Data Privacy by Location
Navigating Global Regulations
California
The California Consumer Privacy Act (CCPA) has been in effect since January 1, 2020, and it protects CA residents' rights with respect to their personal data. The California Privacy Rights Act (CPRA), effective as of January 1, 2023, expands the scope of the CCPA. Together, they protect California residents' rights of access in a portable manner, correction, and deletion, along with the ability to opt out of select processes for sensitive data, sales, and automated decisions. The Acts also require regular risk assessments and prohibit discrimination against indiviudals for exercising rights granted to them by the Acts. The CCPA and CPRA apply to for-profit businesses in California with gross annual revenue over $25,000,000, those that process data pertaining to at least 100,000 CA residents, or those that derive at least 50% of their revenue from the sale of residents' data. If a data breach occurs, eligible organizations must notify impacted parties as soon as possible and without reasonable delay, and the California Attorney General must be notified if at least 500 people are impacted.
Request a ConsultationColorado
The Colorado Privacy Act (CPA), effective as of July 1, 2023, protects CO residents' right to privacy regarding their personal data. Organizations must ensure residents have access to their personal data in a portable format, along with the ability to correct or delete information. Colorado residents can opt out of processing for targeted advertising, along with sales and some automated decision-making regarding their data. Organizations must conduct risk assessments to ensure these rights are upheld and cannot discriminate against residents for exercising them. The CPA applies to both for-profit and non-profit entities that operate in Colorado or deliver goods or services to individuals in the state, so long as they process data belonging to 100,000 state residents in a calendar year or derive revenue or other incentives from the sale of 25,000 or more residents If a data breach occurs, eligible organizations must provide notice to all impacted parties without unreasonable delay and no later than 30 days after recognizing the incident They must also provide notice to the Colorado Attorney General.
Request a ConsultationEurope
The General Data Protection Regulation (GDPR) has been in effect since May 25, 2018. It protects the privacy rights of data subjects in the European Union. It ensures transparency in communication and accessible modalities for data subjects to exercise their rights, which include: information about and access to personal data; rectification and erasure, including restrictions on select processes; and opting out of automated decision-making. Data processors and controllers must ensure privacy by design and default, and they may need to appoint a Data Protection Officer (DPO) or implement risk assessments and other measures, per the discretion of the EU Member State or other entity designated as their supervisory authority. The GDPR applies to organizations based in the EU that process personal data, along with organizations outside of the EU that process the personal data of EU residents, offer goods or services to them, or monitor the behavior of EU residents. If a data breach occurs, the data controller is responsible for providing notification to their supervisory authority no more than 72 hours after becoming aware of the incident. The notice must include the nature of the breach, its likely consequences, and what measures are being taken to mitigate them, among other details.
Request a ConsultationConnecticut
The Connecticut Data Privacy Act (CTDPA), effective as of July 1, 2023, protects the data privacy rights of CT residents. It grants the rights of access to personal data in portable formats, along with corrections to and deletions of personal data. CT residents can opt out of processes for targeted advertising and sales of their personal data, along with some automated decisions regarding their data. Organizations must conduct risk assessmenta related to these rights and cannot discriminate against Connecticut residents for exercising rights granted by the CTDPA. The CDTPA applies to entities conducting business in the state of producing goods and services targeted toward Connecticut residents if they process the data of 100,000 or more residents or 25,000 or more residents while deriving at least 25% of revenue from the sale of such data. When a data breach occurs, eligible entities must notify impacted parties without unreasonable delay and no later than 60 days after discovering the incident - or sooner, per applicable federal mandates. Notification must also be provided to the Connecticut
Request a ConsultationUtah
The Utah Consumer Privacy Act (UCPA), effective as of December 1, 2023, protects Utah residents' data privacy rights. Utah residents have the right to access their personal data in a portable manner, and they have the right to delete information about them. They can also opt out of sales regarding their personal data, along with processes related to targeted advertising. Organizations cannot discriminate against UT residents for exercising any of these rights. The UCPA applies to entities that conduct business in Utah or market goods or services to its residents and meet certain revenue and data processing thresholds. Namely, eligible entities have an annual revenue of at leat $25,000,000 that process the personal data of 100,000 or more state residents or that derive at least 50% of their revenue fromm personal data sales and process the personal data of at least 25,000 residents. If a data breach occurs, these entities must notify the impacted parties as soon as possible and without unreasonable delay.
