Which US states have a comprehensive consumer privacy law?

California led with the CCPA (as amended by the CPRA), and roughly twenty states have since enacted comprehensive consumer privacy statutes. Coverage thresholds and consumer rights vary by state — see the comparison table for each jurisdiction.

Can consumers sue a business for violating a state privacy law?

In most states, no — the comprehensive privacy laws are enforced by the state attorney general or a dedicated privacy agency, not by private plaintiffs. California is the main exception, allowing a narrow private right of action for certain data breaches.

50-State Law Survey

State Consumer Privacy Laws by US Jurisdiction

A side-by-side comparison of how each US state regulates consumer personal information — who is covered, what a compliant privacy policy must contain, whether consumers can sue, and who enforces the law. Each row links to the full practice note for that jurisdiction. This is legal research, not legal advice.

← Back to the practice note

State Consumer Privacy Laws by US Jurisdiction — 51 jurisdictions. Open a row for details, or follow a link to the full practice note.
Jurisdiction	Law coverage	Summary	Main law	Privacy policy required?	Last reviewed
Alabama	No comprehensive law^*	Alabama's new Personal Data Protection Act takes effect May 1, 2027 with an unusually low consumer-count trigger but a sweeping under-500-employee exemption; until then, compliance means the 2018 Data Breach Notification Act, the Deceptive Trade Practices Act, and the federal overlay.	Alabama Personal Data Protection Act, Ala. Act No. 2026-552 (HB 351, effective May 1, 2027 — not yet codified); operative today, the Alabama Data Breach Notification Act of 2018, Ala. Code §§ 8-38-1 to 8-38-12, enforced through the Alabama Deceptive Trade Practices Act	Yes from May 1, 2027 — a reasonably accurate, clear, and meaningful privacy notice with six statutorily listed items; outside sector-specific Alabama privacy statutes, no generally applicable Alabama consumer-privacy statute fixes privacy-policy contents today, but a policy that misstates practices is actionable under FTC Act § 5 and the ADTPA	Jun 11, 2026
Who does it cover? From May 1, 2027 — businesses operating in Alabama (or targeting Alabama residents) that control or process personal data of more than 25,000 consumers or derive more than 25% of gross revenue from selling personal data; businesses with fewer than 500 employees (nonprofits under 100) are exempt unless they sell personal data Can consumers sue? Limited path Privacy policy rule No state policy checklist^* Lawsuit detail The APDPA contains no express private right of action and authorizes Attorney General enforcement after notice and cure; the breach act expressly states that a violation does not establish a private cause of action; the ADTPA carries only a narrow individual remedy with a statutory class-action bar Who enforces it? Alabama Attorney General Future effective law Alabama Personal Data Protection Act effective 2027-05-01 (Law coverage: Comprehensive law; Privacy policy rule: Policy contents fixed by law; Sensitive-data consent: Consent required first) — Current buckets stay on Alabama's breach-notification and ADTPA baseline until the APDPA takes effect.
Alaska	No comprehensive law	Alaska has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, notice-at-collection, consent, or processor-contract duties under state law. The operative law covered here is Article 1 of the Personal Information Protection Act, which requires breach notice in the most expeditious time possible and makes a violation an unfair trade practice — but caps private damages at $500 of actual economic loss. The Genetic Privacy Act is the sharp edge of Alaska law, conditioning DNA collection on informed written consent and backing that with $5,000 or $100,000 statutory damages. Everything else in this Alaska-facing program note comes from the federal and sectoral overlay — FTC Act § 5, GLBA, HIPAA, and COPPA — so build to those plus the breach statute, and the program upgrades rather than restarts if Alaska enacts an omnibus law later.	Alaska Personal Information Protection Act Article 1, AS 45.48.010–.090 — breach notification plus a deemed unfair-trade-practice enforcement bridge; Alaska has no comprehensive consumer-privacy law	No Alaska statute mandates a general consumer privacy policy or fixes its contents; contents are driven by FTC Act § 5 (a policy that misstates practices is deceptive) and by GLBA, HIPAA, and COPPA where the business is in scope	Jun 11, 2026
Who does it cover? Any covered person — a person doing business, a governmental agency, or a person with more than 10 employees — that owns or licenses personal information on Alaska residents; no revenue or consumer-volume threshold Can consumers sue? Limited path Privacy policy rule No state policy checklist Lawsuit detail Yes, but tightly capped — a breach-notice violation is an unfair trade practice under AS 45.50.471, with private damages limited to actual economic damages not exceeding $500; the Genetic Privacy Act (AS 18.13) separately allows $5,000 or $100,000 statutory damages Who enforces it? Alaska Attorney General (Department of Law); the Department of Administration enforces breach-notice violations by state agencies Future effective law —
Arizona	Specific data types only	Arizona has no comprehensive consumer-privacy law — despite a circulating vendor claim, none took effect on January 1, 2026 — so the operative state framework is the 45-day breach-notification statute, the Consumer Fraud Act, and the 2021 Genetic Information Privacy Act for DNA testing companies.	A.R.S. §§ 18-551 to 18-552 (data-breach notification) plus the Consumer Fraud Act, A.R.S. §§ 44-1521 et seq. — Arizona has no comprehensive consumer-privacy law; sectoral statutes and a federal overlay are the operative framework	No Arizona statute requires a commercial privacy policy — the only state mandates cover state-agency websites and direct-to-consumer genetic testing companies; contents are otherwise driven by FTC Act § 5 and Consumer Fraud Act deception risk	Jun 11, 2026
Who does it cover? Any person conducting business in Arizona that owns, maintains, or licenses computerized personal information of Arizona residents — no revenue or consumer-volume threshold; the Genetic Information Privacy Act adds duties for direct-to-consumer genetic testing companies Can consumers sue? No Privacy policy rule Policy required only for specific data Lawsuit detail Not under the breach statute or the Genetic Information Privacy Act — both are Attorney General-enforced; other consumer theories, including Consumer Fraud Act or common-law claims, remain fact-specific and untested for pure privacy claims Who enforces it? Arizona Attorney General Future effective law —
Arkansas	Specific data types only	Arkansas has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, consent, or processor-contract duties under state law today. The operative statute is the Personal Information Protection Act, which requires reasonable security, secure disposal, and breach notification — including Attorney General notice for breaches affecting more than 1,000 people — and is enforced exclusively by the Attorney General through the Deceptive Trade Practices Act, with no private right of action. The big change is imminent — the Arkansas Children and Teens' Online Privacy Protection Act (Act 952 of 2025) takes effect July 1, 2026, banning targeted advertising to children and teens, imposing data-minimization, notice, consent, deletion, and security duties on covered operators, and giving the Attorney General exclusive enforcement authority.	Personal Information Protection Act, Ark. Code Ann. §§ 4-110-101 to 4-110-108 — Arkansas has no comprehensive consumer-privacy law; PIPA (safeguards, disposal, breach notice) plus the Deceptive Trade Practices Act and the federal overlay is the operative framework, with the Arkansas Children and Teens' Online Privacy Protection Act (Act 952 of 2025) effective July 1, 2026	No Arkansas statute mandates a general consumer privacy policy or fixes its contents; whatever is posted must be true under the ADTPA catch-all and FTC Act § 5, and from July 1, 2026 covered operators must give clear and conspicuous notice with six required elements for children's and teens' data	Jun 12, 2026
Who does it cover? Any person or business — however organized, for profit or not, expressly including state agencies — that acquires, owns, or licenses personal information about Arkansas residents; no revenue or consumer-volume threshold. From July 1, 2026, for-profit operators of websites, online services, or apps directed at children or teens, or with actual knowledge of collecting their data, are also covered Can consumers sue? No Privacy policy rule Policy required only for specific data Lawsuit detail Not under PIPA — every violation is punishable by action of the Attorney General under the ADTPA; the ADTPA's own private remedy requires actual financial loss caused by individual reliance and bans private class actions, and Act 952 of 2025 expressly disclaims any private right of action Who enforces it? Arkansas Attorney General Future effective law —
California	Comprehensive law	If your business meets a CCPA threshold, you must post a CCPA-compliant privacy policy, honor consumer rights and opt-out signals, put statutory terms in your vendor contracts, and maintain reasonable security — or face CPPA/AG enforcement and, after a breach, consumer suits.	Cal. Civ. Code § 1798.100 et seq. (CCPA, as amended by the CPRA)	Yes — an online privacy policy with statutorily fixed contents, updated at least every 12 months	Jun 3, 2026
Who does it cover? For-profit businesses doing business in California that meet a threshold — e.g., over $25,000,000 in annual gross revenue (CPI-adjusted to $26,625,000 for 2025–2026) Can consumers sue? Limited path Privacy policy rule Policy contents fixed by law Lawsuit detail Narrow — data breaches only (§ 1798.150) Who enforces it? California Privacy Protection Agency (CPPA) and the Attorney General Future effective law —
