Privacy Act1/1/2020
    VirginiaVirginia Consumer Data Protection Act1/1/2023
    ColoradoColorado Privacy Act7/1/2023
    ConnecticutConnecticut Data Privacy Act 7/1/2023
    UtahUtah Consumer Privacy Act 12/31/2023
    Oregon Oregon Consumer Privacy Act7/1/2024
    MontanaMontana Consumer Data Privacy Act10/1/2024
    IowaIowa Consumer Data Protection Act1/1/2025
    DelawareDelaware Personal Data Privacy Act1/1/2025
    New HampshireNew Hampshire Consumer Data Protection Act1/1/2025
    TexasTexas Data Privacy and Security Act1/1/2025
    New JerseyNew Jersey Consumer Data Privacy Act1/16/2025
    MinnesotaMinnesota Consumer Data Privacy Act6/24/2025
    TennesseeTennessee Data Protection Act7/1/2025
    MarylandMaryland Online Data Privacy Act10/1/2025
    NebraskaNebraska Data Privacy Act10/1/2025
    IndianaIndiana Consumer Data Protection Act1/1/2026
    KentuckyKentucky Consumer Data Protection Act1/1/2026
    Rhode IslandRhode Island Data Transparency and Privacy Protection Act1/1/2026

    California Consumer Privacy Act  

    Businesses it applies to:

    • Annual gross revenue of at least $25 million in the preceding calendar year.
    • Buy, sell, or share PI of 100,000+ consumers or households.
    • Gets 50%+ of annual revenues from selling or sharing consumers’ PI.

    Requires businesses to: 

    • Let consumers opt out of PI sales.
    • Let consumers limit the processing of sensitive PI.
    • Implement data minimization and purpose limitation principles.
    • Provide consumers with a privacy notice.
    • Ensure that your service providers comply with the law.
    • Establish a data retention period.

    California’s Delete Request and Opt-Out Platform

    California’s Delete Request and Opt-Out Platform (DROP) — a first-of-its-kind statewide system — officially launched on January 1, 2026, allowing residents to submit a single request to have their personal information deleted from more than 500 registered data brokers at once. Under the state’s Delete Act, data brokers will be required to begin processing these deletion requests by August 1, 2026, and must regularly check the DROP system, which could reduce the amount of personal data circulating online and curb spam, scam contacts, and unauthorized profiling. The platform operationalizes California’s expanding privacy protections by centralizing and simplifying what was once a fragmented and time-consuming deletion process, forcing data brokers to overhaul their handling of consumer information or face compliance challenges.

    10X your SEO with Semrush for Enterprise.

    The world’s most powerful SEO platform, purpose-built for Enterprise.

    Request demo

    Virginia Consumer Data Protection Act

    Applies to businesses that:

    • Control or process PI of at least 100,000 Virginia residents, or
    • Control or process PI of at least 25,000 Virginia consumers and derive 50%+ of gross revenue from the sale of PI in a calendar year.

    Requires businesses to:

    • Allow consumers to opt out of the sale of PI.
    • Provide consumers with a privacy notice.
    • Have data processing agreements in place with your data processors.
    • Conduct a Privacy Impact Assessment of processing activities.

    Collection of data about consumers’ reproductive or sexual health prohibited

    The Act now prohibits the collection, disclosure, sale, or dissemination of consumers’ reproductive or sexual health information without consent. 

    The updated law has a broad definition of “reproductive or sexual health information,” which includes any “information relating to the past, present, or future reproductive or sexual health of an individual” connected with a consumer transaction. 

    The act covers:

    • Efforts to find or access information, services, or supplies related to reproductive or sexual health
    • Use or purchase of birth control, contraceptives, or medications related to reproductive health, including abortion pills
    • Health details such as diagnoses, STDs, pregnancy status, menstruation, ovulation, sexual activity, ability to conceive, or unprotected sex
    • Treatments or surgeries related to reproductive or sexual health, including abortions
    • Bodily functions, symptoms, or measurements linked to menstruation or pregnancy, like hormone levels, cramps, discharge, or body temperature
    • Any reproductive or sexual health information that’s inferred or predicted from unrelated data, like algorithmic or proxy-based insights

    Colorado Privacy Act

    Applies to businesses that:

    • Have 100,000 Colorado consumers+ during a year, or
    • Have 25,000+ Colorado consumers and generate revenue from the sale of PI, potentially through a discount on goods or services.

