Which US states have a comprehensive consumer privacy law?

California led with the CCPA (as amended by the CPRA), and roughly twenty states have since enacted comprehensive consumer privacy statutes. Coverage thresholds and consumer rights vary by state — see the comparison table for each jurisdiction.

Can consumers sue a business for violating a state privacy law?

In most states, no — the comprehensive privacy laws are enforced by the state attorney general or a dedicated privacy agency, not by private plaintiffs. California is the main exception, allowing a narrow private right of action for certain data breaches.

50-State Law Survey

State Consumer Privacy Laws by US Jurisdiction

A side-by-side comparison of how each US state regulates consumer personal information — who is covered, what a compliant privacy policy must contain, whether consumers can sue, and who enforces the law. Each row links to the full practice note for that jurisdiction. This is legal research, not legal advice.

State Consumer Privacy Laws by US Jurisdiction — 20 jurisdictions. Open a row for details, or follow a link to the full practice note.
Jurisdiction	Summary	Main law	Privacy policy required?	Last reviewed
California	If your business meets a CCPA threshold, you must post a CCPA-compliant privacy policy, honor consumer rights and opt-out signals, put statutory terms in your vendor contracts, and maintain reasonable security — or face CPPA/AG enforcement and, after a breach, consumer suits.	Cal. Civ. Code § 1798.100 et seq. (CCPA, as amended by the CPRA)	yes	Jun 3, 2026
Who does it cover? For-profit businesses doing business in California that meet a threshold — e.g., over $25,000,000 in annual gross revenue (CPI-adjusted to $26,625,000 for 2025–2026) Can consumers sue? Narrow — data breaches only (§ 1798.150) Who enforces it? California Privacy Protection Agency (CPPA) and the Attorney General
Colorado	If you do business in Colorado and meet the 100,000-consumer (or 25,000 plus data-sale) threshold — nonprofits included — the CPA requires a privacy notice, a universal opt-out mechanism, processor contracts, and consent to process sensitive data, enforced by the Attorney General with no consumer lawsuits and no cure period.	Colo. Rev. Stat. §§ 6-1-1301 et seq. (Colorado Privacy Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 4, 2026
Who does it cover? Controllers doing business in Colorado (or targeting Coloradans) that control or process the data of 100,000+ consumers a year, or 25,000+ while deriving revenue from selling data — nonprofits included; no revenue floor Can consumers sue? No — the statute bars any private right of action Who enforces it? Colorado Attorney General and district attorneys
Connecticut	If you meet the 100,000-consumer (or 25,000 plus data-sale) threshold in Connecticut, the CTDPA requires a privacy notice, recognition of universal opt-out signals, processor contracts, and consent for sensitive data — enforced by the Attorney General, with no consumer lawsuits and a cure period that expired at the end of 2024.	Conn. Gen. Stat. §§ 42-515 et seq. (Connecticut Data Privacy Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 4, 2026
Who does it cover? Persons doing business in Connecticut (or targeting residents) that control or process the data of 100,000+ consumers a year, or 25,000+ while deriving 25%+ of gross revenue from selling data — no revenue floor; nonprofits exempt Can consumers sue? No — the statute bars any private right of action Who enforces it? Connecticut Attorney General (exclusive)
Delaware	If you control or process the data of 35,000 Delaware residents (or 10,000 plus a fifth of revenue from selling data), the DPDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Department of Justice, whose temporary right-to-cure expired at the end of 2025, with no consumer lawsuits.	Del. Code tit. 6 §§ 12D-101 et seq. (Delaware Personal Data Privacy Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 6, 2026
Who does it cover? Persons doing business in Delaware (or targeting residents) that control or process the data of 35,000+ consumers a year, or 10,000+ while deriving more than 20% of gross revenue from selling data — no revenue floor, and only insurance-crime nonprofits are exempt Can consumers sue? No — enforcement belongs solely to the Delaware Department of Justice Who enforces it? Delaware Department of Justice (exclusive)
Indiana	If you meet the 100,000-consumer (or 25,000 plus majority-data-sale) threshold in Indiana, the INCDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General with a permanent 30-day cure period and no consumer lawsuits. Its broad entity-level exemptions (nonprofits, HIPAA entities, higher education, utilities) keep many organizations out entirely.	Ind. Code §§ 24-15 et seq. (Indiana Consumer Data Protection Act), effective January 1, 2026	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 6, 2026
Who does it cover? Persons doing business in Indiana (or targeting residents) that control or process the data of 100,000+ Indiana consumers a year, or 25,000+ while deriving over 50% of gross revenue from selling data — no revenue floor, and entity-level exemptions for nonprofits, HIPAA covered entities, higher education, GLBA institutions, and public utilities Can consumers sue? No — enforcement is exclusively the Attorney General's Who enforces it? Indiana Attorney General (exclusive)
