
An overview of the twenty (and counting!) US state comprehensive privacy laws

[Last updated: Mar. 27, 2026] Since 2018, US state legislative bodies have shown no signs of slowing their efforts to pass comprehensive privacy laws. While these laws often mirror one another, they also often differ in notable and material ways. This creates a complicated patchwork of obligations and requirements for businesses navigating the data ecosystem, because operating nationwide may require formulating a compliance approach broad enough to satisfy all of the different US state comprehensive privacy laws. The first step to formulating compliance efforts is to determine which laws apply, and that requires analyzing each law’s threshold for applicability and effective date. To assist with this first step, the following list provides a brief overview of the current US state comprehensive privacy laws. Please note that this list does not include each law’s exemptions and exceptions.

CALIFORNIA

Law: The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020
Applies to: For-profit entities that, jointly or alone, collect and control the processing of California residents’ personal information and meet at least one of the following criteria:
  • Annual gross revenue in preceding calendar year that exceeds $26,625,000.
  • Annually buys, sells, or shares personal information of 100,000 or more California residents or households.
  • Derives 50% or more of annual revenue from selling or sharing California residents’ personal information.
Effective date: January 1, 2020
Enforcement authorities: Dual enforcement shared between the California Attorney General and the California Privacy Protection Agency, with a limited private right of action for certain data breaches.
Enforcement date: July 1, 2023

COLORADO

Law: The Colorado Privacy Act
Applies to: Entities that conduct business in Colorado or produce / deliver commercial products or services intentionally targeted to Colorado residents and satisfy one of the following criteria:
  • Controls or processes personal data of 100,000 or more Colorado residents during a calendar year.
  • Controls or processes personal data of 25,000 or more Colorado residents and derives revenue or receives a discount on the price of goods or services from the sale of personal data.
Effective date: July 1, 2023
Enforcement authorities: Both the Colorado Attorney General and district attorneys are empowered to enforce the law.
Enforcement date: July 1, 2023

CONNECTICUT

Law: The Connecticut Data Privacy Act
Applies to: For-profit entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents and during preceding calendar year satisfied one of the following criteria:
  • Controlled or processed personal data of 35,000 or more Connecticut residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction);
  • Controlled or processed any amount of sensitive data of Connecticut residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or
  • Offered for sale any amount of personal data of Connecticut residents.
Effective date: July 1, 2023
Enforcement authorities: Connecticut Attorney General
Enforcement date: July 1, 2023

DELAWARE

Law: The Personal Data Privacy Act
Applies to: Entities that conduct business in Delaware or produce products / services targeted to Delaware residents and satisfy one of the following criteria:
  • Control or process personal data of 35,000 or more Delaware residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more Delaware residents and derive more than 20% of gross revenue from the sale of personal data.
Effective date: January 1, 2025
Enforcement authorities: Delaware Department of Justice
Enforcement date: January 1, 2025

FLORIDA

Law: The Florida Digital Bill of Rights
Applies to: For-profit entities (with an annual gross revenue in excess of $1 billion) that conduct business in Florida and that, jointly or alone, collect and control the processing of personal data about Florida residents, and satisfy one of the following criteria:
  • Derives 50% or more of its global gross annual revenue from the sale of advertisements online, including targeted advertising.
  • Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computer service that uses hands-free verbal activation (but not including vehicle-integrated speakers or software operated by a motor vehicle manufacturer or subsidiary thereof).
  • Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download or install.
Effective date: July 1, 2024
Enforcement authorities: Florida Attorney General
Enforcement date: July 1, 2024

INDIANA

Law: The Indiana Consumer Data Protection Act
Applies to: For-profit entities that conduct business in Indiana or produce products / services targeted to Indiana residents and during a calendar year satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Indiana residents.
  • Control or process personal data of 25,000 or more Indiana residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2026
Enforcement authorities: Indiana Attorney General
Enforcement date: January 1, 2026