    Requires businesses to: 

    • Provide consumers with ways to opt out of the sales of PI, targeted advertising, and profiling.
    • Provide consumers with a privacy notice.
    • Conduct a data protection impact assessment where there is a risk to consumers.

    Connecticut Data Privacy Act

    Applies to businesses that:

    • Process data collected from 35,000 (down from 100,000) Connecticut consumers, excluding PI, controlled or processed solely to complete a payment transaction, or
    • Process the data of 25,000+ Connecticut consumers and derive at least 25% of their gross revenue from selling PI.

    NEW threshold activities that are not subject to any numerical minimums:

    • Controlling or processing Connecticut residents’ sensitive data (excluding personal data controlled or processed solely for the purpose of completing a payment transaction).
    • Offering Connecticut residents’ personal data for sale in trade or commerce.

    Requires businesses to: 

    • Allow consumers to opt out of the processing of sensitive PI.
    • Collect and process only the minimum amount of data necessary.
    • Provide consumers with a privacy notice.
    • Conduct data protection assessments where the processing may pose a risk.

    NEW rights/opt-outs and privacy notice requirements

    • Rights related to derived/inferred data and profiling: The updated law expands access to include inferences about the individual derived from personal data and whether the personal data is being used for profiling to make a decision that produces legal or similarly significant effects about the consumer. Consumers now have the right to contest profiling decisions.
    • Disclosure of large language model training: Companies must disclose whether they collect, use or sell personal data for the purpose of training large language models.

    Increased protections for minors

    • A company cannot process the personal data of anyone it actually knows or willfully disregards is a minor (defined as under 18) unless the processing is reasonably necessary for the company’s service. And even if that standard is met, the law requires that minors’ data only be processed for the purpose disclosed at the time of collection and only for as long as is reasonably necessary. Controllers also cannot collect precise geolocation data from minors unless the data is strictly necessary for the service and the company indicates this at the time of collection.
    • Bans on targeted advertising and personal data sales: Companies are prohibited from processing minors’ personal data for targeted advertising or selling minors’ personal data. These are outright bans that cannot be circumvented, for example, by obtaining (parental) consent to process minors’ data in these ways.

    Utah Consumer Privacy Act

    Applies to businesses that:

    • Have annual revenue of $25 million+, and
    • Control or process the PI of 100,000+ Utah residents over a calendar year, and/or
    • Derive 50%+ of gross revenue from the sale of PI and/or
    • Control or process the PI of 25,000+ Utah residents.

    Requires businesses to:

    • Provide consumers with mechanisms to opt out of the sale of PI or from targeted advertising.
    • Have processing agreements in place.
    • Provide consumers with a privacy notice.

    Oregon Consumer Privacy Act

    Applies to businesses that:

    • Control or process PI of 100,000+ Oregon consumers, or
    • Control or process the PIs of 25,000+ Oregon consumers and derive 25%+ of gross revenue by selling the data.

    Requires businesses to:

    • Provide access to, and correct, delete, and receive PI.
    • Provide a list of the “specific third parties” to whom a controller discloses PI.
    • Right to request the deletion of “derived data.”
    • Obtain consent to process sensitive data.
    • Obtain affirmative consent to profile adolescent data.
    • Let consumers opt out of targeted advertising, data sales, and significant profiling decisions.
    • Provide a privacy notice to consumers.

    Montana Consumer Data Privacy Act

    Applies to businesses that:

    • Control or process the PI of at least 25,000 (down from 50,000) Montana residents, or
    • Control or process the PI of at least 15,000 (down from 25,000) Montana consumers and derive more than 25% (down from 50%) of their gross revenue from the sale of personal data.

    Requires businesses to:

    • Respond to consumers’ requests.
    • Enable consumers to opt out of data sales.
    • Recognize universal opt-out mechanisms.
    • Serve consumers with a privacy notice and a privacy policy.
    • Obtain explicit consent before collecting sensitive data.
    • Conduct data protection impact assessments for processing sensitive data, selling data, or using data for targeted advertising and/or profiling.

    Additional rights/opt-outs and privacy notice requirements

    • If a company sells or processes personal data for targeted advertising, it must disclose this in its privacy notice and provide consumers with the ability to opt out.
    • Additional privacy requirements include requiring companies to provide a privacy notice in each language in which they provide products and services, and in a manner that is reasonably accessible and usable to individuals with disabilities.

    Enforcement powers and penalties: The Montana attorney general can now issue civil investigative demands and is no longer required to offer an opportunity to cure before bringing an enforcement action. There is now a penalty of up to $7,500 per violation.

