The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most stringent and comprehensive US state privacy law, but it is no longer the only one. As of mid-2025, at least 12 other states have enacted comprehensive privacy laws, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCPA), Iowa (ICDPA), Indiana (INCDPA), Tennessee (TIPA), Delaware (DPDPA) and Florida (FDBPR, whose controller obligations reach only very large businesses), each with distinct scopes, consumer rights and enforcement mechanisms. The result is a compliance patchwork for any organization processing personal data across state lines. Understanding the key differences between the CCPA/CPRA and the other state laws is essential for legal, compliance and security teams that want to operationalize privacy obligations efficiently without assuming one-size-fits-all applicability.
What Is the CCPA/CPRA, and Why Are Other State Laws Different?
The CCPA, effective January 1, 2020, and strengthened by the CPRA (effective January 1, 2023), grants California residents a broad set of consumer rights—including the right to know, delete, correct, opt out of the sale or sharing of personal information, and limit the use of sensitive personal information. The CPRA also established the California Privacy Protection Agency (CPPA) as an independent enforcement body. In contrast, laws such as Virginia’s VCDPA (effective January 1, 2023) and Colorado’s CPA (effective July 1, 2023) follow a similar framework but differ in thresholds, consumer rights details, enforcement authority, and specific exemptions. No two state laws are identical, and the differences can significantly affect compliance strategy.
Key Takeaway: The CCPA/CPRA is the baseline for US privacy, but it is not the uniform standard. Organizations must comply with each applicable state law individually, and a CCPA-compliant program does not automatically satisfy Virginia, Colorado, or Texas requirements—especially around opt-out signals, sensitive data processing, and data protection assessments.
How Do Consumer Rights Compare Across US State Privacy Laws?
While all comprehensive US state privacy laws grant core consumer rights, the nuances matter:
- Right to know / access: All laws provide a right to confirm whether a business processes personal data and to access that data. The CCPA/CPRA additionally requires disclosure of the specific pieces of personal information collected (a broader right than most other states).
- Right to delete: Universal across all state laws, but exceptions vary. For example, the CCPA/CPRA has exceptions for legal compliance, security, and certain business operations; the Colorado CPA has a similar but not identical list.
- Right to correct inaccurate data: Mandated by the CCPA/CPRA (added by the CPRA), Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Oregon OCPA, Montana MCPA, Texas TDPSA, Indiana INCDPA, Tennessee TIPA and Delaware DPDPA. Utah UCPA and Iowa ICDPA do not include a correction right as of 2025.
- Right to opt out of sale and targeted advertising: All laws include opt-out rights, but definitions of "sale" differ. The CCPA/CPRA defines "sale" broadly as any disclosure for monetary or other valuable consideration, and separately defines "sharing" for cross-context behavioral advertising. Colorado, Connecticut, Texas, Oregon, Montana and Delaware use the same "monetary or other valuable consideration" formulation, while Virginia, Utah, Iowa and Indiana define "sale" more narrowly as an exchange for monetary consideration only. That is a significant difference for data flows that involve no payment, such as ad-tech identifier syncs, which are a "sale" in California but not in Virginia.
- Sensitive data processing: The CPRA defines a category of sensitive personal information (e.g., precise geolocation, health data, genetic data, racial or ethnic origin, account credentials) and gives consumers an opt-out style right to limit its use to what is necessary to provide the requested goods or services. Virginia, Colorado, Connecticut, Oregon, Montana, Texas, Delaware, Indiana and Tennessee take the opposite approach and require opt-in consent before sensitive data is processed at all. Utah and Iowa require only clear notice and an opportunity to opt out. A consent banner built for California's limit-the-use model therefore does not satisfy the opt-in states.
- Right to opt out via universal signal: The CCPA regulations require businesses to treat an opt-out preference signal such as Global Privacy Control (GPC) as a valid request to opt out of sale and sharing. Colorado (from July 1, 2024), Connecticut, Montana and Texas (from January 1, 2025), and Oregon and Delaware (from January 1, 2026) also require recognition of a universal opt-out mechanism; Colorado publishes a list of recognized mechanisms, and GPC is on it. Virginia, Utah, Iowa, Indiana and Tennessee do not mandate universal signal recognition.
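Honoring a universal signal is an engineering task as much as a legal one. The following is an added example, not code from this page or from CyberSilo, showing how a web backend can parse the GPC request header, merge it with a stored consumer preference, and record whether the requesting state mandated recognition. The effective-date table, the precedence rule and the sample requests are assumptions constructed for the example; the header name `Sec-GPC`, its value `1`, and the `/.well-known/gpc.json` resource come from the GPC specification.

```python
"""Added example (not CyberSilo's code): server-side handling of a universal
opt-out signal such as Global Privacy Control (GPC).

The GPC specification defines the request header `Sec-GPC: 1` (the only valid
value is the single character "1") and the client-side property
`navigator.globalPrivacyControl`; a site may also publish
`/.well-known/gpc.json` to declare that it honors the signal.  The jurisdiction
table and the merge rule below are constructed for illustration and should be
checked against the current statutes and regulations before use.
"""
from dataclasses import dataclass
from datetime import date
from typing import Mapping


@dataclass(frozen=True)
class OptOutDecision:
    opt_out_sale_or_sharing: bool  # suppress sale/sharing and targeted ads?
    source: str                    # "stored-preference", "gpc-header" or "none"
    jurisdiction_mandated: bool    # did the state require honoring a signal?


# Dates from which each state requires honoring a universal opt-out mechanism
# (assumption for this example; the California entry uses the CPRA operative
# date even though the CCPA regulations required honoring GPC before that).
UNIVERSAL_OPT_OUT_EFFECTIVE = {
    "CA": date(2023, 1, 1),
    "CO": date(2024, 7, 1),
    "CT": date(2025, 1, 1),
    "MT": date(2025, 1, 1),
    "TX": date(2025, 1, 1),
    "OR": date(2026, 1, 1),
    "DE": date(2026, 1, 1),
}


def parse_sec_gpc(headers: Mapping[str, str]) -> bool:
    """Return True only when the request carries a valid GPC signal.

    Header names are case-insensitive, so match them case-insensitively.
    After trimming optional whitespace the value must be exactly "1";
    "0", "true", "yes" or an absent header all mean no signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def universal_opt_out_mandated(state: str, as_of: str) -> bool:
    """True if `state` required honoring a universal opt-out on ISO date `as_of`."""
    effective = UNIVERSAL_OPT_OUT_EFFECTIVE.get(state.upper())
    return effective is not None and date.fromisoformat(as_of) >= effective


def resolve_opt_out(headers: Mapping[str, str], stored_opt_out: bool,
                    state: str, as_of: str) -> OptOutDecision:
    """Merge the GPC signal with the consumer's stored opt-out preference.

    Rule used here (a design choice, not a statutory formula):
      1. A stored opt-out always wins; it is the durable record.
      2. Otherwise a valid GPC header opts the session out in every state,
         because honoring the signal everywhere is simpler and safer than a
         per-state exception list that drifts as effective dates arrive.
      3. The decision records whether the state mandated recognition so the
         audit trail distinguishes required from voluntary handling.
    """
    mandated = universal_opt_out_mandated(state, as_of)
    if stored_opt_out:
        return OptOutDecision(True, "stored-preference", mandated)
    if parse_sec_gpc(headers):
        return OptOutDecision(True, "gpc-header", mandated)
    return OptOutDecision(False, "none", mandated)


def well_known_gpc(last_update: str) -> dict:
    """Body for /.well-known/gpc.json declaring that the site honors GPC."""
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ({"Sec-GPC": "1"}, False, "CO"),     # valid signal, state mandates it
        ({"sec-gpc": "1"}, False, "VA"),     # valid signal, state does not
        ({"Sec-GPC": "true"}, False, "CA"),  # malformed value: no signal
        ({}, True, "TX"),                    # stored preference, no header
    ]
    for headers, stored, state in samples:
        print(state, resolve_opt_out(headers, stored, state, "2025-06-30"))
```

The strict comparison in `parse_sec_gpc` matters: treating `Sec-GPC: 0` or a malformed value as an opt-out would silently suppress revenue-bearing flows, while treating anything but `1` as a signal would overstate coverage in an audit. Whatever merge rule you adopt, log the `source` field with every decision so an enforcement inquiry can be answered from records rather than reconstruction.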
What Are the Thresholds for Applicability? Who Must Comply?
Business coverage thresholds vary significantly. The CCPA/CPRA applies to for-profit entities that do business in California and meet one or more of the following: (1) annual gross revenue over $25 million (a figure the CPPA adjusts for inflation every two years); (2) annually buy, sell or share the personal information of 100,000 or more California consumers or households (the CPRA removed "devices" from this count); or (3) derive 50% or more of annual revenue from selling or sharing consumers' personal information. Because the second test counts buying and sharing as well as selling, and households as well as individuals, it reaches ad-tech and data-broker business models that have no direct consumer relationship.
Other state thresholds differ in key ways:
- Virginia VCDPA: controls or processes the personal data of 100,000+ consumers, or of 25,000+ consumers while deriving over 50% of gross revenue from the sale of personal data. No revenue minimum. Indiana INCDPA mirrors these thresholds.
- Colorado CPA: processes the personal data of 100,000+ consumers, or of 25,000+ consumers while deriving revenue (or a discount on goods or services) from the sale of personal data. No revenue floor.
- Connecticut CTDPA: 100,000+ consumers (excluding data processed solely to complete a payment transaction), or 25,000+ consumers with over 25% of gross revenue from sale. No revenue floor.
- Texas TDPSA: no numeric threshold at all. It applies to any person that conducts business in Texas or produces products or services consumed by Texas residents, processes or sells personal data, and is not a small business as defined by the US Small Business Administration (small businesses are still barred from selling sensitive data without consent). This is the widest net of any state law.
- Utah UCPA: annual revenue over $25 million and either 100,000+ consumers or 25,000+ consumers with over 50% of gross revenue from sale. Both conditions must be met.
- Tennessee TIPA: annual revenue over $25 million and either 175,000+ consumers or 25,000+ consumers with over 50% of gross revenue from sale.
- Oregon OCPA: 100,000+ consumers (excluding payment-transaction data), or 25,000+ consumers with over 25% of gross revenue from sale. No revenue threshold.
- Montana MCPA: 50,000+ consumers (excluding payment-transaction data), or 25,000+ consumers with over 25% of gross revenue from sale. No revenue threshold; the lower consumer count pulls in many mid-sized businesses.
- Iowa ICDPA: 100,000+ consumers, or 25,000+ consumers with over 50% of gross revenue from sale. No revenue threshold.
- Delaware DPDPA: 35,000+ consumers (excluding payment-transaction data), or 10,000+ consumers with over 20% of gross revenue from sale. No revenue criterion; this is the lowest consumer-count threshold of the group.
- Employee and B2B data: The CCPA originally exempted most employee and business-to-business (B2B) data, but both exemptions expired on January 1, 2023, so California now treats job applicants, employees, contractors and business contacts as consumers with the full set of rights. Every other state law defines "consumer" to exclude individuals acting in a commercial or employment context, so employee, applicant and B2B data is out of scope in Virginia, Colorado, Connecticut, Utah, Oregon, Montana, Iowa, Indiana, Tennessee, Texas and Delaware. This is the single largest scope difference between California and the rest; always check the latest statutory language, since amendments can narrow an exemption.
Who Enforces These Laws and Is There a Private Right of Action?
A critical difference is the CCPA/CPRA private right of action (PRA) for data breaches (Civil Code § 1798.150). A California resident may sue if a business fails to implement and maintain reasonable security procedures and that failure leads to unauthorized access, theft or disclosure of nonencrypted and nonredacted personal information of the kinds listed in the state's breach statute (e.g., Social Security numbers, driver's license numbers, financial account numbers with access codes, and a username or email address together with a password). Statutory damages run from $100 to $750 (as adjusted) per consumer per incident, or actual damages if greater, which is what makes class actions after a breach viable. No other comprehensive state privacy law provides a private right of action as of 2025; the separate breach-notification and consumer-protection statutes in those states are enforced by the state attorneys general.
Compliance Note: The absence of a private right of action in other states does not mean lower risk. Attorney general (and, in California, CPPA) penalties are assessed per violation: up to $2,500 per violation and $7,500 per intentional violation or violation involving minors under the CCPA/CPRA (both adjusted for inflation), up to $7,500 per violation under the Virginia VCDPA and Texas TDPSA, and up to $20,000 per violation under the Colorado CPA, which is enforced through the Colorado Consumer Protection Act. Because penalties are counted per violation rather than per enforcement action, multi-state enforcement can be financially devastating.
What Are the Data Protection Assessment Requirements?
The CPRA directed the CPPA to adopt regulations requiring risk assessments (and annual cybersecurity audits) for processing that presents significant risk to consumers' privacy, such as selling or sharing personal information, processing sensitive personal information and certain profiling; the CPPA adopted those implementing regulations in 2025. Virginia, Colorado, Connecticut, Oregon, Montana, Texas, Indiana, Tennessee and Delaware require data protection assessments in the statute itself for processing that presents a heightened risk of harm, typically targeted advertising, sale of personal data, profiling with legal or similarly significant effects, and sensitive data processing. Utah and Iowa do not require assessments. The specific criteria and triggers vary, but the trend is clear: documented assessments are a compliance baseline, not a California-only obligation, and regulators in several states can demand them on request. Contracts with processors (service providers, contractors, third parties) are required under all of these laws, with the CPRA imposing the most detailed contractual obligations, including audit rights, use limitations and restrictions on cross-context behavioral advertising.
How CyberSilo Helps You Manage Multi-State Privacy Compliance
Operationalizing compliance with the CCPA/CPRA and a growing number of other US state privacy laws requires a flexible, automated framework that can track evolving regulatory requirements, map them to your data processing activities, and enforce controls across systems. CyberSilo’s Compliance Standards Automation platform provides a unified compliance engine that allows your organization to:
- Map obligations from each applicable state law to specific data inventory records, data flows, and processing purposes.
- Automatically generate privacy impact assessments (PIA) and data protection assessments (DPA) using structured templates aligned to CPRA, VCDPA, CPA, CTDPA, and TDPSA requirements.
- Manage consumer rights requests (access, deletion, correction, opt-out, portability) through a single, auditable workflow that routes the request to the correct business unit and data system.
- Enforce universal opt-out signal recognition (GPC and the mechanisms on Colorado's recognized list) across your digital properties with policy-as-code integration.
- Monitor and report on compliance posture across all applicable state regimes with continuous evidence collection and executive dashboards.
For deeper guidance on managing the complete US state privacy law landscape, our US cybersecurity compliance services team provides tailored playbooks, gap assessments, and managed privacy operations. Explore how CyberSilo’s compliance automation capability—purpose-built for the multi-state reality—can reduce the operational burden of privacy compliance while minimizing regulatory risk.
Ready to Operationalize Multi-State Privacy Compliance?
From CCPA/CPRA to Texas TDPSA and beyond, CyberSilo helps your legal, privacy, and security teams stay ahead of the patchwork. Let’s assess your current compliance posture and build a unified, automated program.
What Are the Key Deadlines and Upcoming Changes in 2025-2026?
The compliance timeline is accelerating. By mid-2025 most state laws are in effect, but several dates still matter because cure periods are expiring and universal opt-out obligations are phasing in:
- Texas TDPSA: Effective July 1, 2024; universal opt-out recognition required from January 1, 2025; 30-day cure period with no sunset.
- Oregon OCPA: Effective July 1, 2024; 30-day cure period expires January 1, 2026, the same date universal opt-out recognition becomes mandatory.
- Montana MCPA: Effective October 1, 2024; universal opt-out recognition required from January 1, 2025; 60-day cure period expires April 1, 2026.
- Delaware DPDPA: Effective January 1, 2025; 60-day cure period expires December 31, 2025; universal opt-out recognition required from January 1, 2026.
- Iowa ICDPA: Effective January 1, 2025; 90-day cure period with no sunset.
- Tennessee TIPA: Effective July 1, 2025; 60-day cure period with no sunset.
- Indiana INCDPA: Effective January 1, 2026; 30-day cure period with no sunset.
- Newer laws and pending bills: New Jersey (effective January 15, 2025) and New Hampshire (effective January 1, 2025) have already enacted comprehensive laws on the Virginia/Connecticut model, and additional states have followed. New York, Pennsylvania, Maine and others continue to consider comprehensive bills that may differ substantially from the CCPA model. We expect 20+ states to have comprehensive privacy laws by the end of 2026.
Businesses should adopt a privacy program that is jurisdiction-agnostic at the control level while remaining jurisdiction-aware at the obligation mapping level—an approach that US state privacy compliance services from CyberSilo can accelerate.
Don’t Let the Privacy Patchwork Slow You Down
Automate obligation mapping, rights processing, and assessment generation for every US state law that applies to your business. Our Compliance Standards Automation platform is built for this.
Our Conclusion & Recommendation
For CISOs, privacy officers, and legal counsel at organizations that process personal data from multiple US states, the key takeaway is clear: the CCPA/CPRA is the most consumer-protective and detailed state law, but it is not the universal compliance key. Differences in thresholds, consumer rights (especially correction and universal opt-out), enforcement authority, and data processing assessment requirements mean that a CCPA-only compliance program leaves your organization exposed to risk in Texas, Colorado, Oregon, and more. The patchwork will only grow more complex as additional states enact laws and existing laws are amended.
CyberSilo’s Compliance Standards Automation platform enables your organization to operationalize multi-state privacy obligations efficiently, with automated obligation mapping, rights request orchestration, assessment generation, and continuous compliance monitoring. We recommend scheduling a compliance assessment to review your current privacy program against the full landscape of applicable US state laws—and to identify gaps before regulators do.
Assess Your Multi-State Privacy Readiness Today
Our team will map your data processing activities to every applicable US state law, identify gaps, and deliver a prioritized remediation plan. No boilerplate—just practical, actionable compliance support.
