The US state privacy law landscape has transformed dramatically since California enacted the California Consumer Privacy Act (CCPA) in 2018. As of November 2025, 20 states have enacted comprehensive consumer privacy laws, creating a complex patchwork of requirements that privacy professionals must navigate. For CIPP/US exam candidates, this is particularly critical: the 2024-2025 exam blueprint increased state privacy law questions from 9-15 to 17-21 questions, making it the most heavily weighted topic on the exam.
This comprehensive guide breaks down every state privacy law you need to know, their key requirements, and the critical differences that appear on the CIPP/US exam.
- 1. The US Privacy Patchwork: An Overview
- 2. California (CCPA/CPRA) - The Gold Standard
- 3. Pioneer States: Virginia, Colorado, Connecticut, Utah
- 4. All 20 State Laws: Complete Breakdown
- 5. Consumer Rights Comparison
- 6. Applicability Thresholds
- 7. Key Differences & Exam Focus Areas
- 8. Effective Dates Timeline
- 9. CIPP/US Exam Tips
1. The US Privacy Patchwork: An Overview
Unlike the European Union's General Data Protection Regulation (GDPR), which provides a unified framework across member states, the United States has taken a sectoral and state-by-state approach to privacy regulation. In the absence of comprehensive federal privacy legislation, states have stepped in to fill the gap, resulting in what privacy professionals often call the "privacy patchwork."
As of November 2025, 20 states have enacted comprehensive consumer privacy laws. By January 2025, approximately 40% of US consumers had rights under their states' privacy laws, a number that grew to nearly 50% by mid-2025.
The growth of state privacy laws has been exponential:
- 2018: California passes CCPA (effective January 2020)
- 2020: California voters approve CPRA amendments
- 2021: Virginia and Colorado pass comprehensive laws
- 2022: Utah and Connecticut join the list
- 2023: Seven states pass laws (Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas)
- 2024: Seven more states pass laws (Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, Rhode Island)
- 2025: Eight states amended existing laws; no new comprehensive laws enacted
2. California (CCPA/CPRA) - The Gold Standard
California remains the most important state privacy law for CIPP/US exam candidates. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most comprehensive and strictly enforced state privacy law in the United States.
Applicability Thresholds (Updated January 2025)
The CCPA applies to for-profit businesses that collect California consumers' personal information and meet any one of the following thresholds:
- Revenue threshold: Annual gross revenue exceeding $26,625,000 (adjusted for CPI from $25 million)
- Data threshold: Buy, sell, or share personal information of 100,000 or more California residents or households annually
- Revenue from data: Derive 50% or more of annual revenue from selling or sharing California consumers' personal information
California is the only state that applies its privacy law to employee data and B2B contacts. All other state laws exempt employment and business-to-business data. This is a frequently tested distinction.
Consumer Rights Under CCPA/CPRA (LOCKD)
- Limit: Right to limit use and disclosure of sensitive personal information
- Opt-Out: Right to opt out of sale AND sharing of personal information
- Correct: Right to correct inaccurate personal information
- Know: Right to know what personal information is collected and how it's used
- Delete: Right to delete personal information collected
- Portability: Right to data portability in a usable format
California Privacy Protection Agency (CPPA)
California is the only state with a dedicated privacy enforcement agency. The CPPA has full rulemaking authority, investigation powers, and can levy civil penalties up to $2,500 per violation (or $7,988 per intentional violation as of 2025). California eliminated its mandatory cure period under CPRA.
September 2025 Regulations
On September 23, 2025, the CPPA finalized significant new regulations:
- Automated Decision-Making Technology (ADMT): Pre-use notices, opt-out rights, and access requests required by January 1, 2027
- Risk Assessments: Required for high-risk processing activities
- Cybersecurity Audits: Annual independent audits with phased compliance starting April 1, 2028
3. Pioneer States: Virginia, Colorado, Connecticut, Utah
Virginia - VCDPA (Effective Jan 1, 2023)
Threshold: 100,000+ Virginia consumers OR 25,000+ consumers with 50%+ revenue from data sales
Key Features: Uses GDPR terminology (controller/processor); entity-level GLBA exemption; 30-day cure period (AG discretion after 2025 amendments); enforced by Virginia AG
Colorado - CPA (Effective July 1, 2023)
Threshold: 100,000+ Colorado consumers OR 25,000+ consumers with revenue from data sales. No revenue threshold.