    Increased protections for minors

    • Applies to any company that offers an online service, product, or feature to a consumer, the controller actually knows, or willfully disregards, is a minor (defined as under 18).
    • Companies are required to use “reasonable care” to avoid a “heightened risk of harm to minors.” The updates do not constitute an age-verification requirement, but they do impose additional consent requirements and data-use restrictions for minors. Additionally, if there is a heightened risk of harm to minors, the company must also conduct a data protection assessment.

    Iowa Data Privacy Act

    Applies to businesses that:

    • Control or process the PI of 100,000+ Iowa consumers, or
    • Control or process the PI of 25,000+ Iowa consumers and derive 50%+  of gross revenue by selling the data.

    Requires businesses to:

    • Limit data processing to specified purposes.
    • Provide consumers with a privacy notice.
    • Allow consumers to opt out of the sale of PI.
    • Respond to consumer requests for access, deletion, portability, opt-out, and others
    • Have written contracts with service providers.
    • Ensure that data is safe.

    Texas Data Privacy and Security Act

    Applies to businesses that:

    • Process of engaging in the sale of PI, and
    • Are not excluded as a small business, according to the Small Business Administration.

    Requires businesses to:

    • Allow opting out of the sale of PI.
    • Honor consumer requests.
    • Obtain explicit consent for the processing of sensitive data.
    • Conduct data protection impact assessments.
    • Have written contracts with service providers.

    Delaware Personal Data Privacy Act

    Applies to businesses that:

    • Control or process PI of 35,000 Delaware consumers, or
    • Derive 20%+ of revenue from selling data of 10,000 Delaware consumers.

    Requires businesses to:

    • Limit the collection of PI to what is adequate, relevant, and reasonably necessary.
    • Obtain consent to process sensitive data.
    • Honor consumer requests.
    • Allow consumers to opt out of processing through an opt-out preference signal.
    • Provide a privacy notice to consumers.
    • Conduct data protection assessments.
    Unlock your $1M+ organic growth engine.

    Everything enterprise teams need to grow visibility across search and AI.

    Learn more

    New Hampshire Consumer Data Privacy Act

    Applies to businesses that:

    • Control or process PI of at least 35,000 unique consumers, excluding PI controlled or processed solely to complete a payment transaction; or
    • Control or process PI of at least 10,000 unique consumers and derive 25%+ of gross revenue from the sale of PI.

    Requires businesses to:

    • Provide consumers with the same privacy protections as in other states.

    New Jersey Consumer Data Privacy Act

    Applies to businesses that:

    • Control or process the PI of 100,000+ New Jersey consumers, excluding data processed solely to complete a payment transaction; or
    • Control or process the PI of 25,000+ New Jersey consumers, and the controller derives revenue or receives a discount on the price of any goods or services from the sale of PI.

    Requires businesses to:

    • Collect only the minimum amount of data necessary for processing purposes and process it for adequate purposes;
    • Collect consent for the processing of sensitive or children’s data and provide mechanisms for revoking consent;
    • Obtain consent for processing the data of a child for purposes of targeted advertising, the sale of the consumer’s PI, or profiling, where the controller has actual knowledge or willfully disregards that the consumer is at least 13 years of age but younger than 17 years of age;
    • Inform consumers about the processing, including its purposes.
    • Implement administrative, technical, and physical data security measures;
    • Conduct a data protection impact assessment where necessary, 
    • Ensure they have written agreements with service providers for data processing.
    • Confirm whether a controller processes the consumer’s PI and accesses such PI, trade secrets excluded;
    • Correct inaccuracies in PI on request.
    • Delete PI on request.
    • Data portability.
    • Let consumers opt out of processing PI for targeted advertising or for the sale of data.

    Minnesota Data Privacy Act

    Applies to businesses that:

    • Control or process PI of at least 100,000 unique Minnesota consumers; or
    • Control or process personal data of 25,000 unique Minnesota consumers and derive over 25% of gross revenue from the sale of PI.

    Requires businesses to:

    • Let consumers opt out of processing PI for targeted advertising or for the sale of data. is processing and providing access to someone’s data, unless confirming and granting access would require the company to reveal a trade secret.
    • Correct inaccuracies in personal data when requested.
    • Delete personal data when requested.
    • Provide a copy of the personal data processed by the company, in an accessible format, upon request.
    • Let consumers opt out of processing PI for targeted advertising or for the sale of data.
    • Provide a list of third parties to whom the company has disclosed the personal data.

