Comprehensive US Privacy Law Facts
California Consumer Privacy Act (CCPA)
Thresholds
The CCPA, as amended by the CPRA, applies to for-profit entities that do business in California, collect and process the personal information of California residents, and meet at least one of three thresholds:
- as of January 1 of the calendar year, had annual gross revenues in excess of $25M in the preceding calendar year, or
- alone or in combination, annually buy, sell, or share the personal information of 100,000 or more California consumers or households, or
- derive 50% or more of their annual revenues from selling or sharing consumers’ personal information.
Exemptions
The CCPA has essentially no entity-level exemptions. Its definition of “business” is limited to for-profit entities, but within that population it does not carve out particular industries or types of business. Its exemptions are data-level instead: certain categories of data processed for particular purposes (for example, protected health information handled under HIPAA, or data governed by GLBA or FCRA) are exempt, while the same entity’s other personal information remains in scope. If one of the thresholds applies to an organization, the CCPA applies to that organization.
Cure Period
Prior to January 1, 2023, businesses were given the opportunity to cure alleged violations within 30 days after being notified of noncompliance. The CPRA removed that mandatory cure period. Whether to offer a business a chance to cure is now at the discretion of the California Attorney General and the California Privacy Protection Agency (CPPA), which may take into account a lack of intent to violate the law and voluntary good-faith efforts to cure when deciding how to proceed.
The CCPA also gives California residents a private right of action, but a narrow one. A consumer may sue a business only over a data breach in which nonencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. Other violations are enforced by the AG and the CPPA rather than through consumer lawsuits. A consumer who believes their rights have been infringed can submit the CPPA’s official complaint form, and complaints may trigger investigations.
Response Time Frames
For Data Subject Rights Requests (to know, delete, or correct), businesses must respond within 45 calendar days of receipt. They can extend that deadline by up to 45 additional days (90 days total from receipt) when reasonably necessary, provided they notify the consumer within the initial 45-day window and explain the reason for the extension.
Requests to opt out of sale or sharing are subject to a shorter deadline. The business must comply as soon as feasibly possible and no later than 15 business days from receipt, and this period cannot be extended.
If the business sells or shares the consumer’s personal information during the window between receipt of the opt-out request and compliance with it, it must also notify the third parties to which it sold or shared that information that the consumer has exercised the right to opt out, and direct those third parties not to further sell or share that consumer’s information.
For more details on the California Act, download the Complete US Privacy Law Tracker white paper.
Virginia Consumer Data Privacy Act (VCDPA)
Thresholds
Persons that conduct business in Virginia or produce products or services targeted to Virginia residents fall within the statute’s scope if they satisfy one of two thresholds, both of which turn on a minimum number of affected consumers. During a calendar year they must control or process:
- the personal data of at least 100,000 consumers, or
- the personal data of at least 25,000 consumers while deriving over 50 percent of gross revenue from the sale of personal data.
Exemptions
The Virginia Act has broader exemptions than the CCPA. Exempt entities include:
- Bodies, authorities, boards, bureaus, commissions, districts, and agencies of the Commonwealth and of its political subdivisions
- Non-profit organizations
- Institutions of higher education
- Financial institutions subject to GLBA
- Covered entities and business associates governed by HIPAA
Small businesses are not exempted as a category; they fall outside the law only to the extent they do not meet the thresholds above.
Information already regulated by other federal laws is also exempt from the VCDPA. This includes personal data governed by laws such as:
- Children’s Online Privacy Protection Act (COPPA)
- Fair Credit Reporting Act (FCRA)
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
Also exempt from the VCDPA is information collected about a controller’s employees or independent contractors in relation to their respective roles. In addition, nothing in the Act restricts a controller’s or processor’s ability to:
- Provide a product or service specifically requested by a consumer, or protect the security, safety, or life of a consumer or another person
- Comply with the law or respond to legal process
- Conduct public or peer-reviewed research in the public interest, or internal research to develop, improve, or repair products and services
- Defend legal claims
- Perform internal operations that are reasonably aligned with the consumer’s expectations
Credit information handled under FCRA, listed above, is exempt at the data level rather than under these purpose-based exceptions.
The VCDPA also exempts categories of health information regulated by HIPAA and related health privacy laws, including:
- Health records
- Information relating to human research subjects
- Protected Health Information (PHI)
Finally, the Act limits secondary liability. A controller or processor that discloses personal data to a third-party controller or processor in compliance with the VCDPA is not deemed to have violated the law if the third-party recipient goes on to violate it, provided the disclosing party did not have actual knowledge at the time of disclosure that the recipient intended to commit a violation.
