State Privacy Law Portal
Join IA

State Privacy Law Portal

Essential compliance guidance for navigating the expanding landscape of U.S. state privacy and data security laws.

State

Privacy Law Portal

In the face of an ever-growing patchwork of U.S. state comprehensive consumer privacy and data security laws with which the insights industry must contend, the Insights Association provides compliance information spinning out from this hub.

Jump to a state: CA CO CT DE IN IA KY MD MN MT NE NH NJ OR RI TN TX UT VA WA

Connecticut Data Privacy Act (CTDPA)

Indiana Consumer Data Protection Act

The Indiana Consumer Data Protection Act takes effect January 1, 2026. The law does not allow for regulations, but the Indiana AG can issue guidance, model forms and language, etc.

Indiana's comprehensive state privacy law is finally coming into effect on January 1, 2026. The AG provides some guidance.

Iowa Consumer Data Protection Act

The Iowa Consumer Data Protection Act, the state’s comprehensive consumer privacy law enforced by the state Attorney General and offering a 90 day right to cure violations, came into effect on January 1, 2025.

Kentucky Consumer Data Protection Act (KCDPA)

The Kentucky Consumer Data Protection Act (KDCPA) is mostly modeled on Virginia's original privacy law, providing the usual range of consumer rights, with a key carveout for pseudonymous data. KCDPA is enforced by the state Attorney General (AG), and allows a 30-day right to cure violations.

Maryland Online Data Privacy Act (MODPA)

The Maryland Online Data Privacy Act (MODPA) came into effect October 1, 2025, with a lower threshold of applicability than most states, and some particularly challenging prohibitions and requirements.

The Maryland Age-Appropriate Design Code Act (AKA, the Maryland Kids Code) came into effect on October 1, 2024, broadly restricting how businesses collect and process the data of children under the age of 18 online and requiring them to design products/services in the “best interests of children.”

Minnesota Consumer Data Privacy Act

A new comprehensive privacy law in Minnesota took effect on July 31, 2025, covering for-profit companies and nonprofit organizations, and enforced by the state Attorney General.

Montana Consumer Data Privacy Act

Montana’s comprehensive state consumer privacy law, the Montana Consumer Data Privacy Act, came into effect October 1, 2024.

Amendments to the Montana Consumer Data Privacy Act (MCDPA) lowered the applicability threshold, extended the law to nonprofits, added minors privacy restrictions, built out private notice requirements and access restrictions, and eliminated the 60-day right to cure violations.

Nebraska Data Privacy Act

The Nebraska Data Privacy Act, the state’s new comprehensive state privacy law, took effect January 1, 2025.

New Hampshire Consumer Data Privacy Act

The New Hampshire Data Privacy Act, a new comprehensive state consumer data privacy law, came into effect on January 1, 2025.

New Jersey Data Privacy Act

The New Jersey Data Privacy Act, the state’s new comprehensive consumer privacy law covering businesses, nonprofits, and higher education institutions, came into effect on January 15, 2025.

The New Jersey Division of Consumer Affairs released a set of Frequently Asked Questions (FAQs) to provide further guidance to companies.

Oregon Consumer Privacy Act

Oregon's comprehensive state privacy law, covering both for-profit and non-profit entities, also includes extensive data security requirements.

Oregon law requires some insights companies, particularly sample providers, to register as “data brokers” in the state’s new registry.

Oregon law severely restricts the collection, use and sharing of personal health information, if related to tracking COVID-19, for any other purpose.

The Oregon Attorney General (AG) released a report on enforcement of the state’s comprehensive privacy law.

Oregon Attorney General Ellen Rosenblum (D) released guidance for companies that Oregon's "Unlawful Trade Practices Act, Consumer Privacy Act, and Equality Act, among others, all have roles to play” in regulating and restricting artificial intelligence (AI).

The June 3, 2025 law amended Oregon’s privacy law to prohibit the sale of precise location data, or personal data pertaining to a minor under 16 years of age.

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), coming into effect on January 1, 2026, offers the usual range of consumer privacy rights and requirements, some confusing terminology choices, and a specific wrinkle in demands for privacy disclosures to consumers that may cause trouble for insights companies.

Tennessee Information Protection Act

The Tennessee Information Protection Act, enforced by the state Attorney General, includes a right to cure violations (that does not sunset) and provides a safe harbor for compliance with certain privacy programs.

Texas Data Privacy and Security Act

The Texas Data Privacy and Security Act, the state’s new comprehensive consumer privacy and data security law, is enforced by the Texas AG, and has a 30 day right to cure violations.

A June 18, 2023 law established a data broker registry and required in-depth information security programs for data brokers.

In advance of the Texas Data Privacy and Security Act coming into effect, the state attorney general (AG) launched a new privacy enforcement team.

The Texas Attorney General (AG) has detailed major actions taken by his office to enforce the Texas Data Privacy and Security Act, providing useful compliance information for insights companies and organizations covered by the law.

Only several months into Texas’ comprehensive consumer data privacy law taking effect, the state Attorney General (AG) is letting companies know they’d better be in compliance.

2025 amendments to Texas’ data broker registry law add to a data broker’s notice requirements and clarify the definition of a data broker.

IA welcomed a recent law in Texas giving small and medium-sized businesses a safe harbor from liability for data security breaches if they have a cybersecurity program that conforms to standards like ISO 27001, the payment card industry standards, or the requirements of HIPAA or the Gramm Leach Bliley Act.

Utah Consumer Privacy Act

The Utah Consumer Privacy Act is enforced by the state Attorney General and includes a 30-day right to cure violations.

A March 27, 2025 law added a correction right to the Utah Consumer Privacy Act. It also has a bunch of provisions only relevant to large social media companies, such as requiring social media data portability.

The Cybersecurity Affirmative Defense Act provides an affirmative defense against data security breach litigation if a breached company abides by the right data security standards, like ISO 27001.

Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act will impact many in the insights industry, even those not located in-state, since personal data of Virginia residents is regularly collected, processed and shared for legitimate purpose by insights companies and organizations.

Virginia’s comprehensive consumer data privacy law was updated by the legislature before coming into effect, adding a small exemption for data brokers, and some other miscellaneous changes.

Virginia Expands Kids Privacy Provisions in VCDPAA new law expands privacy requirements for covered companies dealing with kids under the age of 13 in the Virginia Consumer Data Protection Act (VCDPA). It limits processing of kids’ data, expands impact assessment requirements, and limits collecting geolocation data on kids.

A recent analysis of the first year of consumer complaints under the Virginia Consumer Data Protection Act (and the VCDPA’s 2022 amendments) provides early indications of consumer concerns and potential enforcement interest.

A new law prohibits collection, use and sharing of personal reproductive or sexual health information without consent, in connection with consumer transactions. Violations are punishable via private lawsuits.

Washington My Health My Data Act

The Washington My Health My Data Act is a comprehensive opt in privacy law, ostensibly focused on consumer health information, but written quite broadly. It is enforced by the state Attorney General and private lawsuits.

The Washington My Health My Data Act will be enforced by the state Attorney General and easy (and extensive) private lawsuits.

This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.

  • Back to top