Privacy regulations in the United States have expanded dramatically by 2025. What began as a single state law in California has grown to include 19 states with varying requirements. Each state has created its own approach to consumer opt-out rights.
This expansion reflects growing public concern about data privacy. It also shows increasing regulatory attention to how businesses handle consumer information. Understanding the differences between these regulations is crucial for effective compliance.
California
Virginia
Colorado
Connecticut
Utah
Texas
Nevada
Tennessee
Minnesota
Maryland
Delaware
Iowa
Nebraska
New Hampshire
New Jersey
Definition of Personal Information
Definition of "Sale"
Definition of Targeted Advertising
Definition of Profiling
Definition of Sensitive Data
Data Sale Opt-Out Requirements
Targeted Advertising Opt-Out Requirements
Data Sharing Opt-Outs (California-Specific)
Profiling Opt-Outs
Website Mechanisms
Universal Opt-Out Signals
Timing Requirements
The California Delete Act (SB 362) & DROP
Anti-Deceptive Interface Provisions
California pioneered comprehensive consumer privacy rights in the United States. The California Consumer Privacy Act (CCPA), enhanced by the California Privacy Rights Act (CPRA), created a robust framework. Many other states have used it as inspiration.
Key features of California's framework include:
The California model has influenced other states while maintaining unique elements. This makes compliance particularly important for businesses operating in the nation's largest state economy.
Virginia's Consumer Data Protection Act took effect in January 2023. It differs from California in several key aspects:
Virginia's approach balances consumer privacy with business practicality. It has created a framework that many other states have followed.
Colorado implemented a privacy framework with several distinctive features:
Colorado's requirement that businesses recognize universal opt-out mechanisms presents a significant technical challenge. This requirement has influenced how many businesses approach privacy compliance across all states.
Connecticut closely follows Colorado's model with these key elements:
Connecticut's approach combines elements from several other state frameworks while adding unique protections for state residents.
Utah's Consumer Privacy Act takes a more business-friendly approach:
Texas adopted a hybrid approach with the Texas Data Privacy and Security Act:
Texas exempts specific industries from certain requirements to protect consumers while supporting business growth.
Nevada implemented a narrower law focused specifically on online sales:
Nevada's early entry into privacy regulation focuses primarily on online data sales rather than comprehensive privacy protections.
Tennessee's law employs a tiered approach to business compliance, balancing regulatory requirements with business capabilities:
Tiered Compliance Thresholds: Obligations are based on specific data processing volumes and revenue.
Virginia-Style Framework: Heavily influenced by the VCDPA model regarding consumer rights.
Safe Harbor Provisions: Offers legal protections for businesses that maintain a written privacy program that reasonably conforms to NIST standards.
Focused Consumer Rights: Includes the right to access, correct, delete, and obtain a copy of personal data.
Limited "Sale" Definition: Restricted primarily to monetary exchanges.
Tennessee balances consumer privacy with practical scalability for mid-sized businesses.
Minnesota combines robust opt-out rights with specific data security requirements, emphasizing both consumer choice and protection:
AI & Profiling Rights: Includes a unique "Right to Question" automated results used in profiling.
Broad Scope of "Sale": Covers the exchange of data for monetary or other valuable consideration (similar to California).
Mandatory Universal Opt-Out: Requires businesses to honor browser-based privacy signals (GPC).
Inventory Requirements: Obligates businesses to maintain a data inventory to fulfill consumer requests effectively.
Stricter Retention Rules: Mandates that personal data not be kept longer than necessary for the purpose it was collected.
Minnesota’s approach is one of the more comprehensive "non-California" models, with a heavy focus on data governance.
Maryland's approach is currently one of the strictest in the nation, emphasizing transparency and aggressive data minimization:
Strict Data Minimization: Prohibits collecting more data than is "reasonably necessary" to provide a requested product or service.
Anti-Discrimination Provisions: Strong language preventing the use of personal data to discriminate against consumers.
Heightened Sensitive Data Protections: Strict limitations on the sale of sensitive personal information.
Universal Opt-Out Support: Legally requires recognition of universal opt-out mechanisms.
Comprehensive Disclosure Requirements: Necessitates clear, granular reporting on third-party data sharing.
Maryland’s law represents a shift toward "Privacy by Default," placing a higher burden on businesses to justify data collection.
January 2025 marked a significant expansion of privacy regulations with five new state laws taking effect:
Delaware's Personal Data Privacy Act closely follows Virginia's model with:
Iowa implemented a business-friendly approach to privacy:
Nebraska's Consumer Data Privacy Act features:
The New Hampshire Information Privacy Act implemented:
New Jersey's privacy law became effective January 15, featuring:
Effective January 1, 2026, Indiana’s privacy law mirrors the Virginia model with a focus on business-friendly compliance:
Applicability Thresholds: Applies to businesses controlling data of 100,000+ Indiana residents (or 25,000 if 50% of revenue comes from data sales).
30-Day Right to Cure: Provides a permanent window for businesses to fix alleged violations before facing Attorney General enforcement.
Response Timelines: Mandates a 45-day window for responding to consumer requests, with a possible 45-day extension.
Limited Sensitive Data Scope: Definition of "sensitive" data is narrower than California, focusing on specific health diagnoses and identifiers.
No Rulemaking Authority: The Attorney General cannot create new administrative rules, providing more regulatory stability for businesses.
Effective January 1, 2026, Kentucky became the 15th state to adopt a comprehensive privacy framework:
Monetary "Sale" Definition: Limits the definition of a data "sale" strictly to exchanges for monetary consideration.
Permanent Right to Cure: Includes a 30-day period to remedy violations with no expiration date for this provision.
DPIA Requirements: Starting June 1, 2026, businesses must conduct and document Data Protection Impact Assessments for high-risk processing.
Consumer Rights Suite: Grants the right to access, correct, delete, and obtain a portable copy of personal data.
Profiling Opt-Outs: Allows consumers to opt out of automated decision-making for legal or significant life effects.
Effective January 1, 2026, Rhode Island’s law is one of the more transparent and stringent for data brokers and service providers:
Specific Third-Party Disclosures: Uniquely requires businesses to identify the actual names of third parties to whom data is sold, not just categories.
No Right to Cure: Unlike Indiana and Kentucky, Rhode Island does not provide a grace period to fix violations before penalties apply.
Lower Thresholds: Applies to businesses controlling data of 35,000+ residents (or 10,000 if 20% of revenue comes from sales).
Intentional Disclosure Penalties: Imposes fines between $100 and $500 per disclosure for intentional violations.
Conspicuous Policy Requirements: Mandates that privacy notices be placed in "another conspicuous location" if not clearly visible on the homepage.
Most state privacy laws define personal information broadly. Under the California model, personal information is any data that identifies, relates to, describes, or is reasonably capable of being associated with or linked to a particular consumer or household, directly or indirectly.
This includes:
The broad definition covers more than traditional personally identifiable information (PII). This creates broader compliance obligations.
How states define "sale" creates significant differences in compliance requirements:
California treats it as a "sale" when a business discloses personal information to a third party for monetary or other valuable consideration, so barter-style data exchanges count even when no money changes hands.
These states limit "sale" to exchanges of personal information for monetary consideration only, excluding many data-sharing arrangements.
These states follow California's broader approach. They include valuable non-monetary considerations, capturing more data-sharing activities.
These definitions require businesses to carefully track how they share consumer data and implement state-specific compliance measures.
Targeted advertising generally refers to displaying advertisements based on personal data obtained from a consumer's activities over time and across different websites or applications.
Key elements include:
All major state privacy laws now allow consumers to opt out of targeted advertising. The specific definitions and implementation requirements vary by state.
Profiling involves the automated processing of personal data to evaluate, analyze, or predict aspects of an individual's behavior, preferences, interests, or characteristics.
Colorado and Connecticut let consumers opt out of profiling that feeds decisions producing legal or similarly significant effects, such as:
State laws generally define sensitive data as categories requiring special protection, including:
Most state privacy laws require explicit consent for processing sensitive data. This creates additional compliance obligations beyond standard opt-out requirements.
All comprehensive state privacy laws provide consumers the right to opt out of sales of their personal information. Practical implementation varies based on how each state defines "sale."
Example scenarios affected by varying definitions:
These differences significantly impact compliance strategies across states.
All major state laws let consumers stop companies from using their data for targeted ads.
Implementation typically requires:
California addresses targeted advertising within its "sharing" concept. Other states make it a distinct opt-out category.
California's CPRA uniquely established "sharing" as a specific opt-out category:
In its 2022 settlement with the California Attorney General, Sephora paid $1.2 million in part for failing to honor opt-out requests sent through the Global Privacy Control signal while selling consumer data. This shows how seriously regulators take this requirement.
States like Colorado and Connecticut extend opt-out rights to include automated decision-making:
State privacy laws specify how businesses must implement opt-out mechanisms:
Most states require:
California specifically requires that a business's home page prominently display a "Do Not Sell or Share My Personal Information" link.
A significant trend is the requirement to honor universal opt-out mechanisms.
In 2026, honoring Global Privacy Control (GPC) has shifted from a recommended best practice to a mandatory technical requirement across 12 states.
Mandatory Recognition: As of January 1, 2026, businesses must honor GPC signals in California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas.
Visible Confirmation (New for 2026): California now requires businesses to display a visible notification to the user (e.g., a badge or banner stating "Opt-Out Request Honored") once a GPC signal is detected. Background processing alone is no longer compliant.
Joint Enforcement Sweeps: The Attorneys General of California, Colorado, and Connecticut have initiated coordinated "sweeps" to identify and penalize websites that fail to technically detect universal signals.
Technical Implementation: Compliance requires your site to detect the signal automatically, without a manual click from the user, and suppress all "sale" or "sharing" pixels (such as Meta or Google Ads) before they fire. The signal is exposed in two places: page scripts see the navigator.globalPrivacyControl property (a boolean, true when the signal is on), and the browser also sends a Sec-GPC: 1 request header, which lets the server decide before it renders the page. The check has to run before any tag loader injects third-party scripts; detecting the signal after a pixel has already sent data is too late.
Lead-Gen Risk: If a user with GPC enabled submits a lead form, their data cannot be "sold" or "shared" with third parties for marketing purposes, regardless of whether they checked a consent box, as the browser signal acts as a preemptive opt-out.
These requirements mean businesses must automatically implement technical solutions to detect and honor browser-based privacy signals.
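The following is an added example, not code from the original page or from any vendor or regulator, showing how a site can detect a GPC signal on both surfaces and use it to gate sale/share tags before they fire, refuse to let a later lead-form consent box override the signal, and produce the status text for a visible confirmation. The tag catalogue, the purpose labels, the shape of the returned plan and the confirmation wording are this example's own assumptions.

```javascript
// Added example (not from the page or any vendor): detect a Global Privacy
// Control (GPC) signal and gate "sale"/"share" tags on it before any pixel
// fires.  Two real GPC surfaces are checked: the boolean
// `navigator.globalPrivacyControl` exposed to page scripts, and the
// `Sec-GPC: 1` request header the browser sends, which a server can act on
// before emitting HTML.  The catalogue, purpose labels and plan shape below
// are this example's own conventions.

// Constructed sample catalogue: which tags amount to a cross-context
// "sale"/"share" and which are first-party or security-only.
const TAG_CATALOGUE = [
  { id: 'meta-pixel',       purpose: 'share' },
  { id: 'google-ads-remkt', purpose: 'sale' },
  { id: 'site-analytics',   purpose: 'first-party' },
  { id: 'fraud-detection',  purpose: 'security' },
];

// Client side: the property is a real boolean.  Anything else (undefined,
// the string "true", the number 1) is treated as "no signal", never as consent.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Server side: header names are case-insensitive, and the GPC spec defines
// only the value "1" as a signal.
function gpcFromHeaders(headers) {
  if (!headers) return false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// A signal on either surface is an opt-out request.
function gpcOptOut({ nav, headers } = {}) {
  return gpcFromNavigator(nav) || gpcFromHeaders(headers);
}

// Split the catalogue into tags that may load and tags that must stay
// suppressed.  Only sale/share tags are in scope of the opt-out; the
// `allowed` list is what you would hand to the tag loader.
function planTags(catalogue, optedOut) {
  const allowed = [];
  const suppressed = [];
  for (const tag of catalogue) {
    const saleOrShare = tag.purpose === 'sale' || tag.purpose === 'share';
    (optedOut && saleOrShare ? suppressed : allowed).push(tag.id);
  }
  return { allowed, suppressed };
}

// Lead-form rule: a ticked consent box cannot override a GPC signal, because
// the signal is a pre-emptive opt-out.  Consent only matters when no signal
// was seen.
function leadDataMayBeShared(optedOut, formConsent) {
  return !optedOut && formConsent === true;
}

// One decision for a page or request handler, including the status text to
// render for the visible-confirmation requirement.  The message wording is an
// assumption, not regulatory text.
function decide(request, catalogue = TAG_CATALOGUE) {
  const optedOut = gpcOptOut(request);
  const { allowed, suppressed } = planTags(catalogue, optedOut);
  return {
    optedOut,
    allowed,
    suppressed,
    leadSharing: leadDataMayBeShared(optedOut, request.formConsent),
    status: optedOut ? 'Opt-Out Request Honored' : 'No opt-out signal detected',
  };
}

// Stand-alone demo on constructed input: a GPC-enabled browser whose user
// also ticked a marketing consent box on a lead form.  Sale/share tags stay
// suppressed and the lead data may not be shared, despite the checkbox.
const demo = decide({
  nav: { globalPrivacyControl: true },
  headers: { 'Sec-GPC': '1', 'User-Agent': 'example' },
  formConsent: true,
});
console.log(JSON.stringify(demo, null, 2));
```

In a real page, decide() (or at least gpcFromNavigator) has to run in a synchronous script at the top of the document so that the tag loader only ever receives the allowed list; if the server already saw Sec-GPC: 1 it can simply omit the sale/share script tags from the response and skip the client check entirely.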
State and federal regulations specify how quickly businesses must honor opt-out requests. For lead-gen and sales teams, it is critical to distinguish between general data privacy requests and telemarketing opt-outs:
The Federal 10-Day Rule (TCPA): As of April 11, 2025, the FCC’s "Revocation of Consent" rule is in full effect. Businesses must honor "Do Not Call" and SMS opt-out requests within 10 business days. This federal mandate now supersedes the more lenient 30-day window previously allowed.
State Privacy Timelines (45 Days): Most state laws (like California’s CCPA or Indiana’s ICDPA) still allow 45 days to process general requests, such as a request to delete data or opt out of data "sales" that aren't related to direct calling/texting.
Extensions: For state-level privacy requests, a 45-day extension is often available with consumer notice. However, there is no extension for the 10-day federal marketing opt-out.
Clarification Messages: Under the new federal rule, you may send one final text to clarify the scope of an opt-out (e.g., "Do you want to stop all messages or just marketing?"). If the consumer doesn't reply, you must treat it as a total opt-out and stop all communications within the 10-day window.
A major provision of the FCC’s recent order has been delayed, giving businesses more time to adjust their backend systems:
The "Stop-One, Stop-All" Rule: This requires a single opt-out request to apply globally across all "unrelated" lines of business within a company.
New Deadline: On January 6, 2026, the FCC extended the waiver for this provision until January 31, 2027.
Current Status: Until 2027, companies may continue to manage opt-outs on a per-category or per-business-unit basis, provided they offer a clear way for consumers to choose specific categories.
As of January 1, 2026, California has launched the Delete Request and Opt-out Platform (DROP). This "one-click" system allows residents to request that all registered data brokers delete their personal information simultaneously.
Who is affected? Any company meeting California’s broad "Data Broker" definition—which often includes lead providers and data enrichment services.
Key Deadline: While the platform is live for consumers now, data brokers must begin retrieving and processing these requests every 45 days starting August 1, 2026.
The Risk: Non-compliance carries administrative fines of $200 per request, per day.
Several states prohibit using deceptive interfaces to undermine privacy choices:
See also:
Telemarketing Call Time Restrictions by State
Disclaimer: This guide provides general information about privacy regulations and does not constitute legal advice.