Which US states have a comprehensive consumer privacy law?

California led with the CCPA (as amended by the CPRA), and roughly twenty states have since enacted comprehensive consumer privacy statutes. Coverage thresholds and consumer rights vary by state — see the comparison table for each jurisdiction.

Can consumers sue a business for violating a state privacy law?

In most states, no — the comprehensive privacy laws are enforced by the state attorney general or a dedicated privacy agency, not by private plaintiffs. California is the main exception, allowing a narrow private right of action for certain data breaches.

50-State Law Survey

State Consumer Privacy Laws by US Jurisdiction

A side-by-side comparison of how each US state regulates consumer personal information — who is covered, what a compliant privacy policy must contain, whether consumers can sue, and who enforces the law. Each row links to the full practice note for that jurisdiction. This is legal research, not legal advice.

State Consumer Privacy Laws by US Jurisdiction — 9 jurisdictions. Open a row for details, or follow a link to the full practice note.
Jurisdiction	Summary	Main law	Privacy policy required?	Last reviewed
California	If your business meets a CCPA threshold, you must post a CCPA-compliant privacy policy, honor consumer rights and opt-out signals, put statutory terms in your vendor contracts, and maintain reasonable security — or face CPPA/AG enforcement and, after a breach, consumer suits.	Cal. Civ. Code § 1798.100 et seq. (CCPA, as amended by the CPRA)	yes	Jun 3, 2026
Who does it cover? For-profit businesses doing business in California that meet a threshold — e.g., over $25,000,000 in annual gross revenue (CPI-adjusted to $26,625,000 for 2025–2026) Can consumers sue? Narrow — data breaches only (§ 1798.150) Who enforces it? California Privacy Protection Agency (CPPA) and the Attorney General
Colorado	If you do business in Colorado and meet the 100,000-consumer (or 25,000 plus data-sale) threshold — nonprofits included — the CPA requires a privacy notice, a universal opt-out mechanism, processor contracts, and consent to process sensitive data, enforced by the Attorney General with no consumer lawsuits and no cure period.	Colo. Rev. Stat. §§ 6-1-1301 et seq. (Colorado Privacy Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 4, 2026
Who does it cover? Controllers doing business in Colorado (or targeting Coloradans) that control or process the data of 100,000+ consumers a year, or 25,000+ while deriving revenue from selling data — nonprofits included; no revenue floor Can consumers sue? No — the statute bars any private right of action Who enforces it? Colorado Attorney General and district attorneys
Connecticut	If you meet the 100,000-consumer (or 25,000 plus data-sale) threshold in Connecticut, the CTDPA requires a privacy notice, recognition of universal opt-out signals, processor contracts, and consent for sensitive data — enforced by the Attorney General, with no consumer lawsuits and a cure period that expired at the end of 2024.	Conn. Gen. Stat. §§ 42-515 et seq. (Connecticut Data Privacy Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 4, 2026
Who does it cover? Persons doing business in Connecticut (or targeting residents) that control or process the data of 100,000+ consumers a year, or 25,000+ while deriving 25%+ of gross revenue from selling data — no revenue floor; nonprofits exempt Can consumers sue? No — the statute bars any private right of action Who enforces it? Connecticut Attorney General (exclusive)
Iowa	If you meet the 100,000-consumer (or 25,000 plus majority-data-sale) threshold in Iowa, the ICDPA requires a privacy notice, processor contracts, and notice plus an opportunity to opt out before processing sensitive data — but not opt-in consent or a universal opt-out signal — enforced by the Attorney General with a 90-day cure period and no consumer lawsuits.	Iowa Code §§ 715D.1 et seq. (Iowa Consumer Data Protection Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 5, 2026
Who does it cover? Persons conducting business in Iowa (or targeting residents) that, in a calendar year, control or process the data of 100,000+ consumers, or 25,000+ while deriving over 50% of gross revenue from selling data — no revenue floor; nonprofits, government, GLBA and HIPAA entities, and higher-education institutions exempt Can consumers sue? No — enforcement is exclusively the Attorney General's Who enforces it? Iowa Attorney General (exclusive)