    Tennessee Information Protection Act

    Applies to businesses that:

    • Exceeds $25 million in annual revenue, and
      Control or process PI of 175,000+ Tennessee consumers, and/or
    • Control or process the PI of 25,000+ Tennessee consumers and derive at least 50% of gross revenue from selling the data.

    Requires businesses to:

    • Provide consumers with a privacy notice and a privacy policy.
    • Honor consumer requests to know, access, delete, and others.
    • Process the data only for the purposes for which it was collected.
    • Allow consumers to opt out of the sale of their data.
    • Have written contracts with service providers.

    Maryland Online Data Privacy Act

    Bans the sale of personal data. Companies can only collect, process, or share personal data that is “strictly necessary to provide or maintain a specific product or service requested by the consumer.”

    Applies to businesses that:

    • Process the data of 35,000+ consumers, or
    • Process data for 10,000+ consumers and derive 20%+ of its revenue from data sales.

    Require businesses to:

    • Allow consumers to
      • Know what PI is being used.
      • Access PI being used.
      • Delete PI being used.
      • Opt out of the sale of data or processing for targeted advertising or profiling.

    Nebraska Data Privacy Act 

    Applies to businesses that:

    • Process of engaging in the sale of PI, and
    • Are not excluded as a small business, according to the Small Business Administration.

    Requires businesses to:

    • Allow consumers to
      • Know what PI is being used.
      • Access PI is being used.
      • Delete PI is being used.
      • Opt out of the sale or processing of data for targeted advertising.
    • Implement technical and organizational safeguards to protect the data.
    • Respond to consumer requests promptly

    Indiana Data Privacy Law

    Applies to businesses that:

    • Control or process the PI of 100,000+ Indiana consumers, or
    • Control or process the PI of 25,000+ Indiana consumers and derive 50%+ of gross revenue by selling the data.

    Requires businesses to:

    • Allow consumers to opt out of the sale of PI.
    • Provide consumers with a comprehensive privacy notice.
    • Conduct a data impact assessment in the case of targeted advertising.
    • Limit data processing to the intended purposes.
    • Obtain explicit consent for the processing of sensitive PI.

    Kentucky Consumer Data Protection Act

    Applies to businesses that:

    • Process the data of 100,000+ Kentucky residents, or
    • Process the data of 25,000+ Kentucky residents and derive 50%+ of profits from the sale of PI.

    Requires businesses to:

    • Allow consumers to
      • Know what PI is being used.
      • Access PI is being used.
      • Delete PI is being used.
      • Opt out of the sale of data or processing for targeted advertising.
    • Implement technical and organizational safeguards to protect the data.
    • Respond to consumer requests promptly.
    • Conduct data protection impact assessments for high-risk processing.

    Rhode Island Data Transparency and Privacy Protection Act

    Applies to businesses that:

    • Conduct business in Rhode Island or produce products or services targeted to the residents of Rhode Island
    • “Control or process” the personal data of at least 35,000 Rhode Island residents or 10,000 Rhode Island residents and derive over 20% of gross revenue from the sale of personal data.

    Requires businesses to:

    • Clearly explain what data is collected, why it is processed, and to whom it is shared or sold.
    • Establish mechanisms for consumers to access, correct, delete, or obtain a copy of their personal data.
    • Obtain consent before processing “sensitive” data and allow opt-outs for targeted advertising and data sales.
    • Conduct and document assessments for high-risk data processing activities, including profiling and targeted advertising.
    • Implement reasonable administrative, technical, and physical safeguards to secure personal data.
    • Ensure contracts with processors include specific, compliant provisions regarding data handling and confidentiality.

    Violations can result in penalties of up to $10,000 per violation.

    States whose data privacy laws are not yet in effect:

    Oklahoma Data Protection Act

    Applies to businesses that:

    Conduct business in Oklahoma or produce products or services targeted at residents, provided the business meets one of the following thresholds during a calendar year:

    • It controls or processes the personal data of at least 100,000 Oklahoma consumers; or
    • It controls or processes the personal data of at least 25,000 Oklahoma consumers and derives more than 50% of gross revenue from the sale of personal data.

