US State Privacy Laws in 2025: The Complete Map

📅 Published: June 2026 🔐 Cybersecurity • US Privacy • USA ⏱️ 2,200 words

As of 2025, the United States lacks a single federal comprehensive privacy law, but a rapidly expanding patchwork of 15+ state-level comprehensive consumer privacy acts now governs how organizations collect, process, and share personal data — with more than a dozen additional states set to enact their own laws in the next two years. This complete map breaks down every active US state privacy law in 2025, including scope, consumer rights, enforcement mechanisms, and compliance obligations for organizations operating across state lines.

Key Takeaways: 15 states now have comprehensive privacy laws in effect or with enforcement dates in 2025 (California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, Virginia). All state laws grant core rights including access, deletion, correction, and opt-out of sale/sharing. California, Colorado, and Connecticut have the most stringent enforcement regimes. No state law preempts others — organizations must comply with every law applicable to their data subjects.

What Are US State Privacy Laws in 2025?

US state privacy laws in 2025 are state-level consumer data protection statutes that grant residents rights over their personal information and impose obligations on businesses that collect, process, or share that data. Unlike the European Union's GDPR, the United States has no single federal privacy law as of early 2025 (the proposed American Data Privacy and Protection Act, ADPPA, remains stalled in Congress). Instead, states have independently enacted their own comprehensive privacy acts, creating a compliance landscape that requires organizations to map their obligations state by state.

These laws share a common structure — inspired largely by the California Consumer Privacy Act (CCPA/CPRA) — but vary significantly in thresholds, covered data categories, consumer rights, and enforcement penalties. The Office of the Attorney General in each state typically serves as the primary enforcement authority, though several states now grant a private right of action for specific violations.

Complete Map: Active US State Privacy Laws in 2025

The following table maps every state with a comprehensive privacy law active or with enforcement beginning in 2025. Laws listed are general consumer privacy statutes; sector-specific laws (HIPAA, GLBA, FERPA) are not included but remain in effect alongside state privacy law where exemptions apply.