Request a ConsultationCanada
The Personal Information Protection and Electronic Documents Act (PIPEDA) has been in effect since January 1, 2011, protecting the data privacy of Canadian citizens. Organizations must uphold 10 principles to ensure personal data processing is appropriate. They must remain accountable for data processes; identify the purposes for collection; garner consent for data processing; limit processing to stated purposes; ensure accuracy of records; install safeguards to protect data; be transparent about processes related to data; provide access to data subjectsl and entertain individuals' challenges regarding organizational compliance. PIPEDA applies to all private-sector organizations operating in Canada that process personal data pertaining to Canadian residents as part of their commercial activities. It also apploes to organizations that process data crossing privincial or national borders, regardless of where the entity is based. If a breach occurs and an eligible entity deems it to pose a Real Risk of Significant Harm (RROSH) to impacted parties, they must notify them as soon as possible.
Request a ConsultationDelaware
Delaware's privacy framework is expanding with the Delaware Personal Data Privacy Act (DPDPA), taking effect January 1, 2025. It grants residents rights to access, correct, delete, and obtain a copy of their personal data. Businesses must provide clear privacy notices, allow users to opt out of targeted advertising and sales, and conduct data protection assessments for high-risk processing. The DPDPA applies to entities controlling or processing personal data of 35,000+ consumers or 10,000+ consumers if they derive over 20% of gross revenue from data sales. It includes a 60-day cure period for violations until December 31, 2025.
Request a ConsultationIndiana
Indiana's Consumer Data Protection Act (ICDPA), effective January 1, 2026, provides consumers the right to access, delete, and correct personal data and opt out of targeted advertising and sales. The law mandates that businesses publish a privacy policy and obtain consent for processing sensitive data. ICDPA applies to entities processing data of at least 100,000 consumers or 25,000 consumers and deriving over 50% revenue from sales. It emphasizes risk-based data management and requires reasonable safeguards to protect consumer information.
Request a ConsultationIowa
The Iowa Consumer Data Protection Act (ICDPA), effective January 1, 2025, offers rights to access, delete, and obtain copies of personal data. While it doesn't include the right to correct data, it does let consumers opt out of data sales. It applies to entities processing personal data of 100,000+ Iowans or 25,000+ if they derive over 50% of revenue from selling personal data. The law also requires clear privacy notices and limits data collection to what's necessary for stated purposes.
Request a ConsultationKentucky
Kentucky has yet to enact a comprehensive data privacy law as of 2025, but businesses operating in the state should prepare for eventual legislation by adopting best practices aligned with existing state-level frameworks like Virginia or Colorado. Transparency, consumer control, and data minimization are expected foundational principles. In the absence of specific regulations, businesses should adhere to industry standards and ensure strong breach notification procedures, especially given the growing national trend toward privacy enforcement.
Request a ConsultationMaryland
The Maryland Online Data Privacy Act of 2024 (MODPA) will go into effect on October 1, 2025. It provides strong consumer rights, including access, deletion, correction, portability, and opt-outs for targeted advertising, profiling, and sales. MODPA applies to businesses processing data of 35,000+ consumers or 10,000+ with over 20% revenue from data sales. It features strict limits on secondary data use and mandates data minimization. Maryland's law is notable for its focus on protecting minors and high-risk processing.
Request a ConsultationMinnesota
As of 2025, Minnesota does not yet have a comprehensive consumer privacy law in place. However, the state enforces several sector-specific privacy laws and data breach notification statutes. Organizations should proactively adopt privacy frameworks aligned with national standards and prepare for future legislation by emphasizing transparency, accountability, and user rights.
Request a ConsultationMontana
The Montana Consumer Data Privacy Act (MCDPA), effective October 1, 2024, grants rights such as access, deletion, correction, and data portability. It also allows residents to opt out of data sales and targeted advertising. The law applies to controllers processing data of 50,000+ consumers or 25,000+ if deriving over 25% of gross revenue from data sales. MCDPA mandates data protection assessments and clear privacy notices.
Request a ConsultationNebraska
Nebraska does not currently have a dedicated consumer privacy law, but its data breach notification law requires organizations to inform affected individuals if personal data is exposed. Businesses should follow privacy practices similar to those outlined in states like Colorado or Virginia to stay compliant and build consumer trust.
Request a ConsultationNew Hampshire
The New Hampshire Data Privacy Act (NHDPA) is scheduled to take effect on January 1, 2025. It provides rights to access, delete, correct, and obtain personal data, as well as opt-outs from sales and targeted advertising. The law applies to entities processing data of 35,000+ consumers or 10,000+ consumers with over 25% revenue from selling data. It includes obligations around consent for sensitive data and conducting data protection assessments.