Key Features: AG has rulemaking authority; universal opt-out mechanism required since July 2024; cure period expired January 2025; detailed DPA requirements; 2025 amendments strengthened minor protections
Connecticut - CTDPA (Effective July 1, 2023)
Threshold: 100,000+ consumers (drops to 35,000 in 2026) OR 25,000+ consumers with 25%+ revenue from data sales
Key Features: Strong children's protections; universal opt-out required; 2025 amendments (SB 1295) add online safety requirements effective July 2026
Utah - UCPA (Effective Dec 31, 2023)
Threshold: $25M+ revenue AND (100,000+ consumers OR 25,000+ with 50%+ revenue from data sales)
Key Features: Most business-friendly; NO right to correction; NO data protection assessments; permanent 30-day cure period; no universal opt-out requirement
Utah is the outlier: It's the only comprehensive state privacy law that does NOT require data protection assessments and does NOT provide a right to correction.
4. All 20 State Laws: Complete Breakdown
Laws Already in Effect (November 2025)
Texas - TDPSA (Effective July 1, 2024)
Threshold: All businesses NOT classified as small business under federal SBA. One of three states (with Nebraska, Minnesota) exempting small businesses.
Oregon - OCPA (Effective July 1, 2024)
Threshold: 100,000+ consumers OR 25,000+ with 25%+ revenue from data sales. Unique: Includes transgender/nonbinary status and crime victim status as sensitive data. Nonprofits NOT exempt as of July 2025.
Montana (Effective Oct 1, 2024)
Threshold: 50,000+ consumers OR 25,000+ with revenue from data sales. Lower threshold than most states.
Delaware - DPDPA (Effective Jan 1, 2025)
Threshold: 35,000+ consumers OR 10,000+ with revenue from data sales. Does NOT exempt nonprofits or higher education.
Iowa - ICDPA (Effective Jan 1, 2025)
Threshold: 100,000+ consumers OR 25,000+ with 50%+ revenue from data sales. Very business-friendly; no right to correct third-party data; no DPA requirement.
Nebraska - NDPA (Effective Jan 1, 2025)
Threshold: All businesses NOT classified as small business under SBA; no consumer threshold. Broad definition of "sale" like California.
New Hampshire - NHPA (Effective Jan 1, 2025)
Threshold: 35,000+ consumers OR 10,000+ with 25%+ revenue from data sales.
New Jersey - NJDPA (Effective Jan 15, 2025)
Threshold: 100,000+ consumers OR 25,000+ with revenue from data sales. Does NOT exempt nonprofits; includes financial credentials as sensitive data; no FERPA exemption.
Laws Effective Later in 2025
Tennessee - TIPA (Effective July 1, 2025)
Threshold: $25M+ revenue AND (175,000+ consumers OR 25,000+ with 50%+ revenue from data sales). Highest consumer threshold. NIST framework affirmative defense available.
Minnesota - MCDPA (Effective July 31, 2025)
Threshold: 100,000+ consumers OR 25,000+ with 25%+ revenue (small businesses exempt). Unique: Right to question profiling decisions; right to obtain list of specific third parties; does NOT exempt nonprofits; only data-level GLBA exemption.
Maryland - MODPA (Effective Oct 1, 2025)
Threshold: 35,000+ consumers OR 10,000+ with 20%+ revenue from data sales. Most restrictive law: Complete ban on selling sensitive data (no consent exception); "strictly necessary" standard for sensitive data collection; expanded sensitive data categories; does NOT exempt nonprofits.
Laws Effective in 2026
Kentucky (Effective Jan 1, 2026)
100,000+ consumers OR 25,000+ with 50%+ revenue from data sales. Permanent 30-day cure period.