Colorado	Comprehensive law	If you do business in Colorado and meet the 100,000-consumer (or 25,000 plus data-sale) threshold — nonprofits included — the CPA requires a privacy notice, a universal opt-out mechanism, processor contracts, and consent to process sensitive data, enforced by the Attorney General with no consumer lawsuits and no cure period.	Colo. Rev. Stat. §§ 6-1-1301 et seq. (Colorado Privacy Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 4, 2026
Who does it cover? Controllers doing business in Colorado (or targeting Coloradans) that control or process the data of 100,000+ consumers a year, or 25,000+ while deriving revenue from selling data — nonprofits included; no revenue floor Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — the statute bars any private right of action Who enforces it? Colorado Attorney General and district attorneys Future effective law —
Connecticut	Comprehensive law	If you meet the 100,000-consumer (or 25,000 plus data-sale) threshold in Connecticut, the CTDPA requires a privacy notice, recognition of universal opt-out signals, processor contracts, and consent for sensitive data — enforced by the Attorney General, with no consumer lawsuits and a cure period that expired at the end of 2024.	Conn. Gen. Stat. §§ 42-515 et seq. (Connecticut Data Privacy Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 4, 2026
Who does it cover? Persons doing business in Connecticut (or targeting residents) that control or process the data of 100,000+ consumers a year, or 25,000+ while deriving 25%+ of gross revenue from selling data — no revenue floor; nonprofits exempt Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — the statute bars any private right of action Who enforces it? Connecticut Attorney General (exclusive) Future effective law —
Delaware	Comprehensive law	If you control or process the data of 35,000 Delaware residents (or 10,000 plus a fifth of revenue from selling data), the DPDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Department of Justice, whose temporary right-to-cure expired at the end of 2025, with no consumer lawsuits.	Del. Code tit. 6 §§ 12D-101 et seq. (Delaware Personal Data Privacy Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 6, 2026
Who does it cover? Persons doing business in Delaware (or targeting residents) that control or process the data of 35,000+ consumers a year, or 10,000+ while deriving more than 20% of gross revenue from selling data — no revenue floor, and only insurance-crime nonprofits are exempt Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — enforcement belongs solely to the Delaware Department of Justice Who enforces it? Delaware Department of Justice (exclusive) Future effective law —
District of Columbia	No comprehensive law	The District of Columbia has no omnibus privacy act, but its Consumer Protection Procedures Act lets consumers, testers, nonprofits, and public-interest organizations sue over deceptive data practices, and its breach law adds a reasonable-security duty, Attorney General notice at 50 affected residents, and 18 months of free identity-theft protection when a released Social Security or taxpayer identification number triggers that remedy.	Consumer Protection Procedures Act (CPPA), D.C. Code §§ 28-3901 et seq., plus the consumer security-breach subchapter, D.C. Code §§ 28-3851–3853 — the District has no comprehensive consumer-privacy law	No District statute mandates a consumer privacy policy or fixes its contents; a policy that misstates practices is an unfair or deceptive trade practice under CPPA § 28-3904(e)–(f), and GLBA, HIPAA, and COPPA supply contents where they apply	Jun 11, 2026
Who does it cover? Breach notice reaches a person or entity conducting business in the District that owns or licenses covered electronic data; security, destruction, and vendor-contract duties use the separate conduct triggers in § 28-3852.01; the CPPA reaches merchants supplying consumer goods or services; the District government itself is carved out Can consumers sue? Yes Privacy policy rule No state policy checklist Lawsuit detail Yes — CPPA § 28-3905(k)(1) grants standing to consumers, qualifying individual testers, nonprofits, and public-interest organizations, with treble or $1,500-per-violation damages; for § 28-3904(kk), the damages remedy is actual damages rather than treble or statutory damages Who enforces it? Office of the Attorney General for the District of Columbia (CPPA consumer complaints run through the Department of Licensing and Consumer Protection) Future effective law —
Florida	Limited-scope law	Florida's Digital Bill of Rights (effective July 1, 2024) imposes full data-rights duties only on billion-dollar big-tech controllers, but its no-threshold sensitive-data-sale consent rule and the Florida Information Protection Act's 30-day breach-notice duties reach virtually every business that handles Floridians' data.	Florida Digital Bill of Rights, Fla. Stat. §§ 501.701–501.722, plus the Florida Information Protection Act (FIPA), Fla. Stat. § 501.171, and FDUTPA, Fla. Stat. §§ 501.201–501.213	Yes for FDBR controllers — § 501.711 fixes the contents, requires at least annual updates, and scripts exact word-for-word sale notices; for everyone else, FDUTPA and FTC Act § 5 make a policy that misstates actual practices a deceptive-practice risk	Jun 11, 2026
Who does it cover? The FDBR's full rights-and-notice core covers only for-profit controllers with over $1 billion in global revenue that also run a major online-ad business, a consumer smart-speaker voice-assistant service, or a 250,000-app store — but its sensitive-data-sale consent rule has no revenue threshold, and FIPA's security and breach duties reach essentially any business holding Floridians' personal information Can consumers sue? Limited path Privacy policy rule Policy contents fixed by law Lawsuit detail No under the FDBR (§ 501.72(8)) and no under FIPA (§ 501.171(10)); FDUTPA (§ 501.211) gives private plaintiffs declaratory, injunctive, and actual-damages remedies, and § 501.1736 lets minor account holders recover up to $10,000 from social media platforms Who enforces it? Florida Attorney General (Department of Legal Affairs) Future effective law —
Georgia	No comprehensive law	Georgia has not enacted an omnibus consumer-privacy law, so there are no general state-law access, deletion, correction, opt-out, controller, processor, or privacy-notice duties. The current Georgia obligations are breach notification for information brokers and government data collectors, a fast 24-hour vendor notice-up rule, and truth-in-privacy-policy exposure through the Fair Business Practices Act and FTC Act § 5.	O.C.G.A. §§ 10-1-910 to 10-1-912 (identity theft and data-breach notification) plus the Georgia Fair Business Practices Act, O.C.G.A. §§ 10-1-390 to 10-1-408 — Georgia has no comprehensive consumer-privacy statute	No Georgia statute generally requires a consumer privacy policy or fixes its contents; a policy that misstates actual practices is reachable as a deceptive practice under the FBPA and FTC Act § 5, with GLBA, HIPAA, COPPA, and other sectoral laws supplying notices where they apply	Jun 12, 2026
Who does it cover? The breach-notification statute reaches information brokers and government data collectors that maintain computerized personal information about individuals, and gives vendors holding that data a 24-hour notice-up duty; the FBPA reaches unfair or deceptive practices in consumer transactions and consumer acts or practices in trade or commerce Can consumers sue? Limited path Privacy policy rule No state policy checklist Lawsuit detail Not expressly under the breach-notification article; the FBPA gives injured persons an individual action, but not a representative action, after a 30-day demand, with treble actual damages for intentional violations and attorney-fee shifting Who enforces it? Georgia Attorney General Future effective law —
Hawaii	No comprehensive law	Hawaii has not enacted a comprehensive consumer-privacy law, so there are no general access, deletion, correction, or opt-out rights under state law. The operative state framework is sectoral — breach notification under HRS ch. 487N, social security number protections under ch. 487J, records-destruction duties under ch. 487R, and the ch. 480 unfair-or-deceptive-practices law. The standout exposure: § 487N-3(b) gives a person injured by a breach-notification violation a private damages action, and § 480-13 adds treble damages with a $1,000 floor for deceptive practices, so Hawaii's sectoral rules carry real private-suit risk even without an omnibus act.	Hawaii Revised Statutes ch. 487N (security breach notification), ch. 487J (social security number protection), ch. 487R (destruction of personal information records), and ch. 480 (unfair or deceptive practices) — Hawaii has no comprehensive consumer-privacy statute	No Hawaii statute mandates a general consumer privacy policy or fixes its contents; a policy that misstates actual practices is reachable as a deceptive practice under FTC Act § 5 and HRS § 480-2, and GLBA, HIPAA, and COPPA supply the contents where those regimes apply	Jun 12, 2026
Who does it cover? Any business — a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized for profit — that owns, licenses, maintains, or disposes of personal information of Hawaii residents, plus government agencies; no revenue or consumer-volume thresholds Can consumers sue? Limited path Privacy policy rule No state policy checklist Lawsuit detail Yes — HRS § 487N-3(b) makes a business that violates the breach-notification chapter liable to the injured party for actual damages plus possible attorneys' fees (chs. 487J and 487R carry the same clause), and HRS § 480-13 gives consumers treble damages with a $1,000 floor for unfair or deceptive practices Who enforces it? Hawaii Attorney General and the Executive Director of the Office of Consumer Protection (Department of Commerce and Consumer Affairs) Future effective law —
