Privacy Laws We Track
21 laws tracked
Comprehensive overview of all 21 tracked privacy laws — 19 US state laws plus international regulations.
CAN
PIPEDA
Canada
Canada's federal privacy law governing how private-sector organizations collect, use, and disclose personal information in the course of commercial ac...
Effective 2000-01-01
EU
GDPR
European Union
The world's most comprehensive data protection regulation. Applies to any business that offers goods or services to EU residents or monitors their beh...
Effective 2018-05-25
CA
CCPA/CPRA
California
The most comprehensive US state privacy law. Grants consumers rights to know, delete, correct, and opt-out of sale/sharing of personal information. Re...
Effective 2020-01-01
50,000+ consumers
VA
VCDPA
Virginia
Provides consumers with rights to access, correct, delete, and opt-out of data processing for targeted advertising and sale of personal data. Requires...
Effective 2023-01-01
100,000+ consumers
CO
CPA
Colorado
Similar to VCDPA with additional requirement to honor universal opt-out mechanisms. Requires clear affirmative consent for sensitive data.
Effective 2023-07-01
100,000+ consumers
CT
CTDPA
Connecticut
Closely modeled after CPA. Requires recognition of universal opt-out signals and provides strong consumer rights.
Effective 2023-07-01
100,000+ consumers
UT
UCPA
Utah
Most business-friendly of the early state privacy laws. Requires both revenue threshold AND consumer threshold. Opt-out model for sensitive data rathe...
Effective 2023-12-31
100,000+ consumers
TX
TDPSA
Texas
Applies to any business that processes personal data and is not a 'small business' under the SBA definition. No consumer threshold. Very broad applica...
Effective 2024-07-01
No threshold
OR
OCPA
Oregon
Includes non-profit organizations (unique among state privacy laws). Broad definition of sensitive data including transgender/non-binary status.
Effective 2024-07-01
100,000+ consumers
MT
MCDPA
Montana
Lower consumer threshold (50K) reflecting Montana's smaller population. Otherwise similar to the Virginia model.
Effective 2024-10-01
50,000+ consumers
IA
ICDPA
Iowa
Business-friendly law similar to Utah. No data minimization requirement. 90-day cure period is the longest among state laws.
Effective 2025-01-01
100,000+ consumers
DE
DPDPA
Delaware
One of the lowest thresholds among state privacy laws (35K consumers). Strong consumer protections with universal opt-out requirement.
Effective 2025-01-01
35,000+ consumers
NE
NDPA
Nebraska
No consumer or revenue thresholds - applies to all businesses operating in Nebraska that process personal data. Broad scope similar to Texas.
Effective 2025-01-01
No threshold
NH
NHPA
New Hampshire
Low threshold similar to Delaware. Standard Virginia-model privacy law with universal opt-out requirement.
Effective 2025-01-01
35,000+ consumers
NJ
NJDPA
New Jersey
Strong consumer protections with financial incentive disclosure requirements. Broad sensitive data definition.
Effective 2025-01-15
100,000+ consumers
TN
TIPA
Tennessee
Requires both $25M revenue AND consumer threshold. Includes affirmative defense for businesses with privacy programs conforming to NIST frameworks.
Effective 2025-07-01
25,000+ consumers
MN
MNCDPA
Minnesota
Includes unique profiling protections and broad sensitive data definition. First state to include data inventorying requirements.
Effective 2025-07-31
100,000+ consumers
MD
MODPA
Maryland
One of the strongest state privacy laws. Prohibits sale of sensitive data entirely. Strict data minimization. Strong children's protections (under 18)...
Effective 2025-10-01
35,000+ consumers
IN
INCDPA
Indiana
Standard Virginia-model law with standard thresholds and consumer rights.
Effective 2026-01-01
100,000+ consumers
KY
KCDPA
Kentucky
Virginia-model law. Standard consumer rights and business obligations.
Effective 2026-01-01
100,000+ consumers
RI
RIDTPPA
Rhode Island
Low threshold law with standard privacy rights. Applies to businesses processing data of 35K+ Rhode Island consumers.
Effective 2026-01-01
35,000+ consumers
Key Differences for E-commerce
- Thresholds vary widely: From no threshold (TX, NE) to $25M revenue + consumer counts (UT, TN)
- Universal opt-out: CA, CO, CT, DE, MD, MN, NE, NH, NJ, TX require honoring GPC/universal opt-out signals
- Sensitive data: Most states require opt-in consent; UT uses opt-out; MD prohibits sale entirely
- Cure periods: Range from none (CA) to 90 days (IA). Many are temporary and will expire
- Children's data: CA, CT, DE, MD, NJ, MN have heightened protections for minors