Rhode Island (Effective Jan 1, 2026)
35,000+ consumers OR 10,000+ with revenue from data sales. Lower penalties ($500/violation).
Indiana (Effective Jan 1, 2026)
100,000+ consumers OR 25,000+ with 50%+ revenue from data sales.
5. Consumer Rights Comparison
| Right | All 20 States | Notable Exceptions |
|---|---|---|
| Right to Access/Know | Yes | None |
| Right to Delete | Yes | Iowa limits for third-party data |
| Right to Correct | Most states | Utah and Iowa do NOT provide |
| Right to Portability | Yes | None |
| Right to Opt-Out of Sale | Yes | Definition of "sale" varies |
| Right to Opt-Out of Targeted Ads | Yes | None |
| Right to Opt-Out of Profiling | Most states | Iowa does NOT provide |
| Right to Question Profiling | Minnesota only | Minnesota uniquely provides |
| Right to Third-Party List | OR, MN, DE, MD | OR/MN: specific parties; DE/MD: categories |
6. Applicability Thresholds Quick Reference
| State | Revenue | Consumer Threshold | Data Sales Alternative |
|---|---|---|---|
| California | $26.625M+ | 100,000+ | 50%+ revenue |
| Tennessee | $25M+ | 175,000+ | 25,000+ with 50%+ |
| Utah | $25M+ | 100,000+ | 25,000+ with 50%+ |
| Montana | None | 50,000+ | 25,000+ with revenue |
| Maryland | None | 35,000+ | 10,000+ with 20%+ |
| Colorado | None (applies to all meeting the consumer threshold) | 100,000+ | 25,000+ with revenue |
| TX, NE, MN | Small business exemption (SBA definition) | | |
7. Key Differences & Exam Focus Areas
Private Right of Action
Only California provides a limited private right of action for data breaches. All other states rely on AG enforcement only.
Cure Periods
- No cure period: California
- Expired/AG discretion: Colorado (Jan 2025), Connecticut (July 2025), Virginia (2025)
- Permanent: Utah, Kentucky, Iowa (30 days); Tennessee (60 days)
Nonprofit Exemptions
These states do NOT exempt nonprofits: Colorado, Delaware, Maryland, Minnesota, New Jersey, Oregon
GLBA Exemptions
- Entity-level: Virginia, Colorado, Connecticut, Utah, most others (entire institution exempt)
- Data-level only: California, Minnesota (only GLBA-covered data exempt)
Universal Opt-Out Mechanisms
Required: CA, CO, CT, DE, MD, MN, MT, NE, NH, NJ, OR, TX
Not required: Utah, Iowa, Tennessee, Kentucky
Data Protection Assessments
Required: All states except Utah and Iowa
8. Effective Dates Timeline
9. CIPP/US Exam Tips for State Privacy Laws
- California distinctions: Only state with dedicated agency (CPPA), private right of action, employee/B2B coverage, no cure period
- Utah outliers: No right to correction, no DPAs, permanent cure period
- Iowa limitations: No right to correct third-party data, no profiling opt-out, no DPAs
- Threshold variations: Tennessee (175,000), Montana (50,000), small business exemptions (TX, NE, MN)
- Nonprofit coverage: Know which states do NOT exempt nonprofits (CO, DE, MD, MN, NJ, OR)
- Minnesota's unique right: Right to question profiling decisions
- Maryland's strictness: Ban on sensitive data sales, "strictly necessary" standard
Ready to Test Your State Privacy Law Knowledge?
Practice with 200+ CIPP/US exam questions covering all 20 state privacy laws, including scenario-based questions testing threshold applicability and key distinctions.
Additional Resources
- CCPA & CPRA Complete Guide
- CIPP/US Exam Domains Complete Breakdown
- FTC Privacy Enforcement 2024-2025
- Complete CIPP/US Study Guide 2025
- IAPP US State Privacy Legislation Tracker: iapp.org
- California Privacy Protection Agency: cppa.ca.gov