IOWA

Law: The Iowa Consumer Data Protection Act
Applies to: For-profit entities that conduct business in Iowa or produce products / services targeted to Iowa residents and during a calendar year satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Iowa residents.
  • Control or process personal data of 25,000 or more Iowa residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2025
Enforcement authorities: Iowa Attorney General
Enforcement date: January 1, 2025

KENTUCKY

Law: The Kentucky Consumer Data Protection Act
Applies to: For-profit entities that conduct business in Kentucky or produce products / services targeted to Kentucky residents and during a calendar year satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Kentucky residents.
  • Control or process personal data of 25,000 or more Kentucky residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2026
Enforcement authorities: Kentucky Attorney General
Enforcement date: January 1, 2026

MARYLAND

Law: Maryland Online Data Privacy Act of 2024
Applies to: Entities that conduct business in Maryland or produce products / services targeted to Maryland residents and satisfy one of the following criteria:
  • Control or process personal data of 35,000 or more Maryland residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more Maryland residents and derive more than 20% of gross revenue from the sale of personal data.
Effective date: October 1, 2025

(However, the law will not have any effect on or application to processing activities prior to April 1, 2026.)

Enforcement authorities: Maryland Attorney General
Enforcement date: October 1, 2025

MINNESOTA

Law: The Minnesota Consumer Data Privacy Act
Applies to: Entities that conduct business in Minnesota or produce products / services targeted to Minnesota residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Minnesota residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 25,000 or more Minnesota residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: July 31, 2025
Enforcement authorities: Minnesota Attorney General
Enforcement date: July 31, 2025

MONTANA

Law: The Montana Consumer Data Privacy Act
Applies to: For-profit entities that conduct business in Montana or produce products / services targeted to Montana residents and satisfy one of the following criteria:
  • Control or process personal data of 25,000 or more Montana residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 15,000 or more Montana residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: October 1, 2024 (spooky season!)
Enforcement authorities: Montana Attorney General
Enforcement date: October 1, 2024

NEBRASKA

Law: Nebraska Data Privacy Act
Applies to: For-profit entities that:
  • Conduct business in Nebraska or produce products / services consumed by Nebraska residents;
  • Process or engage in the sale of personal data; and
  • Are not a small business as defined by the US Small Business Administration.
Effective date: January 1, 2025
Enforcement authorities: Nebraska Attorney General.
Enforcement date: January 1, 2025

NEW HAMPSHIRE

Law: An Act Relative to the Expectation of Privacy
Applies to: For-profit entities that conduct business in New Hampshire or produce products / services targeted to New Hampshire residents and satisfy one of the following criteria:
  • Control or process personal data of 35,000 or more New Hampshire residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more New Hampshire residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: January 1, 2025
Enforcement authorities: New Hampshire Attorney General.
Enforcement date: January 1, 2025

NEW JERSEY

Law: Senate Bill 332
Applies to: Entities that conduct business in New Jersey or produce products / services targeted to New Jersey residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more New Jersey residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 25,000 or more New Jersey residents and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.
Effective date: January 15, 2025
Enforcement authorities: New Jersey Attorney General.
Enforcement date: January 15, 2025

OKLAHOMA

Law: Oklahoma Consumer Data Privacy Act
Applies to: For-profit entities that conduct business in Oklahoma or produce products / services targeted to Oklahoma residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Oklahoma residents.
  • Control or process personal data of 25,000 or more Oklahoma residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2027
Enforcement authorities: Oklahoma Attorney General
Enforcement date: January 1, 2027 (with a 30-day cure period)

OREGON

Law: Senate Bill 619
Applies to: Entities that conduct business in Oregon or produce products / services targeted to Oregon residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Oregon residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 25,000 or more Oregon residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: July 1, 2024
Enforcement authorities: Oregon Attorney General
Enforcement date: July 1, 2024