Idaho	No comprehensive law	Idaho has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, notice-at-collection, consent, or processor-contract duties under state law. The operative state statutes are the breach-notification provisions in the identity-theft chapter — a misuse-triggered notice duty with no day-count deadline and no regulator notice for private businesses — and the Idaho Consumer Protection Act, which makes a privacy policy you publish but do not follow a deceptive practice. Build to the federal overlay (FTC Act § 5, GLBA, HIPAA, COPPA) and the breach statute, and watch two narrow 2026 enactments, one on social-media minors and one on conversational AI.	Idaho Code §§ 28-51-104 to 28-51-107 (data-breach notification) plus the Idaho Consumer Protection Act, Idaho Code § 48-601 et seq. — Idaho has no comprehensive consumer-privacy statute	No Idaho statute requires a consumer privacy policy or fixes its contents; the binding constraints are FTC Act § 5 and the Idaho Consumer Protection Act's ban on misleading or deceptive practices, plus GLBA, HIPAA, and COPPA where the business is in scope	Jun 11, 2026
Who does it cover? Any agency, individual, or commercial entity (for profit or not) that conducts business in Idaho and owns or licenses computerized personal information about Idaho residents; no revenue or consumer-volume threshold Can consumers sue? Limited path Privacy policy rule No state policy checklist Lawsuit detail Not under the breach statute — enforcement runs through each entity's primary regulator; the Idaho Consumer Protection Act gives purchasers a private action for actual damages or $1,000 (Idaho Code § 48-608), with narrow 2026 sectoral enactments to track separately Who enforces it? Idaho Attorney General (the primary regulator for most businesses; the Department of Finance and Department of Insurance for their licensees) Future effective law —
Illinois	Specific data types only	Illinois has not enacted a comprehensive consumer-privacy law, but it is the highest-exposure privacy state in the country for one reason — the Biometric Information Privacy Act. Before collecting a fingerprint, face scan, or voiceprint, a business must publish a written retention-and-destruction policy and obtain informed written consent, and any person whose rights are violated can sue for $1,000 or $5,000 in liquidated damages per person without proving actual harm, on a five-year limitations period. A 2024 amendment capped repeated identical scans at one recovery per person per method of collection, and in April 2026 the Seventh Circuit held that cap applies retroactively to pending cases. Genetic data carries parallel private-suit exposure under GIPA, and breach notification under the Personal Information Protection Act is the Attorney General's lane.	Biometric Information Privacy Act (BIPA), 740 ILCS 14 — Illinois has no comprehensive consumer-privacy law; BIPA sits alongside the Genetic Information Privacy Act (410 ILCS 513), the Personal Information Protection Act breach statute (815 ILCS 530), and the Consumer Fraud Act	Yes for biometric data — BIPA § 15(a) requires a written, publicly available policy with a retention schedule and destruction guidelines; no Illinois statute fixes the contents of a general consumer privacy policy, so FTC Act § 5 and the Consumer Fraud Act truthfulness rules govern the rest	Jun 11, 2026
Who does it cover? BIPA reaches any private entity — any individual, partnership, corporation, LLC, association, or other group — that handles biometric identifiers or biometric information of people in Illinois, with no revenue or volume threshold; government agencies and GLBA financial institutions are carved out Can consumers sue? Yes Privacy policy rule Policy required only for specific data Lawsuit detail Yes — BIPA § 20 allows suit without actual injury beyond the statutory violation under Rosenbach; GIPA § 40 separately provides a private right of action and liquidated damages of $2,500/$15,000 per violation Who enforces it? BIPA is enforced through private plaintiffs; GIPA has a private right of action, with insurer-related § 30 violations handled through the Illinois Insurance Code; PIPA is enforced through the Consumer Fraud and Deceptive Business Practices Act Future effective law —
Indiana	Comprehensive law	If you meet the 100,000-consumer (or 25,000 plus majority-data-sale) threshold in Indiana, the INCDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General with a permanent 30-day cure period and no consumer lawsuits. Its broad entity-level exemptions (nonprofits, HIPAA entities, higher education, utilities) keep many organizations out entirely.	Ind. Code §§ 24-15 et seq. (Indiana Consumer Data Protection Act), effective January 1, 2026	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 6, 2026
Who does it cover? Persons doing business in Indiana (or targeting residents) that control or process the data of 100,000+ Indiana consumers a year, or 25,000+ while deriving over 50% of gross revenue from selling data — no revenue floor, and entity-level exemptions for nonprofits, HIPAA covered entities, higher education, GLBA institutions, and public utilities Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — enforcement is exclusively the Attorney General's Who enforces it? Indiana Attorney General (exclusive) Future effective law —
Iowa	Comprehensive law	If you meet the 100,000-consumer (or 25,000 plus majority-data-sale) threshold in Iowa, the ICDPA requires a privacy notice, processor contracts, and notice plus an opportunity to opt out before processing sensitive data — but not opt-in consent or a universal opt-out signal — enforced by the Attorney General with a 90-day cure period and no consumer lawsuits.	Iowa Code §§ 715D.1 et seq. (Iowa Consumer Data Protection Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 5, 2026
Who does it cover? Persons conducting business in Iowa (or targeting residents) that, in a calendar year, control or process the data of 100,000+ consumers, or 25,000+ while deriving over 50% of gross revenue from selling data — no revenue floor; nonprofits, government, GLBA and HIPAA entities, and higher-education institutions exempt Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — enforcement is exclusively the Attorney General's Who enforces it? Iowa Attorney General (exclusive) Future effective law —
Kansas	No comprehensive law	Kansas has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, notice-at-collection, consent, or processor-contract duties under state law. The operative statutes are the 2006 data-breach notification law — a twice-gated, identity-theft-keyed notice duty with no fixed day-count — and the Kansas Consumer Protection Act, whose deception and unconscionability rules are what make a published privacy policy enforceable against the business that wrote it. Everything else rides the federal and sectoral overlay, so build to FTC Act § 5, GLBA, HIPAA, and COPPA and the program will be easier to adapt if Kansas later enacts an omnibus law.	Kansas data-breach notification statute, K.S.A. 50-7a01 and 50-7a02, plus the Kansas Consumer Protection Act, K.S.A. 50-623 et seq. — Kansas has no comprehensive consumer-privacy law	No Kansas statute mandates a consumer privacy policy or fixes its contents; a policy that misstates actual practices is reachable as a deceptive act under the KCPA and FTC Act § 5, and GLBA, HIPAA, and COPPA supply notice duties where they apply	Jun 11, 2026
Who does it cover? The breach statute reaches any person that conducts business in Kansas and owns or licenses computerized personal information of Kansas residents; the KCPA reaches any supplier in consumer transactions — no revenue or consumer-volume thresholds Can consumers sue? Limited path Privacy policy rule No state policy checklist Lawsuit detail The breach statute creates no express private remedy; the KCPA gives an aggrieved consumer an individual action for damages or a civil penalty, whichever is greater, with damages class actions sharply limited Who enforces it? Kansas Attorney General (the insurance commissioner has sole authority over breach violations by licensed insurers) Future effective law —
Kentucky	Comprehensive law	If you meet the 100,000-consumer (or 25,000 plus majority-data-sale) threshold in Kentucky, the KCDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General with a permanent 30-day cure period and no consumer lawsuits.	KRS 367.3611 to 367.3629 (Kentucky Consumer Data Protection Act), effective January 1, 2026	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 6, 2026
Who does it cover? Persons doing business in Kentucky (or targeting residents) that control or process the data of 100,000+ consumers a year, or 25,000+ while deriving over 50% of gross revenue from selling data — no revenue floor; nonprofits and higher-education institutions exempt Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — enforcement is exclusively the Attorney General's Who enforces it? Kentucky Attorney General (exclusive) Future effective law —
Louisiana	Comprehensive law	Louisiana enacted the Louisiana Data Privacy Act (Act No. 502 of 2026) effective January 1, 2027, requiring covered businesses to publish a six-item privacy notice, obtain consent for sensitive data, sign processor contracts, and honor consumer rights — enforced solely by the Attorney General with a cure period that sunsets July 31, 2027; until the act starts, the breach-notification law (with its own private right of action) and LUTPA govern.	Louisiana Data Privacy Act, La. R.S. 51:1780.1–1780.5 (Act No. 502 of 2026), effective January 1, 2027; until then the Database Security Breach Notification Law (La. R.S. 51:3071–3077) and LUTPA (La. R.S. 51:1401 et seq.) are the operative state framework	From January 1, 2027, yes — a reasonably accessible and clear privacy notice with six fixed contents, plus scripted word-for-word notices if the business sells sensitive or biometric data; today no state checklist exists and the governing rule is that whatever the policy says must be true	Jun 11, 2026
