In recent years, and especially in recent months, many states have passed new consumer data privacy laws. These laws share some similarities with the California Consumer Privacy Act and with each other, but every state law has unique aspects that set it apart.

This article will give you a brief overview of what these laws have in common and some of the key ways they differ.

What do state privacy laws have in common?

Each state’s consumer data privacy laws work a little bit differently, which can cause headaches for organizations that have to comply with multiple laws. The good news is they all have a few key similarities that businesses can use as the foundation of a compliant privacy program. 

  1. State privacy laws generally only apply to organizations that process data from a large number of state residents (whom the laws refer to as “consumers”). This means that if your organization holds little data related to residents of a given state, it likely doesn’t have to comply with that state’s privacy law.
  2. The laws generally apply to the same type of consumer data (which the laws refer to as “Personal Data” or “Personal Information”). Personal Data is any information that identifies, relates to, describes, or is capable of being associated with a consumer. This is an extremely broad definition that encompasses almost any type of information a business might maintain about consumers, subject to limited exceptions outlined in the laws themselves.
  3. These laws all require organizations to create a notice outlining their privacy practices and provide it to consumers before the organization collects their data. What has to go into a notice varies slightly among states, but all notices require a basic explanation of the types of data an organization collects and what the organization does with that data.
  4. Every state grants its residents the right to make certain requests that affect what an organization does with their data. While these rights aren’t all the same among states, every state allows consumers to (1) know what data an organization has collected about them, (2) direct an organization to delete that data (subject to certain exceptions), (3) direct an organization not to sell their data, and (4) direct an organization not to share their data with anyone else for the purpose of targeted advertising.

What are some key distinctions among the state privacy laws?

Unfortunately, aside from these main similarities, there are many differences among the various state privacy laws, especially in the requirements they place on organizations that have to comply.

The table below highlights some key differences in those requirements. It doesn’t address every single difference, just a few that organizations should keep in mind when designing their privacy program or trying to bring their existing program into compliance with a new law.

A brief summary of each requirement appears in the list beneath the table.


*Washington and Nevada also passed privacy laws in 2023, but those laws focus entirely on health data and so are very different in scope from the laws discussed in this article. Washington’s law is the “My Health My Data Act.”

**The text of California’s privacy law requires businesses to conduct these assessments, but California hasn’t yet provided details on what they should look like or when they need to be conducted. As such, many businesses have chosen to wait until the requirement is clarified before conducting these assessments.

***Both Oregon’s and Delaware’s laws have been passed by their respective state legislatures, but they have not been signed into law as of the date of this article.

  • Applies to Employee/Job Applicant Data—Most consumer privacy laws don’t cover data that organizations obtain from individuals in an employment context (i.e. they don’t apply to data gathered from employees, contractors, or job applicants). California’s law breaks the mold by treating employee data like consumer data and granting employees the right to make the same privacy requests available to consumers.
  • Risk Assessments—Risk Assessments (“Data Protection Assessments” in some states) are evaluations that assess the benefits and potential harms associated with a given processing activity. The states indicated by checkmarks require organizations to conduct Assessments and document their findings whenever they engage in risky processing activities. 
  • Opt-Out Preference Signals—Opt-Out Preference Signals are automated signals sent by a consumer (usually through an internet browser or browser extension) that communicate that consumer’s desire to opt-out of certain uses of their personal data (such as selling data or sharing it for targeted advertising). The states indicated by check marks will require organizations to recognize these signals and process them as requests to opt-out. Due to delays in enforcement, none of the states currently require organizations to recognize opt-out preference signals, but they will begin doing so between March 29, 2024 and January 1, 2026.
  • Consent to Process Sensitive Data—The states indicated by check marks require organizations to obtain consent from a given consumer before processing any Sensitive Data related to that individual. The definition of “Sensitive Data” varies between states, but see Virginia’s definition for an example of the type of data that is included. 
  • Right to Appeal—If an organization denies a consumer’s request to exercise one of the rights granted by a given state law (e.g. if an organization determines that a request is subject to an exception in a given law), the states indicated by check marks grant that consumer the right to appeal the organization’s decision. 
  • Right to Limit the Use of Sensitive Information—California grants consumers the right to direct organizations to stop using their Sensitive Information (“Sensitive Data” in other states) for any reason other than a few limited purposes, like fulfilling a consumer’s order or providing them with services they requested.

Effective dates & enforcement

While twelve states have passed consumer privacy laws to date, only four of those laws are currently in effect, with the rest set to take effect between December 31, 2023 and January 1, 2026. The list below lays out the effective date for each law along with who is responsible for enforcement and the penalties that organizations could face for failing to comply.

California Consumer Privacy Act:

  • Effective Date: January 1, 2020 (amendments effective January 1, 2023)
  • Enforced By: California Privacy Protection Agency (the California Attorney General also has enforcement authority)
  • Penalties: Up to $2,500 per violation, and up to $7,500 if the violation is willful or involves children’s data
Virginia Consumer Data Protection Act:

  • Effective Date: January 1, 2023
  • Enforced By: Virginia Attorney General
  • Penalties: Up to $7,500 per violation plus attorney’s fees
Colorado Privacy Act (CPA):

  • Effective Date: July 1, 2023
  • Enforced By: Colorado Attorney General
  • Penalties: Up to $20,000 per violation, and up to $50,000 if the violation involves elderly persons’ data
Connecticut Data Privacy Act:

  • Effective Date: July 1, 2023
  • Enforced By: Connecticut Attorney General
  • Penalties: Up to $5,000 per willful violation
Utah Consumer Privacy Act (UCPA):

  • Effective Date: December 31, 2023
  • Enforced By: Utah Attorney General
  • Penalties: Actual damages caused to Utah residents plus up to $7,500 per violation
Texas Data Privacy and Security Act:

  • Effective Date: July 1, 2024
  • Enforced By: Texas Attorney General
  • Penalties: Up to $7,500 per violation
Oregon Consumer Privacy Act:

  • Effective Date: July 1, 2024
  • Enforced By: Oregon Attorney General
  • Penalties: Up to $7,500 per violation
Montana Consumer Data Privacy Act:

  • Effective Date: October 1, 2024
  • Enforced By: Montana Attorney General
  • Penalties: Not specified in the Act, but Montana law provides for penalties of up to $10,000 per willful violation in similar contexts
Iowa Consumer Data Protection Act:

  • Effective Date: January 1, 2025
  • Enforced By: Iowa Attorney General
  • Penalties: Up to $7,500 per violation
Delaware Personal Data Privacy Act:

  • Effective Date: January 1, 2025
  • Enforced By: Delaware Department of Justice
  • Penalties: Up to $10,000 per willful violation
Tennessee Information Protection Act:

  • Effective Date: July 1, 2025
  • Enforced By: Tennessee Attorney General
  • Penalties: Up to $7,500 per violation plus attorney’s fees. Penalties can be tripled for knowing or willful violations
Indiana Consumer Data Protection Act:

  • Effective Date: January 1, 2026
  • Enforced By: Indiana Attorney General
  • Penalties: Up to $7,500 per violation


SixFifty can help

SixFifty’s All-US Privacy helps organizations comply with every privacy law in the United States. Businesses can easily generate the customized legal documents, written by top legal experts, that the various privacy laws around the country require. As new laws pass, we update our tools to include them so your documents are always up to date.

If you’d like to make informed decisions surrounding data privacy and ensure compliance in a rapidly changing landscape, schedule a demo with SixFifty today.