RHODE ISLAND

Law: The Rhode Island Transparency and Privacy Protection Act
Applies to: For-profit entities that conduct business in Rhode Island or produce products / services targeted to Rhode Island residents and satisfy one of the following criteria:
  • Control or process personal data of 35,000 or more Rhode Island residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more Rhode Island residents and derive more than 20% of gross revenue from the sale of personal data.
Effective date: January 1, 2026
Enforcement authorities: Rhode Island Attorney General
Enforcement date: January 1, 2026

TENNESSEE

Law: The Tennessee Information Protection Act
Applies to: For-profit entities (with revenue in excess of $25 million) that conduct business in Tennessee producing products / services targeted to Tennessee residents and satisfy one of the following criteria:
  • Control or process personal data of 175,000 or more Tennessee residents.
  • Control or process personal data of 25,000 or more Tennessee residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: July 1, 2025
Enforcement authorities: Tennessee Attorney General
Enforcement date: July 1, 2025

TEXAS

Law: The Texas Data Privacy and Security Act
Applies to: For-profit entities that conduct business in Texas or produce products / services targeted to Texas residents and satisfy all of the following criteria:
  • Control or process personal data of Texas residents.
  • Are not a small business as defined by the US Small Business Administration.
(However, the law imposes limited restrictions on for-profit entities that are classified as small businesses by the US Small Business Administration.)
Effective date: July 1, 2024
Enforcement authorities: Texas Attorney General
Enforcement date: July 1, 2024

UTAH

Law: The Utah Consumer Privacy Act
Applies to: For-profit entities (with annual revenue in excess of $25 million) that conduct business in Utah or produce products / services targeted to Utah residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Utah residents during a calendar year.
  • Control or process personal data of 25,000 or more Utah residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: December 31, 2023
Enforcement authorities: Utah Attorney General and the Department of Commerce’s Division of Consumer Protection
Enforcement date: December 31, 2023

VIRGINIA

Law: The Virginia Consumer Data Protection Act
Applies to: For-profit entities that conduct business in Virginia or produce products / services targeted to Virginia residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Virginia residents during a calendar year.
  • Control or process personal data of 25,000 or more Virginia residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2023
Enforcement authorities: Virginia Attorney General
Enforcement date: January 1, 2023

CPRA regulations finalized and effective immediately

[Update: On March 30, 2023, the California Chamber of Commerce filed suit against the California Privacy Protection Agency, arguing that the amended regulations should not enter force until one year following finalization of the regulations. The court agreed, holding that enforcement cannot occur until one year after the regulations were finalized, thereby pushing the enforcement date from March 29, 2023, to March 29, 2024. The case is being appealed, but it is not expected to be finalized until after the new enforcement date.]

On March 30, 2023, the California Privacy Protection Agency (the Agency) announced that its first rulemaking package for the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), was approved by the California Office of Administrative Law (OAL).[1] Approval by the OAL marks the completion of the rulemaking process, thereby making the regulations effective immediately.

“This is a major accomplishment, and a significant step forward for Californians’ consumer privacy. I’m deeply grateful to the Agency Board and staff for their tireless work on the regulations, and to the public for their robust engagement in the rulemaking process,” CPPA Board Chair Jennifer Urban said in a statement.[2]

The regulations build upon and clarify provisions within the CPRA, which amended and expanded the CCPA. For example, the regulations allow businesses to offer a “Your Privacy Choices” mechanism on a website’s homepage instead of a “Do Not Sell or Share My Personal Information” mechanism.

The regulations had originally been scheduled for completion for July 1, 2022, but due to insufficient staffing and resources, the Agency announced an extended delay to the process.[3] This delay of almost a year left businesses and privacy professionals scrambling, because the CPRA came into effect on January 1, 2023, yet many of its provisions were unclear. Now, finalization begets clarity. That said, the Agency’s enforcement efforts will begin July 1, 2023, which gives little time to comply with the regulations. The Agency has indicated a soft initial approach to enforcement, though.