Who does it cover? From January 1, 2027 — a person or entity doing business in Louisiana that has over $25 million in annual gross revenue, or annually handles the personal information of 75,000+ consumers, households, or devices, or derives 50%+ of annual revenue from selling personal information; state agencies, GLBA financial institutions, HIPAA entities, nonprofits, and higher education are exempt Can consumers sue? Limited path Privacy policy rule Policy contents fixed by law Lawsuit detail No under the LDPA — it routes violations into LUTPA while expressly excluding the private actions in La. R.S. 51:1409 and 1409.1; but the breach law keeps its own private action for actual damages from untimely breach notice (La. R.S. 51:3075), and LUTPA § 1409 remains a general private-action hook for actual damages, with trebling only after Attorney General notice and knowing continuation Who enforces it? Louisiana Attorney General (exclusive for the LDPA) Future effective law —
Maine	Specific data types only	Maine has no comprehensive consumer-privacy law — the Maine Online Data Privacy Act (LD 1822) was placed in the Legislative Files (DEAD) on April 13, 2026 after the chambers insisted on opposing enactment positions — but it does have the nation's strictest ISP privacy statute, which since July 1, 2020 has required broadband providers serving Maine customers to get opt-in consent before using, disclosing, or selling customer personal information. Every other business builds to the Notice of Risk to Personal Data Act's 30-day breach-notice clock, the Maine Unfair Trade Practices Act, and the federal overlay.	35-A M.R.S. § 9301 (broadband ISP opt-in privacy law, eff. July 1, 2020) plus the Notice of Risk to Personal Data Act, 10 M.R.S. §§ 1346–1350-B — Maine has no comprehensive consumer-privacy statute	No general mandate — broadband providers must post a clear notice of customers' opt-in rights at the point of sale and on their website; for everyone else, policy contents are driven by FTC Act § 5 and the GLBA, HIPAA, and COPPA overlay	Jun 11, 2026
Who does it cover? The ISP law reaches only broadband providers serving customers physically located and billed in Maine; the breach act reaches any person maintaining computerized personal information of Maine residents — including state agencies, municipalities, and universities — with no revenue or volume threshold Can consumers sue? Limited path Privacy policy rule Policy required only for specific data Lawsuit detail None under the breach act (regulator/AG-enforced) and none stated in the ISP law; Maine UTPA § 213 gives consumer purchasers a restitution-oriented action for loss of money or property from unfair or deceptive practices Who enforces it? Maine Attorney General; Department of Professional and Financial Regulation regulators for licensed entities (Bureau of Insurance superintendent for insurance licensees) Future effective law —
Maryland	Comprehensive law	If you meet the 35,000-consumer (or 10,000 plus 20%-data-sale) threshold in Maryland, MODPA requires a detailed privacy notice and processor contracts, limits sensitive-data collection to what is strictly necessary, and bans the sale of sensitive data and of a minor's data outright — enforced by the Attorney General, with a cure period that sunsets for violations after April 1, 2027 and no consumer lawsuits.	Md. Code Ann., Com. Law §§ 14-4701 et seq. (Maryland Online Data Privacy Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents, including detailed third-party disclosures	Jun 6, 2026
Who does it cover? Persons doing business in Maryland (or targeting residents) that, in the prior calendar year, controlled or processed the data of 35,000+ consumers, or 10,000+ consumers while deriving more than 20% of gross revenue from selling data — a low threshold with only a narrow nonprofit carve-out Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — enforcement is exclusively the Attorney General's Consumer Protection Division Who enforces it? Maryland Attorney General, Consumer Protection Division (exclusive) Future effective law —
Massachusetts	No comprehensive law	Massachusetts governs consumer data today through its breach-notification statute (c. 93H), the prescriptive 201 CMR 17.00 regulation (in force since March 1, 2010, it requires a written information security program), and the c. 93A unfair-practices backbone — and the Massachusetts Consumer Data Privacy Act, which would add comprehensive consumer rights and controller duties, has passed both chambers in differing versions and is now in conference-committee reconciliation, not yet law.	Mass. Gen. Laws ch. 93H (breach notification) plus 201 CMR 17.00 (the written information security program rule) and ch. 93I (data destruction), enforced through the ch. 93A consumer-protection backbone — no comprehensive consumer-privacy act is in force; the Massachusetts Consumer Data Privacy Act has passed both chambers in differing versions and is in conference reconciliation	No Massachusetts statute requires a general consumer privacy policy today; a posted policy that misstates practices is a c. 93A § 2 and FTC Act § 5 deception risk, and both pending MCDPA versions would mandate a detailed privacy notice if enacted	Jun 12, 2026
Who does it cover? Any person that owns or licenses personal information about a Massachusetts resident — c. 93H and 201 CMR 17.00 carry no revenue or consumer-volume threshold and reach out-of-state businesses holding resident data; the pending MCDPA versions would add consumer-count and sensitive-data triggers Can consumers sue? Limited path Privacy policy rule No state policy checklist Lawsuit detail None under c. 93H — its enforcement section routes the Attorney General to c. 93A § 4 remedies; consumers injured by unfair or deceptive data practices can sue under c. 93A § 9 after a 30-day demand letter, with double or treble damages for willful violations; the House MCDPA text would add a c. 93A-based action against large data holders if it prevails in conference Who enforces it? Massachusetts Attorney General; the Office of Consumer Affairs and Business Regulation administers 201 CMR 17.00 and receives breach notices Future effective law —
Michigan	Specific data types only	Michigan has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, notice-at-collection, consent, or processor-contract duties under state law. What Michigan has instead is a distinctive set of sectoral exposures. The Preservation of Personal Privacy Act bars businesses from disclosing records that identify what a customer bought, rented, or borrowed in books, music, or video without a statutory exception, such as permission, marketing notice and opt-out, ordinary course, or legal process, and it carries a private right of action that has produced an active class-action industry — with $5,000-per-customer statutory damages still in play for disclosures predating its July 31, 2016 amendment. The Identity Theft Protection Act requires breach notice without unreasonable delay, backed by civil fines up to $750,000 per breach. Build the rest of the program to the federal overlay — FTC Act § 5, GLBA, HIPAA, and COPPA — and it auto-upgrades if Michigan later enacts an omnibus law.	Sectoral framework — Preservation of Personal Privacy Act (PPPA), MCL 445.1711–445.1715; Identity Theft Protection Act breach-notice duty, MCL 445.72; Michigan Consumer Protection Act, MCL 445.901 et seq.; Michigan has no comprehensive consumer-privacy law	No general website privacy-policy mandate and no state-fixed website contents — but a person obtaining Social Security numbers in the ordinary course of business must create an internal SSN privacy policy, a PPPA-covered business disclosing customer reading or viewing data for marketing may give the required opt-out notice in an online privacy policy, and a policy that misstates practices is deceptive under the MCPA and FTC Act § 5	Jun 11, 2026
Who does it cover? No omnibus thresholds. The PPPA reaches any business selling at retail, renting, or lending books or other written materials, sound recordings, or video recordings; the breach statute reaches any person or agency that owns, licenses, or maintains computerized personal information of Michigan residents Can consumers sue? Yes Privacy policy rule Policy required only for specific data Lawsuit detail Yes, under the PPPA — a customer who suffers actual damages may sue (MCL 445.1715), and disclosures predating the July 31, 2016 amendment carry $5,000 statutory damages; the MCPA right of action (MCL 445.911) survives but Smith v. Globe Life's regulated-conduct exemption narrows it; none under the breach statute Who enforces it? Michigan Attorney General (MCPA enforcement; breach-notice civil fines, which a county prosecuting attorney may also recover), with the FTC behind the federal overlay Future effective law —
Minnesota	Comprehensive law	If you control or process the data of 100,000+ Minnesota consumers (or 25,000+ plus over 25% of revenue from data sales), the MCDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — plus a uniquely strict list-of-third-parties right and profiling-reevaluation rights. The Attorney General enforces it; there are no consumer lawsuits, and the 30-day cure period has already expired.	Minn. Stat. §§ 325M.10–325M.21 (Minnesota Consumer Data Privacy Act), effective July 31, 2025	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 6, 2026
Who does it cover? Legal entities doing business in Minnesota (or targeting residents) that control or process the data of 100,000+ consumers a year (excluding payment-only data), or 25,000+ while deriving over 25% of gross revenue from selling data — no general nonprofit exemption; small businesses exempt except they still cannot sell sensitive data without consent Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — enforcement is exclusively the Attorney General's Who enforces it? Minnesota Attorney General (exclusive) Future effective law —
Mississippi	No comprehensive law	Mississippi has not enacted an omnibus consumer-privacy law, so there are no general state-law access, deletion, correction, sale opt-out, targeted-advertising opt-out, controller, processor, or privacy-notice duties. The state-law privacy program is breach notice, vendor notice-up, and truthfulness of consumer-facing privacy promises.	Miss. Code Ann. § 75-24-29 (data-breach notification), plus Miss. Code Ann. §§ 75-24-5 and 75-24-15 for unfair or deceptive trade practices and individual consumer remedies — Mississippi has no comprehensive consumer-privacy statute	No Mississippi statute generally requires a consumer privacy policy or fixes its contents; a policy that misstates actual practices is reachable as a deceptive-practices risk under Miss. Code Ann. § 75-24-5 and FTC Act § 5, with GLBA, HIPAA, COPPA, and other sectoral laws supplying notices where they apply	Jun 12, 2026