Montana	If you meet the 25,000-consumer (or 15,000 plus over-25%-data-sale) threshold in Montana, the MCDPA requires a privacy notice, opt-in consent to process sensitive data, recognition of a universal opt-out preference signal, and processor contracts — enforced by the Attorney General, with no consumer lawsuits and, since the 2025 amendments, no general right to cure before penalties of up to $7,500 per violation.	Mont. Code Ann. §§ 30-14-2801 et seq. (codified short title Consumer Data Privacy Act; commonly the Montana Consumer Data Privacy Act, or MCDPA)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 5, 2026
Who does it cover? Persons doing business in Montana (or targeting residents) that control or process the data of 25,000+ consumers, or 15,000+ while deriving over 25% of gross revenue from selling data — no revenue floor; state agencies, higher-education institutions, GLBA banks, HIPAA covered entities, and insurers are exempt Can consumers sue? No — enforcement is exclusively the Attorney General's Who enforces it? Montana Attorney General (exclusive)
Oregon	If you meet the 100,000-consumer (or 25,000 plus 25%-data-sale-revenue) threshold in Oregon, the OCPA requires a privacy notice with prescribed contents, opt-in consent to process sensitive data, recognition of a universal opt-out signal, and processor contracts — enforced by the Attorney General with civil penalties up to $7,500 per violation, no consumer lawsuits, and no general right to cure after January 1, 2026.	Or. Rev. Stat. §§ 646A.570–646A.589 (Oregon Consumer Privacy Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 5, 2026
Who does it cover? Persons doing business in Oregon (or targeting residents) that, in a calendar year, control or process the personal data of 100,000+ consumers, or 25,000+ while deriving 25% or more of annual gross revenue from selling personal data — no dollar revenue floor; nonprofits covered; GLBA financial institutions, insurers, and public bodies are exempt at the entity level, while HIPAA-regulated health data is exempt only at the data level (so HIPAA-covered businesses still comply for non-exempt data) Can consumers sue? No — enforcement is exclusively the Attorney General's Who enforces it? Oregon Attorney General (exclusive)
Texas	If you do business in Texas and are not an SBA small business, the TDPSA requires a specific privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced solely by the Attorney General, with no consumer lawsuits.	Tex. Bus. & Com. Code ch. 541 (Texas Data Privacy and Security Act)	Yes — a reasonably accessible and clear notice with statutorily fixed contents	Jun 4, 2026
Who does it cover? Anyone who does business in Texas (or sells products/services to Texans), processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration — no revenue or data-volume threshold Can consumers sue? No — the statute bars any private right of action Who enforces it? Texas Attorney General (exclusive)
Utah	The UCPA covers only larger businesses ($25M+ revenue plus a volume threshold). Covered controllers must post a privacy notice, give notice and an opt-out before processing sensitive data, sign processor contracts, and honor opt-outs — enforced by the Attorney General after a 30-day cure, with no consumer lawsuits.	Utah Code §§ 13-61-101 et seq. (Utah Consumer Privacy Act)	Yes — a reasonably accessible and clear notice with statutorily fixed contents	Jun 4, 2026
Who does it cover? Controllers or processors doing business in Utah (or targeting Utahns) with $25,000,000+ annual revenue that also process the data of 100,000+ consumers a year, or 25,000+ while deriving 50%+ of revenue from selling data Can consumers sue? No — enforcement is exclusively the Attorney General's Who enforces it? Utah Attorney General (after Division of Consumer Protection investigation)
Virginia	If you meet the 100,000-consumer (or 25,000 plus majority-data-sale) threshold in Virginia, the VCDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General with a permanent 30-day cure period and no consumer lawsuits.	Va. Code §§ 59.1-575 et seq. (Virginia Consumer Data Protection Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 4, 2026
Who does it cover? Persons doing business in Virginia (or targeting residents) that control or process the data of 100,000+ consumers a year, or 25,000+ while deriving over 50% of gross revenue from selling data — no revenue floor; nonprofits exempt Can consumers sue? No — enforcement is exclusively the Attorney General's Who enforces it? Virginia Attorney General (exclusive)