Request a ConsultationNew Jersey
New Jersey's Data Privacy Act (NJDPA), effective January 15, 2025, mirrors other state laws in granting rights to access, correct, delete, and opt out of the sale or use of personal data for advertising. It mandates transparency in privacy policies and consent for sensitive data processing. NJDPA applies to businesses processing 100,000+ consumers’ data or 25,000+ with over 50% revenue from data sales.
Request a ConsultationOregon
Oregon’s Consumer Privacy Act (OCPA), effective July 1, 2024, applies to businesses handling data of 100,000+ consumers or 25,000+ consumers deriving over 25% of revenue from data sales. It grants residents rights to access, delete, correct, and port their data, along with opt-out rights for profiling, data sales, and targeted ads. OCPA has strict protections for sensitive data and requires user consent before collection.
Request a ConsultationRhode Island
Rhode Island has introduced legislation for a consumer data privacy law but has not enacted one as of 2025. In the meantime, the state enforces strict data breach notification requirements. Organizations should proactively implement privacy standards and prepare for eventual regulations similar to other states.
Request a ConsultationTennessee
The Tennessee Information Protection Act (TIPA), effective July 1, 2025, provides residents with rights to access, correct, delete, and obtain personal data, and to opt out of data sales and targeted ads. TIPA introduces a "reasonable conformity" standard for data security practices. It applies to businesses processing data of 100,000+ consumers or 25,000+ consumers if they derive more than 50% of revenue from selling data.
Request a ConsultationTexas
The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, grants Texans the rights to access, correct, delete, and obtain copies of their personal data. The law also includes opt-outs for targeted advertising, data sales, and profiling. TDPSA applies broadly to businesses conducting operations in Texas, with no minimum data threshold, and mandates robust data governance and consumer consent mechanisms for sensitive data.
Request a ConsultationVirginia
Virginia’s Consumer Data Protection Act (CDPA), effective since January 1, 2023, gives consumers rights to access, correct, delete, and port their data, as well as opt out of data sales and targeted advertising. The CDPA applies to businesses processing data of 100,000+ consumers or 25,000+ with over 50% revenue from selling personal data. It requires clear privacy notices, data protection assessments, and accountability mechanisms.
Request a ConsultationNorth America
California
California
The California Consumer Privacy Act (CCPA) has been in effect since January 1, 2020, and it protects CA
residents' rights with respect to their personal data. The California Privacy Rights Act (CPRA), effective as of
January 1, 2023, expands the scope of the CCPA. Together, they protect California residents' rights of access in a
portable manner, correction, and deletion, along with the ability to opt out of select processes for sensitive data,
sales, and automated decisions. The Acts also require regular risk assessments and prohibit discrimination
against indiviudals for exercising rights granted to them by the Acts.
The CCPA and CPRA apply to for-profit businesses in California with gross annual revenue over $25,000,000,
those that process data pertaining to at least 100,000 CA residents, or those that derive at least 50% of their
revenue from the sale of residents' data. If a data breach occurs, eligible organizations must notify impacted
parties as soon as possible and without reasonable delay, and the California Attorney General must be notified if at
least 500 people are impacted.
Colorado
Colorado
The Colorado Privacy Act (CPA), effective as of July 1, 2023, protects CO residents' right to privacy regarding their
personal data. Organizations must ensure residents have access to their personal data in a portable format, along with
the ability to correct or delete information. Colorado residents can opt out of processing for targeted advertising,
along with sales and some automated decision-making regarding their data. Organizations must conduct risk assessments
to ensure these rights are upheld and cannot discriminate against residents for exercising them.
The CPA applies to both for-profit and non-profit entities that operate in Colorado or deliver goods or services to
individuals in the state, so long as they process data belonging to 100,000 state residents in a calendar year or
derive revenue or other incentives from the sale of 25,000 or more residents If a data breach occurs, eligible
organizations must provide notice to all impacted parties without unreasonable delay and no later than 30 days
after recognizing the incident They must also provide notice to the Colorado Attorney General.
Connecticut
Connecticut
The Connecticut Data Privacy Act (CTDPA), effective as of July 1, 2023, protects the data privacy rights of CT residents.
It grants the rights of access to personal data in portable formats, along with corrections to and deletions of
personal data. CT residents can opt out of processes for targeted advertising and sales of their personal data, along
with some automated decisions regarding their data. Organizations must conduct risk assessmenta related to these rights
and cannot discriminate against Connecticut residents for exercising rights granted by the CTDPA.
