Side-by-side comparison of CCPA, VCDPA, CPA, CTDPA, UCPA, and 10+ state privacy laws. Covers consumer thresholds, opt-out mechanisms, cure periods, and...
Overview
As of late 2024, over a dozen U.S. states have enacted comprehensive consumer privacy laws. This guide provides a side-by-side comparison to help organizations understand multi-state compliance requirements.
Enacted State Privacy Laws Timeline
| State | Law | Signed | Effective | Status |
|---|---|---|---|---|
| California | CCPA/CPRA | 2018/2020 | Jan 2020/Jan 2023 | Active |
| Virginia | VCDPA | Mar 2021 | Jan 2023 | Active |
| Colorado | CPA | Jul 2021 | Jul 2023 | Active |
| Connecticut | CTDPA | May 2022 | Jul 2023 | Active |
| Utah | UCPA | Mar 2022 | Dec 2023 | Active |
| Iowa | ICDPA | Mar 2023 | Jan 2025 | Pending |
| Indiana | ICDPA | May 2023 | Jan 2026 | Pending |
| Tennessee | TIPA | May 2023 | Jul 2025 | Pending |
| Texas | TDPSA | Jun 2023 | Jul 2024 | Active |
| Oregon | OCPA | Jul 2023 | Jul 2024 | Active |
| Montana | CDPA | May 2023 | Oct 2024 | Active |
| Delaware | DPDPA | Sep 2023 | Jan 2025 | Pending |
| New Jersey | NJDPA | Jan 2024 | Jan 2025 | Pending |
| New Hampshire | NHDPA | Mar 2024 | Jan 2025 | Pending |
Applicability Thresholds Comparison
Consumer Data Thresholds
| State | Primary Threshold | Secondary Threshold |
|---|---|---|
| California | 100,000 consumers/households | No secondary |
| Virginia | 100,000 consumers | 25,000 + 50% revenue from data |
| Colorado | 100,000 consumers | 25,000 + any revenue from data |
| Connecticut | 100,000 consumers | 25,000 + 25% revenue from data |
| Utah | 100,000 consumers | 25,000 + 50% revenue from data |
| Texas | N/A (SBA definition) | Small business + data sales |
| Oregon | 100,000 consumers | 25,000 + 25% revenue from data |
| Montana | 50,000 consumers | 25,000 + 25% revenue from data |
| Delaware | 35,000 consumers | 10,000 + 20% revenue from data |
Revenue Thresholds
| State | Revenue Requirement |
|---|---|
| California | $25 million annual gross revenue |
| Utah | $25 million annual revenue |
| Texas | Not a "small business" per SBA |
| All Others | No revenue threshold |
Consumer Rights Comparison
| Right | CA | VA | CO | CT | UT | TX | OR | MT | DE |
|---|---|---|---|---|---|---|---|---|---|
| Access | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Correct | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Delete | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Portability | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Opt-Out Sale | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Opt-Out Targeted Ads | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Opt-Out Profiling | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ |
| Third-Party List | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗ | ✓ |
Key Insight: Utah is the only state without a right to correct. Oregon and Delaware uniquely require disclosure of specific third-party names.
Operational Requirements Comparison
Response Timelines
| State | Initial Response | Extension | Appeal Response |
|---|---|---|---|
| California | 45 days | +45 days | N/A |
| Virginia | 45 days | +45 days | 45 days |
| Colorado | 45 days | +45 days | 45 days |
| Connecticut | 45 days | +45 days | 60 days |
| Utah | 45 days | +45 days | N/A |
| Texas | 45 days | +45 days | 60 days |
| Oregon | 45 days | +45 days | 45 days |
| Montana | 45 days | +45 days | 60 days |
| Delaware | 45 days | +45 days | 60 days |
Data Protection Assessments Required
| State | DPA Required | Risk Categories |
|---|---|---|
| California (CPRA) | Yes | High-risk processing |
| Virginia | Yes | Targeted ads, sales, profiling, sensitive data |
| Colorado | Yes | Targeted ads, sales, profiling, sensitive data |
| Connecticut | Yes | Targeted ads, sales, profiling, sensitive data |
| Utah | No | N/A |
| Texas | Yes | Targeted ads, sales, profiling, sensitive data |
| Oregon | Yes | Targeted ads, sales, profiling, sensitive data |
| Montana | Yes | Targeted ads, sales, profiling, sensitive data |
| Delaware | Yes | Targeted ads, sales, profiling, sensitive data |
Key Insight: Utah is the only state that does not require data protection assessments.