Cure Period
Prior to initiating an action, the attorney general must provide a controller or processor with 30 days’ written notice identifying the specific provisions alleged to have been, or that are being, violated. If within the 30-day period the controller or processor cures the noticed violation and provides the attorney general an express written statement that the alleged violations have been cured and that no further violations shall occur, no action shall be initiated against the controller or processor. Unlike several later state laws, Virginia’s cure period has no sunset date.
Response Time Frames
The VCDPA does not specify different compliance time periods based on the type of request. A controller has 45 days from receipt to respond to any type of consumer request, including opt-outs. Like the CCPA, the controller may extend for one additional 45-day period when “reasonably necessary,” provided it notifies the consumer within the original window and explains the reason for the extension. Authentication is handled separately from the extension: if a controller cannot authenticate a request using commercially reasonable efforts, it is not required to comply and may ask the consumer for additional information reasonably necessary to authenticate the request.
Colorado Privacy Act (CPA)
Thresholds
There is no applicable revenue threshold. “Consumers” are defined in the CPA to include Colorado residents acting in their individual or household contexts. The CPA excludes individuals acting in a commercial or employment context, job applicants, and beneficiaries of someone acting in an employment context from its definition of “consumer.” “Personal data” under the CPA is defined to mean “information that is linked or reasonably linkable to an identified or identifiable individual.”
The CPA is similar to the VCDPA and CCPA but includes a few notable differences. It applies to any controller that:
- conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and either
- controls or processes the personal data of 100,000 consumers or more during a calendar year; or
- derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.
Note that the second threshold carries no revenue percentage: any revenue or discount from selling personal data, combined with 25,000 consumers, is enough.
The CPA’s requirements will not extend to de-identified data or publicly available information.
Exemptions
As is the case with most U.S. states, certain types of personal information are already covered by other laws, across different industries and at the state and federal level, and are exempt. These include personal data governed by:
- Children’s Online Privacy Protection Act (COPPA)
- Fair Credit Reporting Act (FCRA)
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
There are also exempt data types that include de-identified personal data, employee data including job applicant data, and personal information collected for commercial or B2B purposes.
Unlike California and Virginia, the CPA does not provide exemptions for non-profit organizations. The CPA applies to all entities that meet the thresholds set forth by the law.
Cure Period
Until the end of 2024, the CPA requires the AG or district attorneys to issue a notice of violation and allow entities 60 days to cure the alleged violation before bringing an enforcement action. The right to cure sunsets on January 1, 2025, after which enforcement may proceed without a cure opportunity.
Response Time Frames
Like other states, the general time frame for controllers to respond to a Data Subject Rights Request is 45 days, with an additional 45-day extension where reasonably necessary. And like California, upon receiving an opt-out request, controllers must cease processing the consumer’s personal data for targeted advertising, the sale of personal data, or profiling as soon as feasibly possible and no later than 15 days after receipt. Third parties must also cease processing that data within the same time frame.
Connecticut Data Privacy Act (CTDPA)
Thresholds
The CTDPA’s protections apply to ‘consumers’ defined as individuals who are residents of Connecticut. However, the CTDPA’s definition of ‘consumer’ does not include individuals acting in a commercial or employment context.
With respect to data controllers and organizations, the CTDPA’s scope extends to entities that:
- conduct business in Connecticut, or produce products or services that are targeted to Connecticut residents; and
- during the preceding calendar year, either:
- processed the personal data of at least 100,000 consumers (excluding personal data processed solely for the purpose of completing a payment transaction); or
- processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
Similarly to other US state privacy laws, the CTDPA includes exceptions to its applicability. Certain entities, including state and local government entities, non-profits, higher education institutions, and entities subject to the Gramm-Leach-Bliley Act of 1999 (‘GLBA’) and to the Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’), do not fall under its scope.
Exemptions
The CTDPA explicitly excludes the following entities and certain types of personal information maintained in compliance with them:
- State and local governments
- Nonprofit organizations
- Financial institutions subject to the Gramm-Leach-Bliley Act (“GLBA”)
- National securities associations registered under the Securities Exchange Act of 1934
- Entities subject to the Health Insurance Portability and Accountability Act (“HIPAA”)
- Personal data regulated by the Fair Credit Reporting Act (FCRA) (a data-level rather than entity-level exemption)
- Higher education institutions
Cure Period
Violations of the CTDPA carry a hefty price tag: they are treated as unfair trade practices, and entities or individuals that fail to comply are subject to civil penalties of up to $5,000 per willful violation. The Act includes a 60-day cure period to remedy violations, longer than in many other states, but this right to cure sunsets on December 31, 2024, which makes the penalty that much more significant from 2025 onward.
