The 20-state landscape
As of 2026, twenty US states have enacted comprehensive consumer privacy laws. Each law is different — and those differences matter for your compliance strategy. This guide puts them all side by side so you can quickly understand what each state requires.
Quick reference table
| State | Law | Effective | Consumer Threshold | Revenue Threshold | Cure Period | Max Penalty |
|---|---|---|---|---|---|---|
| California | CCPA/CPRA | Jan 2020 | 100,000 | $26.6M | None | $7,988/violation |
| Virginia | VCDPA | Jan 2023 | 100,000 | None | 30 days (permanent) | $7,500 |
| Colorado | CPA | Jul 2023 | 100,000 | None | Expired Jan 2025 | $20,000 |
| Connecticut | CTDPA | Jul 2023 | 100,000 | None | Expired Dec 2024 | $25,000 |
| Utah | UCPA | Dec 2023 | 100,000 | $25M | 30 days | $7,500 |
| Iowa | ICDPA | Jan 2025 | 100,000 | None | 90 days (permanent) | $7,500 |
| Montana | MTCDPA | Oct 2024 | 50,000 | None | Expired Apr 2026 | $7,500 |
| Texas | TDPSA | Jul 2024 | None | None* | 30 days (permanent) | $7,500 |
| Oregon | OCPA | Jul 2024 | 100,000 | None | Expired Jan 2026 | $7,500 |
| Florida | FDBR | Jul 2024 | None | $1B | None | $50,000 |
| Delaware | DPDPA | Jan 2025 | 35,000 | None | Expired Dec 2025 | $10,000 |
| New Jersey | NJDPA | Jan 2025 | 100,000 | None | None | Varies |
| New Hampshire | NHPA | Jan 2025 | 35,000 | None | 60 days | Varies |
| Nebraska | NDPA | Jan 2025 | None | None* | 30 days | $7,500 |
| Tennessee | TIPA | Jul 2025 | 175,000 | $25M | 60 days (permanent) | $7,500 |
| Minnesota | MNCDPA | Jul 2025 | 100,000 | None | 30 days | Varies |
| Maryland | MODPA | Oct 2025 | 35,000 | None | None | Varies |
| Indiana | INCDPA | Jan 2026 | 100,000 | None | 30 days (permanent) | $7,500 |
| Kentucky | KCDPA | Jan 2026 | 100,000 | None | 30 days (permanent) | $7,500 |
| Rhode Island | RIDTPPA | Jan 2026 | 35,000 | None | None | Varies |
*Texas and Nebraska apply to non-small businesses regardless of specific consumer count or revenue thresholds.
Thresholds: who's covered
Broadest coverage (most businesses affected):
- Texas and Nebraska have no specific consumer count or revenue thresholds. If you're not a small business and process personal data from residents of these states, you're likely covered.
- California combines a $26.6M revenue threshold with a 100,000 consumer count, but either one triggers coverage.
Lowest consumer thresholds:
- Delaware, New Hampshire, Maryland, Rhode Island: 35,000 consumers
- Montana: 50,000 consumers
Narrowest coverage:
- Florida: Requires $1 billion in annual global revenue PLUS additional criteria. Most e-commerce businesses are not covered.
- Tennessee: Requires $25M revenue AND 175,000 consumers (both must be met).
- Utah: Requires $25M revenue AND 100,000 consumers.
Cure periods: time to fix
A cure period gives you time to fix a violation before the AG can pursue enforcement. This is critical for businesses that are working toward compliance but haven't fully arrived.
No cure period (immediate enforcement):
California, New Jersey, Maryland, Rhode Island
Expired cure periods (no longer available):
Colorado (expired Jan 2025), Connecticut (expired Dec 2024), Montana (expired Apr 2026), Oregon (expired Jan 2026), Delaware (expired Dec 2025)
Active cure periods:
- Iowa: 90 days (permanent — the most generous)
- Tennessee: 60 days (permanent)
- New Hampshire: 60 days
- Virginia, Texas, Indiana, Kentucky, Nebraska, Minnesota: 30 days
- Utah: 30 days
Consumer rights comparison
All 20 states provide: Right to access, right to delete, right to opt out of targeted advertising/data sales
Right to correct: Available in all states except Utah and Iowa
Right to portability: Available in all 20 states
Universal opt-out recognition required:
California, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, Nebraska, New Hampshire, Minnesota (10 states as of 2026)
Not required: Virginia, Utah, Iowa, Indiana, Tennessee, Florida, New Jersey, Maryland, Kentucky, Rhode Island
Penalties comparison
Highest per-violation penalties:
- Florida: $50,000 per violation
- Connecticut: $25,000 per violation
- Colorado: $20,000 per violation
- Delaware: $10,000 per violation
Standard penalty ($7,500/violation):
Virginia, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Nebraska, Kentucky
California (unique structure):
$7,988 per intentional violation, $2,663 per unintentional, plus $200/day compounding for DELETE Act violations
Unique features by state
California: Only state with a dedicated privacy enforcement agency (CPPA). ADMT rules. DELETE Act DROP platform.
Texas: Broadest applicability. $1B+ enforcement settlement. Most active AG enforcement program.
Maryland: Strictest data minimization — processing must be "reasonably necessary and proportionate."
Rhode Island: Must disclose identity of ALL third parties receiving sold data (unique requirement).
Tennessee: NIST framework affirmative defense — businesses with conforming privacy programs have a defense against enforcement.
Oregon: Prohibits sale of children's data (under 16) and precise geolocation data (within 1,750 feet).
Montana: Lowest consumer threshold (50,000) among states with a threshold.
Iowa: Longest cure period (90 days, permanent). No DPA requirement. Most business-friendly law.
How to approach multi-state compliance
Rather than complying with each state individually, most businesses take a "highest common denominator" approach:
Meet the strictest requirements. If you comply with California and Maryland, you'll meet or exceed most other states' requirements.
Implement universal opt-out. Required by 10 states and likely to become standard. Just do it everywhere.
Default to all consumer rights. Grant access, correction, deletion, portability, and opt-out rights to all customers regardless of state.
Conduct DPAs. Required by most states. Document your targeted advertising, data sales, and profiling activities once and update as needed.
Track cure periods. Know which states still offer a cure period and which don't. Prioritize compliance in no-cure states.
Monitor for changes. Laws are actively being amended, cure periods are expiring, and new states are passing laws every legislative session.
Stay on top of changes like these — BriefStack monitors all 20 state privacy laws and delivers what matters to your inbox daily.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.