Iowa	If you meet the 100,000-consumer (or 25,000 plus majority-data-sale) threshold in Iowa, the ICDPA requires a privacy notice, processor contracts, and notice plus an opportunity to opt out before processing sensitive data — but not opt-in consent or a universal opt-out signal — enforced by the Attorney General with a 90-day cure period and no consumer lawsuits.	Iowa Code §§ 715D.1 et seq. (Iowa Consumer Data Protection Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 5, 2026
Who does it cover? Persons conducting business in Iowa (or targeting residents) that, in a calendar year, control or process the data of 100,000+ consumers, or 25,000+ while deriving over 50% of gross revenue from selling data — no revenue floor; nonprofits, government, GLBA and HIPAA entities, and higher-education institutions exempt Can consumers sue? No — enforcement is exclusively the Attorney General's Who enforces it? Iowa Attorney General (exclusive)
Kentucky	If you meet the 100,000-consumer (or 25,000 plus majority-data-sale) threshold in Kentucky, the KCDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General with a permanent 30-day cure period and no consumer lawsuits.	KRS 367.3611 to 367.3629 (Kentucky Consumer Data Protection Act), effective January 1, 2026	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 6, 2026
Who does it cover? Persons doing business in Kentucky (or targeting residents) that control or process the data of 100,000+ consumers a year, or 25,000+ while deriving over 50% of gross revenue from selling data — no revenue floor; nonprofits and higher-education institutions exempt Can consumers sue? No — enforcement is exclusively the Attorney General's Who enforces it? Kentucky Attorney General (exclusive)
Maryland	If you meet the 35,000-consumer (or 10,000 plus 20%-data-sale) threshold in Maryland, MODPA requires a detailed privacy notice and processor contracts, limits sensitive-data collection to what is strictly necessary, and bans the sale of sensitive data and of a minor's data outright — enforced by the Attorney General, with a cure period that sunsets for violations after April 1, 2027 and no consumer lawsuits.	Md. Code Ann., Com. Law §§ 14-4701 et seq. (Maryland Online Data Privacy Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents, including detailed third-party disclosures	Jun 6, 2026
Who does it cover? Persons doing business in Maryland (or targeting residents) that, in the prior calendar year, controlled or processed the data of 35,000+ consumers, or 10,000+ consumers while deriving more than 20% of gross revenue from selling data — a low threshold with only a narrow nonprofit carve-out Can consumers sue? No — enforcement is exclusively the Attorney General's Consumer Protection Division Who enforces it? Maryland Attorney General, Consumer Protection Division (exclusive)
Minnesota	If you control or process the data of 100,000+ Minnesota consumers (or 25,000+ plus over 25% of revenue from data sales), the MCDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — plus a uniquely strict list-of-third-parties right and profiling-reevaluation rights. The Attorney General enforces it; there are no consumer lawsuits, and the 30-day cure period has already expired.	Minn. Stat. §§ 325M.10–325M.21 (Minnesota Consumer Data Privacy Act), effective July 31, 2025	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 6, 2026
Who does it cover? Legal entities doing business in Minnesota (or targeting residents) that control or process the data of 100,000+ consumers a year (excluding payment-only data), or 25,000+ while deriving over 25% of gross revenue from selling data — no general nonprofit exemption; small businesses exempt except they still cannot sell sensitive data without consent Can consumers sue? No — enforcement is exclusively the Attorney General's Who enforces it? Minnesota Attorney General (exclusive)
Montana	If you meet the 25,000-consumer (or 15,000 plus over-25%-data-sale) threshold in Montana, the MCDPA requires a privacy notice, opt-in consent to process sensitive data, recognition of a universal opt-out preference signal, and processor contracts — enforced by the Attorney General, with no consumer lawsuits and, since the 2025 amendments, no general right to cure before penalties of up to $7,500 per violation.	Mont. Code Ann. §§ 30-14-2801 et seq. (codified short title Consumer Data Privacy Act; commonly the Montana Consumer Data Privacy Act, or MCDPA)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 5, 2026
Who does it cover? Persons doing business in Montana (or targeting residents) that control or process the data of 25,000+ consumers, or 15,000+ while deriving over 25% of gross revenue from selling data — no revenue floor; state agencies, higher-education institutions, GLBA banks, HIPAA covered entities, and insurers are exempt Can consumers sue? No — enforcement is exclusively the Attorney General's Who enforces it? Montana Attorney General (exclusive)
