As technology advances and more businesses adopt digital processes, the conversation around data privacy evolves. In response, various privacy acts are introduced with the goal of providing improved protection for consumer data. While privacy laws are not new, 2025 will be a particularly significant year, with several new privacy acts set to go into effect and more new bills possibly passed throughout the year.
Now in effect:
- California
- Colorado
- Connecticut
- Virginia
- Utah
- Tennessee
- Texas
- Oregon
- Montana
- Delaware
- Iowa
- Nebraska (new law, effective January 1, 2025)
- New Hampshire
- New Jersey (effective January 15, 2025)
New bills passed in 2023 and 2024, effective 2025-2026

| Effective date | State | Law |
|---|---|---|
| 1 July 2025 | Oregon | Oregon Privacy Act (Nonprofits) |
| 31 July 2025 | Minnesota | Minnesota Consumer Data Privacy Act (HF 4757) |
| 1 October 2025 | Maryland | Maryland Online Data Privacy Act (SB 541) |
| 1 January 2026 | Indiana | Indiana Consumer Data Protection (IDCP) |
| 1 January 2026 | Kentucky | Kentucky Consumer Data Privacy Act (HB 15) |
| 1 January 2026 | Rhode Island | Rhode Island Data Transparency and Privacy Protection Act (H 7787) |
Read on to learn more about the consumer privacy acts going into effect in 2023 through 2026 and how you can prepare your business.
What Is a State Comprehensive Consumer Privacy Law?
A comprehensive consumer privacy law is not a state’s data breach notification law. All 50 states and 4 territories in the U.S. have data breach notification laws on the books. Under breach notice laws, organizations that have security incidents exposing personal information must notify state residents and/or state Attorneys General or other government agencies. Generally, breach notice laws only address post-incident requirements; they do not impose obligations to maintain specific security and privacy programs.
On the other hand, comprehensive consumer privacy laws all have the same goal—to protect the privacy of consumers’ personal information and ensure consumers understand their rights in their personal information when handled by a business.
These laws vary from state to state but are designed to give consumers more control over their personal information and hold businesses accountable for safeguarding that information and notifying consumers about collection and handling practices. Some key provisions of privacy laws include requirements for data security, data breach notification and consumers’ opt-out rights.
A well-known example, and the first U.S. comprehensive consumer privacy law, is the California Consumer Privacy Act of 2018 (CCPA), as amended or reenacted by Proposition 24, also known as the California Privacy Rights Act of 2020 (CPRA). CCPA, which went into effect on January 1, 2020, requires businesses to disclose what personal data they collect and why, and to whom they sell personal data. In addition, businesses must allow consumers to opt out of having their data sold, and consumers may request that their data be corrected or deleted. Subject to a few exemptions discussed below, the law applies to all businesses that collect or process the personal data of Californians, regardless of whether the businesses are based in California or elsewhere.
In recent years, there has been a growing movement in favor of these laws, with many states proposing them in response to concerns about businesses' mishandling of personal data. Five states have passed similar laws thus far. As the demand for personal data protection becomes increasingly widespread in the U.S., and in the absence of a federal law pre-empting state laws, it’s likely that more states will pass these types of laws to protect the privacy of their citizen-consumers.
* Please note that the state privacy laws for California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia define “consumers” as only state residents.
A cybersecurity and privacy lawyer can help you navigate compliance with consumer privacy laws. Learn more now.
New State Consumer Privacy Laws in 2025
It’s vital to find out ahead of time if new privacy laws will impact your business, so you can make any necessary preparations. Below, we reveal which companies are impacted by each of the laws effective in 2025.
Iowa Consumer Data Protection Act (HF 2506)
The Iowa Consumer Data Protection Act (HF 2506) (signed into law March 28, 2023; effective January 1, 2025) applies to organizations that meet both of these criteria:
- Conducts business in Iowa or targets state residents
- In the prior year, met one or more of the following thresholds:
  - Controls or processes the personal data of 100,000 or more consumers*, or
  - (i) Received more than 50 percent of its gross revenue from the sale of personal information AND (ii) Controls or processes the personal information of 25,000 or more consumers*.