Section 7301(b) of the finalized regulations states that the Agency may “consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.” While this leaves some breathing room, it does not alleviate non-compliance in all instances, and businesses should move to finalize compliance with these regulations.

The final regulations, although effective immediately, will not be published publicly until they are processed, which is expected to happen next week. The final regulations will be made available here: https://cppa.ca.gov/regulations/consumer_privacy_act.html

[1] https://cppa.ca.gov/announcements/ (announcement on March 30, 2023)
[2] Id.
[3] https://iapp.org/news/a/cpra-regulations-delayed-past-july-1-deadline-expected-q3-or-q4/

California’s Social Media Transparency Law

Disclosure Obligations, Hate Speech & AG Reports

Legislators across the United States have been grappling with how to regulate social media companies. In Texas, the 5th Circuit upheld a law limiting how social media platforms can moderate content.[1] In Florida, a brief was filed asking the U.S. Supreme Court to reverse the 11th Circuit’s decision to strike down a law restricting how social media platforms can moderate users.[2] Now, with Governor Newsom signing AB 587 into law, California joins the legislative efforts.

Effective January 1, 2024, AB 587 imposes new disclosure and reporting obligations on companies operating social media platforms. A social media platform falls under the law if:
  • The company operating the platform generated at least one hundred million in gross revenue during the preceding calendar year;[3]
  • The platform is a “public or semipublic internet-based service or application”[4] with users “in California;”[5]
  • A substantial function of the platform is to connect users to allow them to “interact socially” with each other in the platform;[6] and
  • Users can:
    • construct “public or semipublic” profiles for the purpose of signing in and using the platform;[7]
    • populate a list of other users with whom they share a social connection within the platform;[8] and
    • post content viewable by other users.[9]
In addition, the law does not apply to services or applications for which user interactions are limited to direct messages, commercial transactions, or consumer reviews of products, sellers, services, events, or places, or any combination thereof.[10]

Disclosure Obligations

A covered social media platform must disclose to users the existence and contents of the platform’s terms of service.[11] In addition, the terms of service must disclose:
  • Permitted user behavior and activities on the platform, and activities that may subject the user or their content to negative actions;[12]
  • Potential negative actions that may be taken, such as removal, demonetization, deprioritization, or banning;[13]
  • Contact information for asking questions about the terms of service;[14] and
  • A process by which users can flag content, groups, or other users believed to be violating the terms of service.[15]
These disclosure obligations should feel familiar to businesses already operating in the social media industry. The more onerous requirements stem from the law’s reporting obligations to the California AG.

Reporting Obligations to the California AG

A covered social media company, on a “semiannual basis,” must provide the California AG with a “terms of service report.”[16] As part of this report, the company must detail whether it defines the following categories of content in its terms of service:
  • Hate speech or racism.
  • Extremism or radicalization.
  • Disinformation or misinformation.
  • Harassment.
  • Foreign political interference.
Interestingly, the law is written so as not to require a covered company to define these categories of content; rather, it merely requires disclosure of whether the company does so. That said, much of what the law requires as part of the report to the AG pertains to the company’s actions taken in response to content falling within one of the above categories. For example, the company must disclose any existing policies intended to address the above categories of content,[17] and the total number of content items flagged for belonging to one of those categories.[18]

Failure to submit a report as required can result in a civil penalty of $15,000 per violation per day. So, while the law appears not to require defining the above categories, it seems unlikely that a company can provide a conforming report – and therefore avoid the penalty – without defining what constitutes hate speech, harassment, and so forth. But this raises an important compliance question: how should a company define these categories? And could a company violate the law if, say, they define misinformation or foreign political interference in a way that does not comport with the California AG’s expectations?

Given the current legal challenges facing other social media laws across the country, the law will likely be challenged on First Amendment grounds, so time will tell whether the law survives long enough to answer these questions. In the meantime, companies should consider how to navigate the growing state laws either requiring or forbidding moderation of user activities and content.