Who does it cover? The breach-notification statute applies to any person conducting business in Mississippi that, in the ordinary course of business, owns, licenses, or maintains personal information of a Mississippi resident; the deceptive-practices statute reaches unfair methods of competition and unfair or deceptive trade practices in or affecting commerce Can consumers sue? Limited path Privacy policy rule No state policy checklist Lawsuit detail No private right of action under the breach-notification section; § 75-24-15 gives an individual purchaser or lessee who suffers ascertainable loss a private action for prohibited practices, but class actions are barred Who enforces it? Mississippi Attorney General Future effective law —
Missouri	No comprehensive law	Missouri has not enacted a comprehensive consumer-privacy law. The 2026 session saw biometric and privacy-adjacent bills, but no omnibus access/delete/correct/opt-out framework passed before the May 15, 2026 adjournment, so the main commercial state framework is the breach-notification statute, the MMPA's deception rules and qualified private right of action, and, for insurance licensees, the Insurance Data Security Act's phased duties; everything else rides the federal overlay.	Mo. Rev. Stat. § 407.1500 (breach notification) plus the Merchandising Practices Act (§§ 407.010–407.025) and, for insurance licensees, the Insurance Data Security Act (§§ 375.1400–375.1427, effective January 1, 2026) — Missouri has no comprehensive consumer-privacy statute	No general Missouri mandate fixes a privacy policy's contents — they are driven by FTC Act § 5 and the sectoral overlay (GLBA, HIPAA, COPPA), with the MMPA supplying the state deception hook for a policy that misstates actual practices; an insurance licensee must hand its privacy policy to the insurance director after a cybersecurity event	Jun 11, 2026
Who does it cover? Breach statute: any person that owns or licenses personal information of Missouri residents, or that conducts business in Missouri and owns or licenses a resident's personal information, with no size threshold. MMPA: anyone selling or advertising merchandise — defined to include services and intangibles — in or from Missouri. Insurance Data Security Act: persons licensed or registered under Missouri insurance law Can consumers sue? Yes Privacy policy rule No state policy checklist Lawsuit detail Not under the breach statute (the Attorney General has exclusive authority, with a civil penalty up to $150,000 per breach) and expressly none under the Insurance Data Security Act; but MMPA § 407.025 gives consumers a private action — punitive damages, fee-shifting, and class actions included — subject to heightened reasonable-consumer and objective-damages proof requirements added in 2020 Who enforces it? Missouri Attorney General (breach statute and MMPA); Director of the Department of Commerce and Insurance (Insurance Data Security Act) Future effective law —
Montana	Comprehensive law	If you meet the 25,000-consumer (or 15,000 plus over-25%-data-sale) threshold in Montana, the MCDPA requires a privacy notice, opt-in consent to process sensitive data, recognition of a universal opt-out preference signal, and processor contracts — enforced by the Attorney General, with no consumer lawsuits and, since the 2025 amendments, no general right to cure before penalties of up to $7,500 per violation.	Mont. Code Ann. §§ 30-14-2801 et seq. (codified short title Consumer Data Privacy Act; commonly the Montana Consumer Data Privacy Act, or MCDPA)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 5, 2026
Who does it cover? Persons doing business in Montana (or targeting residents) that control or process the data of 25,000+ consumers, or 15,000+ while deriving over 25% of gross revenue from selling data — no revenue floor; state agencies, higher-education institutions, GLBA banks, HIPAA covered entities, and insurers are exempt Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — enforcement is exclusively the Attorney General's Who enforces it? Montana Attorney General (exclusive) Future effective law —
Nebraska	Comprehensive law	If you do business in Nebraska (or serve its residents), process or sell personal data, and are not a federal small business, the Data Privacy Act requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General with a 30-day cure period and no consumer lawsuits.	Neb. Rev. Stat. §§ 87-1101 et seq. (Nebraska Data Privacy Act, effective Jan. 1, 2025)	Yes — a reasonably accessible and clear privacy notice with statutorily fixed contents	Jun 6, 2026
Who does it cover? Persons that conduct business in Nebraska or produce a product or service consumed by Nebraska residents, that process or sell personal data, and that are not a small business under the federal Small Business Act — no consumer-count or revenue threshold; state agencies, GLBA, HIPAA, nonprofits, and higher-education institutions exempt Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — the Act cannot be construed as a basis for a private right of action Who enforces it? Nebraska Attorney General (exclusive) Future effective law —
Nevada	Limited-scope law	Nevada has no omnibus privacy law, but NRS chapter 603A requires a website privacy notice with five fixed elements, honors opt-outs of monetary-consideration sales of covered information, and requires opt-in consent and a dedicated privacy policy for consumer health data.	NRS ch. 603A — internet privacy notice and sale opt-out (NRS 603A.300–.360), consumer health data (NRS 603A.400–.550, effective March 31, 2024), and data security and breach notification (NRS 603A.010–.290); Nevada has no comprehensive consumer-privacy act	Yes — website operators need an accessible privacy notice with five fixed content elements under NRS 603A.340, and a business handling consumer health data needs a separate health-data privacy policy under NRS 603A.495	Jun 11, 2026
Who does it cover? Operators of commercial websites and online services that collect covered information from Nevada consumers (constitutional-nexus test, no revenue or volume threshold), data brokers that resell that information, regulated entities that handle consumer health data, and any data collector holding Nevadans' personal information Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No private right against operators under NRS 603A.360(4) and none under the health-data regime; data-broker and security/breach private-action theories are open or untested Who enforces it? Nevada Attorney General for the internet regime; Attorney General or district attorneys for security/breach injunctions; public DTPA enforcers for deceptive-trade-practice violations Future effective law —
New Hampshire	Comprehensive law	If you meet the 35,000-consumer (or 10,000 plus majority-share-of-revenue-from-data-sale) threshold in New Hampshire, ch. 507-H requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General with no consumer lawsuits and a cure period that became discretionary on January 1, 2026.	N.H. Rev. Stat. Ann. ch. 507-H (New Hampshire Privacy Act), effective January 1, 2025	Yes — a clear and meaningful privacy notice in a reasonably accessible format with statutorily fixed contents	Jun 6, 2026
Who does it cover? Persons doing business in New Hampshire (or targeting residents) that in a one-year period control or process the data of 35,000+ unique consumers (excluding payment-only data), or 10,000+ consumers while deriving more than 25% of gross revenue from selling data — no revenue floor; nonprofits, higher education, and GLBA- and HIPAA-regulated entities exempt Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — enforcement is exclusively the Attorney General's Who enforces it? New Hampshire Attorney General (exclusive) Future effective law —
New Jersey	Comprehensive law	If you meet the 100,000-consumer (or 25,000 plus any data-sale revenue) threshold in New Jersey, the NJDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General as an unlawful practice under the Consumer Fraud Act, with no consumer lawsuits and a cure period that sunsets after the law's first 18 months.	N.J.S.A. 56:8-166.4 et seq. (New Jersey Data Privacy Act), effective January 15, 2025	Yes — a reasonably accessible, clear, and meaningful notice with seven statutorily fixed contents	Jun 6, 2026
Who does it cover? Controllers doing business in New Jersey (or targeting residents) that control or process the data of 100,000+ consumers a year (excluding payment-only data), or 25,000+ while deriving any revenue or a discount from selling data — no revenue floor, and no exemption for nonprofits Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — enforcement is exclusively the Attorney General's Who enforces it? New Jersey Attorney General, through the Division of Consumer Affairs (exclusive) Future effective law —
New Mexico	No comprehensive law	New Mexico has not enacted a comprehensive consumer-privacy law — the Consumer Information and Data Protection Act (HB 214) died in the 2026 session, and aggregator pages reporting a July 1, 2026 effective date are describing a dead bill. What governs today is the Data Breach Notification Act (45-day breach notice, reasonable-security, disposal, and vendor-contract duties) plus the Unfair Practices Act, which can create private damages exposure when a covered privacy-policy or breach-response misstatement causes money or property loss.	Data Breach Notification Act, NMSA 1978, §§ 57-12C-1 to -12, plus the Unfair Practices Act, NMSA 1978, §§ 57-12-1 to -26 — New Mexico has no comprehensive consumer-privacy statute	No New Mexico statute mandates a consumer privacy policy or fixes its contents; what you publish is policed by FTC Act § 5 and the Unfair Practices Act, so a knowing policy misstatement tied to a covered transaction can create private exposure if a person loses money or property	Jun 11, 2026