Non-profit organizations, employee information and B2B information are exempt from the act.
Delaware Personal Data Privacy Act (PDPA) (S.B. 619)
The Delaware Personal Data Privacy Act (PDPA) (S.B. 619) (passed June 30, 2023; effective January 1, 2025) applies to an organization that conducts business in Delaware, or targets state residents with products or services, and that controls or processes the personal data of:
- At least 35,000 consumers* (except personal data handled solely for payment transactions), or
- At least 10,000 consumers*, while deriving more than 20% of gross revenue from the sale of personal data.
New Hampshire (SB 255)
New Hampshire’s SB 255 (effective January 1, 2025) applies to organizations that meet both of the following criteria:
- Conducts business in New Hampshire or produces products or services targeted to state residents
- Meets one or more of these thresholds:
  - Controls or processes the personal data of 35,000 or more consumers* in a calendar year, or
  - (i) Controls or processes the personal information of 10,000 or more consumers* AND (ii) Derives more than 25 percent of gross revenue from the sale of personal data
State political subdivisions, bodies, authorities, boards, bureaus, commissions, districts or agencies, nonprofit organizations, institutions of higher education, national securities association, financial institutions, covered entities or business associates, protected health information, patient-identifying information and identifiable private information for specific purposes are exempt from this law.
Nebraska Data Privacy Act (LB 1074)
The Nebraska Data Privacy Act (effective January 1, 2025) applies to a person that meets all of the following criteria:
- Conducts business in Nebraska or produces products or services targeted to residents of the state;
- Processes or engages in the sale of personal data; AND
- Is not a small business as defined under the federal Small Business Act, except to the extent that section 18 of this act applies.
Exemptions include data such as protected health information under HIPAA, health records, patient identifying information, identifiable private information related to human subjects research, information created under the Health Care Quality Improvement Act, patient safety work product, deidentified health care information, and data collected for public health activities, creditworthiness, driver's privacy, educational records, or farm credit activities. It also exempts entities such as state agencies, political subdivisions, financial institutions, covered entities governed by HIPAA, nonprofit organizations, institutions of higher education, electric and natural gas suppliers, and certain utilities.
New Jersey Data Privacy Law
The New Jersey Data Privacy Law (effective January 15, 2025) applies to businesses that meet the following criteria:
- Conduct business in New Jersey or target state residents
- During a calendar year, control or process either:
  - The personal data of at least 100,000 consumers* (not including personal data processed only for the purpose of completing a transaction), or
  - (i) The personal data of 25,000 New Jersey consumers* AND (ii) derive revenue or receive discounts from the sale of personal data.
Non-profit organizations are exempt from the act.
Minnesota Consumer Data Privacy Act (HF 4757)
The Minnesota Consumer Data Privacy Act (effective July 31, 2025) applies to organizations that meet both of the following criteria:
- Conducts business in Minnesota or produces products or services targeted to residents of the state
- In a calendar year, met one or more of the following thresholds:
  A. Controls or processes the personal data of 100,000 or more consumers* in a calendar year, or
  B. (i) Controls or processes the personal data of 25,000 or more consumers* AND (ii) derives over 25% of gross revenue from the sale of personal data.
Exemptions include government entities, federally recognized Indian tribes, and certain health-related data such as protected health information under HIPAA, health records, patient safety work product, and de-identified health data. It also excludes data regulated by federal laws like the Gramm-Leach-Bliley Act, Driver's Privacy Protection Act, and the Family Educational Rights and Privacy Act. Other exemptions include personal data related to credit reports, insurance, and employment, as well as small businesses, nonprofits detecting insurance fraud, and air carriers regulated under the Airline Deregulation Act. Data collected for public health purposes, emergency contact information, benefits administration, or in compliance with COPPA is also excluded.
