Thresholds vary widely.
From no threshold (TX, NE) to $25M revenue + consumer counts (UT, TN). Most states use 100,000 consumers as the trigger.
Coverage
The laws
behind the score.
Major active US state privacy laws, plus GDPR and PIPEDA. Your diagnostic flags obligations based on detected storefront signals — click any jurisdiction for thresholds, requirements, and penalties.
/ US state laws · sorted by effective date
CA
CCPA/CPRA
California
The most comprehensive US state privacy law. Grants consumers rights to know, delete, correct, and opt-out...
VA
VCDPA
Virginia
Provides consumers with rights to access, correct, delete, and opt-out of data processing for targeted...
CO
CPA
Colorado
Similar to VCDPA with additional requirement to honor universal opt-out mechanisms. Requires clear...
CT
CTDPA
Connecticut
Closely modeled after CPA. Requires recognition of universal opt-out signals and provides strong consumer rights.
UT
UCPA
Utah
Most business-friendly of the early state privacy laws. Requires both revenue threshold AND consumer...
TX
TDPSA
Texas
Applies to any business that processes personal data and is not a 'small business' under the SBA...
OR
OCPA
Oregon
Includes non-profit organizations (unique among state privacy laws). Broad definition of sensitive data...
MT
MCDPA
Montana
Lower consumer threshold (50K) reflecting Montana's smaller population. Otherwise similar to the Virginia model.
IA
ICDPA
Iowa
Business-friendly law similar to Utah. No data minimization requirement. 90-day cure period is the longest...
DE
DPDPA
Delaware
One of the lowest thresholds among state privacy laws (35K consumers). Strong consumer protections with...
NE
NDPA
Nebraska
No consumer or revenue thresholds - applies to all businesses operating in Nebraska that process personal...
NH
NHPA
New Hampshire
Low threshold similar to Delaware. Standard Virginia-model privacy law with universal opt-out requirement.
NJ
NJDPA
New Jersey
Strong consumer protections with financial incentive disclosure requirements. Broad sensitive data definition.
TN
TIPA
Tennessee
Requires both $25M revenue AND consumer threshold. Includes affirmative defense for businesses with...
MN
MNCDPA
Minnesota
Includes unique profiling protections and broad sensitive data definition. First state to include data...
MD
MODPA
Maryland
One of the strongest state privacy laws. Prohibits sale of sensitive data entirely. Strict data...
IN
INCDPA
Indiana
Standard Virginia-model law with standard thresholds and consumer rights.
KY
KCDPA
Kentucky
Virginia-model law. Standard consumer rights and business obligations.
RI
RIDTPPA
Rhode Island
Low threshold law with standard privacy rights. Applies to businesses processing data of 35K+ Rhode Island...
Comparison
Key differences for e-commerce.
Universal opt-out signals.
CA, CO, CT, DE, MD, MN, NE, NH, NJ, and TX require or are phasing in recognition of universal opt-out signals such as GPC.
Cure periods are shrinking.
Range from none (CA) to 90 days (IA). Many sunset provisions are temporary — what's a cure period today won't be one tomorrow.
Children's data is heightened.
CA, CT, DE, MD, NJ, MN have additional protections for minors. Some require opt-in consent for certain processing, sale, or targeted advertising involving minors; some require parental consent depending on age and data type.
Law database last updated April 2026. ClearConsent reviews and updates supported coverage as new legislation comes into effect.
See yours
Run a scan against these laws.
A real browser, the privacy laws that apply to your traffic, one number. Free on the home page — no sign-up required.
Run the diagnostic