Who does it cover? Any person that owns or licenses personal identifying information of New Mexico residents — no revenue or volume threshold; persons subject to GLBA or HIPAA are exempt from the breach act entirely Can consumers sue? Limited path Privacy policy rule No state policy checklist Lawsuit detail Not under the Data Breach Notification Act — enforcement is Attorney General-only; but the Unfair Practices Act gives a private action to a person who loses money or property from an unlawful practice, with a $100 statutory floor, possible treble damages for willful conduct, mandatory fee-shifting, and class actions Who enforces it? New Mexico Attorney General (New Mexico Department of Justice) Future effective law —
New York	Specific data types only	New York has not enacted a comprehensive consumer-privacy law, but the SHIELD Act already requires almost every business holding New Yorkers' private information — with no revenue or in-state-presence threshold — to run a reasonable data-security program, to report breaches within 30 days, and to expect Attorney General enforcement under separate SHIELD and breach-notice provisions. Since June 20, 2025 the Child Data Protection Act has added a default-deny regime for processing personal data of users under 18, including a sale ban subject to statutory exceptions. There is no general privacy-policy mandate, so the policy slice is governed by the rule that whatever you publish must be true; the moving piece to watch is the twice-passed Health Information Privacy Act, which would add a strict consumer-health-data regime if it becomes law.	SHIELD Act — N.Y. Gen. Bus. Law § 899-bb (reasonable-safeguards duty) and § 899-aa (breach notification) — plus the Child Data Protection Act (GBL art. 39-FF, in force since June 20, 2025) and GBL § 349; New York has no comprehensive consumer-privacy statute	No general New York statute mandates a consumer privacy policy or fixes its contents; a published policy that misstates practices is actionable under GBL § 349 and FTC Act § 5, and GLBA, HIPAA, and COPPA supply required contents where they apply	Jun 11, 2026
Who does it cover? Any person or business, wherever located, that owns or licenses computerized data including the private information of a New York resident — no in-state-presence, revenue, or volume threshold; small businesses get scaled (not waived) duties; the Child Data Protection Act covers operators of online services with New York users under 18 Can consumers sue? Limited path Privacy policy rule No state policy checklist Lawsuit detail Not under the SHIELD Act — § 899-bb expressly creates none and § 899-aa runs through the Attorney General; but GBL § 349(h) lets a consumer injured by a deceptive practice sue for actual damages or $50 (treble to $1,000) plus attorney's fees Who enforces it? New York Attorney General (Commissioner of Labor for employee personal-identifying-information violations under Labor Law § 203-d) Future effective law —
North Carolina	No comprehensive law	North Carolina has not enacted a comprehensive consumer-privacy law; the operative statute is the Identity Theft Protection Act, whose breach-notification, Social Security number, disposal, and security-freeze sections expressly bridge violations into § 75-1.1.	Identity Theft Protection Act, N.C. Gen. Stat. §§ 75-60 to 75-66 (Article 2A of Chapter 75) — North Carolina has no comprehensive consumer-privacy law; breach-notification, Social Security number, disposal, and security-freeze sections contain express § 75-1.1 bridges	No North Carolina statute mandates a general consumer privacy policy or fixes its contents; a materially misleading statement can support a § 75-1.1 or FTC Act § 5 deception theory if the required elements are met, alongside GLBA, HIPAA, and COPPA where those apply	Jun 11, 2026
Who does it cover? Any business that owns, licenses, maintains, or possesses personal information of North Carolina residents — in any form, computerized or paper — with no revenue or consumer-volume threshold Can consumers sue? Limited path Privacy policy rule No state policy checklist Lawsuit detail Yes for specific bridged ITPA sections — an injured consumer can use § 75-16 for mandatory treble damages where the section expressly makes the violation a § 75-1.1 violation; § 75-66 separately allows civil damages under G.S. 1-539.2C Who enforces it? North Carolina Attorney General (Consumer Protection Division) Future effective law —
North Dakota	No comprehensive law	North Dakota has not enacted a comprehensive consumer-privacy law — the operative state framework is the ch. 51-30 breach-notification statute, enforced by the Attorney General through the ch. 51-15 consumer-fraud law, plus a 2025 information-security chapter for state-regulated financial corporations, with everything else riding the federal and sectoral overlay.	N.D. Cent. Code ch. 51-30 (breach notification) — North Dakota has no comprehensive consumer-privacy law; ch. 51-30 plus the consumer-fraud law (ch. 51-15) and the 2025 financial-corporation data-security chapter (ch. 13-01.2) are the operative state framework	No North Dakota statute mandates a consumer privacy policy or fixes its contents; a policy that misstates practices can be a deceptive practice under N.D. Cent. Code ch. 51-15 and FTC Act § 5, with GLBA, HIPAA, and COPPA supplying contents where those regimes apply	Jun 12, 2026
Who does it cover? Any person that owns or licenses computerized data including personal information of North Dakota residents — no revenue or consumer-volume threshold; the 2025 data-security chapter reaches financial corporations regulated by the Department of Financial Institutions Can consumers sue? Limited path Privacy policy rule No state policy checklist Lawsuit detail Not expressly under ch. 51-30 — the Attorney General enforces it — but a ch. 51-30 violation is deemed a ch. 51-15 violation, and § 51-15-09 preserves private claims, with treble damages for knowing conduct, against a defendant who acquired money or property through an unlawful practice Who enforces it? North Dakota Attorney General; Commissioner of the Department of Financial Institutions for the 2025 financial-corporation data-security chapter Future effective law —
Ohio	No comprehensive law	Ohio regulates consumer data by sector, not comprehensively — the operative duties are 45-day breach notification under Ohio Rev. Code § 1349.19 (Attorney General enforced, no private right of action) and truthful data practices under the Consumer Sales Practices Act, while the Ohio Data Protection Act (ch. 1354) gives a business that maintains a written cybersecurity program conforming to a recognized framework an affirmative defense to data-breach tort claims.	Ohio Rev. Code § 1349.19 (data-breach notification) plus ch. 1354 (Ohio Data Protection Act cybersecurity safe harbor) and ch. 1345 (Consumer Sales Practices Act) — Ohio has no comprehensive consumer-privacy law	No Ohio statute mandates a consumer privacy policy or fixes its contents; the federal overlay (FTC Act § 5, GLBA, HIPAA, COPPA) supplies the notice duties, and a policy that misstates practices is a deceptive act under the Consumer Sales Practices Act	Jun 11, 2026
Who does it cover? Any person or business entity that conducts business in Ohio and owns or licenses computerized personal information of Ohio residents — no revenue or data-volume threshold; HIPAA covered entities and federally regulated financial institutions are exempt from the breach statute Can consumers sue? Limited path Privacy policy rule No state policy checklist Lawsuit detail Not under the breach statute — Ohio Rev. Code § 1349.192 gives the Attorney General exclusive enforcement authority; the Consumer Sales Practices Act allows individual suits, but treble damages and class actions are gated on a prior rule or published court decision Who enforces it? Ohio Attorney General (breach notification and Consumer Sales Practices Act); superintendent of insurance for insurance licensees under ch. 3965 Future effective law —
Oklahoma	No comprehensive law^*	The Oklahoma Consumer Data Privacy Act (SB 546) does not take effect until January 1, 2027, but the state's rewritten Security Breach Notification Act — Attorney General notice for breaches affecting 500 or more residents, biometric and credential data elements, and penalties keyed to reasonable safeguards — has applied since January 1, 2026, so breach readiness is due now and OKCDPA compliance next January.	Oklahoma Consumer Data Privacy Act, 75A O.S. §§ 300–320 (SB 546, effective January 1, 2027); until then, the Security Breach Notification Act, 24 O.S. §§ 161–166 (as rewritten effective January 1, 2026) plus the Oklahoma Consumer Protection Act	Yes from January 1, 2027 — a reasonably accessible and clear privacy notice with statutorily fixed contents, plus conspicuous opt-out disclosures for data sales and targeted advertising	Jun 11, 2026
Who does it cover? From 2027, controllers and processors doing business in Oklahoma (or targeting Oklahoma residents) that process personal data of 100,000+ consumers a year — or 25,000+ consumers while deriving over half of gross revenue from selling personal data; the breach act already covers any individual or entity owning, licensing, or maintaining computerized personal information, with duties depending on that role Can consumers sue? Limited path Privacy policy rule No state policy checklist^* Lawsuit detail No — the OKCDPA expressly bars private suits and the breach act is enforced by the Attorney General or district attorneys, but the Oklahoma Consumer Protection Act gives consumers a private damages action for deceptive practices Who enforces it? Oklahoma Attorney General (exclusive under the OKCDPA; district attorneys share breach-act and consumer-protection enforcement) Future effective law Oklahoma Consumer Data Privacy Act effective 2027-01-01 (Law coverage: Comprehensive law; Privacy policy rule: Policy contents fixed by law; Sensitive-data consent: Consent required first) — Current buckets stay on Oklahoma's breach-notification and consumer-protection baseline until the OKCDPA takes effect.
