Essential compliance guidance for navigating the expanding landscape of U.S. state privacy and data security laws.
Overview of major state privacy laws that came into effect starting in 2023.
Key focus areas to make privacy and data security compliance achievable for insights organizations.
Summary of additional state privacy laws that became effective mid-2024.
A separate portal dedicated to CCPA/CPRA, and related consumer privacy and data security laws/regulations.
Colorado Governor Jared Polis (D) signed the Colorado Privacy Act into law on July 7, 2021.
New rules for implementing the Colorado Privacy Act (CPA) are available for insights professionals to get into compliance.
The Colorado Attorney General (AG) updated the rules implementing the Colorado Privacy Act (CPA) twice in 2025.
A law signed April 17, 2024 adds biological and neural data to the Colorado Privacy Act.
A law signed on May 31, 2024 adds “enhanced protections” for when the data of a minor under age 18 “is processed and there is a heightened risk of harm to minors.” It applies much more broadly than the existing Colorado Privacy Act and its regulations, and is based on Connecticut’s minors privacy law.
A law signed on May 31, 2024 adds specific requirements for collecting, retaining, processing or using someone’s biometric data.
A 2025 law in Colorado revised the definition of precise geolocation data in the Colorado Privacy Act (CPA) and required prior consent for the sale of sensitive data.
The Connecticut Data Privacy Act was signed into law on May 10, 2022. It is enforced by the Connecticut Attorney General.
A June 26, 2023 law expands the state’s comprehensive consumer data privacy law to specifically cover consumer health data immediately, with new provisions on minors’ data privacy coming into effect in 2024.
A June 7, 2023 law requires state contractors to comply with the Connecticut Data Privacy Act (CTDPA).
2025 amendments dramatically expand the reach and complexity of the Connecticut Data Privacy Act (CTDPA).
A Connecticut Attorney General report on the first six months of enforcing the Connecticut Data Privacy Act (CTDPA) provides some useful compliance guidance (and warnings) for the state comprehensive privacy law, while highlighting areas that the regulator wants to dramatically expand.
A July 7, 2021 law, supported by IA, prohibits punitive damages in data breach tort litigation if a breached company abides by the right data security standards, like ISO 27001.
Delaware’s comprehensive state privacy law, the Delaware Personal Data Privacy Act (DPDPA), took effect January 1, 2025.
A July 1, 2014 law requires commercial entities to safely destroy documents containing personally identifying information.
The Delaware Online Privacy Protection Act (DOPPA) prohibits marketing or advertising certain products or services deemed harmful to children and requires internet service providers (ISPs) who collect personally identifiable information (PII) from Delaware residents for commercial purposes to conspicuously post a privacy policy on their website or application.
Delaware requires notification in case of a breach of security of state residents’ data.
The Indiana Consumer Data Protection Act takes effect January 1, 2026. The law does not allow for regulations, but the Indiana AG can issue guidance, model forms and language, etc.
Indiana's comprehensive state privacy law is finally coming into effect on January 1, 2026. The AG provides some guidance.
The Iowa Consumer Data Protection Act, the state’s comprehensive consumer privacy law enforced by the state Attorney General and offering a 90-day right to cure violations, came into effect on January 1, 2025.
The Kentucky Consumer Data Protection Act (KCDPA) is mostly modeled on Virginia's original privacy law, providing the usual range of consumer rights, with a key carveout for pseudonymous data. KCDPA is enforced by the state Attorney General (AG), and allows a 30-day right to cure violations.
The Maryland Online Data Privacy Act (MODPA) came into effect October 1, 2025, with a lower threshold of applicability than most states, and some particularly challenging prohibitions and requirements.
The Maryland Age-Appropriate Design Code Act (AKA, the Maryland Kids Code) came into effect on October 1, 2024, broadly restricting how businesses collect and process the data of children under the age of 18 online and requiring them to design products/services in the “best interests of children.”
A new comprehensive privacy law in Minnesota took effect on July 31, 2025, covering for-profit companies and nonprofit organizations, and enforced by the state Attorney General.
Montana’s comprehensive state consumer privacy law, the Montana Consumer Data Privacy Act, came into effect October 1, 2024.
Amendments to the Montana Consumer Data Privacy Act (MCDPA) lowered the applicability threshold, extended the law to nonprofits, added minors privacy restrictions, built out private notice requirements and access restrictions, and eliminated the 60-day right to cure violations.
This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.