Response Time Frames
Controllers are obligated to respond to a consumer’s request “without undue delay.” A controller must respond to a consumer’s requests no later than 45 days after receipt of the request. The controller may extend the response period by an additional 45 days if reasonably necessary.
Utah Consumer Privacy Act (UCPA)
Thresholds
UCPA will only apply to businesses with annual revenue of $25 million or greater. The UCPA will apply to for-profit businesses that conduct business in Utah or produce products or services targeted to Utah consumers, and either:
- control or process the personal data of 100,000 or more Utah consumers, or
- derive more than 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of at least 25,000 Utah consumers.
Utah residents acting in a commercial or employment context are excluded from the definition of “consumer.” The Act also contains a long list of exemptions similar to the VCDPA’s.
Exemptions
The UCPA includes both data-specific and entity-level exemptions, and does not apply to information and organizations that are already subject to the following laws:
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Fair Credit Reporting Act (FCRA)
- Driver’s Privacy Protection Act (DPPA)
- Family Educational Rights and Privacy Act (FERPA)
- Farm Credit Act (FCA)
Exempt entities also include:
- institutions of higher education
- nonprofit organizations
- government entities and their contractors
- tribes
- air carriers
Cure Period
If a business is found to be in violation of the law, the attorney general of Utah will provide written notice and a 30-day cure period. Currently there is no sunset to this provision.
Response Time Frames
Although more limited than in other states, consumers still have rights they can exercise. Controllers must specify one or more means by which consumers can submit a request, and must respond within 45 days of receipt, with a 45-day extension where reasonably necessary. The same time frame applies to opt-out requests.
The UCPA uses an opt-out model: personal data can be collected, sold, or used for targeted advertising without consumers’ consent, unless the data belongs to a known child, in which case the controller must process it in accordance with COPPA, including obtaining consent from a parent or legal guardian.
Texas Data Privacy and Security Act (TDPSA)
Thresholds
The TDPSA has no thresholds based on annual revenue or the volume of personal data processed. Instead, the TDPSA applies to entities that:
- Conduct business in Texas or produce products or services consumed by Texas residents;
- process or engage in the sale of personal data; and
- are not a “small business” as defined by the Small Business Administration (SBA).
Even an exempt small business is not entirely outside the law: it may not sell sensitive personal data without the consumer’s prior consent.
Companies may find that determining whether they qualify as a “small business” under SBA regulations is surprisingly complicated. The SBA does not have a single definition of “small business”; its size standards vary widely from one industry to the next. To assess whether a business qualifies as “small,” the SBA offers a “Size Standards Tool” based on economic activity measurements tied to the North American Industry Classification System (NAICS) code for the business’s industry.
Exemptions
Like many state data privacy laws, the TDPSA contains entity-level, data-specific, and employment-related exemptions. Additionally, the TDPSA only protects consumers acting in an individual or household capacity, meaning it is also not applicable in B2B contexts.
Cure Period
The TDPSA provides a 30-day cure period with no sunset; the cure period is a permanent feature of the law.
Response Time Frames
A controller must respond to consumer requests within 45 days, with an extension of an additional 45 days if reasonably necessary.
Do Not Sell and other opt-out requests share the same 45-day response time. Beginning January 1, 2025, controllers must also honor universal opt-out mechanisms, allowing consumers to exercise opt-out rights through a browser extension or setting, a global setting on an electronic device, or a similar global technology, in addition to a clear and conspicuous link on the controller’s website.
Montana Consumer Data Privacy Act (MTCDPA)
Thresholds
The MTCDPA applies to companies that conduct business in Montana or target products or services to Montana residents that:
- Control or process the personal data of not less than 50,000 Montana residents, excluding personal data controlled or processed solely for purposes of completing a payment transaction; or
- Control or process the personal data of not less than 25,000 Montana residents and derive more than 25 percent of gross revenue from the sale of personal data.
Exemptions
Consistent with most other state data privacy laws, the MTCDPA contains entity-level, data-specific, and employment-related exemptions.
Cure Period
The Montana attorney general must give a controller notice and the opportunity to cure an alleged violation within 60 days of receiving the notice. The controller must fix the issue and take steps to prevent it from recurring.