Oregon	Comprehensive law	If you meet the 100,000-consumer (or 25,000 plus 25%-data-sale-revenue) threshold in Oregon, the OCPA requires a privacy notice with prescribed contents, opt-in consent to process sensitive data, recognition of a universal opt-out signal, and processor contracts — enforced by the Attorney General with civil penalties up to $7,500 per violation, no consumer lawsuits, and no general right to cure after January 1, 2026.	Or. Rev. Stat. §§ 646A.570–646A.589 (Oregon Consumer Privacy Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 5, 2026
Who does it cover? Persons doing business in Oregon (or targeting residents) that, in a calendar year, control or process the personal data of 100,000+ consumers, or 25,000+ while deriving 25% or more of annual gross revenue from selling personal data — no dollar revenue floor; nonprofits covered; GLBA financial institutions, insurers, and public bodies are exempt at the entity level, while HIPAA-regulated health data is exempt only at the data level (so HIPAA-covered businesses still comply for non-exempt data) Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — enforcement is exclusively the Attorney General's Who enforces it? Oregon Attorney General (exclusive) Future effective law —
Pennsylvania	No comprehensive law	Pennsylvania has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, notice-at-collection, consent, or processor-contract duties under state law. The operative state statute is the Breach of Personal Information Notification Act, which requires notice of a data breach without unreasonable delay and is enforced solely by the Attorney General. Everything else in a Pennsylvania-facing privacy program comes from the federal and sectoral overlay — FTC Act § 5, GLBA, HIPAA, and COPPA — so build to those and to the Breach Act, and the program auto-upgrades if Pennsylvania later enacts an omnibus law. One state-law exposure does demand attention now — Pennsylvania's all-party-consent wiretap statute (WESCA) has become the basis for website session-replay and tracking-pixel class actions, so obtain visitor consent before running third-party tracking.	Pennsylvania Breach of Personal Information Notification Act, 73 P.S. §§ 2301 et seq. — Pennsylvania has no comprehensive consumer-privacy law; the Breach Act plus a federal and sectoral overlay is the operative framework	No comprehensive Pennsylvania statute mandates a consumer privacy policy or fixes its contents; contents are driven by FTC Act § 5 (a policy that misstates practices is deceptive), the UTPCPL, and the GLBA, HIPAA, and COPPA rules where the business is in scope	Jun 7, 2026
Who does it cover? Any entity — a sole proprietorship, partnership, corporation, association, or other group, for profit or not — doing business in Pennsylvania that maintains, stores, or manages computerized personal information of Pennsylvania residents; no revenue or consumer-volume threshold Can consumers sue? Yes Privacy policy rule No state policy checklist Lawsuit detail Not under the Breach Act — the Attorney General has exclusive UTPCPL enforcement authority; but Pennsylvania's all-party-consent wiretap law (WESCA, 18 Pa.C.S. § 5725) provides a private cause of action that drives website session-replay class actions Who enforces it? Pennsylvania Office of Attorney General Future effective law —
Rhode Island	Limited-scope law	If your commercial website sells Rhode Island customers' personal information, RIDTPPA requires an information-sharing-practices notice; meeting the 35,000-customer (or 10,000-plus-20%-data-sale) threshold adds opt-in consent for sensitive data and binding processor contracts — all enforced by the Attorney General, with no consumer lawsuits.	R.I. Gen. Laws ch. 6-48.1 (Rhode Island Data Transparency and Privacy Protection Act), effective January 1, 2026	Yes — a commercial website or ISP that collects, stores, and sells customers' personal information must conspicuously disclose data categories, the third parties it sells to, and a contact mechanism	Jun 6, 2026
Who does it cover? Two tracks: any commercial website or internet service provider that collects, stores, and sells customers' personal information must post information-sharing disclosures; the broader controller duties reach for-profit entities that control or process the data of 35,000+ Rhode Island customers, or 10,000+ while deriving over 20% of gross revenue from data sales. Financial institutions, GLBA/HIPAA data, nonprofits, and government bodies are exempt. Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — the statute expressly forbids any private right of action; the Attorney General is the sole enforcer Who enforces it? Rhode Island Attorney General (sole enforcement authority) Future effective law —
South Carolina	Specific data types only	South Carolina has not enacted a comprehensive consumer-privacy law, but it is not toothless. Act No. 96 of 2026 — an age-appropriate design code that took effect at signing on February 5, 2026 — imposes reasonable-care, data-minimization, no-targeted-advertising, highest-default-protection, and annual-audit duties on online services likely to be accessed by minors that meet a size threshold, enforced by the Attorney General with treble the financial damages incurred and personal officer liability; July 1 is only the recurring audit-report deadline, and a NetChoice First Amendment challenge to the act is pending. For everyone else, the operative state laws are the breach-notification statute — which, unusually, lets an injured resident sue — and the Unfair Trade Practices Act, which supplies the deception hook for privacy-policy misstatements if the plaintiff satisfies SCUTPA's loss and action requirements. The rest of a South Carolina privacy program rides the federal overlay.	S.C. Code Ann. § 39-1-90 (breach notification, with a private right of action) plus Act No. 96 of 2026 (H. 3431), the age-appropriate design code for minors codified at S.C. Code Ann. ch. 80, tit. 39 — South Carolina has no comprehensive consumer-privacy statute	No general South Carolina mandate — contents are driven by FTC Act § 5 and the sectoral overlay (GLBA, HIPAA, COPPA); SCUTPA supplies the deception hook if a misstatement causes an ascertainable loss, and Act 96 separately requires covered online services to post prominent minors' design-safety, privacy-protection, and parental-tool disclosures	Jun 11, 2026
Who does it cover? Breach statute: any person conducting business in South Carolina that owns or licenses residents' computerized personal identifying information, with no size threshold. Act 96: online services reasonably likely to be accessed by minors that meet one of three thresholds — over $25 million in annual revenue, personal data of 50,000+ consumers, households, or devices per year, or 50%+ of revenue from selling or sharing personal data Can consumers sue? Limited path Privacy policy rule Policy required only for specific data Lawsuit detail Yes, unusually — § 39-1-90(G) lets a resident injured by a breach-notification violation sue (damages for a wilful and knowing violation, actual damages for a negligent one, plus injunction and fees), and SCUTPA § 39-5-140 gives an individual-only action with treble damages for willful violations; Act 96 is enforced by the Attorney General Who enforces it? South Carolina Attorney General (Act 96 and SCUTPA); Department of Consumer Affairs (breach-statute administrative fines); Department of Insurance (insurance licensees) Future effective law —
South Dakota	Specific data types only	South Dakota has no comprehensive consumer-privacy law — compliance today means the 60-day breach-notification statute, truthful privacy statements under a knowledge-gated deceptive-practices law, and the federal overlay; direct-to-consumer genetic-testing companies face a consent-heavy Genetic Data Privacy Act on July 1, 2026, and the largest social-media platforms face data-portability duties on July 1, 2027.	No comprehensive consumer-privacy statute — the operative framework is the breach-notification act (S.D. Codified Laws §§ 22-40-19 to 22-40-26), the deceptive-trade-practices chapter (ch. 37-24), and the Genetic Data Privacy Act (§§ 37-24-59 to 37-24-64, effective July 1, 2026)	No general mandate — from July 1, 2026 only direct-to-consumer genetic-testing companies must publish a plain-language privacy policy plus a prominent privacy notice; everyone else's policy contents are driven by FTC Act § 5 and the sectoral federal rules	Jun 11, 2026
Who does it cover? Breach duties reach any person or business that conducts business in South Dakota and owns or licenses computerized personal or protected information of residents — no size or revenue threshold; the Genetic Data Privacy Act reaches direct-to-consumer genetic-testing companies; the 2027 portability law reaches only social-media services with more than 100 million monthly users Can consumers sue? Limited path Privacy policy rule Policy required only for specific data Lawsuit detail None in the breach act or the Genetic Data Privacy Act — the only consumer path is S.D. Codified Laws § 37-24-31, which allows actual-damages suits solely for knowing deceptive acts under § 37-24-6 Who enforces it? South Dakota Attorney General (Consumer Protection division) Future effective law —
Tennessee	Comprehensive law	If you exceed the $25 million revenue floor and meet Tennessee's large consumer-volume tests, TIPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General with a 60-day cure period and no consumer lawsuits, and uniquely offering an affirmative defense to businesses that maintain a written privacy program conforming to the NIST privacy framework.	Tenn. Code Ann. §§ 47-18-3301 et seq. (Tennessee Information Protection Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 6, 2026
Who does it cover? Persons doing business in Tennessee (or targeting residents) that exceed $25 million in revenue AND either process the information of 175,000+ consumers a year, or 25,000+ while deriving over 50% of gross revenue from selling personal information — a high entry bar; nonprofits, government, GLBA, HIPAA, and higher-education entities exempt Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — enforcement is exclusively the Attorney General's Who enforces it? Tennessee Attorney General and Reporter (exclusive) Future effective law —
Texas	Comprehensive law	If you do business in Texas and are not an SBA small business, the TDPSA requires a specific privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced solely by the Attorney General, with no consumer lawsuits.	Tex. Bus. & Com. Code ch. 541 (Texas Data Privacy and Security Act)	Yes — a reasonably accessible and clear notice with statutorily fixed contents	Jun 4, 2026
Who does it cover? Anyone who does business in Texas (or sells products/services to Texans), processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration — no revenue or data-volume threshold Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — the statute bars any private right of action Who enforces it? Texas Attorney General (exclusive) Future effective law —
Utah	Comprehensive law	The UCPA covers only larger businesses ($25M+ revenue plus a volume threshold). Covered controllers must post a privacy notice, give notice and an opt-out before processing sensitive data, sign processor contracts, and honor opt-outs — enforced by the Attorney General after a 30-day cure, with no consumer lawsuits.	Utah Code §§ 13-61-101 et seq. (Utah Consumer Privacy Act)	Yes — a reasonably accessible and clear notice with statutorily fixed contents	Jun 4, 2026
