Comparing State Data Privacy Laws


Comparing US State Data Privacy Laws (Updated for 2025)

Maintaining consumer data privacy is a significant concern for businesses across the United States. Unlike many other countries, the U.S. does not have a single, overarching federal law governing data privacy rights. Instead, businesses must navigate a complex patchwork of state-level legislation.

This guide provides a clear comparison of the most significant state data privacy laws, updated to reflect changes and new legislation taking effect in 2025 and 2026.

 

Key Concepts: Opt-In vs. Opt-Out

When comparing data privacy laws, it’s crucial to understand the difference between “opt-in” and “opt-out” provisions.

  • Opt-In: The default rule is that a business must obtain a consumer’s explicit consent before collecting, processing, or selling their data. This places the burden of consent on the business.

  • Opt-Out: The default rule allows businesses to collect and process data without explicit consent. However, they must provide a clear mechanism for consumers to decline or “opt-out” of the sale or certain types of processing of their data.

 

Fundamental Consumer Data Privacy Rights

Most comprehensive state privacy laws recognize a set of core consumer rights, including:

  • Right to Access: The right to confirm whether a company is processing their personal data and to access that data.

  • Right to Correction: The right to request that inaccurate personal data be corrected.

  • Right to Deletion: The right to have their personal data deleted by the company.

  • Right to Opt-Out: The right to opt out of the sale of personal data, targeted advertising, and certain profiling activities.

  • Right to Portability: The right to obtain a copy of their personal data in a usable, machine-readable format to transfer to another company.

 

An Overview of Major State Privacy Laws

The following table provides a high-level overview of key state laws, including their effective dates and notable provisions.

State | Law | Effective Date | Notable Provisions
California | California Consumer Privacy Act (CCPA) | 2020 (updated 2023) | Opt-out model. Strongest right of action for data breaches.
Colorado | Colorado Privacy Act (CPA) | July 1, 2023 | Opt-out model. Requires data protection assessments for high-risk activities.
Connecticut | Connecticut Data Privacy Act (CTDPA) | July 1, 2023 | Opt-out model. Stronger rules on sensitive data.
Utah | Utah Consumer Privacy Act (UCPA) | Dec. 31, 2023 | Opt-out model. Lower enforcement penalties compared to other states.
Virginia | Virginia Consumer Data Protection Act (VCDPA) | Jan. 1, 2023 | Opt-out model. No private right of action.
Texas | Texas Data Privacy & Security Act (TDPSA) | July 1, 2024 | Opt-out model. Has a unique threshold based on targeting Texas residents.
Oregon | Oregon Consumer Privacy Act (OCPA) | July 1, 2024 | Opt-out model. Has a broader definition of sensitive data.
Delaware | Delaware Personal Data Privacy Act (DPDPA) | Jan. 1, 2025 | Opt-in consent required for targeted advertising to minors under 18.
New Jersey | New Jersey Data Privacy Law (NJDPL) | Jan. 15, 2025 | Shorter 15-day window for opt-out requests.
Tennessee | Tennessee Information Protection Act (TIPA) | July 1, 2025 | Unique affirmative defense for businesses with a written privacy program.

 

The Federal Landscape: Why There’s Still No Single Law

While there have been significant legislative efforts, such as the proposed American Data Privacy and Protection Act (ADPPA), the United States still lacks a comprehensive federal privacy law. The ADPPA and other attempts failed to pass in recent years due to complex political and legal challenges. This ongoing gridlock means businesses must continue to navigate the state-by-state patchwork for the foreseeable future.

 

The Future of US Data Privacy

The legal landscape is not static. Several states have passed laws that will take effect in the coming years, while new bills are being proposed regularly. One consistent trend is the increased focus on children’s data privacy and biometric information. Some states are also implementing stricter consent requirements for sensitive data and universal opt-out mechanisms.

While a comprehensive federal law remains a topic of debate, its passage is unlikely to erase the complex state-by-state framework. Therefore, businesses must adopt a forward-looking strategy that anticipates these changes and builds a robust, adaptable compliance program.

 

How Crowley Law Can Help Your Business

Navigating these evolving legal requirements can be challenging and time-consuming. An incorrect interpretation or an outdated policy can expose your business to significant risks. Our team of skilled attorneys at Crowley Law keeps abreast of every change in the law and can help you identify areas where your business needs to take action to ensure compliance.