Maryland Online Data Privacy Act (SB 541)
The Maryland Online Data Privacy Act (effective October 1, 2025) applies to organizations that meet both of the following criteria:
- Conducts business in Maryland or produces products or services targeted to residents of the state
- During the previous calendar year, met one or more of the following thresholds:
  A. Controls or processes the personal data of 35,000 or more consumers* in a calendar year, or
  B. (i) Controls or processes the personal data of 10,000 or more consumers* AND (ii) derives over 20% of gross revenue from the sale of personal data.
Exemptions include data regulated by HIPAA, patient-identifying information under 42 U.S.C. § 290DD–2, and data used for human subjects research under federal guidelines. It also exempts patient safety work product, public health information under HIPAA, creditworthiness data regulated by the Fair Credit Reporting Act, data under the Driver’s Privacy Protection Act, educational records governed by FERPA, and data collected under the Farm Credit Act. Additionally, employee data within the context of employment, emergency contact information, and insurance-related data regulated under the Insurance Article are excluded. Finally, state and political bodies, financial institutions, and nonprofit organizations assisting law enforcement or first responders are also exempt.
State Consumer Privacy Laws Passed in 2023 and 2024, Effective in 2026
Indiana Consumer Data Protection law (SB 5)
The Indiana Consumer Data Protection law (passed April 13, 2023; effective January 1, 2026) applies to organizations that meet these criteria:
- Conducts business in Indiana or targets state residents
- In the prior year, met one or more of the following thresholds:
  - Controls or processes the personal data of 100,000 or more consumers*, or
  - (i) Received more than 50 percent of its gross revenue from the sale of personal information AND (ii) Controls or processes the personal information of 25,000 or more consumers*.
Non-profit organizations, employee information and B2B information are exempt from the act.
Under Indiana law, riverboat casinos are expressly allowed to use facial recognition technology in their operations.
Kentucky Consumer Data Privacy Act (HB 15)
The Kentucky Consumer Data Privacy Act (effective January 1, 2026) applies to organizations that meet both of the following criteria:
- Conducts business in Kentucky or produces products or services targeted to residents of the Commonwealth
- In a calendar year, met one or more of the following thresholds:
  A. Controls or processes the personal data of 100,000 or more consumers* in a calendar year, or
  B. (i) Controls or processes the personal data of 25,000 or more consumers* AND (ii) derives over 50% of gross revenue from the sale of personal data.
Exemptions include city and state agencies, financial institutions under the Gramm-Leach-Bliley Act, HIPAA-covered entities and associates, nonprofits, higher education institutions, small telephone utilities, Tier III CMRS providers, and municipally-owned utilities not selling or sharing personal data. It also excludes data governed by HIPAA, federal laws like the Fair Credit Reporting Act, Driver’s Privacy Protection Act, and Family Educational Rights and Privacy Act, as well as de-identified health data, patient-identifying information, employment-related data, and personal data collected under the Combat Methamphetamine Epidemic Act of 2005.
Rhode Island Data Transparency and Privacy Protection Act (H 7787)
The Rhode Island Data Transparency and Privacy Protection Act (effective January 1, 2026) applies to for-profit entities that meet both of the following criteria:
- Conducts business in Rhode Island or produces products or services targeted to residents of the state
- During the previous calendar year, met one or more of the following thresholds:
  A. Controls or processes the personal data of 35,000 or more consumers* in a calendar year, or
  B. (i) Controls or processes the personal data of 10,000 or more consumers* AND (ii) derives over 20% of gross revenue from the sale of personal data.
The exemptions in this chapter include personal data such as protected health information under HIPAA, patient-identifying information, identifiable private information for human research subjects, information created for the Health Care Quality Improvement Act, patient safety work product, de-identified health care data, personal data used in public health activities, and personal information regulated by the Fair Credit Reporting Act, the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit Act. It also exempts data processed in the course of employment, emergency contact information, benefits administration, and personal data related to the Airline Deregulation Act. The chapter also exempts entities like commercial websites or internet service providers conducting business in Rhode Island, state bodies, political subdivisions, nonprofit organizations, institutions of higher education, financial institutions, covered entities under HIPAA, and certain data subjects as defined by federal laws.