If the controller cures the alleged violation within the 60-day cure period and provides an express written statement to the attorney general confirming that the alleged violations were corrected, the attorney general may not initiate an action against the controller. This cure provision sunsets on April 1, 2026.
Response Time Frames
A controller must respond to consumer requests within 45 days, with an extension of an additional 45 days if reasonably necessary.
Iowa Consumer Data Privacy Act (ICDPA)
Thresholds
The Iowa law applies to persons conducting business in Iowa or producing products or services targeted to Iowa consumers that, during a calendar year, either:
- Control or process the personal data of at least 100,000 Iowa consumers; or
- Control or process the personal data of at least 25,000 Iowa consumers and derive over 50% of gross revenue from the sale of personal data.
Notably, the ICDPA does not include a minimum annual revenue threshold. Small businesses that avoided other states’ privacy laws because they did not meet those statutes’ revenue thresholds may still be subject to the ICDPA and should carefully evaluate whether they meet either of the above criteria.
Exemptions
Iowa’s data exemptions will be familiar as well. Information exempted from the Iowa privacy law includes personal data covered by existing federal privacy and protection laws.
Cure Period
A 90-Day Cure Period – the ICDPA provides a 90-day cure period for alleged violations (the longest cure period of any U.S. privacy law).
Response Time Frames
90 days to respond to verifiable consumer requests. And an additional 45-day extension when reasonably necessary (again, the longest response time frame of any U.S. privacy law – a potential maximum of 135 days).
Tennessee Information Protection Act (TIPA)
Thresholds
The TIPA applies to entities (“controllers”) that conduct business in Tennessee or offer products or services targeted to Tennessee residents, that exceed $25 million in annual revenue, and that either:
- Controls personal information of at least 175,000 Tennessee residents; or
- Controls personal information of at least 25,000 Tennessee residents while deriving more than 50% of its gross revenue from the sale of personal information.
Exemptions
Information exempted from the Tennessee act includes personal data covered by existing federal privacy and protection laws.
Cure Period
60-Day Cure Period – The TIPA’s 60-day cure period is second in length only to Iowa’s 90 days and, unlike the 60-day periods in Colorado and Connecticut, it does not sunset.
Response Time Frames
Controllers in Tennessee are required to respond to a consumer’s request for personal information within 45 days of receipt. Extensions allow an additional 45 days if reasonably necessary.
Indiana Consumer Data Protection Act (ICDPA)
Thresholds
The ICDPA applies to entities that conduct business in the state or produce products or services targeted at Indiana residents. These entities must control or process the personal data of either:
- 100,000 consumers, or
- 25,000 consumers while deriving over 50% of their gross revenue from the sale of personal data.
Exemptions
Information exempted from the Indiana act includes personal data covered by existing federal privacy and protection laws.
Cure Period
Before initiating an action, the Indiana attorney general must give a controller or processor written notice of the alleged violation and a 30-day period to cure it. The cure provision has no sunset.
Response Time Frames
Controllers in Indiana are required to respond to a consumer’s request for personal information within 45 days of receipt. Extensions allow an additional 45 days if reasonably necessary.
Oregon Consumer Privacy Act (OCPA)
Thresholds
The OCPA applies to entities who conduct business in Oregon or who provide products or services to Oregon residents and that during a calendar year:
- Control or process the personal data of 100,000 or more Oregon residents (other than personal data controlled or processed solely for the purpose of completing a payment transaction); or
- Controls or processes the personal data of 25,000 or more consumers while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.
These thresholds closely track Connecticut’s and Montana’s (a consumer-count threshold that excludes payment-only data, plus a 25,000-consumer threshold paired with a 25 percent revenue test) and, unlike some other state privacy laws, do not include an initial threshold based on an entity’s annual revenue.
Exemptions
The Oregon act departs from other U.S. privacy laws in several respects. Its exemptions are broadly similar to Colorado’s and Connecticut’s, but with notable exceptions to the common ones: there is no entity-level exemption for financial institutions subject to GLBA or for HIPAA covered entities (only the regulated data itself is exempt), and nonprofit organizations are not permanently exempt but become subject to the law on July 1, 2025.
Cure Period
The Attorney General of Oregon has the power to investigate violations and can issue a notice to a business, granting it a 30-day cure period to address the alleged violations. Failure to remedy the violations within that period can result in civil penalties of up to $7,500 per violation. The cure period sunsets on January 1, 2026.
Response Time Frames
Controllers in Oregon are required to respond to a consumer’s request for personal information within 45 days of receipt. Extensions allow an additional 45 days if reasonably necessary.