Nebraska	If you do business in Nebraska (or serve its residents), process or sell personal data, and are not a federal small business, the Data Privacy Act requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General with a 30-day cure period and no consumer lawsuits.	Neb. Rev. Stat. §§ 87-1101 et seq. (Nebraska Data Privacy Act, effective Jan. 1, 2025)	Yes — a reasonably accessible and clear privacy notice with statutorily fixed contents	Jun 6, 2026
Who does it cover? Persons that conduct business in Nebraska or produce a product or service consumed by Nebraska residents, that process or sell personal data, and that are not a small business under the federal Small Business Act — no consumer-count or revenue threshold; state agencies, GLBA, HIPAA, nonprofits, and higher-education institutions exempt Can consumers sue? No — the Act cannot be construed as a basis for a private right of action Who enforces it? Nebraska Attorney General (exclusive)
New Hampshire	If you meet the 35,000-consumer (or 10,000 plus majority-share-of-revenue-from-data-sale) threshold in New Hampshire, ch. 507-H requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General with no consumer lawsuits and a cure period that became discretionary on January 1, 2026.	N.H. Rev. Stat. Ann. ch. 507-H (New Hampshire Privacy Act), effective January 1, 2025	Yes — a clear and meaningful privacy notice in a reasonably accessible format with statutorily fixed contents	Jun 6, 2026
Who does it cover? Persons doing business in New Hampshire (or targeting residents) that in a one-year period control or process the data of 35,000+ unique consumers (excluding payment-only data), or 10,000+ consumers while deriving more than 25% of gross revenue from selling data — no revenue floor; nonprofits, higher education, and GLBA- and HIPAA-regulated entities exempt Can consumers sue? No — enforcement is exclusively the Attorney General's Who enforces it? New Hampshire Attorney General (exclusive)
New Jersey	If you meet the 100,000-consumer (or 25,000 plus any data-sale revenue) threshold in New Jersey, the NJDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General as an unlawful practice under the Consumer Fraud Act, with no consumer lawsuits and a cure period that sunsets after the law's first 18 months.	N.J.S.A. 56:8-166.4 et seq. (New Jersey Data Privacy Act), effective January 15, 2025	Yes — a reasonably accessible, clear, and meaningful notice with seven statutorily fixed contents	Jun 6, 2026
Who does it cover? Controllers doing business in New Jersey (or targeting residents) that control or process the data of 100,000+ consumers a year (excluding payment-only data), or 25,000+ while deriving any revenue or a discount from selling data — no revenue floor, and no exemption for nonprofits Can consumers sue? No — enforcement is exclusively the Attorney General's Who enforces it? New Jersey Attorney General, through the Division of Consumer Affairs (exclusive)
Oregon	If you meet the 100,000-consumer (or 25,000 plus 25%-data-sale-revenue) threshold in Oregon, the OCPA requires a privacy notice with prescribed contents, opt-in consent to process sensitive data, recognition of a universal opt-out signal, and processor contracts — enforced by the Attorney General with civil penalties up to $7,500 per violation, no consumer lawsuits, and no general right to cure after January 1, 2026.	Or. Rev. Stat. §§ 646A.570–646A.589 (Oregon Consumer Privacy Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 5, 2026
Who does it cover? Persons doing business in Oregon (or targeting residents) that, in a calendar year, control or process the personal data of 100,000+ consumers, or 25,000+ while deriving 25% or more of annual gross revenue from selling personal data — no dollar revenue floor; nonprofits covered; GLBA financial institutions, insurers, and public bodies are exempt at the entity level, while HIPAA-regulated health data is exempt only at the data level (so HIPAA-covered businesses still comply for non-exempt data) Can consumers sue? No — enforcement is exclusively the Attorney General's Who enforces it? Oregon Attorney General (exclusive)
Pennsylvania	Pennsylvania has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, notice-at-collection, consent, or processor-contract duties under state law. The operative state statute is the Breach of Personal Information Notification Act, which requires notice of a data breach without unreasonable delay and is enforced solely by the Attorney General. Everything else in a Pennsylvania-facing privacy program comes from the federal and sectoral overlay — FTC Act § 5, GLBA, HIPAA, and COPPA — so build to those and to the Breach Act, and the program auto-upgrades if Pennsylvania later enacts an omnibus law. One state-law exposure does demand attention now — Pennsylvania's all-party-consent wiretap statute (WESCA) has become the basis for website session-replay and tracking-pixel class actions, so obtain visitor consent before running third-party tracking.	Pennsylvania Breach of Personal Information Notification Act, 73 P.S. §§ 2301 et seq. — Pennsylvania has no comprehensive consumer-privacy law; the Breach Act plus a federal and sectoral overlay is the operative framework	No comprehensive Pennsylvania statute mandates a consumer privacy policy or fixes its contents; contents are driven by FTC Act § 5 (a policy that misstates practices is deceptive), the UTPCPL, and the GLBA, HIPAA, and COPPA rules where the business is in scope	Jun 7, 2026