State Consumer Privacy Laws in 2023 and 2024
It’s vital to find out ahead of time if new privacy laws will impact your business, so you can make any necessary preparations. Below, we reveal which companies are impacted by each of the laws effective in 2023 and 2024.
California Privacy Rights Act of 2020 (Amends CCPA)
The California Privacy Rights Act (effective January 1, 2023) applies to the same entities as CCPA, which includes for-profit entities that collect or process California residents’ personal data regardless of whether the businesses are located in California. As of January 1, 2021, businesses subject to CCPA and CPRA include companies that meet one or more of the following conditions:
- Companies with prior year annual revenue over $25 million.
- Companies buying, selling, or sharing the personal information of 100,000 or more consumers* or households.
- Companies deriving 50% or more of their annual revenue from selling or sharing consumers’* personal information.
Non-profit organizations are not subject to CCPA and CPRA. As of January 1, 2023, employee and business-to-business (B2B) personal information are no longer exempt.
Colorado Privacy Act (SB21-190) and Rules
The Colorado Privacy Act with the companion rules from the Colorado AG’s office (effective July 1, 2023) applies to organizations that meet both the following criteria:
- Conducts business in Colorado or produces or delivers commercial products or services intentionally targeted to state residents.
- Meets one or more of these thresholds:
  - Controls or processes the personal data of 100,000 or more consumers* in a calendar year, or
  - (i) Generates revenue (or obtains discounts) from selling personal data AND (ii) Controls or processes the personal data of 25,000 or more consumers*
Unlike the other states’ privacy laws, there is no exemption for non-profit organizations. However, employee and business-to-business (B2B) personal information are exempt from the act.
The Privacy Act Rules supplement the Act and are designed to help businesses comply. Key topics covered include requirements for communications with consumers, consumer personal data rights, universal opt-out mechanisms and duties of controllers.
Connecticut Personal Privacy and Online Monitoring Act (Public Act No. 22-15)
Public Act No. 22-15, the Connecticut act concerning personal data privacy and online monitoring, comes into effect July 1, 2023, and applies to organizations that meet both of these criteria:
- Conducts business in Connecticut or produces commercial products or services targeted to state residents.
- Met one or more of these thresholds during the past calendar year:
  - Controlled or processed the personal data of 100,000 or more consumers* (excluding personal data collected from payment transactions), or
  - (i) Derived more than 25 percent of gross revenue from the sale of personal data AND (ii) Controlled or processed the personal information of 25,000 or more consumers*
Non-profit organizations, employee information and B2B personal information are exempt from the act.
Utah Consumer Privacy Act (SB 227)
The Utah Consumer Privacy Act (effective December 31, 2023) is applicable to organizations that conduct business in Utah or provide products or services targeted to state residents and also meet both the following criteria:
- Annual revenue is $25 million or higher
- Meets one or more of these thresholds:
  - Controls or processes the personal data of 100,000 or more consumers* in a calendar year, or
  - (i) Receives more than 50 percent of its gross revenue from the sale of personal information AND (ii) Controls or processes the personal information of 25,000 or more consumers*
Under the act, consumers do not have the right to correct inaccuracies, and no opt-in consent is required to process sensitive data. Non-profit organizations, employee information and B2B information are exempt from the act.
Virginia Consumer Data Protection Act (SB 1392)
The Virginia Consumer Data Protection Act (effective January 1, 2023) applies to organizations that meet both these criteria:
- Conducts business in Virginia or targets state residents with products or services
- Meets one or more of the following thresholds:
  - Controls or processes the personal data of 100,000 or more consumers* in a calendar year, or
  - (i) Receives more than 50 percent of its gross revenue from the sale of personal information AND (ii) Controls or processes the personal information of 25,000 or more consumers*
Non-profit organizations, employee information and B2B information are exempt from the act.
