top of page

US State Data Privacy Legislation Tracker

Source: Iapp.Org

Date: June 30, 2025


This tool tracks comprehensive US state privacy bills to help our members stay informed of the changing state privacy landscape. The tracker only includes bills intended to be comprehensive approaches to governing the use of personal information.


State-level momentum for comprehensive privacy bills is at an all-time high. The IAPP Westin Research Center actively tracks the proposed and enacted comprehensive privacy bills from across the U.S. to help our members stay informed of the changing state privacy landscape. This information is compiled into a chart, map and a directory with information specific to states with enacted laws. The IAPP additionally hosts a US State Privacy topic page, which regularly updates with the latest state privacy news and resources, and a US State AI Governance Legislation Tracker, which tracks US state cross-sectoral laws with direct application to the use of AI systems in the private sector.


If you are aware of a comprehensive bill absent from the tracker, please share it with us at research@iapp.org.

For more information on the IAPP's stance concerning which state privacy laws are considered comprehensive, view the text in the below dropdown.

State Law Tracking

As state privacy legislation grows in number and complexity, questions arise with respect to those bills that occupy the fuzzy gray area between comprehensive and not — namely, Florida's Digital Bill of Rights and Washington state's My Health My Data Act.


As defined in the tracker, a bill is not considered comprehensive if "it does not qualify due to its scope, coverage, rights or purpose."


A bill is narrow in scope if it applies only to a specific set of data types, like financial or health data, or data subjects, like children. A bill is narrow in coverage if its applicability includes only a single industry, like the automotive industry, or if its thresholds apply, in practice, to only a handful of companies. A bill is narrow in rights if it is targeted at providing only one or two consumer data rights, such as deletion or correction.


For further information, this full-length article outlines the IAPP's current stance. The IAPP may adjust this position in the future in light of new information, bills, stakeholders or member feedback. The IAPP will annually reassess its position on the definition of "comprehensive" to best stay current with state legislation trends.


State privacy law chart

Comprehensive consumer privacy bills


This chart tracks U.S. state comprehensive consumer privacy bills across the legislative process, identifying and mapping out fourteen provisions that commonly appear in comprehensive privacy laws. If a bill includes a provision, an "X" is placed in the corresponding column. The provisions are broken into two categories — consumer rights and business obligations — and are described more fully in the chart. Although many of the proposed bills will fail to become law, comparing the key provisions helps break down how privacy is developing in the U.S.


The chart only includes bills intended to be comprehensive approaches to governing the use of personal information. If a bill does not appear on the chart, it does not qualify due to its scope, coverage or rights. Industry-specific, information-specific and narrowly scoped bills, e.g., data security bills, are not included. The IAPP additionally published an article providing further details on the scope of bills included in this tracker.

Previous versions of this chart are available for 2018-19, 2020, 2021, 2022, 2023 and 2024.


US State Privacy Legislation Tracker 2025


State privacy law report

This report is limited to comprehensive U.S. state privacy laws enacted as of June 2024.

The US State Comprehensive Privacy Laws Report analyzes the scope, applicability, exemptions, consumer rights, business obligations, rulemaking activities, enforcement duties and key definitions for comprehensive state privacy laws. The report sketches the contours of the nationwide portrait of privacy regulation that has emerged, while highlighting the idiosyncrasies of each state law that constitutes the U.S. privacy regime patchwork. Overall, this report aims to keep privacy professionals informed about all the comprehensive privacy bills that have become law, the rights they offer to consumers and the obligations they require from regulated entities.


This report does not update as frequently as the map, chart and state law directory, and it only includes enacted state comprehensive privacy laws as of the last update.


State privacy law directory and key dates

This section contains information specific to each state with enacted privacy laws, including links to legislation and key dates. Please note that particular dates and deadlines should always be verified.


Full Timeline of Key Dates

2018

18 June 2018

  • California: CCPA signed into law.

3 Nov. 2020

  • California: CPRA approved by a majority of voters.

2020

1 Jan. 2020

  • California: CCPA went into effect.

1 July 2020

  • California: CCPA went into effect.

2021

2 March 2021

  • Virginia: Signed into law.

7 July 2021

  • Colorado: Signed into law.

2022

24 March 2022

  • Utah: Signed into law.

10 May 2022

  • Connecticut: Signed into law.

1 Jan. 2022

  • California: CPRA look-back period began.

2023

1 Jan. 2023

  • California: CPRA effective date.

  • Virginia: Effective date.

29 March 2023

  • Iowa: Signed into law.

1 May 2023

  • Indiana: Signed into law.

11 May 2023

  • Tennessee: Signed into law.

19 May 2023

  • Montana: Signed into law.

18 June 2023

  • Texas: Signed into law.

1 July 2023

  • Colorado, Connecticut: Went into effect.

  • Colorado: Data protection assessment requirements apply to processing activities created or generated after this date.

18 July 2023

  • Oregon: Signed into law.

11 Sept. 2023

  • Delaware: Signed into law.

31 Dec. 2023

  • Utah: Went into effect.

2024

16 Jan. 2024

  • New Jersey: Signed into law.

6 March 2024

  • New Hampshire: Signed into law.

9 Feb. 2024

  • California: California Privacy Protection Agency able to enforce updated regulations from the CPRA.

4 April 2024

  • Kentucky: Signed into law.

17 April 2024

  • Nebraska: Signed into law.

9 May 2024

  • Maryland: Signed into law.

24 May 2024

  • Minnesota: Signed into law.

25 June 2024

  • Rhode Island: Enacted via transmission without signature.

1 July 2024

  • Connecticut: Requirement to allow minors or their guardians to unpublish a minor’s social media account went into effect.

  • Colorado: Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals went into effect.

  • Oregon, Texas: Went into effect.