[1] https://www.politico.com/news/2022/09/16/5th-circuit-upholds-texas-law-forbidding-social-media-censorship-again-00057316.
[2] https://www.axios.com/2022/09/21/florida-supreme-court-social-media-law.
[3] AB 587, 22680.
[4] 22675(e). This excludes services or applications meant to facilitate communication between employees or affiliates within a business or enterprise, so long as the service or platform restricts access to those categories of users. 22675(c).
[5] 22675(e). The law provides no guidance on what it means for a user to be “in California,” but the bill’s legislative introduction uses the language “consumers residing in California.”
[6] 22675(e)(1)(A). And while the law does not define “interact[ing] socially,” services or platforms that provide “email or direct messaging” services do not satisfy this requirement on that basis alone. 22675(e)(1)(B).
[7] 22675(e)(2)(A). Again, this exempts services or platforms in which employees or affiliates can create profiles, when that service or platform restricts access only to those categories of users. 22675(c).
[8] 22675(e)(2)(B).
[9] 22675(e)(2)(C).
[10] 22681.
[11] 22676(a).
[12] 22675(f).
[13] 22676(b)(3).
[14] 22676(b)(1).
[15] 22676(b)(2).
[16] 22677(a).
[17] 22677(a)(4)(A).
[18] 22677(a)(5)(A)(i).

The California Age-Appropriate Design Code

***Update: On September 15, 2022, Governor Newsom signed AB 2273, establishing the California Age-Appropriate Design Code Act.

Who It Covers, What It Requires & How It Compares to the UK

Effective July 1, 2024, the California Age-Appropriate Design Code imposes obligations on businesses [1] that provide an “online service, product, or feature” that is “likely to be accessed by children.” [2] Children are defined as California residents [3] “who are under 18 years of age.” [4] The law provides factors for whether an online service, product, or feature (S/P/F) is “likely to be accessed” by California residents under the age of 18: [5]
  • It is directed to children as defined by COPPA. [6]
  • It is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children, or it is substantially similar to an online S/P/F that meets this factor.
  • It displays advertisements marketed to children.
  • It has design elements known to be of interest to children, including games, cartoons, music, and celebrities who appeal to children.
  • Based on internal research, a significant amount of the audience is children.
An online S/P/F is defined by what it is not, and the definition notably exempts the “delivery or use of a physical product.” [7] This exemption diverges from the UK version of the law, which covers “connected toys and devices.” [8]

Compared to the UK’s Common-Sense Approach

The US version of the law provides no guidance on what it means for a “significant number of children” to “routinely access[]” the online S/P/F. However, the law makes clear in its legislative findings that covered businesses may look to guidance and innovation in response to the UK version when developing US-covered online S/P/F. [9]

ICO states that the term “likely to be accessed by” is purposefully broad, covering “services that children [are] using in reality,” not just those services specifically targeting children. [10] However, ICO recognizes that the term is not so broad as to “cover all services that children could possibly access.” [11] The key difference is whether it is “more probable than not” that an online S/P/F will be accessed by children, and businesses should take a “common sense approach to this question.” [12] To illustrate this point:
  • If an online S/P/F is the kind “you would not want children to use in any case,” then the business should focus on preventing children from accessing the online S/P/F, rather than making it child friendly. [13]
  • If a business’s common-sense analysis reveals that children make up a “substantive and identifiable user group” routinely accessing the online S/P/F, then the “likely to be accessed” definition will apply. [14]
  • If that analysis does not reveal such a group yet causes the business to “think that children will want to use it,” then the business “should conform to the [law’s] standards.” [15]
  • If a business decides that the online S/P/F is not likely to be accessed by children, the business should “document and support” the reasons for such a determination, and incorporate such evidence as “market research, current evidence on user behaviour, the user base of similar or existing service,” and more. [16]
While this does not specify a threshold for what constitutes a “significant number of children,” it does demonstrate ICO’s view on the breadth of the law’s application. In sum, businesses should make a common-sense determination — based on actual evidence (e.g., internal or market) — as to whether it is more probable than not for a substantive and identifiable user group of children to either routinely access or want to access the online S/P/F.