The CDTPA applies to entities conducting business in the state of producing goods and services targeted
toward Connecticut residents if they process the data of 100,000 or more residents or 25,000 or more residents
while deriving at least 25% of revenue from the sale of such data. When a data breach occurs, eligible entities
must notify impacted parties without unreasonable delay and no later than 60 days after discovering the incident
- or sooner, per applicable federal mandates. Notification must also be provided to the Connecticut
Utah
Utah
The Utah Consumer Privacy Act (UCPA), effective as of December 1, 2023, protects Utah residents' data privacy rights.
Utah residents have the right to access their personal data in a portable manner, and they have the right to delete
information about them. They can also opt out of sales regarding their personal data, along with processes related to
targeted advertising. Organizations cannot discriminate against UT residents for exercising any of these rights.
The UCPA applies to entities that conduct business in Utah or market goods or services to its residents
and meet certain revenue and data processing thresholds. Namely, eligible entities have an annual
revenue of at leat $25,000,000 that process the personal data of 100,000 or more state residents or that derive
at least 50% of their revenue fromm personal data sales and process the personal data of at least 25,000 residents.
If a data breach occurs, these entities must notify the impacted parties as soon as possible and without
unreasonable delay.
Canada
Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA) has been in effect since January
1, 2011, protecting the data privacy of Canadian citizens. Organizations must uphold 10 principles to
ensure personal data processing is appropriate. They must remain accountable for data processes; identify the
purposes for collection; garner consent for data processing; limit processing to stated purposes; ensure
accuracy of records; install safeguards to protect data; be transparent about processes related to data; provide
access to data subjectsl and entertain individuals' challenges regarding organizational compliance.
PIPEDA applies to all private-sector organizations operating in Canada that process personal data pertaining
to Canadian residents as part of their commercial activities. It also apploes to organizations that process data
crossing privincial or national borders, regardless of where the entity is based. If a breach occurs and an
eligible entity deems it to pose a Real Risk of Significant Harm (RROSH) to impacted parties, they must notify
them as soon as possible.
Delaware
Delaware
Delaware's privacy framework is expanding with the Delaware Personal Data Privacy Act (DPDPA), taking effect January 1, 2025. It grants residents rights to access, correct, delete, and obtain a copy of their personal data. Businesses must provide clear privacy notices, allow users to opt out of targeted advertising and sales, and conduct data protection assessments for high-risk processing.
The DPDPA applies to entities controlling or processing personal data of 35,000+ consumers or 10,000+ consumers if they derive over 20% of gross revenue from data sales. It includes a 60-day cure period for violations until December 31, 2025.
Indiana
Indiana
Indiana's Consumer Data Protection Act (ICDPA), effective January 1, 2026, provides consumers the right to access, delete, and correct personal data and opt out of targeted advertising and sales. The law mandates that businesses publish a privacy policy and obtain consent for processing sensitive data.
ICDPA applies to entities processing data of at least 100,000 consumers or 25,000 consumers and deriving over 50% revenue from sales. It emphasizes risk-based data management and requires reasonable safeguards to protect consumer information.
Iowa
Iowa
The Iowa Consumer Data Protection Act (ICDPA), effective January 1, 2025, offers rights to access, delete, and obtain copies of personal data. While it doesn't include the right to correct data, it does let consumers opt out of data sales.
It applies to entities processing personal data of 100,000+ Iowans or 25,000+ if they derive over 50% of revenue from selling personal data. The law also requires clear privacy notices and limits data collection to what's necessary for stated purposes.
Kentucky
Kentucky
Kentucky has yet to enact a comprehensive data privacy law as of 2025, but businesses operating in the state should prepare for eventual legislation by adopting best practices aligned with existing state-level frameworks like Virginia or Colorado. Transparency, consumer control, and data minimization are expected foundational principles.
In the absence of specific regulations, businesses should adhere to industry standards and ensure strong breach notification procedures, especially given the growing national trend toward privacy enforcement.
Maryland
Maryland
The Maryland Online Data Privacy Act of 2024 (MODPA) will go into effect on October 1, 2025. It provides strong consumer rights, including access, deletion, correction, portability, and opt-outs for targeted advertising, profiling, and sales.
MODPA applies to businesses processing data of 35,000+ consumers or 10,000+ with over 20% revenue from data sales. It features strict limits on secondary data use and mandates data minimization. Maryland's law is notable for its focus on protecting minors and high-risk processing.