  • New Hampshire, Oregon, Tennessee: Data protection assessment requirements apply to processing activities created or generated after this date.

1 Oct. 2024

  • Connecticut: Obligations for data controllers that provide online services, products, or features to minors went into effect.

  • Montana: Went into effect.

2025

1 Jan. 2025

  • Colorado: Mandatory notice of violation and right to cure period expires.

  • Connecticut, Texas: Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.

  • Connecticut: Mandatory right to cure period expires. Attorney general has discretion to grant cure period.

  • Delaware, Iowa, Nebraska and New Hampshire: Go into effect.

  • Montana: Data protection assessment requirements apply to processing activities created or generated after this date.

  • Montana, New Hampshire: Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.

  • Minnesota: Data protection assessment requirements apply to processing activities created or generated after this date.

  • Texas: Authorized agent provisions go into effect.

15 Jan. 2025

  • New Jersey: Goes into effect.

1 July 2025

  • Colorado: Obligations regarding the collection and processing of biometric data go into effect.

  • Delaware: Data protection assessment requirements apply to processing activities created or generated after this date.

  • Oregon: Goes into effect date for 501(c)3 tax exempt organizations.

  • Tennessee: Goes into effect.

31 July 2025

  • Minnesota: Goes into effect.

1 Oct. 2025

  • Colorado: Obligations for data controllers that provide online services, products, or features to minors go into effect.

  • Maryland: Goes into effect.

  • Maryland: Data protection assessment requirements apply to processing activities created or generated after this date.

  • Maryland: Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.

31 Dec. 2025

  • Delaware, New Hampshire: Mandatory right to cure period expires. Attorneys general have discretion to grant cure period.

  • Indiana: Data protection assessment requirements apply to processing activities created or generated after this date.

2026

1 Jan. 2026

  • Delaware: Requirement to honor universal opt-out signals goes into effect.

  • Indiana, Kentucky, Rhode Island: Go into effect.

  • Minnesota: Mandatory right to cure period expires.

  • Oregon: Mandatory right to cure period expires. Requirement to allow consumer to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.

  • Rhode Island: Data protection assessment requirements apply to processing activities created or generated after this date.

1 April 2026

  • Montana: Mandatory right to cure period expires.

1 June 2026

  • Kentucky: Data protection assessment requirements apply to processing activities created or generated after this date.

2027

1 April 2027

  • Maryland: Optional 60 day right to cure period expires.

2029

31 July 2029:

  • Minnesota: Goes into effect for postsecondary institutions regulated by the Minnesota Office of Higher Education.

Kentucky

Comprehensive privacy law

Key dates

4 April 2024

  • Signed into law.

1 Jan. 2026

  • Goes into effect.

1 June 2026

  • Data protection assessment requirements apply to processing activities created or generated after this date.

Maryland

Comprehensive privacy law

Key dates

9 May 2024

  • Signed into law.

1 Oct. 2025:

  • Goes into effect.

  • Data protection assessment requirements apply to processing activities created or generated after this date.

  • Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.

1 April 2027

  • Optional 60-day right to cure period expires.

Minnesota

Comprehensive privacy law

Key dates

24 May 2024

  • Signed into law.

1 Jan. 2025

  • Data protection assessment requirements apply to processing activities created or generated after this date.

31 July 2025

  • Goes into effect.

1 Jan. 2026

  • Mandatory right to cure period expires.

31 July 2029

  • Goes into effect for postsecondary institutions regulated by the Minnesota Office of Higher Education.

Montana

Comprehensive privacy law

Key dates

19 May 2023

  • Signed into law.

1 Jan. 2024

  • Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals went into effect.

1 Oct. 2024

  • Went into effect.

1 Jan. 2025

  • Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.

  • Data protection assessment requirements apply to processing activities created or generated after this date.

1 April 2026

  • Mandatory right to cure period expires.

Nebraska

Comprehensive privacy law

Key dates

17 April 2024

  • Signed into law.

1 Jan. 2025

  • Goes into effect.

New Hampshire

Comprehensive privacy law

Key dates

6 March 2024

  • Signed into law.

1 July 2024

  • Data protection assessment requirements apply to processing activities created or generated after this date.

1 Jan. 2025

  • Goes into effect.

  • Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.

31 Dec. 2025

  • Mandatory right to cure period expires. Attorneys general have discretion to grant cure period.

New Jersey

Comprehensive privacy law

Key dates

16 Jan. 2024

  • Signed into law.

15 Jan. 2025

  • Goes into effect.

Oregon

Comprehensive privacy law

Key dates

18 July 2023

  • Signed into law.

1 July 2024

  • Went into effect.

  • Data protection assessment requirements apply to processing activities created or generated after this date.

1 July 2025

  • Goes into effect for for 501(c)3 tax exempt organizations.

Rhode Island

Comprehensive privacy law

Key dates

25 June 2024

  • Enacted via transmission without signature.

1 Jan. 2026

  • Goes into effect.

  • Data protection assessment requirements apply to processing activities created or generated after this date.

Tennessee

Comprehensive privacy law

Key dates

11 May 2023

  • Signed into law.

1 July 2024

  • Data protection assessment requirements apply to processing activities created or generated after this date.

1 July 2025

  • Goes into effect.

Texas

Comprehensive privacy law

Key dates

18 June 2023

  • Signed into law.

1 July 2024

  • Went into effect.

1 Jan. 2025

  • Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.

  • Authorized agent provisions go into effect.

Utah

Comprehensive privacy law

Key dates

24 March 2022

  • Signed into law.

31 Dec. 2023

  • Went into effect.

Virginia

Comprehensive privacy law

Key dates

2 March 2021

  • Signed into law.

1 Jan. 2023

  • Went into effect.


bottom of page