| State | Law | Effective/Enforcement Date | Revenue Threshold | Private Right of Action |
|---|---|---|---|---|
| California | CCPA/CPRA (Civil Code §§1798.100–199) | Jan 1, 2020 (CCPA); Jan 1, 2023 (CPRA amendments) | $25M gross revenue; or buys/sells personal data of 100K+ residents; or derives 50%+ revenue from sharing personal data | Yes (breaches) |
| Colorado | Colorado Privacy Act (CPA) — C.R.S. §6-1-1301 | July 1, 2023; enforcement began Jan 1, 2024 | $25M+ revenue; and processes data of 100K+ consumers; or sells data of 25K+ consumers | Limited (after 2025 rulemaking) |
| Connecticut | Connecticut Data Privacy Act (CTDPA) — C.G.S. §42-515 | July 1, 2023; enforcement began July 1, 2024 | $25M+ revenue; and processes data of 100K+ consumers; or sells data of 25K+ consumers | No |
| Delaware | Delaware Personal Data Privacy Act (DPDPA) | Enforcement begins Jan 1, 2025 | $25M+ revenue; and processes data of 35K+ consumers; or derives 20%+ revenue from data sale and processes 10K+ consumers | No |
| Indiana | Indiana Consumer Data Protection Act (INCDPA) | Enforcement begins Jan 1, 2026 | $25M+ revenue; and processes data of 100K+ consumers; or sells data of 25K+ consumers | No |
| Iowa | Iowa Consumer Data Protection Act (ICDPA) | Jan 1, 2025 | Processes data of 100K+ consumers; or sells data of 25K+ consumers (no revenue threshold) | No |
| Kentucky | Kentucky Consumer Data Protection Act (KCDPA) | Enforcement begins Jan 1, 2026 | $25M+ revenue; and processes data of 100K+ consumers; or sells data of 25K+ consumers | No |
| Maryland | Maryland Online Data Privacy Act (MODPA) | Enforcement begins Oct 1, 2025 | $25M+ revenue; and processes data of 35K+ consumers; or derives 20%+ revenue from data sale and processes 10K+ consumers | Yes (breaches and violations) |
| Minnesota | Minnesota Consumer Data Privacy Act (MCDPA) | Enforcement begins July 1, 2025 | $25M+ revenue; and processes data of 100K+ consumers; or sells data of 25K+ consumers | No |
| Montana | Montana Consumer Data Privacy Act (MTCDPA) | Enforcement begins Oct 1, 2025 | $25M+ revenue; and processes data of 100K+ consumers; or sells data of 25K+ consumers | No |
| Nebraska | Nebraska Data Privacy Act (NDPA) | Enforcement begins July 1, 2025 | $25M+ revenue; and processes data of 100K+ consumers; or sells data of 25K+ consumers | No |
| New Hampshire | New Hampshire Privacy Act (NHPA) | Enforcement begins Jan 1, 2025 | $25M+ revenue; and processes data of 35K+ consumers; or sells data of 10K+ consumers | No |
| New Jersey | New Jersey Data Privacy Act (NJDPA) | Enforcement begins Jan 16, 2025 | No revenue threshold; processes data of 100K+ consumers; or sells data of 25K+ consumers | No |
| Oregon | Oregon Consumer Privacy Act (OCPA) | Enforcement begins July 1, 2025 | $25M+ revenue; and processes data of 100K+ consumers; or sells data of 25K+ consumers | No |
| Tennessee | Tennessee Information Protection Act (TIPA) | Enforcement begins July 1, 2025 | $25M+ revenue; and processes data of 100K+ consumers; or sells data of 25K+ consumers | No |
| Texas | Texas Data Privacy and Security Act (TDPSA) | Enforcement begins July 1, 2024; AG enforcement ongoing 2025 | Any revenue; processes data of 100K+ consumers; or sells data of 25K+ consumers | No |
| Utah | Utah Consumer Privacy Act (UCPA) — Utah Code §13-61-101 | Dec 31, 2023; enforcement began Jan 1, 2025 | $25M+ revenue; and processes data of 100K+ consumers; or sells data of 25K+ consumers | No |
| Virginia | Virginia Consumer Data Protection Act (VCDPA) — Va. Code §59.1-575 | Jan 1, 2023 | $25M+ revenue; and processes data of 100K+ consumers; or sells data of 25K+ consumers | No |

Who Must Comply with US State Privacy Laws in 2025?

Organizations subject to state privacy laws generally include any for-profit entity (and, in some states like California and Colorado, non-profits) that meets the applicable revenue or data processing thresholds. The core test across most laws: does the business control or process the personal data of a specified number of state residents? However, thresholds vary by state:

Exemptions apply to data already covered by HIPAA, GLBA, FERPA, and the Fair Credit Reporting Act (FCRA); employee and business-to-business (B2B) data exemptions exist under several state laws but are being phased out (California's CPRA ended the B2B exemption in 2023).

What Consumer Rights Do US State Privacy Laws Grant?

Every active state privacy law in 2025 grants residents the following core rights, though the scope and response timelines differ:

How Does Enforcement Work Under US State Privacy Laws?

Enforcement patterns differ significantly across states, creating a critical risk consideration for compliance strategies:

Attorney General Enforcement (All States)

Every state privacy law grants the state Attorney General (AG) exclusive or primary enforcement authority. The AG investigates violations, issues cure periods where applicable, and can seek civil penalties. Maximum fines range from $2,500 per violation (Virginia, Utah) up to $7,500 per intentional violation (California CPRA). The California Privacy Protection Agency (CPPA) — created by the CPRA — independently enforces alongside the California AG.

Private Right of Action

Three states currently provide a private right of action (PRA):

What Are the Most Stringent State Privacy Laws in 2025?

While all state laws share a common core, three stand out as the most expansive and enforcement-ready:

How Can Organizations Comply with Multiple State Privacy Laws in 2025?

Given the patchwork — no single federal preemption — organizations must adopt a data-mapping-first compliance strategy. The core steps:

1. Conduct a Comprehensive Data Inventory

Map every data collection point, processing purpose, and third-party sharing arrangement across your organization. Identify which data subjects reside in each covered state. Use a data mapping tool that supports all 15+ state law definitions of "personal data" — these vary (e.g., California includes inferred data; others do not).