Top 3 Pain Points for Businesses

If a business makes such a determination and finds that their online S/P/F is covered by the law, the business must take several steps to ensure compliance. We identified the following as among the more onerous steps that must be taken.
  1. Data Protection Impact Assessments & Risk Mitigation Plans
Before offering any new online S/P/F likely to be accessed by children, the business must complete a Data Protection Impact Assessment (DPIA) for it and maintain DPIA documentation for as long as the online S/P/F is likely to be accessed by children. [17] Businesses must biennially review all DPIAs. Businesses must further document any risk of material detriment to children that arises from data management practices identified in the DPIA and create a timed plan to mitigate or eliminate the risk before the online S/P/F is accessed by children. [18]
  2. Estimate Age of Child Users or Treat All Consumers as Children
Covered businesses must estimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or apply the privacy and data protections afforded to children to all consumers. [19] The law provides no further guidance on how one makes such an estimation, but ICO published guidance for the UK version. [20]
  3. High Privacy & Tracking Signals as Default Settings for Children
Covered businesses must configure all default privacy settings provided to children by the online S/P/F to settings that offer a “high level of privacy,” unless the business can demonstrate a compelling reason that a different setting is in the best interests of children. [21] If the online S/P/F allows a parent, guardian, or other consumer to track the child’s location, it must also provide an “obvious signal” to the child when the child is being tracked or monitored. [22]

[1] The law applies to “businesses” as defined by the California Consumer Privacy Act (CCPA), 1798.140(c).
[2] 1798.99.31(a).
[3] The law incorporates the CCPA’s definition for “consumer,” 1798.140(g).
[4] 1798.99.30(b)(1).
[5] 1798.99.30(b)(4).
[6] Which means:
  • A commercial website or online service that is targeted to children; or
  • That portion of a commercial website or online service is targeted to children. 15 U.S.C. § 6501(10)(A).
[7] 1798.99.30(b)(5), which also exempts broadband internet access service and telecommunications service.
[8] According to ICO, connected toys and devices are “children’s toys and other devices which are connected to the internet. They are physical products which are supported by functionality provided through an internet connection.” https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-a-code-of-practice-for-online-services/14-connected-toys-and-devices.
[9] AB 2273, Sec. 1(d).
[10] https://ico.org.uk/media/for-organisations/guide-to-data-protection/key-data-protection-themes/age-appropriate-design-a-code-of-practice-for-online-services-2-1.pdf, at 17.
[11] Id.
[12] Id, at 17-18.
[13] Id, at 18.
[14] Id.
[15] Id.
[16] Id.
[17] The eight DPIA requirements can be found at 1798.99.31(a)(1)(B).
[18] 1798.99.31(a)(2).
[19] 1798.99.31(a)(5).
[20] These methods include the user self-declaring their age, AI algorithms establishing a user’s age, third-party verification services, confirmation from a known adult account holder, hard identifiers (e.g., passports or similar documents), or some form of technical measures. https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-a-code-of-practice-for-online-services/3-age-appropriate-application.
[21] 1798.99.31(a)(6).
[22] 1798.99.31(a)(8).

And Then There Were Five…

In July of 2021, Colorado joined California and Virginia, and became the third U.S. state with a comprehensive consumer privacy law. The Colorado Privacy Act is set to take effect in July 2023.

Hot on its heels, and within just two months of each other, first Utah in March of 2022, now Connecticut in May of 2022, passed privacy bills which will become effective in 2023.

So far, California remains the only state which allows for a private right of action in connection with its privacy bill. For more information, please see our comparison of the current U.S. state consumer privacy laws below.

For our unofficial redline of the CPRA, click here.

Follow these links for the official text of the CPRA, CPA, CTDPA, UCPA, and VCDPA.

To view and download a PDF version of this chart, click here.