Who does it cover? Any entity — a sole proprietorship, partnership, corporation, association, or other group, for profit or not — doing business in Pennsylvania that maintains, stores, or manages computerized personal information of Pennsylvania residents; no revenue or consumer-volume threshold Can consumers sue? Not under the Breach Act — the Attorney General has exclusive UTPCPL enforcement authority; but Pennsylvania's all-party-consent wiretap law (WESCA, 18 Pa.C.S. § 5725) provides a private cause of action that drives website session-replay class actions Who enforces it? Pennsylvania Office of Attorney General
Rhode Island	If your commercial website sells Rhode Island customers' personal information, RIDTPPA requires an information-sharing-practices notice; meeting the 35,000-customer (or 10,000-plus-20%-data-sale) threshold adds opt-in consent for sensitive data and binding processor contracts — all enforced by the Attorney General, with no consumer lawsuits.	R.I. Gen. Laws ch. 6-48.1 (Rhode Island Data Transparency and Privacy Protection Act), effective January 1, 2026	Yes — a commercial website or ISP that collects, stores, and sells customers' personal information must conspicuously disclose data categories, the third parties it sells to, and a contact mechanism	Jun 6, 2026
Who does it cover? Two tracks: any commercial website or internet service provider that collects, stores, and sells customers' personal information must post information-sharing disclosures; the broader controller duties reach for-profit entities that control or process the data of 35,000+ Rhode Island customers, or 10,000+ while deriving over 20% of gross revenue from data sales. Financial institutions, GLBA/HIPAA data, nonprofits, and government bodies are exempt. Can consumers sue? No — the statute expressly forbids any private right of action; the Attorney General is the sole enforcer Who enforces it? Rhode Island Attorney General (sole enforcement authority)
Tennessee	If you exceed the $25 million revenue floor and meet Tennessee's large consumer-volume tests, TIPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General with a 60-day cure period and no consumer lawsuits, and uniquely offering an affirmative defense to businesses that maintain a written privacy program conforming to the NIST privacy framework.	Tenn. Code Ann. §§ 47-18-3301 et seq. (Tennessee Information Protection Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 6, 2026
Who does it cover? Persons doing business in Tennessee (or targeting residents) that exceed $25 million in revenue AND either process the information of 175,000+ consumers a year, or 25,000+ while deriving over 50% of gross revenue from selling personal information — a high entry bar; nonprofits, government, GLBA, HIPAA, and higher-education entities exempt Can consumers sue? No — enforcement is exclusively the Attorney General's Who enforces it? Tennessee Attorney General and Reporter (exclusive)
Texas	If you do business in Texas and are not an SBA small business, the TDPSA requires a specific privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced solely by the Attorney General, with no consumer lawsuits.	Tex. Bus. & Com. Code ch. 541 (Texas Data Privacy and Security Act)	Yes — a reasonably accessible and clear notice with statutorily fixed contents	Jun 4, 2026
Who does it cover? Anyone who does business in Texas (or sells products/services to Texans), processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration — no revenue or data-volume threshold Can consumers sue? No — the statute bars any private right of action Who enforces it? Texas Attorney General (exclusive)
Utah	The UCPA covers only larger businesses ($25M+ revenue plus a volume threshold). Covered controllers must post a privacy notice, give notice and an opt-out before processing sensitive data, sign processor contracts, and honor opt-outs — enforced by the Attorney General after a 30-day cure, with no consumer lawsuits.	Utah Code §§ 13-61-101 et seq. (Utah Consumer Privacy Act)	Yes — a reasonably accessible and clear notice with statutorily fixed contents	Jun 4, 2026
Who does it cover? Controllers or processors doing business in Utah (or targeting Utahns) with $25,000,000+ annual revenue that also process the data of 100,000+ consumers a year, or 25,000+ while deriving 50%+ of revenue from selling data Can consumers sue? No — enforcement is exclusively the Attorney General's Who enforces it? Utah Attorney General (after Division of Consumer Protection investigation)
Virginia	If you meet the 100,000-consumer (or 25,000 plus majority-data-sale) threshold in Virginia, the VCDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General with a permanent 30-day cure period and no consumer lawsuits.	Va. Code §§ 59.1-575 et seq. (Virginia Consumer Data Protection Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 4, 2026
Who does it cover? Persons doing business in Virginia (or targeting residents) that control or process the data of 100,000+ consumers a year, or 25,000+ while deriving over 50% of gross revenue from selling data — no revenue floor; nonprofits exempt Can consumers sue? No — enforcement is exclusively the Attorney General's Who enforces it? Virginia Attorney General (exclusive)