    Requires businesses to:

    • Provide a clear, accessible privacy policy detailing the categories of personal data processed, the purposes for processing, and the third parties with whom data is shared.
    • Provide a clear, conspicuous method for consumers to opt out of the sale of their personal data or its use for targeted advertising.
    • Conduct and document data protection assessments for high-risk activities, including targeted advertising, profiling, and the sale of personal data.
    • Limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes.
    • Respond to consumer requests (e.g., access, delete, correct) within 45 days, with a 30-day “right to cure” period provided before enforcement actions.
    • Obtain affirmative consent before processing sensitive data.

    Goes into effect January 1, 2027

    Alabama Personal Data Protection Act 

    Applies to businesses that:

    • Conduct business in Alabama or produce products or services that target Alabama residents, and either
      • Process or control the personal data of more than 25,000 residents, excluding personal data processed or controlled solely for the purpose of completing a payment transaction;
      • Or derive over 25% of their gross revenue from the sale of personal data, regardless of the number of consumers.

    Requires businesses to:

    • Provide clear, accessible privacy policies detailing what data is processed, why it is processed, and what is shared with third parties.
    • Establish mechanisms for consumers to access, delete, and correct their personal data.
    • Allow consumers to opt out of the sale of their personal data, targeted advertising, and profiling.
    • Collect only the data that is adequate, relevant, and reasonably necessary for the disclosed purposes.
    • Implement reasonable administrative, technical, and physical security measures to protect consumer data.
    • Obtain consent to process sensitive data (e.g., biometric data, precise geolocation) and to target consumers under 16.
    • Maintain compliant contracts with third-party processors.

    Goes into effect March 30, 2027.

    Louisiana Data Privacy Act

    Applies to businesses operating in Louisiana that meet at least one of these conditions:

    • Have annual gross revenue over $25 million.
    • Process personal data of 75,000+ consumers.
    • Derive 50% or more of revenue from selling personal data.

    Requires businesses to:

    • Post privacy notices detailing data collection, use, and sharing practices.
    • Get affirmative consent for processing “sensitive data”.
    • Honor universal opt-out mechanisms.
    • Perform data protection assessments for high-risk processing.
    • Implement reasonable security measures.
    • Utilize contracts with data processors.
    • Enable residents to access, correct, or delete data.

    Goes into effect January 1, 2027.

    Vermont Data Privacy and Online Surveillance Act

    Applies to businesses that:

    • Control or process the personal data of at least 35,000 Vermont consumers.
    • Control or process the sensitive data of at least 3,000 Vermont consumers.
    • Sell or offer for sale the personal data of at least 3,000 Vermont consumers.

    The consumer health data provisions of the law apply to any entity that conducts business in Vermont or targets residents, regardless of the data volume or processing thresholds listed above.

    Requires businesses to:

    • Facilitate consumer requests to access, correct, delete, or obtain a portable copy of their personal data. Consumers also have the right to obtain a list of specific third parties to whom their personal data has been sold.
    • Obtain explicit, affirmative opt-in consent before processing sensitive data. The law broadly defines sensitive data to include neural data, financial account credentials, government-issued IDs, and transgender/nonbinary status.
    • Provide clear mechanisms for consumers to opt out of targeted advertising, profiling, and the sale of personal data.
    • Ensure that employees and contractors do not access consumer health data unless they are bound by a strict duty of confidentiality. The law also explicitly prohibits geofencing within 1,850 feet of any healthcare, mental health, or reproductive health facility.
    • Explicitly disclose within privacy policies whether the business collects, uses, or sells personal data to train large language models (LLMs) or artificial intelligence.
    • Perform formal data protection assessments for any processing activities that present a heightened risk of consumer harm.
    • Establish mandatory, binding data processing contracts with all third-party data processors and vendors.

    Goes into effect January 1, 2028.


    MarTech is owned by Semrush. We remain committed to providing high-quality coverage of marketing topics. Unless otherwise noted, this page’s content was written by either an employee or a paid contractor of Semrush Inc.

    Constantine von Hoffman
    Senior Editor, MarTech

    Constantine von Hoffman is senior editor of MarTech. A veteran journalist, Con has covered business, finance, marketing and tech for CBSNews.com, Brandweek, CMO, and Inc. He has been city editor of the Boston Herald, news producer at NPR, and has written for Harvard Business Review, Boston Magazine, Sierra, and many other publications. He has also been a professional stand-up comedian, given talks at anime and gaming conventions on everything from My Neighbor Totoro to the history of dice and boardgames, and is author of the magical realist novel John Henry the Revelator. He lives in Boston with his wife, Jennifer, and either too many or too few dogs.

    View Author Profile