Reference · 20 comprehensive laws · April 2026

US State Privacy Laws — Comparison Matrix

Every US state consumer privacy law, side-by-side. Effective dates, broker response deadlines, cure periods, private rights of action, penalties, and which rights are granted. Updated monthly as new laws take effect.

Comprehensive state privacy laws

These 20 states grant residents broad rights to delete, access, correct, and opt out of the sale of personal data. Each law is enforced by the state AG (or the CPPA in California).

| State | Law | Effective | Response | PRA |
|---|---|---|---|---|
| California | CCPA/CPRA | 2020-01-01 | 45 days | |
| Virginia | VCDPA | 2023-01-01 | 45 days | |
| Colorado | CPA | 2023-07-01 | 45 days | |
| Connecticut | CTDPA | 2023-07-01 | 45 days | |
| Utah | UCPA | 2023-12-31 | 45 days | |
| Texas | TDPSA | 2024-07-01 | 45 days | |
| Florida | FDBR | 2024-07-01 | 45 days | |
| Oregon | OCPA | 2024-07-01 | 45 days | |
| Montana | MTCDPA | 2024-10-01 | 45 days | |
| New Hampshire | NHDPA | 2025-01-01 | 45 days | |
| Iowa | ICDPA | 2025-01-01 | 90 days | |
| Nebraska | NBDPA | 2025-01-01 | 45 days | |
| New Jersey | NJDPA | 2025-01-15 | 45 days | |
| Tennessee | TIPA | 2025-07-01 | 45 days | |
| Minnesota | MCDPA | 2025-07-31 | 45 days | |
| Maryland | MODPA | 2025-10-01 | 45 days | |
| Delaware | DPDPA | 2026-01-01 | 45 days | |
| Indiana | INCDPA | 2026-01-01 | 45 days | |
| Kentucky | KCDPA | 2026-01-01 | 45 days | |
| Rhode Island | RIDTPPA | 2026-01-01 | 45 days | |

PRA = Private Right of Action. None of the comprehensive state privacy laws grant a general PRA. Illinois BIPA (biometric only), California CCPA (breaches only), and Washington MHMDA (health data only) offer narrow PRAs outside these comprehensive laws.

States without comprehensive laws

These 30 states have not passed comprehensive consumer privacy laws as of April 2026. Residents rely on narrower statutes (Illinois BIPA, Washington MHMDA) and cross-state CCPA leverage against national data brokers.

Key concepts

Response deadline

The time a business has to respond to a deletion request. 45 days is standard under CCPA and most peer laws, with a one-time 45-day extension allowed with notice. Iowa (ICDPA) is the outlier at 90 days.

Cure period

A grace period during which a business may remedy a violation before enforcement. California sunset its cure period in 2023; Colorado and Connecticut sunset in 2025. Texas, Indiana, Kentucky, and Tennessee still have cure periods.

Universal opt-out mechanism

Browser-level opt-out signals like Global Privacy Control (GPC). California, Colorado, Connecticut, Oregon, New Hampshire, and New Jersey legally require businesses to honor GPC as an opt-out signal.

Private right of action

The ability to sue directly rather than relying on AG enforcement. None of the comprehensive state privacy laws grant a general PRA. Illinois BIPA (biometric), California CCPA (breaches), and Washington MHMDA (health) offer narrow PRAs.

Notable distinguishing features by law

California (CCPA/CPRA)

First US state law. Only state with a dedicated privacy agency (CPPA). Operates a public Data Broker Registry. Will launch a universal deletion mechanism (Delete Act) in August 2026.

Maryland (MODPA)

Strictest US privacy law. Outright bans the sale of sensitive personal data. Lowest consumer thresholds (35,000+).

Minnesota (MCDPA)

Strongest automated-decision transparency rights. Includes a right to question profiling decisions and demand human review.

New Jersey (NJDPA + Daniel's Law)

Birthplace of Daniel's Law. Provides expedited 10-business-day removal for judges, prosecutors, and law enforcement.

Tennessee (TIPA)

Only state with a NIST Privacy Framework safe harbor defense.

Nebraska (NBDPA)

Broadest scope — applies to any non-small-business without consumer-count thresholds.

Oregon (OCPA)

Covers nonprofits. Most peer laws exempt them.

Iowa (ICDPA)

Weakest consumer rights — no correction, no profiling opt-out, 90-day response window.

Rhode Island (RIDTPPA)

Requires data brokers to publicly disclose data categories and sources.

Put the laws to work

Opt out of 200+ brokers in 15 minutes

Whichever state you're in, OfflistMe drafts deletion emails with the correct legal citations. Send them from your own inbox. No account, no ID upload, no subscription.

Start for $2 →

FAQ: US privacy laws

How many US states have comprehensive consumer privacy laws?

As of April 2026, 20 US states have passed comprehensive consumer privacy laws. Alabama has also passed a comprehensive bill and awaits the governor's signature. Pennsylvania and Louisiana have advanced to cross-chamber consideration. California was first (CCPA, 2020); Maryland's MODPA (effective October 2025) is currently considered the strictest.

What is the strictest US state privacy law?

Maryland's Online Data Privacy Act (MODPA), effective October 2025, is widely regarded as the strictest. It outright bans the sale of sensitive personal data, imposes hard data-minimization limits, has the lowest consumer thresholds (35,000+ consumers), and no cure period.

Which states have a private right of action for privacy violations?

Only three US states grant a private right of action for privacy violations: Illinois (BIPA, biometric data only), California (CCPA, security breaches only), and Washington (My Health My Data Act). Most other state privacy laws are enforced exclusively by the state Attorney General with no individual right to sue.

Do I need to be a resident of a state to use its privacy law?

Yes — state privacy laws grant rights to residents of that state. However, most national data brokers maintain a single unified CCPA-compliant workflow and honor deletion requests from any US resident regardless of state, because maintaining state-specific workflows is operationally costly.

What is a "cure period" and which states still have one?

A cure period is a statutory grace period during which a business may remedy a privacy-law violation before the AG can fine it. California's cure period sunset in 2023; Colorado and Connecticut sunset in January 2025. Texas, Indiana, Kentucky, Tennessee, and several other states still have active cure periods (typically 30-60 days).