Minnesota
Minnesota
As of 2025, Minnesota does not yet have a comprehensive consumer privacy law in place. However, the state enforces several sector-specific privacy laws and data breach notification statutes. Organizations should proactively adopt privacy frameworks aligned with national standards and prepare for future legislation by emphasizing transparency, accountability, and user rights.
Montana
Montana
The Montana Consumer Data Privacy Act (MCDPA), effective October 1, 2024, grants rights such as access, deletion, correction, and data portability. It also allows residents to opt out of data sales and targeted advertising.
The law applies to controllers processing data of 50,000+ consumers or 25,000+ if deriving over 25% of gross revenue from data sales. MCDPA mandates data protection assessments and clear privacy notices.
Nebraska
Nebraska
Nebraska does not currently have a dedicated consumer privacy law, but its data breach notification law requires organizations to inform affected individuals if personal data is exposed. Businesses should follow privacy practices similar to those outlined in states like Colorado or Virginia to stay compliant and build consumer trust.
New Hampshire
New Hampshire
The New Hampshire Data Privacy Act (NHDPA) is scheduled to take effect on January 1, 2025. It provides rights to access, delete, correct, and obtain personal data, as well as opt-outs from sales and targeted advertising.
The law applies to entities processing data of 35,000+ consumers or 10,000+ consumers with over 25% revenue from selling data. It includes obligations around consent for sensitive data and conducting data protection assessments.
New Jersey
New Jersey
New Jersey's Data Privacy Act (NJDPA), effective January 15, 2025, mirrors other state laws in granting rights to access, correct, delete, and opt out of the sale or use of personal data for advertising. It mandates transparency in privacy policies and consent for sensitive data processing.
NJDPA applies to businesses processing 100,000+ consumers’ data or 25,000+ with over 50% revenue from data sales.
Oregon
Oregon
Oregon’s Consumer Privacy Act (OCPA), effective July 1, 2024, applies to businesses handling data of 100,000+ consumers or 25,000+ consumers deriving over 25% of revenue from data sales.
It grants residents rights to access, delete, correct, and port their data, along with opt-out rights for profiling, data sales, and targeted ads. OCPA has strict protections for sensitive data and requires user consent before collection.
Rhode Island
Rhode Island
Rhode Island has introduced legislation for a consumer data privacy law but has not enacted one as of 2025. In the meantime, the state enforces strict data breach notification requirements. Organizations should proactively implement privacy standards and prepare for eventual regulations similar to other states.
Tennessee
Tennessee
The Tennessee Information Protection Act (TIPA), effective July 1, 2025, provides residents with rights to access, correct, delete, and obtain personal data, and to opt out of data sales and targeted ads. TIPA introduces a "reasonable conformity" standard for data security practices.
It applies to businesses processing data of 100,000+ consumers or 25,000+ consumers if they derive more than 50% of revenue from selling data.
Texas
Texas
The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, grants Texans the rights to access, correct, delete, and obtain copies of their personal data. The law also includes opt-outs for targeted advertising, data sales, and profiling.
TDPSA applies broadly to businesses conducting operations in Texas, with no minimum data threshold, and mandates robust data governance and consumer consent mechanisms for sensitive data.
Virginia
Virginia
Virginia’s Consumer Data Protection Act (CDPA), effective since January 1, 2023, gives consumers rights to access, correct, delete, and port their data, as well as opt out of data sales and targeted advertising.
The CDPA applies to businesses processing data of 100,000+ consumers or 25,000+ with over 50% revenue from selling personal data. It requires clear privacy notices, data protection assessments, and accountability mechanisms.
Europe
Europe
The General Data Protection Regulation (GDPR) has been in effect since May 25, 2018. It protects the privacy rights
of data subjects in the European Union. It ensures transparency in communication and accessible modalities for
data subjects to exercise their rights, which include: information about and access to personal data; rectification
and erasure, including restrictions on select processes; and opting out of automated decision-making. Data processors
and controllers must ensure privacy by design and default, and they may need to appoint a Data Protection Officer (DPO)
or implement risk assessments and other measures, per the discretion of the EU Member State or other entity designated
as their supervisory authority.
The GDPR applies to organizations based in the EU that process personal data, along with organizations outside of the
EU that process the personal data of EU residents, offer goods or services to them, or monitor the behavior of EU residents.
If a data breach occurs, the data controller is responsible for providing notification to their supervisory authority no
more than 72 hours after becoming aware of the incident. The notice must include the nature of the breach, its likely
consequences, and what measures are being taken to mitigate them, among other details.