Montana Consumer Data Protection Act (SB 0384)
The Montana Consumer Data Protection Act (SB 0384) (effective October 1, 2024) applies to organizations that meet both these criteria:
- Conducts business in Montana or targets state residents with products or services
- Meets one or more of the following thresholds:
  - Controls or processes the personal data of 50,000 or more consumers* in a calendar year (excluding personal data collected for payment transactions), or
  - (i) Receives more than 50 percent of its gross revenue from the sale of personal information AND (ii) Controls or processes the personal information of 25,000 or more consumers*
Non-profit organizations, employee information and B2B information are exempt from the Act.
Tennessee Information Protection Act (HB 1181)
The Tennessee Information Protection Act (HB 1181) (effective July 1, 2024) applies to organizations that meet both these criteria:
- Conducts business in Tennessee or targets state residents with products or services
- Meets one or more of the following thresholds:
  - Controls or processes the personal data of 100,000 or more consumers* in a calendar year, or
  - (i) Receives more than 50 percent of its gross revenue from the sale of personal information AND (ii) Controls or processes the personal information of 25,000 or more consumers*
Non-profit organizations, employee information and B2B information are exempt from the act.
TIPA requires a written privacy program that conforms to the NIST Privacy Framework (PF).
Texas Data Privacy and Security Act
The Texas Data Privacy and Security Act (effective July 1, 2024) applies to a person who meets all of the following criteria:
- Conducts business in Texas or produces a product or service consumed by residents of Texas
- Processes or engages in the sale of personal data, and
- Is not a small business as defined by the United States Small Business Administration, except when Section 541.107 applies to a person described by this subdivision.
People exempt from the Texas Data Privacy and Security Act are the following:
- A state agency or a political subdivision of Texas
- A financial institution or data subject to Title V, Gramm-Leach-Bliley Act
- A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), and the Health Information Technology for Economic and Clinical Health Act (Division A, Title XIII, and Division B, Title IV, Pub. L. No. 111-5)
- A nonprofit organization
- A higher education institution, or
- An electric utility, a power generation company, or a retail electric provider
Oregon Privacy Act, Senate Bill 619
The Oregon Privacy Act was signed into law July 18, 2023 and became effective July 1, 2024; for non-profit entities the law takes effect a year later, July 1, 2025. AG enforcement will not begin until July 1, 2026.
The Oregon Privacy Act applies to organizations that:
- Conduct business in Oregon, or provide products or services to Oregon residents, and
- Meet one of the following thresholds during a calendar year, controlling or processing either:
  - The personal data of 100,000 or more consumers*, or
  - The personal data of 25,000 or more consumers*, while deriving 25% or more of the person’s annual gross revenue from selling personal data.
How a Cyber Lawyer Can Help You Manage Compliance
One of the most critical and often overlooked aspects of running a business is compliance with applicable laws and regulations. There is an array of rules to adhere to, and trying to ensure compliance with moving targets and keep up with changes can be a full-time job in itself. State privacy laws join an increasingly complex set of regulations in the United States. Organizations that are not currently subject to the jurisdiction of a state may still need to address compliance. That's where cyber lawyers come in.
Cyber lawyers focus their practice on the area of law that governs securing electronic information and transactions. They stay abreast of the latest legal requirements and can advise you on your requirements and assess your business’ risk, as well as identify steps you need to take to ensure compliance. In addition, they can help streamline the compliance process by identifying efficiencies and automating tasks where possible.
This frees up your time so you can remain focused on running your business operations. By outsourcing compliance to a cyber lawyer, you can have peace of mind knowing your legal obligations are being managed by an expert.
From IR planning to tabletop exercises, a cyber law attorney can help your business!
Why Choose ZeroDay Law
ZeroDay Law is a results-oriented law firm specializing in cybersecurity and privacy law. It provides incident response planning, high-quality legal services, and agile strategic thinking. Equipped with global technical experience, proven methodologies and the latest technologies, ZeroDay Law’s legal experts build lasting relationships with clients to ensure resiliency now and in the future.
Learn more about our services or contact us today to talk with our team of legal experts.