2. Determine Applicable Law for Each Data Subject

Apply the correct state law based on the consumer's residence, not the business's location. A business in Texas that processes data of California, Colorado, and Virginia residents must comply with all three laws. Use geolocation or self-certification mechanisms to determine applicable state coverage.

3. Build a Unified Consumer Rights Infrastructure

Deploy a central request management platform that handles access, deletion, correction, and opt-out requests under all applicable state laws. Each state has different response timelines (30 days in some; 45 days in others), so a smart routing engine that applies the shortest deadline per request is essential.

4. Update Privacy Notices and Consent Mechanisms

Every state requires a clear privacy notice that discloses categories of data collected, purposes, sharing practices, and consumer rights. California, Colorado, and Connecticut require opt-out mechanisms (e.g., "Do Not Sell/Share My Personal Information" links). Colorado's CPA requires opt-out of profiling for automated decision-making.

5. Automate Ongoing Compliance Monitoring

Manual compliance for 15+ state laws is unsustainable. Use a compliance automation platform like CyberSilo Compliance Standards Automation to map controls, track state law changes, and generate evidence for audits. The platform supports all state privacy laws alongside other frameworks (HIPAA, PCI DSS, SOC 2) to unify your compliance program.

What Changes Are Coming to US State Privacy Laws Beyond 2025?

The legislative pace is accelerating. As of early 2025, bills are active in at least 10 additional states (including Florida, Georgia, Illinois, Michigan, New York, North Carolina, Ohio, Pennsylvania, South Carolina, and Washington). Several trends are shaping the 2025–2026 landscape:

Is Your Organization Ready for the State Privacy Law Patchwork?

The complexity of 15+ state privacy laws — each with different thresholds, rights, and enforcement mechanisms — demands an automated, unified compliance approach. CyberSilo's Compliance Standards Automation platform helps US organizations map controls, manage consumer requests, and stay ahead of regulatory changes. Get a compliance assessment tailored to your multi-state obligations.

How Does CyberSilo Support US State Privacy Law Compliance?

CyberSilo's Compliance Standards Automation platform is designed specifically for the US regulatory patchwork. Our solution helps security and compliance teams at regulated organizations in the United States navigate the overlapping requirements of CCPA/CPRA, CPA, CTDPA, VCDPA, and all other active state privacy laws alongside federal frameworks like HIPAA, GLBA, and PCI DSS v4.0.1.

Key capabilities for state privacy law compliance include:

CyberSilo also provides US cybersecurity compliance services that include state privacy law readiness assessments, control mapping workshops, and remediation planning — ideal for CISOs and Privacy Officers who need to demonstrate compliance to regulators and auditors.

Reduce Compliance Noise — Automate Your State Privacy Obligations

Manual compliance with 15+ state privacy laws is costly and error-prone. CyberSilo's platform automates the most complex tasks: data mapping, consumer request management, and policy updates. Contact our security team for a demo tailored to your state coverage map.

Our Conclusion & Recommendation

The 2025 state privacy law landscape in the United States is the most complex compliance environment since the CCPA took effect in 2020. With 15+ active laws, no federal preemption, and aggressive enforcement from California, Colorado, and Connecticut Attorneys General, organizations that treat privacy compliance as a one-time checklist are exposing themselves to significant legal and financial risk. The data-mapping-first approach — combined with automated control management — is the only scalable strategy for multi-state operations.

We recommend that CISOs, Privacy Officers, and GRC leads conduct an immediate assessment of their data subject population to determine which states' laws apply, then deploy a compliance automation platform like CyberSilo Compliance Standards Automation to unify state privacy obligations with existing federal and sectoral compliance programs. This integrated approach reduces overhead, improves audit readiness, and builds a defensible privacy program that can scale as additional states enact their own laws — likely reaching 25+ states by 2027.

Start Your Compliance Assessment Today

CyberSilo's team of privacy and security professionals can map your obligations across all applicable states and recommend a unified compliance architecture. Contact our team for a no-obligation discussion.