Who does it cover? Controllers or processors doing business in Utah (or targeting Utahns) with $25,000,000+ annual revenue that also process the data of 100,000+ consumers a year, or 25,000+ while deriving 50%+ of revenue from selling data Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — enforcement is exclusively the Attorney General's Who enforces it? Utah Attorney General (after Division of Consumer Protection investigation) Future effective law —
Vermont	Specific data types only	Vermont today is a sectoral-statute state — the Security Breach Notice Act, the data-broker registration law, and the Consumer Protection Act are the operative framework — but that could change within days: S.71, the Vermont Data Privacy and Online Surveillance Act, passed both chambers and was delivered to the Governor on June 10, 2026, with a constitutional deadline to act on or about June 16, 2026, and the enacted Age-Appropriate Design Code takes effect January 1, 2027.	Security Breach Notice Act, 9 V.S.A. § 2435, plus the data-broker law, 9 V.S.A. §§ 2446–2447 — Vermont has no comprehensive consumer-privacy act in force; S.71 (comprehensive) is awaiting action by the Governor, and the Age-Appropriate Design Code, 9 V.S.A. §§ 2449a–2449i, takes effect January 1, 2027	No Vermont statute requires a general consumer privacy policy today or fixes its contents; notice duties arise only in scoped settings — breach notices, data-broker registry disclosures, and (from January 1, 2027) the design code's transparency duties — with FTC Act § 5 and the Consumer Protection Act policing whatever a business publishes	Jun 12, 2026
Who does it cover? Breach duties reach any data collector that handles computerized personal information of Vermont residents, with no size threshold; data-broker duties reach businesses that knowingly collect and sell or license data about consumers with whom they have no direct relationship Can consumers sue? Limited path Privacy policy rule Policy required only for specific data Lawsuit detail Not under the privacy statutes themselves, which route enforcement to the Attorney General; but the Consumer Protection Act, 9 V.S.A. § 2461(b), lets a consumer who contracts in reliance on, or sustains damages from, a prohibited practice sue for damages, attorney's fees, and exemplary damages up to three times the consideration Who enforces it? Vermont Attorney General (Department of Financial Regulation for its licensees) Future effective law —
Virginia	Comprehensive law	If you meet the 100,000-consumer (or 25,000 plus majority-data-sale) threshold in Virginia, the VCDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General with a permanent 30-day cure period and no consumer lawsuits.	Va. Code §§ 59.1-575 et seq. (Virginia Consumer Data Protection Act)	Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents	Jun 4, 2026
Who does it cover? Persons doing business in Virginia (or targeting residents) that control or process the data of 100,000+ consumers a year, or 25,000+ while deriving over 50% of gross revenue from selling data — no revenue floor; nonprofits exempt Can consumers sue? No Privacy policy rule Policy contents fixed by law Lawsuit detail No — enforcement is exclusively the Attorney General's Who enforces it? Virginia Attorney General (exclusive) Future effective law —
Washington	Specific data types only	Washington never passed a comprehensive privacy act, but the My Health My Data Act functions like one for a wide swath of businesses — consumer health data includes biometrics, precise location, and inferences, every covered business needs a separate homepage-linked health-data privacy policy, selling that data requires a signed authorization, and violations carry class-action exposure through the Consumer Protection Act.	My Health My Data Act, ch. 19.373 RCW (main regulated-entity duties operative March 31, 2024; small-business duties generally June 30, 2024; geofencing ban separately in force), alongside the breach-notification statute (ch. 19.255 RCW) and the biometric-identifier statute (ch. 19.375 RCW) — Washington has no comprehensive consumer-privacy act	Yes — a dedicated consumer health data privacy policy with statutorily fixed contents and a prominently published homepage link (RCW 19.373.020); no Washington statute fixes the contents of a general privacy policy	Jun 11, 2026
Who does it cover? Any legal entity that conducts business in Washington or targets products or services to Washington consumers and determines how consumer health data is handled — a category that sweeps in biometrics, genetic data, precise location near health services, and health inferences derived from non-health data, so many non-health businesses are covered; small businesses generally had later dates, not an exemption Can consumers sue? Yes Privacy policy rule Policy required only for specific data Lawsuit detail Yes — an MHMDA violation is a per se Consumer Protection Act violation (RCW 19.373.090), so consumers injured in their business or property can sue under RCW 19.86.090; the biometric chapter, by contrast, is Attorney General-only Who enforces it? Washington Attorney General (under the Consumer Protection Act), alongside private CPA suits Future effective law —
West Virginia	No comprehensive law	West Virginia has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, notice-at-collection, consent, or processor-contract duties under state law. The operative state statutes are the breach-notification article — enforced exclusively by the Attorney General, with civil penalties capped at $150,000 per breach and available only for repeated and willful violations — and the West Virginia Consumer Credit and Protection Act, whose deceptive-practices article carries a consumer private right of action for actual damages or $200 after a 45-day pre-suit cure window. Everything else in a West Virginia-facing privacy program comes from the federal and sectoral overlay — FTC Act § 5, GLBA, HIPAA, and COPPA — so build to those and to the breach statute, and the program upgrades rather than restarts if West Virginia later enacts an omnibus law.	West Virginia breach-notification article, W. Va. Code §§ 46A-2A-101 to 46A-2A-105, plus the WVCCPA unfair-or-deceptive-practices article (W. Va. Code § 46A-6-104) — West Virginia has no comprehensive consumer-privacy law	No West Virginia statute mandates a general consumer privacy policy or fixes its contents; a policy that misstates actual practices invites FTC Act § 5 and WVCCPA deception exposure, and GLBA, HIPAA, and COPPA supply the contents where those regimes apply	Jun 12, 2026
Who does it cover? Any individual or entity — corporations, partnerships, limited liability companies, associations, governments, for profit or not — that owns or licenses computerized personal information of West Virginia residents; no revenue or consumer-volume threshold Can consumers sue? Limited path Privacy policy rule No state policy checklist Lawsuit detail Not under the breach-notification article — the Attorney General has exclusive enforcement authority; but WVCCPA § 46A-6-106 gives a consumer a private action for actual damages or $200, whichever is greater, subject to the 45-day right-to-cure notice in § 46A-5-108 Who enforces it? West Virginia Attorney General Future effective law —
Wisconsin	No comprehensive law	Wisconsin has no comprehensive consumer-privacy law — the 2025–26 Wisconsin Data Privacy Act bills (AB 172/SB 166) failed on March 23, 2026 — so there are no general data-rights, consent, or processor-contract duties under state law. The operative state statute is the breach-notification law, Wis. Stat. § 134.98, which sets a 45-day notice clock but prescribes no penalty, names no enforcer, and creates no private right of action; its practical teeth are evidentiary use in negligence suits plus possible federal FTC Act exposure for unfair or deceptive conduct. The rest of a Wisconsin program rides sectoral statutes — record disposal, patient health records, insurance data security — and the federal overlay, with the codified § 995.50 right of privacy supplying Wisconsin's only general privacy private action.	No comprehensive consumer-privacy law — Wis. Stat. § 134.98 (breach notification) is the operative general statute, alongside sectoral rules (§§ 134.97, 146.84, ch. 601 subch. IX), the § 995.50 right of privacy, and the federal overlay	No Wisconsin statute mandates a consumer privacy policy or fixes its contents; the operative rules are FTC Act § 5 (unfair or deceptive conduct can create federal exposure), § 100.18 (untrue, deceptive or misleading public representations), and the GLBA, HIPAA, and COPPA notice rules where the business is in scope	Jun 11, 2026
Who does it cover? § 134.98 covers any entity — expressly including state and local government — that conducts business in Wisconsin and maintains personal information, licenses personal information in the state, maintains depository accounts for residents, or lends money to residents; no size or revenue threshold Can consumers sue? Yes Privacy policy rule No state policy checklist Lawsuit detail Not under § 134.98 — noncompliance is only potential evidence of negligence; § 100.18(11)(b)2. requires pecuniary loss; the codified right of privacy, § 995.50, is Wisconsin's only general privacy private action, and § 146.84 adds a strong one for patient health-care records Who enforces it? No designated privacy regulator — § 134.98 names no enforcement agency; DATCP enforces § 100.18, and the Commissioner of Insurance enforces insurance data security Future effective law —
Wyoming	Specific data types only	Wyoming has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, notice-at-collection, consent, or processor-contract duties under state law. The operative state laws are the data-breach notification statute (Wyo. Stat. §§ 40-12-501 et seq.), the Wyoming Consumer Protection Act, and a genetic-data privacy chapter that imposes consent, notice, and deletion duties on direct-to-consumer genetic testing companies and carries a private right of action. Everything else in a Wyoming-facing privacy program comes from the federal and sectoral overlay — FTC Act § 5, GLBA, HIPAA, and COPPA.	Wyo. Stat. §§ 40-12-501 et seq. (breach of the security of the data system), the Wyoming Consumer Protection Act, §§ 40-12-101 et seq., and the genetic data privacy chapter, §§ 35-32-101 et seq. — Wyoming has no comprehensive consumer-privacy law	No general Wyoming statute mandates a consumer privacy policy or fixes its contents; direct-to-consumer genetic testing companies must post a high-level privacy-policy overview and a prominent privacy notice, and FTC Act § 5, GLBA, HIPAA, and COPPA drive contents for everyone else	Jun 12, 2026
Who does it cover? Any individual or commercial entity that conducts business in Wyoming and owns or licenses computerized personal identifying information about Wyoming residents — no revenue or consumer-volume threshold; the genetic-data chapter reaches direct-to-consumer genetic testing companies Can consumers sue? Limited path Privacy policy rule Policy required only for specific data Lawsuit detail Not under the breach statute, which the Attorney General enforces; the Wyoming Consumer Protection Act lets a consumer sue over an uncured deceptive trade practice (§ 40-12-108), and the genetic-data chapter gives individuals a civil action after a 60-day cure window (§ 35-32-104) Who enforces it? Wyoming Attorney General (the enforcing authority under the Wyoming Consumer Protection Act) Future effective law —