Sensitive Data Categories
Standard Categories (All States)
- Racial or ethnic origin
- Religious beliefs
- Health diagnosis/condition
- Sexual orientation
- Genetic data
- Biometric data (for identification)
- Precise geolocation
State-Specific Additions
| Category | States Covering |
|---|---|
| Citizenship/Immigration | All except CA (implicit) |
| Known Child Data | VA, CO, CT, TX, OR, MT, DE |
| National Origin | OR only |
| Transgender/Nonbinary Status | OR only |
| Union Membership | CA only |
Unique Features by State
California (CCPA/CPRA)
- Private right of action for data breaches
- Universal opt-out signal recognition (GPC)
- California Privacy Protection Agency (dedicated enforcement)
- No nonprofit exemption
- Broadest "sale" and "sharing" definitions
Virginia (VCDPA)
- First Virginia-model law (template for others)
- Nonprofit exemption
- Most balanced controller-processor framework
- No universal opt-out requirement
Colorado (CPA)
- Universal opt-out mechanism required (GPC mandate)
- Appeals process required
- District attorney enforcement option
- Strong rulemaking authority
Connecticut (CTDPA)
- Loyalty program provisions
- Dark patterns prohibition
- Lower revenue threshold (25%)
- Extended appeal response time (60 days)
Utah (UCPA)
- Most business-friendly
- Permanent cure period (no sunset)
- No right to correct
- No DPA requirements
- $25M revenue floor
Texas (TDPSA)
- No explicit revenue threshold
- SBA small business definition
- Second-largest state population
- Small business loses exemption if selling sensitive data
Oregon (OCPA)
- Nonprofit coverage (first state)
- Right to specific third-party names
- Expanded sensitive data (national origin, transgender status)
- Limited employee data exemption
Montana (CDPA)
- Lowest population state with comprehensive law
- 50,000 consumer threshold (lowest non-revenue threshold)
- 60-day cure period (longest)
Delaware (DPDPA)
- Lowest thresholds (35,000/10,000 consumers)
- Lowest revenue percentage (20%)
- Right to specific third-party names
- Highest per-violation penalty ($10,000)
Cure Period Comparison
| State | Cure Period | Sunset Date |
|---|---|---|
| California | None | N/A |
| Virginia | 30 days | January 1, 2025 |
| Colorado | 60 days | January 1, 2025 |
| Connecticut | 60 days | December 31, 2024 |
| Utah | 30 days | Permanent |
| Texas | 30 days | None specified |
| Oregon | 30 days | January 1, 2026 |
| Montana | 60 days | None specified |
| Delaware | 60 days | December 31, 2025 |
Penalties Comparison
| State | Maximum Per Violation | Enhanced Penalties |
|---|---|---|
| California | $7,500 | $7,500 for minors' data |
| Virginia | $7,500 | - |
| Colorado | $20,000 | Willful violations |
| Connecticut | $5,000 | CUTPA damages |
| Utah | $7,500 | - |
| Texas | $7,500 | Intentional violations |
| Oregon | $7,500 | - |
| Montana | $7,500 | - |
| Delaware | $10,000 | Highest standard |
Multi-State Compliance Strategy
Baseline Compliance (Covers Most States)
Implementing these practices satisfies requirements across most state laws:
- Privacy Notice with all required disclosures
- Consumer Rights Portal supporting access, correction, deletion, and portability
- Opt-Out Mechanisms for sale, targeted advertising, and profiling
- Sensitive Data Consent opt-in framework
- Data Protection Assessments for high-risk processing
- 45-Day Response workflows with extension capability
- Appeals Process for denied requests
- Processor Contracts with required terms
- Reasonable Security practices
State-Specific Additions
| Requirement | States | Action |
|---|---|---|
| Universal Opt-Out (GPC) | CA, CO | Implement GPC detection |
| Third-Party Lists | OR, DE | Track specific sharing partners |
| Nonprofit Compliance | OR | Include nonprofits in scope |
| Loyalty Program Rules | CT | Review rewards program terms |
| No Right to Correct | UT | Can simplify for Utah-only |
Exemption Planning
Entity-Level Exemptions
| Entity Type | Exempt In |
|---|---|
| Nonprofits | VA, CO, CT, UT, TX, MT, DE (not OR) |
| HIPAA Entities | All states |
| GLBA Entities | All states |
| Government | All states |
| Higher Education | Most states |
Data-Level Exemptions
| Data Type | Exempt In |
|---|---|
| Employment Data | All states (with limitations in OR) |
| B2B Contacts | All states |
| Publicly Available | All states |
| De-identified Data | All states |
Conclusion
The U.S. state privacy law landscape continues to expand, with each new law building on established models while introducing unique requirements. Organizations operating nationally should:
- Implement baseline compliance covering common requirements
- Layer state-specific features for California (universal opt-out), Colorado (GPC), Oregon (nonprofit, third-party lists), and others
- Monitor thresholds across all applicable states
- Track cure period sunsets to ensure ongoing compliance flexibility
- Plan for emerging state laws following similar patterns
A unified compliance program addressing the most stringent requirements across states provides the most efficient path to comprehensive coverage.